Q. How do I use the Netcap.exe (Network Monitor Capture Utility) that is included in the Windows XP and Windows Server 2003 Support Tools?

Netcap.exe (Network Monitor Capture Utility) is installed when you install the Support Tools from the Support\Tools folder on the operating system CD-ROM.

When you first run Netcap.exe, it installs the Network Monitor driver and binds it to all network adapters.

The Netcap.exe utility includes capture features that are similar to those in Network Monitor, but Netcap.exe is a command-line tool.

NOTE: Network Monitor is included with Windows 2000 Server, Windows Server 2003, Windows XP, and SMS (Systems Management Server).

When I type netcap /?, I receive:

 Microsoft Network Monitor capture utility

 Usage: NetCap.exe [/B:#] [/T ]
                    [/F:] [/C:] [/N:#]
                    [/L:HH:MM:SS] [/TCF:]

 Example: NetCap /B:20 /N:2 /T BP 100 0a ff1f /F:d:\IPFilter.CF

 /B:# - Buffer, capture size to take, from 1MB to 1000MB default is 1Mb

 /T   - Trigger, stop capturing when the given buffer and/or pattern is reached
        If no trigger is given, the capture will stop when the buffer is full
        Use "/T N" to continue capturing even if the buffer fills
        Oldest frames in capture will be over written once the buffer is full
        Note: With "/T N" you will have to hit space bar to stop capturing

             - 'B' = buffer, 'P' = Pattern, 'BP' = Buffer then Pattern,
                     'PB' = Pattern then Buffer 'N' = No Trigger

           - % Buffer Size '25', '50', '75', '100' used with
                     B, BP, PB (NOT P)

        - Hex Offset from start of frame used with P, BP, PB (NOT B)

       - Hex Pattern to match used with P, BP, PB (NOT B)
                     The Pattern must be an even number of hex digits

 /C: - Move temporary capture to full path and/or file name
                     This can be any valid local or remote path
                     If "/C" is not specified the capture file will remain
                     in the default temporary capture folder

 /F:- A Network Monitor 2.x generated capture filter (*.cf)

 /L:     - Capture for given amount of time (max 99:99:99)
                     Note: This option overrides the default 100% trigger
                     unless "/T " is also specified

 /Remove           - Removes the NetCap instance of the Network Monitor driver

 /N:            - NIC Index number, for this computer

 Use the following index numbers for these adapters:
 (default) 0 = ETHERNET (0050DA662B16) Internet
           1 = ETHERNET (0050DA173D80) JSIINC
           2 = ETHERNET (98C120524153) WAN (PPP/SLIP) Interface

Microsoft Knowledge Base Article 924037 contains the following INTRODUCTION:

This article describes how to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information on source and destination computers. You can use this information to troubleshoot performance issues that you may experience during the file copy process.
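
The following is an added example, not part of the original tip or of Microsoft's documentation: a Python helper that builds a Netcap command line and rejects argument combinations the help text above rules out (buffer size with /T P, an odd-length hex pattern, /B outside 1 to 1000). The function names are hypothetical, and the per-type /T argument layout is inferred from the help text and its Example line.

```python
import re

BUFFER_PERCENTS = {25, 50, 75, 100}
HEX = re.compile(r"[0-9A-Fa-f]+")

def trigger_args(ttype, percent=None, offset=None, pattern=None):
    """Tokens that follow /T, per the rules in the help text."""
    ttype = ttype.upper()
    if ttype not in {"B", "P", "BP", "PB", "N"}:
        raise ValueError(f"unknown trigger type {ttype!r}")
    tokens = [ttype]
    if "B" in ttype:  # B, BP, PB need a buffer percentage
        if percent not in BUFFER_PERCENTS:
            raise ValueError("buffer size must be 25, 50, 75 or 100")
        tokens.append(str(percent))
    elif percent is not None:
        raise ValueError(f"/T {ttype} takes no buffer size")
    if "P" in ttype:  # P, BP, PB need hex offset and hex pattern
        if not (offset and HEX.fullmatch(offset)):
            raise ValueError("offset must be hex digits")
        if not (pattern and HEX.fullmatch(pattern)) or len(pattern) % 2:
            raise ValueError("pattern must be an even number of hex digits")
        tokens += [offset, pattern]
    elif offset is not None or pattern is not None:
        raise ValueError(f"/T {ttype} takes no offset or pattern")
    return tokens

def netcap_command(buffer_mb=1, nic=0, trigger=None, duration=None,
                   filter_file=None, capture_path=None):
    """Argument list for subprocess.run(); nothing is executed here."""
    if not 1 <= buffer_mb <= 1000:
        raise ValueError("/B must be 1 to 1000 (MB)")
    cmd = ["netcap", f"/B:{buffer_mb}", f"/N:{nic}"]
    if trigger:
        cmd += ["/T", *trigger_args(*trigger)]
    if duration:
        if not re.fullmatch(r"\d\d:\d\d:\d\d", duration):
            raise ValueError("/L takes HH:MM:SS, max 99:99:99")
        cmd.append(f"/L:{duration}")
    if filter_file:
        cmd.append(f"/F:{filter_file}")
    if capture_path:
        cmd.append(f"/C:{capture_path}")
    return cmd

if __name__ == "__main__":
    # Constructed check: reproduces the Example line from the help output.
    print(" ".join(netcap_command(20, 2, ("BP", 100, "0a", "ff1f"),
                                  filter_file=r"d:\IPFilter.CF")))
```

Returning a list rather than a string means a /C: or /F: path containing spaces needs no extra quoting when passed to subprocess.run().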
