How to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information (924037)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Standard x64 Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
INTRODUCTION
This article describes how to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information on source and destination computers. You can use this information to troubleshoot performance issues that you may experience during the file copy process.
MORE INFORMATION
Several factors affect network file copy performance. To identify the root cause of a problem and to identify the computer that is adversely affecting file copy performance, collect simultaneous network traces on source and destination computers. You can capture network traffic by running the Netcap.exe utility at a command prompt. The Netcap.exe utility is installed when you install the support tools that are included with Microsoft Windows XP.
For more information about how to install support tools, click the following article number to view the article in the Microsoft Knowledge Base:
306794 How to install the Support Tools from the Windows XP CD-ROM
You must use the full Network Monitor interface to open the resulting capture files (.cap). Network Monitor is included with the following products:
- Microsoft Windows 2000 Server
- Microsoft Windows Server 2003
- Microsoft Windows XP
- Microsoft Systems Management Server (SMS)
The Netcap.exe utility includes capture features that resemble those in Network Monitor. However, the Netcap.exe utility is run at a command prompt. When you first run the Netcap.exe program, it installs the Network Monitor driver and binds it to all network adapters.
Command syntax for the Netcap.exe utility
Usage:
Netcap.exe [/B:Number] [/T Type Buffer HexOffset HexPattern]
           [/F:Filter file.cf] [/C:Capture file] [/N:Number]
           [/L:HH:MM:SS] [/TCF:Folder name]
Example: NetCap /B:20 /N:2 /T BP 100 0a ff1f /F:d:\IPFilter.CF

/B:Number          Specifies the buffer size in megabytes (MB). Number may be a value from 1 to 1000.
                   The default size is 1 MB.
/T                 Specifies the use of a trigger to determine when to stop capturing. If the trigger is omitted,
                   the Netcap.exe utility captures data until the buffer is full and then stops. The "/T /N" option
                   captures until the spacebar is pressed. This option uses the buffer as a queue. If the buffer
                   becomes full, the utility overwrites the oldest entries.
                   Note: If you use the "/T /N" option, press the spacebar to stop capturing.
    Type           B = buffer, P = pattern, BP = buffer then pattern,
                   PB = pattern then buffer, N = no trigger
    Buffer         Percent buffer size ('25', '50', '75', '100') is used together with
                   B, BP, or PB (not P).
    HexOffset      Hexadecimal offset from start of frame is used together with P, BP, or PB (not B).
    HexPattern     Hexadecimal pattern to match is used together with P, BP, or PB (not B).
                   The pattern must be an even number of hexadecimal digits.
/C:Capture file    Move temporary capture to a full path or to a file name.
                   This entry can be any valid local or remote path.
                   If the "/C" option is not specified, the capture file remains
                   in the default temporary capture folder.
/F:Filter file.cf  A Network Monitor 2.x-generated capture filter (*.cf).
/L:HH:MM:SS        Capture for set time. (The maximum time = 99:99:99.)
                   Note: This option overrides the default 100 percent trigger
                   unless the "/T trigger type" option is also specified.
/TCF:Folder name   Permanently changes the temporary capture folder.
                   Warning: The path must be on a fixed local hard disk drive.
                   As soon as the path is set, you only have to use the switch again
                   to change the directory.
/Remove            Removes the Netcap.exe instance of the Network Monitor driver.
/N:Number          Network adapter index number for this computer.
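The option rules above can be checked before a command line is run on the source and destination computers. The following Python sketch is an added example, not part of the original article or of Netcap.exe; the function names parse_trigger and parse_netcap are hypothetical, and it assumes that paths contain no spaces.

```python
import re

HEX = re.compile(r"[0-9A-Fa-f]+\Z")

def parse_trigger(args):
    """Validate the tokens after /T; return (trigger dict, tokens consumed)."""
    # The page writes the no-trigger form both as type N and as "/T /N".
    ttype = (args[0] if args else "").upper().lstrip("/")
    if ttype == "N":
        return {"type": "N"}, 1
    if ttype not in ("B", "P", "BP", "PB"):
        raise ValueError(f"unknown trigger type {ttype!r}")
    # Buffer goes with B, BP, PB; HexOffset and HexPattern with P, BP, PB.
    want = ["buffer"] * ("B" in ttype) + ["offset", "pattern"] * ("P" in ttype)
    vals = args[1:1 + len(want)]
    if len(vals) < len(want):
        raise ValueError(f"trigger {ttype} needs: {' '.join(want)}")
    trig = dict(zip(want, vals), type=ttype)
    if "buffer" in trig and trig["buffer"] not in ("25", "50", "75", "100"):
        raise ValueError("buffer percent must be 25, 50, 75 or 100")
    if "pattern" in trig:
        off, pat = trig["offset"], trig["pattern"]
        if not (HEX.match(off) and HEX.match(pat) and len(pat) % 2 == 0):
            raise ValueError("offset/pattern must be hex, pattern of even length")
    return trig, 1 + len(want)

def parse_netcap(cmdline):
    """Parse a Netcap command line (paths without spaces) into an options dict."""
    tokens = cmdline.split()[1:]  # drop the program name
    opts, i = {}, 0
    while i < len(tokens):
        name, _, value = tokens[i].partition(":")
        name = name.upper()
        i += 1
        if name == "/T":
            opts["T"], used = parse_trigger(tokens[i:])
            i += used
        elif name == "/REMOVE" and not value:
            opts["REMOVE"] = True
        elif name in ("/B", "/N") and value.isdigit():
            opts[name[1:]] = int(value)
        elif (name in ("/C", "/TCF") and value
              or name == "/F" and value.lower().endswith(".cf")
              or name == "/L" and re.match(r"\d\d:\d\d:\d\d\Z", value)):
            opts[name[1:]] = value
        else:
            raise ValueError(f"bad option {tokens[i - 1]!r}")
    if not 1 <= opts.get("B", 1) <= 1000:
        raise ValueError("/B must be from 1 to 1000 (MB)")
    return opts
```

Passing the article's own example line to parse_netcap returns the BP trigger with buffer 100, offset 0a and pattern ff1f; a pattern with an odd number of digits, or a buffer percent given with type P, raises ValueError.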
To capture network traces on source and destination computers, follow these steps:
1. On the source computer, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command:
   netcap /n:1 /b:150 /c:c:\Source.cap
   Notes
   - In this example, the Netcap.exe utility captures traffic that is located on network adapter index number 1. The capture buffer is 150 MB. The capture file is saved as C:\Source.cap.
   - To find the network adapter index number, type netcap /?. Under the syntax information, you can see a list of the network adapters that are installed on the computer. Select the correct network adapter to capture network traffic. For example, if you want to capture traffic for local area connection 2 on a computer that uses the following network adapters, use index number 1:
     Use the following index numbers for these adapters:
     (default) 0 = ETHERNET (2C3D20524153) WAN (PPP/SLIP) Interface
     1 = ETHERNET (000039139635) Local Area Connection 2
     2 = ETHERNET (0000390E118E) Local Area Connection
   - If the client computer accesses the destination file server over a virtual private network (VPN) connection, the virtual interface that is created on the client computer must be monitored to see file copy traffic.
3. On the destination computer, type the following command at a command prompt, and then press ENTER:
   netcap /n:1 /b:150 /c:c:\Destination.cap
   Notes
   - In this example, the Netcap.exe utility captures traffic that is located on network adapter index number 1. The capture buffer is 150 MB. The capture file is saved as C:\Destination.cap.
   - Make sure that you select the correct network adapter index number.
4. On the source computer, type the following command at a command prompt, and then press ENTER:
   ping -n 15 Destination_IP_address
   Note The IP address is the starting point for the network trace.
5. On the source computer, type the following command at a command prompt, and then press ENTER:
   Note Server is the name of the server where the file is stored. Share is the name of the file share.
6. On the source computer, type the following command at a command prompt, and then press ENTER:
   Copy File_name Drive_letter:
7. After the file copy process is complete, type the following command at a command prompt on the source computer:
   ping -n 15 Destination_IP_address
   Note This IP address is the end point for network trace.
8. Press SPACEBAR to stop capturing network traffic.
9. Send the following information to Microsoft Product Support Services (PSS):
   - The Source.cap file from the source computer.
   - The Destination.cap file from the destination computer.
   - The name of the file that you copied in step 6.
   - The IP addresses of the source and destination computers.
Modification Type: Minor
Last Reviewed: 9/13/2006
Keywords: kbhowto KB924037 kbAudITPRO kbAudEndUser