Microsoft KB Archive/924037

= How to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information =

Article ID: 924037

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



INTRODUCTION
This article describes how to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information on source and destination computers. You can use this information to troubleshoot performance issues that you may experience during the file copy process.



MORE INFORMATION
Several factors affect network file copy performance. To identify the root cause of a problem and to identify the computer that is adversely affecting file copy performance, collect simultaneous network traces on source and destination computers.

You can capture network traffic by running the Netcap.exe utility at a command prompt. The Netcap.exe utility is installed when you install the support tools that are included with Microsoft Windows XP. For more information about how to install support tools, click the following article number to view the article in the Microsoft Knowledge Base:

306794 How to install the Support Tools from the Windows XP CD-ROM

You must use the full Network Monitor interface to open the resulting capture files (.cap). Network Monitor is included with the following products:
 * Microsoft Windows 2000 Server
 * Microsoft Windows Server 2003
 * Microsoft Windows XP
 * Microsoft Systems Management Server (SMS)

The Netcap.exe utility includes capture features that resemble those in Network Monitor. However, the Netcap.exe utility is run at a command prompt. When you first run the Netcap.exe program, it installs the Network Monitor driver and binds it to all network adapters.

Command syntax for the Netcap.exe utility
Usage: Netcap.exe [/B:Number] [/T Type  Buffer  HexOffset  HexPattern  ] [/F:Filter file.cf] [/C:Capture file] [/N:Number] [/L:HH:MM:SS] [/TCF:Folder name]

Example: NetCap /B:20 /N:2 /T BP 100 0a ff1f /F:d:\IPFilter.CF

/B:Number          Specifies the buffer size in megabytes (MB). Number may be a value from 1 to 1000. The default size is 1 MB.

/T                 Specifies the use of a trigger to determine when to stop capturing. If the trigger is omitted, the Netcap.exe utility captures data until the buffer is full and then stops. The "/T /N" option captures until the spacebar is pressed. This option uses the buffer as a queue. If the buffer becomes full, the utility overwrites the oldest entries.

Note: If you use the "/T /N" option, press the spacebar to stop capturing.

Type        B  = buffer,  P  = pattern,  BP  = buffer then pattern, PB = pattern then buffer,  N  = no trigger

Buffer      Percent buffer size ('25', '50', '75', '100') is used together with B, BP, or PB (not P).

HexOffset   Hexadecimal offset from start of frame is used together with P, BP, or PB (not B).

HexPattern  Hexadecimal pattern to match is used together with P, BP, or PB (not B). The pattern must be an even number of hexadecimal digits.

/C:Capture file    Move temporary capture to a full path or to a file name. This entry can be any valid local or remote path. If the "/C" option is not specified, the capture file remains in the default temporary capture folder.

/F:Filter file.cf  A Network Monitor 2.x-generated capture filter (*.cf).

/L:HH:MM:SS        Capture for set time. (The maximum time = 99:99:99.) Note: This option overrides the default 100 percent trigger unless the "/T trigger type" option is also specified.

/TCF:Folder name   Permanently changes the temporary capture folder. Warning: The path must be on a fixed local hard disk drive. As soon as the path is set, you only have to use the switch again to change the directory.

/Remove            Removes the Netcap.exe instance of the Network Monitor driver.

/N:Number          Network adapter index number for this computer.

To capture network traces on source and destination computers, follow these steps:

1. On the source computer, click Start, click Run, type cmd, and then click OK.

2. At the command prompt, type the following command:

   netcap /n:1 /b:150 /c:c:\Source.cap

   Notes
    * In this example, the Netcap.exe utility captures traffic that is located on network adapter index number 1. The capture buffer is 150 MB. The capture file is saved as C:\Source.cap.
    * To find the network adapter index number, type netcap /? . Under the syntax information, you can see a list of the network adapters that are installed on the computer. Select the correct network adapter to capture network traffic. For example, if you want to capture traffic for local area connection 2 on a computer that uses the following network adapters, use index number 1:

      Use the following index numbers for these adapters:
      (default) 0 = ETHERNET (2C3D20524153) WAN (PPP/SLIP) Interface
                1 = ETHERNET (000039139635) Local Area Connection 2
                2 = ETHERNET (0000390E118E) Local Area Connection

    * If the client computer accesses the destination file server over a virtual private network (VPN) connection, the virtual interface that is created on the client computer must be monitored to see file copy traffic.

3. On the destination computer, type the following command at a command prompt, and then press ENTER:

   netcap /n:1 /b:150 /c:c:\Destination.cap

   Notes
    * In this example, the Netcap.exe utility captures traffic that is located on network adapter index number 1. The capture buffer is 150 MB. The capture file is saved as C:\Destination.cap.
    * Make sure that you select the correct network adapter index number.

4. On the source computer, type the following command at a command prompt, and then press ENTER:

   ping -n 15

   Note The IP address is the starting point for the network trace.

5. On the source computer, type the following command at a command prompt, and then press ENTER:

   net use * \\ \

   Note  is the name of the server where the file is stored. is the name of the file share.

6. On the source computer, type the following command at a command prompt, and then press ENTER:

   Copy  :

7. After the file copy process is complete, type the following command at a command prompt on the source computer:

   ping -n 15

   Note This IP address is the end point for network trace.

8. Press SPACEBAR to stop capturing network traffic.

9. Send the following information to Microsoft Product Support Services (PSS):
    * The Source.cap file from the source computer.
    * The Destination.cap file from the destination computer.
    * The name of the file that you copied in step 6.
    * The IP addresses of the source and destination computers.
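The adapter-index lookup described in the notes above is easy to get wrong when two connection names share a prefix. The following Python sketch is an added example, not part of the original article or of any Microsoft tool: it parses an adapter list in the form shown in this article and builds the capture command. The function names and the one-adapter-per-line layout of the listing are assumptions.

```python
import re

# Constructed sample: the adapter list from this article, one adapter per
# line (the per-line layout of the "netcap /?" output is an assumption).
SAMPLE_LISTING = """\
Use the following index numbers for these adapters:
(default) 0 = ETHERNET (2C3D20524153) WAN (PPP/SLIP) Interface
          1 = ETHERNET (000039139635) Local Area Connection 2
          2 = ETHERNET (0000390E118E) Local Area Connection
"""

ADAPTER_LINE = re.compile(
    r"^\s*(?P<default>\(default\))?\s*(?P<index>\d+)\s*=\s*(?P<media>\S+)\s*"
    r"\((?P<mac>[0-9A-Fa-f]{12})\)\s*(?P<name>.+?)\s*$"
)

def parse_adapters(listing):
    """Return one dict per adapter line; all other lines are ignored."""
    adapters = []
    for line in listing.splitlines():
        m = ADAPTER_LINE.match(line)
        if m:
            adapters.append({
                "index": int(m.group("index")),
                "mac": m.group("mac").upper(),
                "name": m.group("name"),
                "default": m.group("default") is not None,
            })
    return adapters

def adapter_index(listing, connection_name):
    """Exact, case-insensitive name match: a substring test would confuse
    "Local Area Connection" with "Local Area Connection 2"."""
    wanted = connection_name.strip().lower()
    hits = [a["index"] for a in parse_adapters(listing)
            if a["name"].lower() == wanted]
    if len(hits) != 1:
        raise LookupError(f"{connection_name!r} matched {len(hits)} adapters")
    return hits[0]

def capture_command(index, buffer_mb, capture_file):
    """Build the command used in the steps; /B accepts 1 to 1000 MB."""
    if not 1 <= buffer_mb <= 1000:
        raise ValueError("buffer size must be between 1 and 1000 MB")
    return f"netcap /n:{index} /b:{buffer_mb} /c:{capture_file}"
```
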


MORE INFORMATION
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

310875 Description of the Network Monitor Capture Utility

Keywords: kbhowto KB924037

-


© Microsoft Corporation. All rights reserved.