Use pigs to find truffles and use Netcap to do quick and dirty packet captures.
By Jeffery Hicks
I know there are many packet-capturing tools, including some terrific open source products. But for real simplicity, and the cost is right, there's the command-line version of Network Monitor, also called Netcap.exe.
Netcap.exe is part of Windows Support Tools. The only other step you have to take before using it is to install the Network Monitor driver and bind it to the network card you'll be capturing on.
Before you can capture, you need to know the adapter number. At the command prompt, type netcap /?. At the end of the help screen you'll see the available adapters and their respective numbers. Let's assume it is 4, since that's what it is for me and it makes my examples easier.
You can capture traffic until the specified buffer is full, when some trigger is met or after a given period of time. You can stop the capture at any time. By default, captures are stored in your temp directory with a temporary file name. I prefer to use the /C switch and specify a file.
Normally, I'm only capturing packets while I'm monitoring or working out some problem. Because Netcap will stop once its default 1MB buffer is full, I always reset it to at least 10MB. (The max is 1000MB.) When I'm ready to go, I open a command prompt and type:
netcap /n:4 /c:e:\temp\webtrace.cap /b:10
Once I'm done with my testing, I go back to the command prompt and press the space bar to stop the capture. Because I installed the Network Monitor tools when I installed the driver, I can double-click my capture file and it will open in the Network Monitor application.
Yes, I know I could have just used the application and been done. But I can get it started faster from the command line. Plus, if I'm troubleshooting an application or a script, I can combine it with Netcap in a batch file. This way, I can kick off the network trace and immediately follow it with a script. In the batch file I use Start to launch Netcap in a separate window, wait a second, then launch the script:
@echo off
rem Start Netcap in its own window: adapter 4, 10MB buffer, capture file on e:, stop after 10 seconds
start netcap /b:10 /n:4 /c:e:\temp\test1.cap /L:00:00:10
rem Give Netcap a moment to begin capturing before the script generates traffic (sleep is from the Resource Kit)
sleep 1
rem Run the script being traced
cscript s:\wmiosinfo.vbs dc01
As written, the capture will only run for 10 seconds, but I can end it prematurely if the script finishes before then.
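The same capture-then-run sequence can be wrapped in a PowerShell script that also waits for Netcap to finish and checks that a non-empty capture file was actually written, which the batch file above does not do. This is an added example, not code from the column; it assumes netcap.exe is on the PATH, the Network Monitor driver is bound to adapter 4, and the capture path, script name and host name are placeholders taken from the article's examples. Only the Netcap switches already shown in the column (/n, /c, /b, /L) are used.

```powershell
# Added example (not from the column): run a timed Netcap capture around a script,
# then verify the capture file exists and is not empty.
param(
    [int]$Adapter = 4,                          # adapter number listed at the end of "netcap /?"
    [string]$CaptureFile = "e:\temp\test1.cap", # placeholder path from the article
    [int]$BufferMB = 10,                        # default buffer is 1MB, max is 1000MB
    [string]$Duration = "00:00:10",             # /L time limit, hh:mm:ss
    [string]$Script = "s:\wmiosinfo.vbs",       # placeholder script from the article
    [string]$Target = "dc01"                    # placeholder host from the article
)

# Build the Netcap argument list from the parameters above.
$netcapArgs = "/n:$Adapter", "/c:$CaptureFile", "/b:$BufferMB", "/L:$Duration"

# Launch Netcap in its own window so its console input does not interfere with the script.
$netcap = Start-Process -FilePath "netcap.exe" -ArgumentList $netcapArgs -PassThru

# Give Netcap a moment to start capturing before the script generates traffic.
Start-Sleep -Seconds 1

# Run the script being traced.
& cscript.exe //nologo $Script $Target

# Netcap exits by itself when the /L limit is reached; wait for it rather than
# reading a capture file that is still being written.
Wait-Process -Id $netcap.Id

# Sanity check: a missing or zero-length file usually means the wrong adapter
# number or a driver that is not bound to the card.
if (Test-Path $CaptureFile) {
    $size = (Get-Item $CaptureFile).Length
    Write-Host ("Capture written: {0} ({1:N0} bytes)" -f $CaptureFile, $size)
    if ($size -eq 0) {
        Write-Warning "Capture file is empty; check the adapter number and driver binding."
    }
} else {
    Write-Warning "No capture file found at $CaptureFile"
}
```

Because the script waits on the Netcap process, the capture always runs for the full /L duration; shorten $Duration rather than trying to stop Netcap programmatically, since Netcap expects a space-bar press at its own console to end a capture early.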
Again, there are plenty of great packet capture tools out there and you should have at least one. But Netcap's simplicity and ease of use is pretty hard to beat for quick and dirty work.
Jeffery Hicks MCSE, MCSA, MCT is a senior network engineer with Visory Group. He's a contributing editor to ScriptingAnswers.com and the coauthor, with Don Jones, of "Advanced VBScript for Microsoft Windows Administrators" (Microsoft Press, http://tinyurl.com/g63nf ) and "PowerShell TFM" (SAPIEN Press, http://tinyurl.com/2v7dye ). Jeff is also the creator of several popular, script-related tools used for network and Exchange administration. He maintains a blog at http://jdhitsolutions.blogspot.com .
