Wednesday, September 1, 2010

NMCap

NMCap is a command-line executable that is included within Microsoft’s Network Monitor installation.  It allows for network capture via a non-GUI method such as a batch file.  The command nmcap /displaynetwork will show the available network cards.

nmcap1

The command nmcap /network * /capture /file C:\users\swalker\desktop\test.cap will capture all traffic on all network cards, and will place the data within a file called test.cap.

nmcap2

The command nmcap /network * /capture “tcp.port == 80” /file C:\users\swalker\desktop\test.cap will capture traffic only using TCP port 80 for all network cards, and will place the data within a file called test.cap.

nmap3

One option is to create capture files based on file size.  This would prevent the creation of one large single file.  The command nmcap /network * /capture /file C:\users\swalker\desktop\test.chn:1MB will capture traffic on all interfaces and create a series of 1 MB files.

nmap4

After using the command above, several separate files will be created after a period of time.

nmap5 

The individual files can be combined into a single file after the fact.  The command nmcap /inputcapture test.cap test(1).cap test(2).cap test(3).cap test(4).cap /capture /file out.cap will combine the various individual files into one file.

nmap6

After the command is used, a new single file with all of the captured data should be present.

nmap7

To see more sample options, use the command nmcap /examples.  For example, the command nmcap /network * /capture  (!ARP AND !ICMP AND !NBTNS AND !BROWSER) /File NoNoise.cap creates a capture file excluding several traffic types.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.