Long running captures with netmon

Occasionally you need to set up your packet capture to run for days to catch that elusive intermittent problem. I recently worked on a backup job failure that appeared to be related to a network error. The error occurred about once a week; fortunately, it's quite easy to use netmon to make long-running captures on Windows.

The best tool for this is nmcap, the command-line version of netmon; it's installed with netmon. You will of course need the appropriate amount of disk space too (make some trial runs to get an estimate). Basically I usually set up nmcap to create a series of 64MB files, start nmcap with a scheduled task, and keep either the entire frame or only the headers depending on available disk and what I am looking for.

For example something like this:

nmcap /network 1 /useprofile 1 /mindiskquota 200M /DisableLocalOnly /DisableConversations /MaxFrameLength 68 /capture  /file e:\cap\captureFile.chn:64M

You will need to specify your network (nmcap /displaynetworks) and I always use the pure capture profile (nmcap /displayprofiles). I prefer to capture all the traffic (no capture filter) and filter it later: this has less capturing overhead, is less likely to drop packets, and if you need some related traffic you didn't think you would need (DNS, for example) you have it. This last point is important because you have to wait another week if you don't have what you need. The switches in this example are pretty self-explanatory: DisableLocalOnly puts the NIC in promiscuous mode (capture all traffic it sees, not just broadcast and traffic addressed to the NIC), .chn:64M creates a series of 64MB chain files, and MaxFrameLength 68 captures only the first 68 bytes of each frame.

A couple of tips. Make sure the time on your netmon host is synchronised with the system that reports the error, so if NetBackup writes an error at 1:11:35AM you have an idea where to find it. Also be aware that if you are using a Scheduled Task to run nmcap, stopping the task (and with it the capture) will corrupt the current cap file. Basically that means don't stop the Task until you are sure the error has been written out to a capture file.
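As an added example (not part of the original post), here is a PowerShell script that wires the nmcap command above into a scheduled task that survives a week-long run, and then locates the chain file covering a logged error time, reporting whether that file is already closed so the task can be stopped without corrupting the file still being written. The netmon install path, capture directory, task name and error timestamp are placeholders.

```powershell
# Added example, not from the original post. Placeholders: netmon path, E:\cap,
# task name and the error timestamp. Network 1 / profile 1 come from the post's command.
$NmCap    = 'C:\Program Files\Microsoft Network Monitor 3\nmcap.exe'
$CapDir   = 'E:\cap'
$TaskName = 'nmcap-longrun'

# 1. Check the capture host's clock is disciplined, so its timestamps line up
#    with the system that logs the error (compare the two before trusting offsets).
w32tm /query /status

# 2. Run the capture as a task that starts at boot as SYSTEM. The default task
#    settings stop a task after 3 days; a zero ExecutionTimeLimit disables that.
$NmArgs = '/network 1 /useprofile 1 /mindiskquota 200M /DisableLocalOnly ' +
          '/DisableConversations /MaxFrameLength 68 /capture ' +
          "/file $CapDir\captureFile.chn:64M"
$Action    = New-ScheduledTaskAction -Execute $NmCap -Argument $NmArgs
$Trigger   = New-ScheduledTaskTrigger -AtStartup
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero)
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings | Out-Null
Start-ScheduledTask -TaskName $TaskName

# 3. Once the error has been logged, find the chain file covering that time.
#    A chain file's LastWriteTime is when nmcap rolled over to the next file, so
#    the error sits in the oldest file whose LastWriteTime is at or after it.
function Find-CaptureForError {
    param([datetime]$ErrorTime, [string]$Dir = $CapDir)
    $files = Get-ChildItem -Path $Dir -Filter '*.cap' | Sort-Object LastWriteTime
    $hit   = $files | Where-Object { $_.LastWriteTime -ge $ErrorTime } | Select-Object -First 1
    if (-not $hit) { Write-Warning 'No chain file has been closed since the error time yet'; return $null }
    # The newest file is the one nmcap is still writing; stopping the task now corrupts it.
    $isClosed = $hit.FullName -ne ($files | Select-Object -Last 1).FullName
    [pscustomobject]@{ File = $hit.FullName; SafeToStop = $isClosed }
}

# Placeholder error time, e.g. the NetBackup failure at 1:11:35 AM.
$result = Find-CaptureForError -ErrorTime (Get-Date '2024-01-01 01:11:35')
$result
if ($result -and $result.SafeToStop) { Stop-ScheduledTask -TaskName $TaskName }
```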
