Here are my tips for capturing at 10G with netmon. I have tried many combinations to get a good capture without losing frames.
- Use nmcap of course
- Use profile 0, pure capture, this means no filtering at all
- Keep the max frame length low, 80 works well
- Save to large files, I use 1024M
With the above on a busy interface you are creating many files and using up disk space fast. Typically I am only interested in a certain IP in my 10G capture, so while I am capturing I start a series of jobs to filter the capture files. As the jobs run I can delete the 1G files to start recovering disk space.
Here is an example. Say my capture is creating a series of files named net1_capture_v1(0).cap, net1_capture_v1(1).cap and so on. To filter these I use a cmd batch for loop. The steps are like this:
- Get the list of files to process, in this case that's dir /b *v1* > filesv1.txt
- Open filesv1.txt and check that the file names look right.
- Run your filter job (looking for IP 18.104.22.168, 0x0a234567 in this example). The filter expression must be passed to /capture as one quoted argument, and each input gets its own output file:
- for /f %i in (filesv1.txt) do nmcap /useprofile 1 /disableconversations /inputcapture %i /capture "Blob(FrameData, 26, 4) == 0x0a234567 OR Blob(FrameData, 30, 4) == 0x0a234567" /file %~ni_filtered.cap:2G
Now the blob filter above is fast, but it will still take a while to run through a 1G file, so you may want to get a couple of filtering jobs running in parallel. I find the easiest way to do that is to stop the capture after it has created 20 or so files and immediately restart it with a new file name of v2, v3 and so on. Then I create a for loop for each series of files.
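As an added example (not from the original post), here is the same loop as a reusable batch file: it filters one series, deletes each 1G input only after nmcap exits successfully, and can be launched once per series with start to get the parallel jobs described above. It assumes the net1_capture_<tag>(N).cap naming, untagged Ethernet (source IP at offset 26, destination at 30) and that nmcap returns a non-zero exit code on failure.

```batch
@echo off
rem filter_series.bat - added example, not from the original post.
rem Usage: filter_series.bat <series-tag> <hex-ip>
rem   e.g. filter_series.bat v1 0x0a234567   (0x0a234567 is 10.35.69.103)
rem Filters every net1_capture_<tag>(N).cap for frames whose IPv4 source
rem (Ethernet 14 + IP header offset 12 = 26) or destination (offset 30)
rem equals <hex-ip>, then deletes the input file so disk space is reclaimed.
rem Assumption: untagged Ethernet; with an 802.1Q tag add 4 to both offsets.
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 ^<series-tag^> ^<hex-ip^>
    exit /b 1
)
set "TAG=%~1"
set "HEXIP=%~2"
set "LIST=files%TAG%.txt"

rem Build the file list; the pattern only matches raw capture chunks,
rem not the list file itself or previously filtered output.
dir /b *_%TAG%(*).cap > "%LIST%"

for /f "usebackq delims=" %%i in ("%LIST%") do (
    echo Filtering %%i ...
    nmcap /useprofile 1 /disableconversations /inputcapture "%%i" ^
        /capture "Blob(FrameData, 26, 4) == %HEXIP% OR Blob(FrameData, 30, 4) == %HEXIP%" ^
        /file "%%~ni_filtered.cap:2G"
    rem Assumption: nmcap sets a non-zero errorlevel on failure.
    if errorlevel 1 (
        echo nmcap failed on %%i, keeping the input file
    ) else (
        del "%%i"
    )
)
endlocal
```

To run the series in parallel, launch one window per series: start "filter v1" cmd /c filter_series.bat v1 0x0a234567, then the same for v2, v3 and so on.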