How to Enable a Circular Network Capture with Nmcap or Netsh

It can be useful to have a circular network trace when troubleshooting issues where you do not know when the problem will reproduce again and you do not want to risk the capture file getting too large by having the trace running indefinitely.

The following Nmcap command enables a circular network capture that will stop when available disk space reaches 20%. The command works on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

  1. Download and install Network Monitor.

    http://go.microsoft.com/fwlink/?LinkID=103158

  2. Run the following command from a command prompt (elevated command prompt if on Windows Vista or later):

    nmcap /network * /capture not(Frame.Ethernet.IPv4.TCP.Port==3389) /MaxFrameLength 512 /file netcap.chn:200MB /RecordConfig /CaptureProcesses /MinDiskQuotaPercentage 20

  3. Use CTRL+C to stop the capture.

What that command does:

  • Captures on all network interfaces.
  • Does not capture RDP traffic (TCP port 3389).
  • Only captures the first 512 bytes of each packet (making the capture file smaller).
  • Creates a chain of capture files of 200 MB each (edit the file path in this argument as desired).
  • Records the capture configuration in the first two packets of the capture.
  • Captures process information, in case it is useful when analyzing the trace.
  • Stops when only 20% of disk space remains.

The time period that each 200 MB capture file will cover is completely dependent on the amount of network traffic the computer is seeing.

There is some CPU, memory, and I/O overhead when running a local network capture. If you do not want to add any additional load to the computer, you can mirror the switch port that the target computer is using, and then capture from another computer on that mirrored port.

Capturing only the first 512 bytes of each frame is enough to troubleshoot most issues and keeps the capture file smaller, so each capture file covers a longer time frame. Examples of cases where you would want to capture the entire frame are decrypting SSL traffic, or comparing the payload against the actual amount of data sent on the wire.

Netsh.exe in Windows 7 and later supports network capturing without having to install the Network Monitor tool.

The following Netsh command enables a circular network capture that will not exceed 200 MB in size. The command works on Windows 7 and Windows Server 2008 R2.

  1. Run the following command from an elevated command prompt:

    netsh trace start capture=yes packettruncatebytes=512 tracefile=%temp%\%computername%_nettrace.etl maxsize=200 filemode=circular overwrite=yes report=no

  2. Run the following command when you want to stop the capture:

    netsh trace stop

The ETL trace file that it generates can be viewed in the Network Monitor tool.
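The following PowerShell wrapper is an added example, not part of the original article: it starts the same circular netsh trace with the article's parameters, but first checks that the prompt is elevated and that the target drive has both room for the 200 MB file and at least the 20% free-space floor the Nmcap command enforces with /MinDiskQuotaPercentage. The function names, parameter names and the free-space check are this example's own assumptions.

```powershell
# Added example (not from the original article): wraps the circular netsh
# capture in pre-flight checks a practitioner would want before a long trace.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-CircularNetTrace {
    param(
        # Same default location as the article: %TEMP%\<computername>_nettrace.etl
        [string]$TraceFile      = (Join-Path $env:TEMP "$($env:COMPUTERNAME)_nettrace.etl"),
        [int]   $MaxSizeMB      = 200,
        [int]   $TruncateBytes  = 512,
        [int]   $MinFreePercent = 20    # mirrors /MinDiskQuotaPercentage 20 from the Nmcap command
    )

    if (-not (Test-IsElevated)) { throw 'netsh trace start requires an elevated prompt.' }

    # Free-space check (assumption of this example): refuse to start if the circular
    # file would not fit, or if the drive is already below the free-space floor.
    $driveName = (Split-Path $TraceFile -Qualifier).TrimEnd(':')
    $drive     = Get-PSDrive -Name $driveName
    $freeMB    = [math]::Floor($drive.Free / 1MB)
    $freePct   = 100 * $drive.Free / ($drive.Used + $drive.Free)
    if ($freeMB -lt $MaxSizeMB -or $freePct -lt $MinFreePercent) {
        throw ('Only {0} MB ({1:N1}%) free on {2}:; not starting the capture.' -f $freeMB, $freePct, $driveName)
    }

    # Identical arguments to the article's command; PowerShell quotes the tracefile
    # argument automatically if the path contains spaces.
    $netshArgs = @(
        'trace', 'start', 'capture=yes',
        "packettruncatebytes=$TruncateBytes",
        "tracefile=$TraceFile",
        "maxsize=$MaxSizeMB",
        'filemode=circular', 'overwrite=yes', 'report=no'
    )
    Write-Host "Starting: netsh $($netshArgs -join ' ')"
    & netsh.exe @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
    return $TraceFile
}

function Stop-CircularNetTrace {
    & netsh.exe trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }
}
```

Run Start-CircularNetTrace from an elevated PowerShell prompt, reproduce the issue, then run Stop-CircularNetTrace and open the returned .etl path in Network Monitor.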