Windows/Windows common

[Scrap] NetMon automatic capture

99iberty 2018. 6. 14. 18:40


※ NetMon packet capture


nmcap /network * /CaptureProcesses /capture /File node1.cap:500M

When I ran the command above...


After 200 seconds, about 200MB of server memory was in use
After 1000 seconds, about 310MB of server memory was in use
After 4000 seconds, about 774MB of server memory was in use


After 4000 seconds I got nervous and stopped it; roughly 280MB of packets had been captured.

(This will probably depend on the network traffic, though)




https://blogs.technet.microsoft.com/rmilne/2014/01/27/how-to-automate-netmon-captures/

How To Automate NetMon Captures


When troubleshooting various Exchange issues it can be very beneficial to get a network capture to look at the actual packets going over the wire.  For example, when looking at Outlook connectivity issues we can enable Outlook client logging and RPC Client Access Logging on the Exchange Server.  Both are great troubleshooting tools, and while we can solve a lot of issues with that information, there can still be great value in looking at the actual network packets.  Is there some inline WAN optimisation device that is causing an issue, or do we see retransmits?

[Screenshot: Network Monitor 3.4 Download Location]

Unlike in days of old*, we do not install the full version of NetMon from the SMS installation media; it can be downloaded from the Microsoft Download Centre.

Note that there are separate packages for x86, x64 and Itanium installations.  Ensure that you choose the correct type, else it will not install.

Installing Network Monitor is straightforward.  It will install the tool itself, and then the parsers which are required to split and analyse the traffic.  The parsers that come with the Netmon download are a bit out-dated nowadays.  The latest parsers can be downloaded from Codeplex.   Installing the newer parsers will overwrite the older ones.

By default Netmon 3.4 will install into C:\Program Files\Microsoft Netmon 3.  This folder is used for both x86 and x64 installations since the image type is native to the OS.

I won’t go into detail on using the Netmon GUI; rather, let’s focus on the command line aspects of capturing.  Capturing data this way can be easier than explaining which buttons or options someone has to select in the UI.  From a Microsoft perspective it allows us to send out a command that we know will be executed correctly and will gather the required data.  Otherwise the data could be missed and we would have to wait for another occurrence, delaying the troubleshooting.

The GUI Network Monitor executable file is Netmon.exe.  For command line work we need to use NMCap.exe.

 

Quick & Simple Examples

Some quick examples before we go down the rabbit hole……

Capture All Traffic To A Rolling Log File

NMCap.exe /Network * /Capture /File C:\Netmon.cap:100MB

 

Capture Traffic on A Named Interface – Local Area Connection

NMCap.exe /Network “Local Area Connection” /Capture /File C:\NetMon.cap:100MB

 

Capture All Traffic – Chained Log Files

NMCap.exe /Network * /Capture /File C:\Netmon.chn:100MB

 

 

Command Line Options

To explore all of the command line options open an elevated CMD prompt, and change directory to the C:\Program Files\Microsoft Netmon 3 directory.  Once there, run:

NMCap.exe /?

To see examples run:

NMCap.exe /Examples

I’ll let you pick through all of the syntax, but there are a couple of options to note.  First up, the file extension controls whether a single circular file or a chain of files is used.

/File <Capture File>[:<File Size Limit>]   Name of capture file to save frames to. Extensions are used to determine the behavior of NMCap.
       .cap -- Netmon 2 capture file
       .chn -- Series of Netmon 2 capture files: t.cap, t(1).cap, t(2).cap...
      <File Size Limit> is optional. It limits the file size of each capture file generated.  The default single capture file size limit is 20 MB. The upper bound of the file size limit is 500 MB. The lower bound of the file size limit depends on the frame size captured (note that the maximum payload of a standard Ethernet frame is 1500 bytes).  A single .cap file is circular, so once the size limit is reached, new data overwrites older data; a .chn chain closes the current file at the limit and starts the next one instead.

      Example Usage: /File t.cap:50M

There are various start and stop conditions that can be used; they can be time or action based.  If nothing is specified, use Ctrl + C to stop the capture.  Take a look at the help for more details on /TerminateWhen, /StopWhen and /StartWhen.

 

Capturing Data Via The Command Line

In Short the command line steps are:

  1. Open elevated CMD prompt
  2. Ensure C:\Netmon folder exists
  3. Change directory to C:\Program Files\Microsoft Netmon 3 directory
  4. Run the Netmon capture command

 

One thing to note!  There are options to limit the networks that data will be captured on.  For example Nmcap.exe /Network 3 could be used.  How do we know what networks are present, and which interface is which?

NMCap.exe /DisplayNetwork to the rescue!

[Screenshot: Discover Network Monitor Interfaces - NMCAP /DisplayNetwork]

 

 

Netmon Bundled Examples

 

Example 1:

This example starts capturing all TCP frames, which will be saved in a capture file named tcp.cap. To stop capturing, press Control+C.

nmcap /network * /capture tcp /File tcp.cap

 

Example 2:

This example starts capturing network frames that DO NOT contain ARP, ICMP, NBTNS and BROWSER frames.  To stop capturing, press Control+C.

nmcap /network * /capture  (!ARP AND !ICMP AND !NBTNS AND !BROWSER) /File NoNoise.cap

 

Example 3:

This example starts capturing network frames that are TCP continuations. The capture filter searches for the string "Continuation" in the TCP frame summary description. To see the complete list of Netmon properties that are filterable, type ".Property" in the Netmon filter UI.

nmcap /network * /capture contains(.Property.Description, \"Continuation\") /File TCPContinuations.cap

 

Example 4:

This example starts capturing network frames at 3:17 PM on September 10, 2002.  All DNS frames that contain the QRecord question name 'my_computer' will be saved in a capture file named dns.cap. The size of the capture file will not exceed 6 megabytes. If the user presses x at any time during this capture, the program will terminate; otherwise the capture will stop 10 minutes after it has begun.

nmcap /network * /startwhen /time 3:17:00 PM 9/10/2002 /capture contains(dns.qrecord.questionname,'my_computer') /file dns.cap:6M /stopwhen /timeafter 10Min /TerminateWhen /KeyPress x

Example 5:

This example starts capturing network frames after 10 seconds have passed. All IPv4 frames received by the local machine with IP address 192.168.0.1 will be saved in a capture file named ip.cap. No size is given, so the capture file will not exceed the default limit (20 MB, as described in the /File help above). If the user presses c at any time during this capture, the program will terminate; otherwise the capture will stop 10 minutes after it has begun.

nmcap /network * /startwhen /timeafter 10 /capture ipv4.destinationaddress == 192.168.0.1 /file ip.cap /stopwhen /timeafter 10 min /TerminateWhen /KeyPress c

 

Example 6:

Starts capturing network frames immediately. All TCP frames that have a source port or destination port of 80 are saved to the chained capture files named test.cap, test(1).cap, test(2).cap, ..., each limited to 6 MB. When the user presses the 'x' key the program stops.

nmcap /network * /capture tcp.port == 80 /file c:\temp\test.chn:6M /stopwhen /keypress x

 

Example 7:

Capture starts when a TCP SYN frame to or from the specified IPv4 address (192.168.0.1) is seen. From then on all frames are stored in the capture file t.cap, limited to 8 MB. The program stops when a FIN or RST frame for that address is seen, i.e. when the TCP connection ends.

nmcap /network * /startwhen /frame tcp.flags.syn == TRUE AND ipv4.Address == 192.168.0.1 /capture /file t.cap:8M /stopwhen /frame (tcp.flags.fin == TRUE OR tcp.flags.reset == TRUE) AND ipv4.Address == 192.168.0.1

 

Example  8:

This example reassembles fragmented frames of capture.cap at all layers possible. The resultant capture file, Reassembled.cap, will contain the reassembled payloads along with the original unfragmented frames.

nmcap /inputcapture capture.cap /reassemblecapture /file Reassembled.cap

 

Example  9:

This example starts capturing frames, which will be saved in a capture file named result.cap. To stop capturing, press Control+C. When the free disk space is less than 20% of the total space of the current disk, capture will stop as well.

nmcap /network * /capture /File result.cap /MinDiskQuotaPercentage 20


 

Example 10:

This example starts capturing frames and also tracks processes that generated network traffic. The resultant output file is ProcessTraffic.cap.

nmcap /network * /capture /File ProcessTraffic.cap /CaptureProcesses

 

Advanced Examples

The examples below are from real troubleshooting incidents.  Note that %computername% is embedded into the output file so that we can easily identify which capture is which.  Just like in 1994 and we have CV~1.doc, CV~2.doc and CV~3.doc on a floppy disk, it’s a real pain looking at a bunch of files called capture.cap.  Yes we can place them in folders, but they often get messed up!

One of the neat things is that NMCAP uses the same filter syntax as Netmon.exe.  That means you can tweak and develop the capture filter in the UI and then transpose it. 

In the examples below we are using the Blob mechanism to determine the data that we want to capture.  While this is not explicitly documented in the NMCap help content, it does fall within the [FrameFilter] section.  As discussed on the NetMon team blog, to create a filter using the Blob, you need to know the offset and length of the pattern you are matching. Often, the simplest way to do this is open a trace you’ve taken from the network you are interested in, and click on the field in question. Then look in the hex details for that location and offset.

Below is an example of this.  We have highlighted the IPv4 Destination Address field.  Note in the Hex Details pane that the Frame Offset is shown as 30 with Sel Bytes of 4 (14 bytes of Ethernet II header plus 16 bytes into the IPv4 header).

[Screenshot: Determine Blob Offset for Network Monitor Advanced Analyses And Capturing]

For this example the filter would be Blob(FrameData, 30, 4) == 192.168.2.40

Neat, eh?  I have to thank Curtis Houck for introducing this to me.

While it is possible to use this syntax for filtering, it may not be optimal in a high volume traffic scenario.  In such cases we can convert the IP address to hex and use that in the filter.  For the above example, let’s do that conversion; the starting filter is:

Blob(FrameData, 30, 4) == 192.168.2.40

 

I do this in two steps. First, each IP octet is converted to a two-digit hex value (the Windows calculator will do):

Blob(FrameData, 30, 4) == C0.A8.02.28

Then the periods are removed and the hex prefix 0x is added.  Keep the leading zero on 02: the literal must be exactly eight hex digits (four bytes) to compare equal to a 4-byte Blob.

Blob(FrameData, 30, 4) == 0xC0A80228

 

 

Advanced Example 1

Capture all data between Source IP 192.168.16.5 and Destination IP 131.107.2.200.

In this example we will capture on any network, limiting the frame length to 256 bytes, with a series of chained output files each limited to 100 MB.  The capture filter uses the Blob methodology described above for high performance parsing.   Blob(framedata,26,4)==192.168.16.5 is the filter for IPv4 Source Address.  Blob(framedata,30,4)==131.107.2.200 is the IPv4 Destination Address filter.  Note that the two tests are joined with or, so the command captures every frame sent by 192.168.16.5 plus every frame sent to 131.107.2.200, not only the conversation between those two hosts; to restrict it to that conversation, join the source and destination tests with AND and add the reverse direction.

Nmcap /network * /maxframelength 256 /capture Blob(framedata,26,4)==192.168.16.5 or Blob(framedata,30,4)==131.107.2.200 /file C:\NetMon\%computername%.chn:100MB
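As an added example (not part of the original post), the Python script below automates the hex conversion described above and generates Blob() filter clauses, including the bidirectional "between two hosts" form that Advanced Example 1's or filter does not express. The offsets 26 and 30 assume an untagged Ethernet II frame carrying IPv4; the script also shows how an 802.1Q VLAN tag shifts them by four bytes, which is why a filter developed on one capture can silently match nothing on a trunk port. The frame builder, MAC addresses and IP addresses are constructed for the demonstration; the filter strings are produced for pasting into nmcap and are not executed here.

```python
import ipaddress
import struct

# Offsets assume an Ethernet II frame (14-byte header) carrying IPv4. Inside the IPv4
# header the source address starts at byte 12 and the destination at byte 16, which
# gives the frame offsets 26 and 30 used in the post.
ETH_HDR_LEN = 14
VLAN_TAG_LEN = 4                      # an 802.1Q tag sits between the MACs and the EtherType
IPV4_FIELD_OFF = {"src": 12, "dst": 16}


def ipv4_to_blob_hex(addr):
    """'192.168.2.40' -> '0xC0A80228'; every octet is zero-padded to two hex digits."""
    return "0x" + "".join(f"{octet:02X}" for octet in ipaddress.IPv4Address(addr).packed)


def ipv4_blob_offset(field, vlan_tagged=False):
    """Frame offset of the IPv4 src/dst address, shifted by 4 when a VLAN tag is present."""
    return ETH_HDR_LEN + (VLAN_TAG_LEN if vlan_tagged else 0) + IPV4_FIELD_OFF[field]


def blob_filter(field, addr, vlan_tagged=False):
    """One Blob(FrameData, offset, 4) == 0x... clause in nmcap filter syntax."""
    return f"Blob(FrameData, {ipv4_blob_offset(field, vlan_tagged)}, 4) == {ipv4_to_blob_hex(addr)}"


def conversation_filter(host_a, host_b, vlan_tagged=False):
    """Frames exchanged between host_a and host_b in either direction.

    Advanced Example 1 joins a source test and a destination test with 'or', which
    matches everything host_a sends plus everything host_b receives. Restricting the
    capture to the conversation needs AND within a direction and OR across directions.
    """
    a_to_b = f"({blob_filter('src', host_a, vlan_tagged)} AND {blob_filter('dst', host_b, vlan_tagged)})"
    b_to_a = f"({blob_filter('src', host_b, vlan_tagged)} AND {blob_filter('dst', host_a, vlan_tagged)})"
    return f"{a_to_b} OR {b_to_a}"


def build_frame(src, dst, vlan_tagged=False):
    """Constructed Ethernet II + IPv4 header (no payload) used to check the offsets offline."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC (made up)
    if vlan_tagged:
        frame += struct.pack("!HH", 0x8100, 100)                            # TPID 0x8100, VID 100
    frame += struct.pack("!H", 0x0800)                                      # EtherType IPv4
    frame += struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20, 0, 0x4000, 64, 6, 0,                  # ver/IHL .. checksum (0)
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return frame


def blob_matches(frame, offset, length, hex_literal):
    """Evaluate Blob(FrameData, offset, length) == hex_literal the way the capture filter does.

    An odd number of hex digits (the unpadded 0xC0A8228 from the post) cannot be a
    whole number of bytes and so never matches a 4-byte field.
    """
    digits = hex_literal[2:]
    if len(digits) % 2 or len(digits) // 2 != length:
        return False
    return frame[offset:offset + length] == bytes.fromhex(digits)
```

Paste the string returned by conversation_filter() after /capture, in place of the or expression in Advanced Example 1, to capture only that host pair. Run blob_matches() against a frame taken from the real capture before relying on a Blob offset in production: if the segment is VLAN-tagged, the dst test at offset 30 is actually reading the source address.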

 

 

Advanced Example 2

Capture all data sent to Destination IP 192.168.2.15 on network interface 6

This example is similar to the

Nmcap /network 6 /maxframelength 256 /capture Blob(framedata,30,4)==192.168.2.15 /file C:\NetMon\Capture\%computername%.chn:100MB

 

Cheers,

Rhoderick

* – I still think that I miss having to re-install the service pack on NT and getting prompted to restart just by looking at the network connection properties.  I think….



--------------------------------------------------------------------------------------

https://blogs.technet.microsoft.com/networking/2008/08/27/the-quick-and-easy-on-using-nmcap-to-create-circular-network-traces-based-on-file-size/

The Quick and Easy on Using NMCap to Create Circular Network Traces Based on File Size

Hello all Networking Blog readers.  My name is Brett Crane and I am an engineer with the Networking Teams here at Microsoft.  I wanted to take a minute to show you a quick way to use Network Monitor to perform sequential (also called circular) captures for troubleshooting issues.  This is particularly useful when you can’t dictate when the networking communications you are looking for are going to happen.  This method of troubleshooting has been available via GUI configuration in other network traffic capture utilities, but with Network Monitor it has been, and currently is, only available through the command line options. 

(NMCap is a tool that is installed when you install Network Monitor 3.x.  It is a command line tool that provides a great deal of functionality.  As time goes by you will find more postings on other uses of this tool.)

As said before, the goal of this discussion is to describe how to collect a sequential trace.  What I mean by that is that you set Netmon to create a trace file that only grows so large… 200MB for example.  Once the capture has grown to 200MB it will close the current file and create a new one.  That file will grow up to 200MB and then another file is created.  This gives you the ability to go back and review your files and see whether the date/time stamp matches the date/time of when your possible problem may have occurred.  Having this information helps because you can delete the trace files that you know do not meet your criteria.  If you were to just start a trace file and walk away it could easily fill your hard drive, or become so large that it is too much of a burden to open or parse in a timely fashion. 

(Actual file size is adjustable and is dictated by the user entering the command.  Based on your needs it could be 1500B or larger.  The upper limit on the file size is 500MB.  If you do not dictate a size it will default to 20MB.  Please make sure you check available disk space as this process could easily fill your entire drive if not monitored properly.) 

To utilize NMCap to collect the sequential captures you will need to install Network Monitor 3.x. (For download and installation information please look back at our other postings: http://blogs.technet.com/networking/archive/tags/Network+Monitor/default.aspx)  

Once Network Monitor is installed, open a command prompt and use the following command line statement:

[Image in the original post: the NMCap command line used for the example; per the notes below it wrote chained files named test.chn with a 200MB size limit]

Statement Definitions:

NMCap: The application used to provide command line statements.  It is a lighter weight application, takes fewer resources, and is more flexible.

/Network: Selects one or more space delimited network adapters to capture from. Adapters may be specified using their index, partial name with wild *, or quoted friendly name.  (If you are uncertain of the Network adapters name you want to trace from you can find it using the NMCap /displayNetwork command)

/Capture: Saves frames that pass the frame filter to the specified capture files.  Think of this as the start command for Network Monitor.

/File: The argument after this switch is the name of the trace file.  Following the name with a “:” and a size sets the size each file will grow to before it is closed and the next file is started.  Each new file is noted by an incrementing number in its name.

* Notes:

In the example given above we used the file name test.chn.  The extension chn stands for Chain.  By using this extension in the filename we are telling NMCap to start the next file in the chain when we reach the stated size (200MB in the example).  If you utilize the .cap extension in the filename of the format used above it will not create a new file.  It will just cap off the file at the stated size then overwrite older data.  By using the .cap file extension you will NOT accomplish the goal of multiple file creation!

– Keep in mind, as with all command line statements, the file will save in the current directory (e.g. from above: the file will be stored on the C:\ drive).

There are many useful advanced filters that can also be used during the process of capturing Sequential/Circular Trace files (E.g.: /RecordFilters; /RecordConfig).  For more information on commands of these sorts please refer to the Help for NMCap.  (Help for NMCap can be accessed by running the following command in your CMD window: nmcap /?)

To stop your Capture process:

Once you feel the tracing has run long enough to capture what you are looking for, you will need to stop NMCap from continuing to create your trace files. To do this correctly all you will need to do is make sure that your Command Prompt window that you have opened and running the sequential traces on is the focus on your machine and hit Ctrl+C. Keep in mind that if you close the window you started tracing in, or log off, you will stop the tracing process.

*Note:  There are advanced methods that can stop the tracing based on different variables such as Date/Time, for example. More information on these methods can be found in the Help for NMCap.  (Help for NMCap can be accessed by running the following command in your CMD window: nmcap /?)

So, that’s all there is to it! Now you can let your traces run, checking back often and deleting the files that you know do not contain any relevant information!
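The triage described above (check each chain file's timestamp against the incident window and delete the ones that cannot contain it) is easy to get wrong if you only look at a file's own timestamp, because a chain file holds traffic from the moment the previous file was closed until it was closed itself. As an added example, not from the original post, the Python script below reconstructs that coverage span for a .chn chain from the file names (base.cap, base(1).cap, base(2).cap, ...) and last-write times, and reports which files fall entirely outside the window. It assumes that a chain file's last-write time is approximately when NMCap closed it, which holds when nothing else touches the files afterwards. The directory, file names and timestamps in demo() are constructed for the demonstration; nothing is deleted, the operator decides what to do with the returned list.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# A .chn capture produces base.cap, base(1).cap, base(2).cap, ... (see the /File help text).
CHAIN_RE = re.compile(r"^(?P<base>.+?)(?:\((?P<n>\d+)\))?\.cap$")


def chain_members(directory, base):
    """Return the files of one chain in the order NMCap wrote them (numeric, not lexical)."""
    members = []
    for path in Path(directory).glob(f"{base}*.cap"):
        m = CHAIN_RE.match(path.name)
        if m and m.group("base") == base:          # skip e.g. base_other.cap
            members.append((int(m.group("n") or 0), path))
    return [path for _, path in sorted(members)]


def coverage(paths):
    """Approximate the time span each chain file covers.

    A chain file is closed once it reaches its size limit, so its last-write time
    marks the end of its span, and the previous file's last-write time marks the
    start. The first file's start is unknown and is treated as open-ended.
    """
    spans = []
    prev_end = datetime.min
    for path in paths:
        end = datetime.fromtimestamp(path.stat().st_mtime)
        spans.append((path, prev_end, end))
        prev_end = end
    return spans


def prunable(paths, window_start, window_end):
    """Files whose span cannot overlap the window of interest; these are safe to delete."""
    return [path for path, start, end in coverage(paths)
            if end < window_start or start > window_end]


def demo():
    """Constructed scenario: three chain files closed 10 minutes apart, incident in the last span."""
    with tempfile.TemporaryDirectory() as tmp:
        t0 = datetime(2018, 6, 14, 18, 0, 0)
        for n, name in enumerate(["trace.cap", "trace(1).cap", "trace(2).cap"]):
            path = Path(tmp, name)
            path.write_bytes(b"")
            closed_at = (t0 + timedelta(minutes=10 * n)).timestamp()
            os.utime(path, (closed_at, closed_at))  # pretend NMCap closed it at this time
        Path(tmp, "trace_other.cap").write_bytes(b"")  # unrelated file with a similar prefix
        members = chain_members(tmp, "trace")
        window = (t0 + timedelta(minutes=12), t0 + timedelta(minutes=15))
        return [p.name for p in members], [p.name for p in prunable(members, *window)]
```

In the constructed scenario the incident window falls inside the span of trace(2).cap, so only trace.cap and trace(1).cap are reported as prunable; a naive check that compared each file's own timestamp to the window would also have discarded trace(2).cap, whose last write is after the window ends.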

(For more detailed information on using nmcap you can also refer to this link: http://blogs.technet.com/netmon/archive/2006/10/24/nmcap-the-easy-way-to-automate-capturing.aspx)

– Brett Crane