微软抓包工具network monitor (nmcap)简单使用

C:\Program Files\Microsoft Network Monitor 3>nmcap /examples
Network Monitor Command Line Capture (nmcap) 3.4.2350.0
Example Usage:
  Example 1:

This example starts capturing all TCP frames and will be saved in a capture file
name tcp.cap. If you want to stop capturing, Press Control+C.

nmcap /network * /capture tcp /File tcp.cap


  Example 2:

This example starts capturing network frames that DO NOT contain ARPs, ICMP,
NBtNs and BROWSER frames.  If you want to stop capturing, Press Control+C.

nmcap /network * /capture  (!ARP AND !ICMP AND !NBTNS AND !BROWSER) /File NoNoise.cap

  Example 3:

This example starts capturing network frames that are TCP Continuations. The
capture filter is searching for String "Continuation in TCP Frame Summary
Description. In order to see the complete list of Netmon Properties that are
filterable,type ".Property" in the Netmon Filter UI.

nmcap /network * /capture contains(.Property.Description, \"Continuation\") /File TCPContinuations.cap

  Example 4:

This example starts capturing network frames at 3:17 PM on September 10, 2002.
All DNS frames that contains the QRecord Questions name 'my_computer' will be
saved in a capture file named dns.cap. The size of the capture file will not
exceed 6 megabytes. If the user presses x at any time during this capture, the
program will terminate, otherwise the capture will stop 10 minutes after it has
begun.

nmcap /network * /startwhen /time 3:17:00 PM 9/10/2002 /capture contains(dns.qrecord.questionname,'my_computer') /file dns.cap:6M /stopwhen /timeafter 10Min /TerminateWhen /KeyPress x

  Example 5:

This example starts capturing network frames after 10 seconds past. All IPv4
frames that received by local machine which has IP address 192.168.0.1 will be
saved in a capture file named ip.cap. The size of the capture file will not
exceed 4 megabytes (the default size). If the user presses c at any time during
this capture, the program will terminate, otherwise the capture will stop 10
minutes after it has begun.

nmcap /network * /startwhen /timeafter 10 /capture ipv4.destinationaddress == 192.168.0.1 /file ip.cap /stopwhen /timeafter 10 min /TerminateWhen /KeyPress c

  Example 6:

Starts capturing network frames immediately. All TCP frames that have a source
port or destination port of 80 are saved to the chained capture files named
test.cap, test(1).cap, test(2).cap, ... When the user presses the 'x' key the
program stops.

nmcap /network * /capture tcp.port == 80 /file c:\temp\test.chn:6M /stopwhen /keypress x

  Example 7:

Starts capturing network frames immediately. All syn TCP frames that have the
specified IPv4 network address are stored into to the capture file t.cap. The
program stops when the TCP connections ends.

nmcap /network * /startwhen /frame tcp.flags.syn == TRUE AND ipv4.Address == 192.168.0.1 /capture /file t.cap:8M /stopwhen /frame (tcp.flags.fin == TRUE OR tcp.flags.reset == TRUE) AND ipv4.Address == 192.168.0.1


  Example  8:

This example reassembles fragmented frames of capture.cap at all layers
possible. The resultant capture file, Reassembled.cap will contain the
Reassembled payloads alongwith the original unfragmented frames.

nmcap /inputcapture capture.cap /reassemblecapture /file Reassembled.cap

  Example  9:

This example starts capturing frames and will be saved in a capture file name
result.cap. If you want to stop capturing, Press Control+C. When the free disk
space is less than 20% the total space of current disk, capture will stop as
well.

nmcap /network * /capture /File result.cap /MinDiskQuotaPercentage 20


  Example 10:

This example starts capturing frames and also tracks processes that generated network
traffic. The resultant output file is ProcessTraffic.cap.

nmcap /network * /capture /File ProcessTraffic.cap /CaptureProcesses


Tips and Tricks:

Tip #1: Filtering: nmcap and Netmon UI Filtering Expressions are identical.
Netmon UI Filtering has intellisense, in terms of the Filterable elements inside
a protocol's header. You can narrow down the exact capture filter that you need
using the UI Intellisense and simply cut and Paste the Filter in nmcap
/Frame <Filter> to run from Command Line.

Tip #2: Long Term Capturing: Use /DisableConversations if you want to leave
capturing for a long time(order of days) and you are not interesting MSRPC
traffic. nmcap currently allows 500Meg limit for a single capture. You can
however use Chain Captures (.chn). /file test.chn:20M (This will create
test.cap, test(1).cap, test(2).cap).

Tip #3: Reassembly: Reassembling a capture can be done as shown in Example 8
above. If you want to view just the Reassembled Payloads, add a frame filter for
"payloadHeader".  e.g In Example 8:

nmcap /inputcapture capture.cap /reassemblecapture Payloadheader /file ReassembledPayloads.cap

would result in just the reassembled payloads.
Note nmcap reassembles BEFORE filtering.

Tip #4: Filtering using "Contains Plugin". You can filter frames by searching
for Strings in Netmon defined Properties using the contains plugin.
See Example 3 above.

nmcap.exe /network * /startwhen /timeafter 5 /capture /DisableConversations /file c:\temp\test.chn:20M /MinDiskQuotaPercentage 10 /TerminateWhen /KeyPress t

   /CaptureProcesses
      Enables process tracking. This is incompatible with the /DisableConversations switch as process tracking requires conversations.
   /DisableConversations
      Disables conversations. This enhances the performance of NMCap. Some protocols such as MSRPC require conversation to be enabled.

nmcap.exe /network * /startwhen /timeafter 5 /capture /file e:\test.chn:2M /MinDiskQuotaPercentage 10 /TerminateWhen /KeyPress t
nmcap.exe /network * /startwhen /timeafter 5 /capture /file c:\temp\test.chn:1M /MinDiskQuotaPercentage 10 /TerminateWhen /KeyPress t