The Windows Support Tools Network Monitor Capture Utility is designed to investigate packets flowing in and out of a Windows XP system’s network adapter and to create a log file you can analyze with a full-fledged version of the Network Monitor tool. While the Network Monitor Capture Utility is a very powerful tool with a ton of configuration options that allow you to finely tune your analysis, it’s stuck in the command-line-only category, which can make it very difficult to use.
With a little bit of magic conjured up with Windows Script Host and VBScript, I’ve discovered a way to streamline Network Monitor Capture Utility by giving it a downloadable wizard front end, which makes it easier to use this awesome tool. The wizard simplifies the way the utility works so that you can harness all of its powerful configuration options. Once you’ve installed the utility wizard, taking full advantage of the command line tool will be extremely easy—no more fumbling around trying to correctly type the command and all of its detailed parameters.
I’ll tell you how I created this wizard front end in Windows Script Host and VBScript. I’ll also show you how to install and use the wizard to create Network Monitor Capture files and then give you some background information on Windows XP’s Network Monitor Capture Utility.
Dissecting the Network Monitor Capture Utility
Before we get started with the script, let’s take a closer look at how the utility works. Doing so will make it easier to understand how the script will work. To begin with, it’s important to understand that this command-line utility is only meant to capture network traffic passing to and from the network card installed in a Windows XP system. To analyze the data in the capture file, you’ll need to copy the file to a system running the full-fledged Network Monitor tool that is a part of the Windows Server products, as well as Microsoft Systems Management Server (SMS).
The first time you run the Network Monitor Capture Utility, it will install the Network Monitor driver and automatically bind that driver to all of the network adapters installed on the system. Then, the utility can monitor data packets traveling through those adapters and save that information to a file.
Once you install the Network Monitor driver, it remains a part of your system until you uninstall it. When you’re not actively using the Network Monitor Capture Utility, you’ll want to uninstall the driver so that it doesn’t inadvertently affect the performance of your network. As you will see, uninstalling the driver is extremely easy.
Specifying the network adapter to monitor
The Network Monitor Capture Utility has the capability to monitor any network adapter installed in your system—including a dial-up WAN (PPP/SLIP) interface connection. You’ll need to specify exactly which network adapter you want to monitor.
The capture file name and location
By default, the Network Monitor Capture Utility saves its capture files in the UserProfile\Local Settings\Temp folder, where UserProfile is the name of the user currently logged on to the system. The utility names its capture files using a cryptic naming scheme.
The utility allows you to customize the name and location that it uses for the capture files. For example, you can change the default folder it uses to save its capture files. When you use this method, the utility will actually create the folder for you. It will also store the new folder name in its configuration and will then save all future capture files to that folder. This new folder must be on the local hard disk. Also, you can specify a unique name for the capture file. When you do, you can also specify the name of an existing folder—either on the local hard disk or on a network server.
The change-the-default-folder method appears to be a little buggy—it doesn’t work consistently. Furthermore, it won’t allow you to use a custom name for the capture file. Since the second method allows you to specify a custom name and location, as well as just a custom location or just a custom name, it’s far more flexible. I decided to leave the first method out of the script and use only the second method.
Using a Network Monitor filter
If you’ve used the full-fledged Network Monitor to create a special filter designed to restrict the monitoring operation to a specific host, you can use it with the Network Monitor Capture Utility.
Controlling the capture procedure via file size
As you can imagine, the amount of data that typically travels across the network can very quickly fill up a capture file. The utility gives you several options for managing the size of the capture file. To begin with, the default size for a capture file is 1 MB. You can specify the size for a capture file from 1 MB to 1 GB. Once the capture file reaches the specified size, the Network Monitor Capture Utility stops collecting data and exits.
Controlling the capture procedure via event triggers
In addition to using the size of the file as the determining factor for ending the data collection session, the utility lets you specify a number of trigger events. The first such trigger is a percentage of the specified capture file size. You can configure the utility to stop collecting data when the size of the file is 25, 50, 75, or 100 percent of the specified maximum.
The second trigger event is a hexadecimal match: you supply either a specific hexadecimal offset from the start of a frame or a specific hexadecimal pattern that captured data is compared against. When using the latter trigger, the pattern must consist of an even number of hexadecimal digits.
Combining the percentage and the pattern creates the next two trigger events in a whichever-comes-first configuration. The third trigger event is percentage, then pattern: if the specified percentage is reached before the pattern is found, the utility stops capturing data and closes the file. The fourth trigger event is pattern, then percentage: if the specified pattern is found before the percentage is reached, the utility stops capturing data and closes the file.
The fifth trigger event is actually a manual intervention. In this case, the Network Monitor Capture Utility will continuously collect data until you press the spacebar. When you use this method, it takes a FIFO (first in, first out) approach to managing the capture file once it reaches either the specified or default maximum. In other words, once the file is full, the newest frames will overwrite the oldest frames in the capture file.
Controlling the capture procedure via a timed session
There’s one more way to control how long the Network Monitor Capture Utility runs: with a timed session. In this method, you specify the amount of time that you want the utility to run in hours, minutes, and seconds. When you use a timed session, the FIFO approach to managing the capture file applies. Of course, you can combine a timed session with any of the other triggers.
Now that you have a good idea of how the Network Monitor Capture Utility works, let’s take a brief look at the script I designed to automate it. To begin with, I decided to implement this script using a wizard format with each step prompting you to choose those options that you want to use to run the utility. This is basically the same format that I used in the Network Connectivity Tester Wizard script, which I presented in the article, Automate Win2K’s Network Connectivity Tester.
Just like in that script, I’ll employ the DialogBox function and a series of HTML files to create the wizard screens with a Windows Script File running the whole show. Since I described the wizard technique in detail in that article, I’ll refer you to that article for background information.
The Windows Script File that makes up the Network Monitor Capture Utility Wizard consists of 260 lines of code and employs nine HTML files and the DialogBox function to create the wizard screens. There’s way too much code to go over each file line by line, so I’ll simply provide you with all the files in one download package and focus on how to install and use the wizard.
Installing the Network Monitor Capture Utility Wizard
Once you download the wizard and extract the files, you’ll find these 11 files:
- NetMonCap.wsf
- FdialogBox.vbs
- NetMonCap-1.htm
- NetMonCap-2.htm
- NetMonCap-3.htm
- NetMonCap-4a.htm
- NetMonCap-4b.htm
- NetMonCap-4c.htm
- NetMonCap-5.htm
- NetMonCap-6.htm
- NetMonCap-7.htm
You should copy these files to the C:\Program Files\Support Tools folder on your hard disk. Next, create a shortcut to NetMonCap.wsf and move the shortcut to the Start | All Programs | Windows Support Tools menu. Doing so will make it very easy for you to launch the wizard when you need it.
Running the Network Monitor Capture Utility Wizard
When you launch the wizard, you’ll see the opening screen, shown in Figure A.
Figure A: The first Network Monitor Capture Utility Wizard screen lets you either run the utility or remove the driver.
As I mentioned, to do its job, the utility installs a special driver that you’ll want to remove once you’re finished capturing network data. If you select the second option, the wizard will open a Command Prompt window and launch the command to unload the driver.
If you choose to run the utility, you’ll see the screen shown in Figure B. Here, you’ll be prompted to select the adapter that you want to monitor. If the system only has one adapter, you can use the default option.
Figure B: Specify which network adapter you want to monitor.
On the next screen, shown in Figure C, you can choose how you want to terminate the capture procedure. The first option is the default for the Network Monitor Capture Utility and will terminate the capture procedure once the capture file reaches 1 MB.
Figure C: The wizard makes it easy to configure the termination of the capture procedure.
The second option allows you to manually terminate the capture session. As you’ll remember, this option will continuously collect data using a FIFO-managed capture file until you press the spacebar. Selecting the third option indicates that you want to use one or a combination of the utility’s event triggers, which I’ll discuss later.
The fourth and fifth options let you use the file size and timed termination configurations alone or combine them with event triggers. If you want to use either of these options alone, just select the appropriate radio button. If you want to use either of them with event triggers, select the radio button along with the adjacent check box.
When you select the file size option, you’ll see the screen shown in Figure D, which allows you to specify the size of the capture file. Remember that the utility will only accept a file size specification in the 1 MB to 1 GB range. If you type a number outside this range, the wizard will display an error message and abort the script.
If you choose to use a timed session when running the Network Monitor Capture Utility Wizard, you’ll see the screen shown in Figure E. You can enter the amount of time you want the capture session to run by entering the number of hours, minutes, and seconds.
Choosing the event triggers to terminate the capture session brings up the screen shown in Figure F. If you want to specify a percentage of the capture file, select the first check box and then use the drop-down list to choose 50, 75, or 100 percent; 25 percent is the default. To monitor the network traffic for a specific hexadecimal pattern or offset value, select the second check box and then specify the value in the text box.
Figure F: The utility allows you to specify individual trigger events or combine them.
If you want to use a combination of a percentage and a hexadecimal value, you can select the first two check boxes and specify the values. Then, select the third check box and choose the appropriate radio button depending on which of the event triggers you want to take priority.
Next, you’ll be given the opportunity to add a Network Monitor filter file to the command line, as shown in Figure G. If you aren’t using a Network Monitor filter file, just click Next.
Figure G: If you’ve created a capture filter, the wizard gives you the option to use it in the procedure.
Next, as shown in Figure H, you can specify whether you want to save the capture file to the default folder or to an alternative location, either on the local hard disk or on a shared network drive. If you want an alternative location, just click the second radio button and then type the full local or UNC path into the text box. When you do so, remember to type the backslash character (\) at the end of the path.
Next, you’ll have the opportunity to specify whether you want to use a custom name for the capture file, as shown in Figure I. If you choose the custom filename option, just type the first part of the filename in the text box and the wizard will automatically append the correct file extension.
When you’ve finished choosing the options that you want to employ with the utility, the script will open a Command Prompt window and run the command, as shown in Figure J. You can see the exact command line that you’ve configured displayed in the title bar of the Command Prompt window. Once the utility finishes, simply close the Command Prompt window.
Figure J: When the Network Monitor Capture Utility is running, you can see the exact command line in the title bar.
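To show what the wizard has to get right before it opens that Command Prompt window, here is an added VBScript example (not code from the download package) that validates the choices described above (the 1 MB to 1 GB size range, the 25/50/75/100 percent options, an even number of hexadecimal digits, a trailing backslash on the folder) and assembles the command line. The netcap.exe switch names and the /T argument order are assumed from the utility’s documented usage line rather than quoted from this article, and the Dictionary keys and the "capture" default name are my own.

```vbscript
' Added example (not from the article's download package). Assumptions: the
' switch names /N /B /T /F /C /L /Remove and the /T argument order
' (Type Buffer Offset Pattern) follow netcap.exe's documented usage line;
' the Dictionary keys and the "capture" default name are my own.
Option Explicit
Sub Fail(msg) : WScript.Echo "Error: " & msg : WScript.Quit 1 : End Sub   ' report, then abort, as the wizard does

Function HexPatternOk(s)                        ' hex digits only, even count
    Dim re : Set re = New RegExp
    re.Pattern = "^([0-9A-Fa-f]{2})+$"
    HexPatternOk = re.Test(s)
End Function
Function Pad2(n) : Pad2 = Right("0" & CStr(n), 2) : End Function

Function BuildNetCapCommand(o)                  ' o: Scripting.Dictionary of wizard choices
    Dim cmd : cmd = "netcap.exe"
    If o.Exists("remove") Then BuildNetCapCommand = cmd & " /Remove" : Exit Function
    If o.Exists("adapter") Then cmd = cmd & " /N:" & o("adapter")
    If o.Exists("sizeMB") Then                  ' article: 1 MB to 1 GB
        If o("sizeMB") < 1 Or o("sizeMB") > 1000 Then Fail "file size must be 1 to 1000 MB"
        cmd = cmd & " /B:" & o("sizeMB")
    End If
    If o.Exists("trigger") Then                 ' B, P, BP, PB, or N (run until spacebar)
        cmd = cmd & " /T " & o("trigger")
        If o.Exists("percent") Then
            If InStr(",25,50,75,100,", "," & o("percent") & ",") = 0 Then Fail "percent must be 25, 50, 75 or 100"
            cmd = cmd & " " & o("percent")
        End If
        If o.Exists("pattern") Then
            If Not HexPatternOk(o("pattern")) Then Fail "pattern needs an even number of hex digits"
            cmd = cmd & " " & o("offset") & " " & o("pattern")
        End If
    End If
    If o.Exists("filter") Then cmd = cmd & " /F:""" & o("filter") & """"
    If o.Exists("folder") Or o.Exists("name") Then
        Dim f : f = "" : If o.Exists("folder") Then f = o("folder")
        If Len(f) > 0 And Right(f, 1) <> "\" Then Fail "folder path must end with a backslash"
        Dim n : n = "capture" : If o.Exists("name") Then n = o("name")
        cmd = cmd & " /C:""" & f & n & ".cap"""   ' the wizard appends the extension itself
    End If
    If o.Exists("hours") Then cmd = cmd & " /L:" & Pad2(o("hours")) & ":" & Pad2(o("minutes")) & ":" & Pad2(o("seconds"))
    BuildNetCapCommand = cmd
End Function

' Constructed sample: adapter 1, 20 MB file, stop at 50% or on the pattern, whichever comes first
Dim opt : Set opt = CreateObject("Scripting.Dictionary")
opt.Add "adapter", 1 : opt.Add "sizeMB", 20 : opt.Add "trigger", "BP"
opt.Add "percent", 50 : opt.Add "offset", "0c" : opt.Add "pattern", "0800"
opt.Add "folder", "\\server\captures\" : opt.Add "name", "xp-box"
WScript.Echo BuildNetCapCommand(opt)
```

Run it with cscript so the assembled command line prints to the console; the same string is what the wizard would show in the Command Prompt title bar.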
More DialogBox function help
If you want to learn more about the DialogBox function technique used in this script, check out a series of articles I created earlier for the TechProGuild Windows Client track:
- Create your own reusable dialog box for Windows Script Host
- Design Windows Script Host dialog boxes for any occasion
- Take your pick: These three script dialog boxes make it easy to interact
- All together now: Four dialog box function controls in one easy script