Windows Tools

NetCap Notes


How The Network Monitor Driver Works

Network Monitor tracks the network data stream, which consists of all of the information transferred over a network at any given time. Before transmission, the networking software divides this information into smaller segments, called frames (packets). Each frame contains the following information:

All frames on a network segment pass through every computer connected to that segment. However, the network card typically passes to the networking software only the frames addressed to it as the destination computer. The Windows XP Professional version of Network Monitor can copy frames originating from or sent to the local computer to a temporary capture file. The process by which Network Monitor copies frames is referred to as data capture.

The amount of information that the Network Monitor Driver can capture is limited only by the amount of memory available on your system. However, you usually need to capture only a small subset of the frames traveling on your network. To isolate a subset of frames, you can design a capture filter, which functions like a database query to isolate the information that you specify. You can filter frames on the basis of source and destination addresses, protocols, protocol properties, and pattern offset.

If you want a running capture to respond to specific conditions as soon as the Network Monitor detects them, you can design a capture trigger. When the Network Monitor detects a particular set of conditions on the network, this capture trigger performs a specified action, such as starting an executable file.

Note

The Network Data Stream

Network Monitor monitors the network data stream, which consists of all information transferred over a network at any given time. Prior to transmission, this information is divided by the network software into smaller pieces, called frames or packets.

Frames, whether broadcast, multicast, or directed, are made up of several different pieces that can be analyzed separately. Some of these pieces contain data that Network Monitor can use to troubleshoot networking problems. For example, by examining the destination address, you can determine whether the frame was a broadcast frame, which all hosts had to receive and process, or a directed frame sent to a specific host. By analyzing frames, you can determine exactly what caused a frame to be sent, which helps determine whether the service generating these types of frames can be optimized.
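The destination-address check described above, together with the capture-filter criteria from the earlier section (source and destination address, protocol, pattern offset), as an added example that is not part of the original page or of Network Monitor itself. It assumes Ethernet II framing; the function names and the sample frames are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def classify_destination(frame: bytes) -> str:
    """Return 'broadcast', 'multicast' or 'directed' for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst = frame[0:6]
    if dst == BROADCAST:
        return "broadcast"
    # The least-significant bit of the first address octet is the group bit.
    return "multicast" if dst[0] & 0x01 else "directed"

def matches_filter(frame, src=None, dst=None, ethertype=None, pattern=None, offset=0):
    """Capture-filter style test: every criterion that is supplied must match."""
    if len(frame) < 14:
        return False  # truncated frame, header cannot be evaluated
    f_dst, f_src = frame[0:6], frame[6:12]
    (f_type,) = struct.unpack("!H", frame[12:14])
    if src is not None and f_src != src:
        return False
    if dst is not None and f_dst != dst:
        return False
    if ethertype is not None and f_type != ethertype:
        return False
    # Pattern offset: compare raw bytes at a fixed position in the frame.
    if pattern is not None and frame[offset:offset + len(pattern)] != pattern:
        return False
    return True

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def build(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload

# Constructed sample frames (locally administered addresses, zeroed payloads).
HOST_A, HOST_B = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b")
SAMPLE_FRAMES = [
    build(BROADCAST, HOST_A, 0x0806, b"\x00\x01" + b"\x00" * 26),             # ARP
    build(mac("01:00:5e:00:00:fb"), HOST_A, 0x0800, b"\x45" + b"\x00" * 19),  # IPv4 multicast
    build(HOST_B, HOST_A, 0x0800, b"\x45" + b"\x00" * 19),                    # IPv4 directed
]

def summarize(frames):
    counts = {"broadcast": 0, "multicast": 0, "directed": 0}
    for f in frames:
        counts[classify_destination(f)] += 1
    return counts
```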