Project Description
NM3EventCap makes it easier for system administrators and technical support professionals to get a network trace and stop when a particular event shows up in the event log.
Usage
On Vista and above, this requires administrator privileges. You'll have to run it from an elevated command prompt, as this access is required to query the event log.
NM3EventCap.exe /?
Usage: NM3EventCap.exe Capture EventNumber [m_LogFile] [-options]
Capture - Name of capture file to use. use -o to overwrite if capture already exists.
EventNumber - numeric event error message to stop on.
LogFile - For example, Application, Security, System. Default searches all logs.
Options:
-b # - Buffer size in Mbytes for capture. Default is 100MB.
-c - Use chain capture instead of the default of circular.
-f - Filter to use for capturing traffic.
-o - Overwrite capture if it exists.
-d - Disable Conversations. Warning, you could shoot yourself in the foot.
-n # - Number of adapter to capture on. Use Nmcap /displaynetworks to get list
-v - Be verbose. Show NPL compilation messages.
Example
NM3EventCap t1.cap 400
Stops when an event 400 occurs in any log. For instance, starting PowerShell will cause this particular instance to stop capturing.
Look at the Network Monitor Blog Article for more examples.
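An added example, not part of the NM3EventCap project: a PowerShell wrapper that checks for the elevation required above, starts a capture that stops on a chosen event, then prints the most recent matching event so its timestamp can be lined up with the end of the trace. The tool path, capture file name, event ID 4625 in the Security log and the 200 MB buffer are assumptions chosen for illustration.

```powershell
# Added example (not from the NM3EventCap project).
# All default values below are constructed samples.
param(
    [string]$CaptureFile = 'logon-failure.cap',  # sample capture name
    [int]$EventId        = 4625,                 # sample: failed logon event
    [string]$LogName     = 'Security',           # log to watch
    [int]$BufferMB       = 200,                  # passed to -b
    [string]$ToolPath    = '.\NM3EventCap.exe'   # assumed location of the tool
)

# The tool needs an elevated prompt to query the event log, so fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Not elevated: start PowerShell with "Run as administrator".'
}

if (-not (Test-Path -LiteralPath $ToolPath)) {
    throw "NM3EventCap.exe not found at $ToolPath"
}

# Catch a mistyped log name before the capture starts waiting on it.
try {
    Get-WinEvent -ListLog $LogName -ErrorAction Stop | Out-Null
} catch {
    throw "Event log '$LogName' is not available: $($_.Exception.Message)"
}

# Syntax from the usage text: Capture EventNumber [LogFile] [-options]
$toolArgs = @($CaptureFile, $EventId, $LogName, '-o', '-b', $BufferMB)
Write-Host "Capturing to $CaptureFile until event $EventId appears in $LogName"
& $ToolPath @toolArgs
Write-Host "NM3EventCap exited with code $LASTEXITCODE"

# Show the newest matching event to correlate with the last frames captured.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
             -MaxEvents 1 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, ProviderName, Message
```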
Dependencies
Network Monitor 3.x: Install latest version
VC 2008 Redistributable: VC9 Redist