Project Description
NM3EventCap makes it easier for system administrators and technical support professionals to get a network trace and stop the capture when a particular event shows up in the event log.


On Vista and above, this requires administrator privileges. You'll have to run it from an elevated command prompt, as this access is required to query the event log.

NM3EventCap.exe /?
Usage: NM3EventCap.exe Capture EventNumber [m_LogFile] [-options]
  Capture     - Name of capture file to use.  use -o to overwrite if capture already exists.
  EventNumber - numeric event error message to stop on.
  LogFile     - For example, Application, Security, System.  Default searches all logs.

  -b #     - Buffer size in Mbytes for capture.  Default is 100MB.
  -c       - Use chain capture instead of the default of circular.
  -f       - Filter to use for capturing traffic.
  -o       - Overwrite capture if it exists.
  -d       - Disable Conversations.  Warning, you could shoot yourself in the foot.
  -n #     - Number of adapter to capture on.  Use Nmcap /displaynetworks to get list
  -v       - Be verbose.  Show NPL compilation messages.

NM3EventCap t1.cap 400

Stops when an event 400 occurs in any log. For instance, starting PowerShell will cause this particular instance to stop capturing.
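
The following wrapper is an added example, not part of the NM3EventCap project: it checks for elevation before starting the capture shown above, then lists the events that matched the stop condition so their timestamps can be lined up against the trace. The tool path, the parameter names and the use of Get-WinEvent for the lookup are assumptions of this example.

```powershell
# Added example: wrapper around the NM3EventCap command line shown on this page.
param(
    [string]$Capture = 't1.cap',            # capture file, as in the page's example
    [int]$EventId    = 400,                 # event to stop on, as in the page's example
    [string]$Tool    = '.\NM3EventCap.exe'  # assumed location of the tool
)

# The tool needs an elevated prompt on Vista and above; fail early if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated command prompt.'
}

# Remember when the capture started so only newer events are reported afterwards.
$start = Get-Date

# Blocks until the event shows up; -o overwrites an existing capture file.
& $Tool $Capture $EventId -o
Write-Host "NM3EventCap exit code: $LASTEXITCODE"

# Search every readable, non-empty log for the event ID since the capture started.
$hits = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    ForEach-Object {
        $filter = @{ LogName = $_.LogName; Id = $EventId; StartTime = $start }
        # Logs without a matching event raise a non-terminating error; ignore it.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    }

# Show the matching events oldest first, next to the capture's last write time.
$hits | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id |
    Format-Table -AutoSize
if (Test-Path $Capture) {
    Get-Item $Capture | Select-Object Name, Length, LastWriteTime
}
```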

Look at Network Monitor Blog Article for more examples.

Network Monitor 3.x: install the latest version
VC 2008 Redistributable: VC9 Redist

