Install and run only nmcap

  • Question

  • Is there a way to only install nmcap?  I want to install and run remotely and only need the command line version.  I noticed when I ran the installer with the /Q option it took longer than I expected to install.  I was hoping to speed the install up as well.

    Thanks,
    Rich

    Tuesday, June 7, 2011 8:05 PM

Answers

  • Yes, you'll need NM3.4 to record process information.  The only supported way would be to install Network Monitor using the /Q switch.  However, if you are industrious, you could rip apart the OneClick code and discover the batch file we use to detect and load the driver manually.  The tricky part is detecting whether a driver already exists.  I'm pretty sure that installing the driver is basically calling NMConfig, and then running NMCap as administrator.  As I'm sure you know, we've never tested this directly so I can't swear this will work and not cause strange behavior.  But if you are willing to take that risk, I think it should be possible. You might want to test first :)

    Moving forward we are going to start looking at remote capture as a primary scenario.  It's something we mitigated with remote desktop or other remoting tools, but I think we can make this more seamless.

    Paul

    • Marked as answer by Rich_Viza Thursday, June 16, 2011 11:01 AM
    Monday, June 13, 2011 7:52 PM

All replies

  • There's no way to only install NMCap.  We do have a tool, called OneClick, which allows you to install the capture driver and start a trace when you run the tool.  Then the driver is uninstalled (if it wasn't there to begin with), and the resulting capture is presented so that it can be passed back to the user.  Perhaps that's another option depending on your scenario.

    Thanks,

    Paul


    Thursday, June 9, 2011 4:04 PM
  • Paul,

    Thanks for taking the time to respond!  I enjoyed your "Network monitor 3.4 (netmon) AD Protocol Plugfest 2011" presentation.  I'm not sure OneClick will work for me since I would like to get the process ID, and from what I could tell OneClick installs netmon 3.1.  3.1 does not capture Process ID, correct?

    Here is the scenario in which I was hoping to use Netmon:

    From time to time I get a network IDS alert that a machine is reaching out in a suspicious manner; however, trying to investigate to rule out a "false positive" is sometimes difficult when you don't know the process that is triggering the IDS rule.  What I was hoping to do is remotely install netmon (from the command line), then configure a capture filter based off of the IDS rules and have it run until I see the alert again.  After that, stop the capture and look to see what the process name is.  Once I have the process name I would dump that process and inspect it to see if there are any injected DLLs and whatnot.

    Hope that makes sense.

    Thanks again,
    Rich

    Thursday, June 9, 2011 6:08 PM
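The scenario Rich describes (quiet install from the command line, a capture filter built from the IDS rule, run until the suspicious traffic recurs, then read the owning process from the trace) as an added PowerShell example. This is not code from the thread or from the Network Monitor team. The target host name, the installer path, the filter expression (which uses a TEST-NET-3 address and is constructed for illustration), the output path and the capture-driver service name "nm3" are assumptions; the NMCap switches are the documented ones as I recall them and should be checked against "nmcap /examples" on the installed version before relying on them.

```powershell
# Added example, not part of the original thread.
# Quiet-installs Network Monitor 3.4 on a remote host if NMCap is not already
# there, runs NMCap with an IDS-derived capture filter, stops on the first
# matching frame, and copies the trace back for analysis in the NM 3.4 UI,
# where the process that sent the frame can be read off the trace.
param(
    [string]$ComputerName = 'WS-042',                              # assumed target host
    [string]$Installer    = '\\fileserver\tools\NM34_x64.exe',      # assumed installer path
    [string]$Filter       = 'IPv4.Address == 203.0.113.10 && tcp.port == 4444', # constructed from a hypothetical IDS rule
    [string]$OutFile      = 'C:\Captures\ids-match.cap',           # assumed output path on the target
    [string]$LocalDir     = '.\captures'                           # where the trace is copied back to
)

$remote = {
    param($Installer, $Filter, $OutFile)

    $nmcap = Join-Path ${env:ProgramFiles} 'Microsoft Network Monitor 3\nmcap.exe'

    # Only run the installer when NMCap is absent. /Q is the quiet switch the
    # thread names; -Wait blocks until the installer process exits.
    if (-not (Test-Path $nmcap)) {
        Start-Process -FilePath $Installer -ArgumentList '/Q' -Wait
        if (-not (Test-Path $nmcap)) { throw "NMCap not found at $nmcap after install" }
    }

    # Driver check. Assumption: the NM3 capture driver is registered as a
    # service named nm3. Fail loudly instead of capturing nothing.
    $drv = Get-Service -Name nm3 -ErrorAction SilentlyContinue
    if (-not $drv) { throw 'Network Monitor capture driver (nm3) not found' }

    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

    # Capture on all adapters, keep only frames matching the filter, and end
    # NMCap as soon as one such frame is seen. NMCap needs an elevated context;
    # a remoting session for an administrator account provides that without a
    # UAC prompt. NM 3.4 records the owning process for each captured frame.
    & $nmcap /network '*' /capture $Filter /file $OutFile /TerminateWhen /Frame $Filter

    if (-not (Test-Path $OutFile)) { throw "No capture written to $OutFile" }
    Get-Item $OutFile | Select-Object FullName, Length, LastWriteTime
}

$session = New-PSSession -ComputerName $ComputerName
try {
    Invoke-Command -Session $session -ScriptBlock $remote -ArgumentList $Installer, $Filter, $OutFile
    New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
    # Pull the trace back over the same session (Copy-Item -FromSession needs
    # PowerShell 5.0 or later on the analyst's machine).
    Copy-Item -Path $OutFile -Destination $LocalDir -FromSession $session
}
finally {
    Remove-PSSession $session
}
```

Run it from an account that is a local administrator on the target with PowerShell remoting enabled. Once the .cap file is back, open it in Network Monitor 3.4 and look at the process column for the frame that satisfied the filter; that gives the process name to dump and inspect, which is the step Rich wants to reach. Note that "/TerminateWhen /Frame" ends NMCap on the first match, so if the IDS rule is noisy you may prefer "/TerminateWhen /TimeAfter" with a chained "/file name.chn:100MB" output and a later manual stop.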
  • Paul,

    Thanks for the information about the OneClick batch file.  I'll be taking a look and see what I can come up with.  Thanks again for all your help!

    Rich

    Thursday, June 16, 2011 11:01 AM