Can't save packets from Network Monitor 3.3 on Windows 2003 SP2

  • Question

  • Hello,

    I run Network Monitor 3.3 on a Windows 2003 Std, SP2 server to capture packets. I have been using Network Monitor 2.1 which came with Windows 2003 and Network Monitor 3.3 seems to be a lot different.

    I don't understand how frame buffer manager works in Netmon 3.3. How can I configure Frame buffer Manager as we do in Netmon 2.1? I can't save a capture as it says not enough memory to process the command. I have 16GB+ memory with more than 100GB disk space free. In fact I tried it on multiple Windows 2003 boxes and I see same results. So I am missing something here.

    I also set temporary capture file size to 500MB (max allowed by MS). Please advise.

    TIA

    Tuesday, June 30, 2009 8:31 PM

Answers

  • Frame buffer manager is something completely different than setting the buffer size in Netmon2.1.  The frame buffer manager lets you save frames from different traces to combine them in one trace.  But in this specific scenario we are using it to work around a problem.  The UI doesn't allow you to set a buffer size and it just captures forever.  NMCap is the tool you'd use if you need to set a circular buffer like you did in Netmon2.1.

    We don't keep old versions around and instead ask that you use the latest version.  There is nothing we are aware of in NM3.3 that should be a problem with regards to what you are trying to do.

    After you add all the frames, you should then close the file in Frame Buffer manager.  After you do this, it should create many files.  If you name them test.cap, then you should see test.cap, test(1).cap, test(2).cap where each one is probably 20 megs, assuming you didn't change this size in Tools, Options.

    Assuming this is the case, and you are opening the first test.cap you created with Frame Buffer manager, can you tell me the size of the capture?  If you have a Hex editor, can you send me the first couple of bytes of the binary file?

    We might want to find a way to send me this file, perhaps you can use the contact info from the blog to send me email (http://blogs.technet.com/netmon).

    Thanks,

    Paul
    • Marked as answer by TSAM Friday, July 3, 2009 2:18 AM
    Thursday, July 2, 2009 1:54 PM
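
Added example (not part of the thread or of Network Monitor): a small Python script that reports the size, the first bytes and the header fields of a .cap file, which is the information the answer above asks for. The header layout is an assumption taken from the publicly documented Network Monitor capture format as read by open-source tools such as Wireshark, and `inspect_cap` and `build_sample` are hypothetical helper names.

```python
import struct
import sys

# Assumed layout (public Network Monitor capture header, as read by open-source
# tools such as Wireshark; not given in the thread): 4-byte signature, minor and
# major version bytes, 16-bit network type, 16-byte SYSTEMTIME, then the frame
# table's 32-bit offset and 32-bit length, all little-endian.
HEADER = struct.Struct("<4sBBH8HII")
SIGNATURES = {b"RTSS": "Network Monitor 1.x", b"GMBU": "Network Monitor 2.x or later"}


def inspect_cap(data):
    """Return what the fixed header of a .cap file says about its contents."""
    info = {"size": len(data), "first_bytes": data[:16].hex(" ")}
    if len(data) < HEADER.size:
        info["status"] = "truncated header"
        return info
    fields = HEADER.unpack_from(data)
    signature, minor, major = fields[0], fields[1], fields[2]
    table_offset, table_length = fields[12], fields[13]
    if signature not in SIGNATURES:
        info["status"] = "unknown signature"
        return info
    info.update(
        format=SIGNATURES[signature],
        version=f"{major}.{minor}",
        frame_count=table_length // 4,  # one 32-bit file offset per frame
    )
    if table_length == 0:
        info["status"] = "header lists no frames"
    elif table_offset + table_length > len(data):
        info["status"] = "frame table extends past end of file"
    else:
        info["status"] = "ok"
    return info


def build_sample(frame_payloads):
    """Constructed test input: header, frames, then the frame table."""
    body = b"".join(frame_payloads)
    offsets, pos = [], HEADER.size
    for payload in frame_payloads:
        offsets.append(pos)
        pos += len(payload)
    table = struct.pack(f"<{len(offsets)}I", *offsets)
    header = HEADER.pack(b"GMBU", 3, 2, 1, *([0] * 8), pos, len(table))
    return header + body + table


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(inspect_cap(fh.read()))
```

Run it with the path to a capture file as the only argument; it reads the file and never modifies it.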

All replies

  • Please find exact error message while trying to save packets to local disk.

    "not enough storage is available to process this command".

    MS has a KB for this error, but I am not sure whether it applies to W2K3 or netmon related errors.

    http://support.microsoft.com/default.aspx/kb/106167


    TIA
    Wednesday, July 1, 2009 1:12 PM
  • If you are in a situation where you have captured for a long time in the UI, you might get in a situation where you can't save files.  This is because the UI can consume lots of memory and GUI objects.  We suggest you use NMCap if you need to capture for long periods of time as it's designed to be higher performance with a low footprint.  It also contains more options for creating capture files like Circular and Chained files.

    We also have a disk quota of 2% that might also be involved here.  If this is the case, you can change this in tools, options.  But given you have 100GB of free disk space (assuming this is where the temp directory is), then I doubt you've hit 2% unless you have a really big drive.

    If you are currently in this situation in the UI where you try to save a capture and you run into the error above, you might be able to work around it using the frame buffer manager.

    1. Go to File, Frame Buffer Manager
    2. Select the New File button
    3. In file save dialog, type in a name and hit the save button.
    4. Select all frames in frame summary (Ctrl+a)
    5. Right click frames, choose Add Selected Frames -> Frame Buffer manager
    6. Hit OK
    7. Go to File, Frame Buffer Manager
    8. Close the file

    This will create a capture, or potentially a set of capture files of 20 megs apiece.

    Then you can use NMCap to put these back together using something like the following command line.

    NMCap /InputCapture test.cap test(1).cap test(2).cap /capture /file combined.cap:500M

    There is a limit of 500 megs on a capture file with NMCap, so anything larger won't work.  You could use a larger chained capture size with /file combined.chn:500M

    If this is not your problem, let me know.

    Thanks,

    Paul
    Wednesday, July 1, 2009 6:22 PM
  • Thanks for your suggestions, Paul.

    Before I posted the question to the forum, I went through the steps you mentioned above to add all frames to Frame buffer manager. After adding all frames about 250MB size to frame buffer manager, I tried to open them through netmon and I got an error saying "Unable to open c:\capture\test.cap. The capture file does not have any frames". Please advise.

    Also, is frame buffer manager an improved version/ same concept as old netmon 2.1 buffer size? I like to try with netmon 3.0 or 3.1 or 3.2, but I don't think MS keeps an archive of these releases anymore.

    Thanks very much

    Thursday, July 2, 2009 1:07 AM
  • Hello Paul,


    Once I added frames to frame buffer manager, I never closed it. Once I did I can open them in netmon. Also, I see options for close the file and close all files there. What is the difference?

    TIA
    Friday, July 3, 2009 2:20 AM
  • With the frame buffer manager you can create multiple files and add different frames to each one.  So when you are closing a file, you can choose just to close one file, or if you have multiple ones open you can close them all.

    The original purpose of Frame Buffer manager was to create new traces by combining data from multiple captures.  I've personally used this to add MSRPC Bind information to a trace that was missing that data.  This way my new Frankensteined trace would parse correctly as the BIND info in RPC is needed to understand the GUID and therefore component of RPC.

    Thanks,

    Paul

    Monday, July 6, 2009 1:44 PM