Starting and stopping nmcap with Scheduled Task

  • Question

  • I have created a scheduled Task to run nmcap so I can keep the capture running after I log off. The problem is that stopping the Task using the End command seems to cause nmcap to stop without closing the .cap file correctly. The capture .cap file has significant size, but when trying to open the cap file I get the message - Unable to open ... The capture file does not have any frames.

    Does anyone know of a workaround to this? I need to have nmcap running for a week or two. I use file chaining, which will produce many cap files that are readable, but not the current active file at the time of ending the task.



    Wednesday, August 1, 2012 8:31 PM

All replies

  • Hi Wes,

    Is your nmcap command doing any filtering currently, and is this just you manually ending the task? You could add a stop when flag to the command and then ping the machine to stop it instead (see an intro article on Paul's blog here), or just have it run for two weeks.


    Michael Hawker | Program Manager | Network Monitor

    Thursday, August 2, 2012 8:33 PM
  • Michael,

    No filtering and yes this is just the SysAdmin ending the task manually. What has happened a couple of times is the SysAdmin has manually ended the task once the intermittent error occurs, and of course the error is in the active cap file and we lose the capture of the error because the file is corrupt. Then we have to start over waiting for the error to occur. The approach we have been using is to make sure they don't end the task and wait until nmcap creates a new cap file (next in chain), then the error is in a good cap file we can read.

    I have read about the ping to stop method but haven't tried it, mostly because of concerns about the filter impacting the capture performance on busy links. Also, I don't always have an IP address on the capturing interface (using port mirroring). I think the ping to stop will work in some scenarios, so thanks for the reminder and I will give it a try.


    Friday, August 3, 2012 5:52 PM