Network Capture Service


The EventSentry Network Capture Service (es_netcap_svc) is a Windows service which runs in the background and continuously captures network traffic into a memory buffer, up to the configured maximum size (50 MB by default). When requested, the captured network traffic residing in memory is written to a local file in PCAP format.

 

The service is configured via the command line, which writes the respective settings to the registry. By default, the service uses a 50 MB buffer and writes .pcap files to the %TEMP% directory while monitoring the first active network adapter with a valid IP address. The following parameters can be configured via the command line. Configuration changes become effective after a restart of the es_netcap_svc service.

 

Property         Default                  Command Line Argument   Example
Buffer Size      50 MB                    /setbufsize             /setbufsize=100
Dump Directory   %TEMP%                   /setdumpdir             /setdumpdir=c:\pcap
Interface        First active interface   /setinterface           /setinterface={2EAC91A7-118D-31BF-EE57-CFFF577E0E61}
Interface Type   0 (Ethernet)             /setinterfacetype       /setinterfacetype=0 or /setinterfacetype=1

 

The Network Capture Service is a new component which was not available in earlier versions of the EventSentry Sysadmin Tools. When upgrading from a version earlier than v3.2.x, an uninstall and reinstall is necessary to select & install the new component.

 

See Usage for a complete list of command line parameters. The service also logs various status messages to the event log, see Event Log for more information.

 

Dumping to disk

The contents of the buffer can be written to disk with the /dumpbuffer command line parameter, or by creating the following DWORD registry value with a value of "1":

 

HKEY_LOCAL_MACHINE\Software\netikus.net\essysadmintools\es_netcap_svc\save -> 1 (DWORD)

 

If the service is running, then the created value is automatically deleted by the service and the contents of the memory buffer are written to the configured dump directory. The format of the dump file is as follows:

 

es_netcap_dump_YYYY-MM-DD_HH-MM-SS.pcap

 

The service logs event id 120 after the buffer has been successfully written to a file.
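The following PowerShell script is an added example, not part of the EventSentry documentation: it triggers a dump through the registry value described above and then checks that the service consumed the value and produced a file that starts with a valid PCAP header. It assumes the default %TEMP% dump directory, the HKEY_LOCAL_MACHINE hive and a 30 second wait, none of which are documented values beyond the default directory.

```powershell
# Added example (not from the EventSentry docs): trigger a buffer dump via the
# registry and verify the result. Run from an elevated prompt.
$svcName = 'es_netcap_svc'
$key     = 'HKLM:\Software\netikus.net\essysadmintools\es_netcap_svc'
$dumpDir = $env:TEMP     # assumption: default dump directory (/setdumpdir not used)
$timeout = 30            # assumption: seconds to wait for the file to appear

$svc = Get-Service -Name $svcName -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "$svcName is '$($svc.Status)'; the 'save' value is only consumed while the service runs"
}

# Remember existing dumps so the new file can be told apart from older ones.
$existing = @(Get-ChildItem -Path $dumpDir -Filter 'es_netcap_dump_*.pcap' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName)

# Same effect as creating the DWORD value "save" = 1 by hand (or: reg add <key> /v save /t REG_DWORD /d 1)
New-ItemProperty -Path $key -Name 'save' -Value 1 -PropertyType DWord -Force | Out-Null

$deadline = (Get-Date).AddSeconds($timeout)
$newDump  = $null
do {
    Start-Sleep -Seconds 1
    $newDump = Get-ChildItem -Path $dumpDir -Filter 'es_netcap_dump_*.pcap' |
               Where-Object { $existing -notcontains $_.FullName } |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
} until ($newDump -or (Get-Date) -gt $deadline)

if (-not $newDump) { throw "No new dump appeared in $dumpDir within $timeout s" }

# The service deletes the trigger value once it has dumped; a surviving value
# means the request was not picked up (check the event log for event id 120).
if (Get-ItemProperty -Path $key -Name 'save' -ErrorAction SilentlyContinue) {
    Write-Warning "'save' value still present under $key"
}

# Sanity-check the PCAP global header without reading the whole (up to 50 MB) file:
# the first 4 bytes are the magic number 0xA1B2C3D4 (0xA1B23C4D for nanosecond
# timestamps), written in the host's byte order.
$magic = New-Object byte[] 4
$fs = [System.IO.File]::OpenRead($newDump.FullName)
try { $null = $fs.Read($magic, 0, 4) } finally { $fs.Dispose() }
$hex = ($magic | ForEach-Object { $_.ToString('X2') }) -join ''
if ($hex -notin @('D4C3B2A1', 'A1B2C3D4', '4D3CB2A1', 'A1B23C4D')) {
    throw "$($newDump.Name) does not start with a PCAP magic number (got 0x$hex)"
}
'{0}: {1:N0} bytes, magic 0x{2}' -f $newDump.FullName, $newDump.Length, $hex
```

If /setdumpdir was used, point $dumpDir at that directory instead of %TEMP%.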

 

Requirements

Npcap packet sniffing library (recommended) or WinPcap network driver

 

Interface

Service

 

Files

es_netcap_svc_x64.exe

 

Supported Platforms

Windows