NETMON Input Format
The NETMON input format parses network capture files (.cap files) created by the NetMon Network Monitor application.
The NETMON input format works in two different modes, selectable through the fMode parameter.
When the "fMode" parameter is set to "TCPIP", the NETMON input format
returns an input record for each TCP/IP packet found in the capture file.
In this case, input records contain fields from the TCP and IP packet headers, together
with the payload of each packet.
For example, the following command returns the specified fields from the TCP/IP
packets in the capture file:
LogParser "SELECT SrcPort, TCPFlags, PayloadBytes FROM MyCapture.cap" -fMode:TCPIP

The output of this command would look like the following sample:

SrcPort TCPFlags PayloadBytes
------- -------- ------------
445     A        1
1146    A        0
1336    S        0
80      AS       0
1336    A        0
1336    AP       283
1336    A        1431
80      A        0
1336    A        1431
1336    AP       549
When the "fMode" parameter is set to "TCPConn", the NETMON input format
returns an input record for each TCP connection found in the capture file.
In this case, input records contain fields calculated by aggregating all the TCP
packets in the connection, including the reconstructed payload sent by both endpoints.
For example, the following command returns the specified fields from the TCP connections
in the capture file:
LogParser "SELECT SrcPort, TimeTaken, SrcPayloadBytes, DstPayloadBytes FROM MyCapture.cap" -fMode:TCPConn

The output of this command would look like the following sample:

SrcPort TimeTaken    SrcPayloadBytes DstPayloadBytes
------- ------------ --------------- ---------------
1336    150.216000   3694            3673
1284    450.648000   312             1362
1286    711.023000   0               0
1287    1001.440000  0               0
1288    851.224000   0               0
1289    15120.240000 0               0
1283    66619.388000 1886            3718
1291    13663.102000 312             636
1285    47883.357000 312             708
1290    21203.946000 312             1362
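Several connections in the sample above carried no payload in either direction, a pattern that in a capture often marks refused, half-open or probed ports. The following added example (not from the Log Parser documentation) builds on the TCPConn mode to report destinations that accumulate such empty connections; it assumes LogParser.exe is on the PATH and that the DstIP and DstPort fields are available, which this page does not list.

```powershell
# Added example: summarise TCP connections that exchanged no application data.
# Assumptions: LogParser.exe is on the PATH; the NETMON TCPConn records expose
# DstIP and DstPort (not shown on this page). SrcPayloadBytes, DstPayloadBytes
# and TimeTaken are the fields used in the page's own TCPConn example.
param(
    [string]$Capture = 'MyCapture.cap',
    [int]$Threshold = 5   # report a destination port once this many empty connections hit it
)

# Aggregate per destination; HAVING keeps only destinations above the threshold.
$query = @"
SELECT DstIP, DstPort, COUNT(*) AS EmptyConns, AVG(TimeTaken) AS AvgTimeTaken
FROM $Capture
WHERE SrcPayloadBytes = 0 AND DstPayloadBytes = 0
GROUP BY DstIP, DstPort
HAVING COUNT(*) >= $Threshold
ORDER BY EmptyConns DESC
"@

# -i:NETMON names the input format explicitly, -fMode:TCPConn selects one record
# per connection, -o:CSV and -q:ON give clean CSV that ConvertFrom-Csv can parse.
$rows = & LogParser.exe -i:NETMON -fMode:TCPConn -o:CSV -q:ON $query | ConvertFrom-Csv

if (-not $rows) {
    Write-Output "No destination reached $Threshold or more empty connections."
    exit 0
}

foreach ($r in $rows) {
    Write-Output ("{0}:{1}  empty connections={2}  avg TimeTaken={3}" -f
        $r.DstIP, $r.DstPort, $r.EmptyConns, $r.AvgTimeTaken)
}
```

Lower the threshold for small captures; the sample on this page would need a value of 1 to report anything.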