Network Monitor: How to Capture a Two-Sided Network Trace that Terminates Based on an Event in the Event Log

Summary

You may already be familiar with network tracing based on an event in the event log: http://blogs.technet.com/b/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx from a one-sided trace perspective.

The goal here is to build on that to allow two-sided network traces. For the scope of this article, I am assuming that the trigger event will be logged in the event log on the client machine. You can easily reverse the scripts to allow the trigger event to be logged in the event log on the server machine. The scripts are quite simple, and can be found in the More Information section below.

Install Network Monitor 3.4 (or later)

1. Download location: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

2. Install Network Monitor 3.4 on the client machine (a Typical installation is fine)

3. Install Network Monitor 3.4 on the server machine (a Typical installation is fine)

Copy scripts to the machines

4. Copy CaptureStart-Server.cmd and FileMon.vbs to the %programfiles%\Microsoft Network Monitor 3\ directory on the server machine

5. Copy CaptureStart-Client.cmd and EvtMon.vbs to the %programfiles%\Microsoft Network Monitor 3\ directory on the client machine

Start the capture on the server

6. On the server machine, log on to the console with administrative credentials

7. On the server machine, open an administrative Command Prompt and change directory to %programfiles%\Microsoft Network Monitor 3

8. On the server machine, run the following command: CaptureStart-Server.cmd C:\NMCap-Server.cap

Start the capture on the client

9. On the client machine, log on to the console with administrative credentials that also have Write access to C:\ (the C$ administrative share) on the server machine

10. On the client machine, open an administrative Command Prompt and change directory to %programfiles%\Microsoft Network Monitor 3

11. On the client machine, run the following command: CaptureStart-Client.cmd C:\NMCap-Client.cap {event_number} {DNS_name_of_server_machine} {optional_event_log_file_to_monitor}


Notes:

1. You must leave the console session logged in on both machines to ensure that the network capture keeps running until the event is logged

2. The captures run on a circular buffer of 20MB

3. Once the event occurs on the client, the network traces will stop on both machines

a. The client script will ping 4.3.2.1 locally to stop the client trace

b. The client script will write a text file to C:\ on the server to trigger the stop of the server trace

c. The server script watches for the existence of the text file and will ping 4.3.2.1 locally to stop the server trace
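As an added example (not one of the article's scripts), the same client-side flow in Windows PowerShell: it verifies up front that the stop file can be written to the server's C$ share, subscribes to the same WQL event query EvtMon.vbs uses, waits for the event with a timeout so an unattended capture cannot run forever, and then stops both traces the way the .cmd scripts do. The nmcap.exe path and the $TimeoutSeconds default are assumptions; run it from an elevated prompt on the client.

```powershell
# Added example, not the article's own script: client-side trigger in Windows PowerShell.
# Usage (elevated, on the client):  .\CaptureStart-Client.ps1 C:\NMCap-Client.cap 4625 server01 Security
param(
    [Parameter(Mandatory = $true)][string]$CaptureFile,
    [Parameter(Mandatory = $true)][int]$EventNumber,
    [Parameter(Mandatory = $true)][string]$ServerName,
    [string]$LogFile = "",
    [int]$TimeoutSeconds = 3600      # assumption: give up after one hour
)
$nmcap    = Join-Path $env:ProgramFiles 'Microsoft Network Monitor 3\nmcap.exe'  # assumed install path
$stopFile = "\\$ServerName\C$\StopNMCap.txt"   # the path the server's FileMon.vbs watches

# Pre-flight: prove the stop file can be written now, not after the repro has run.
try {
    Set-Content -Path $stopFile -Value 'probe' -ErrorAction Stop
    Remove-Item  -Path $stopFile -ErrorAction Stop
} catch {
    throw "Cannot write $stopFile, so the server trace could never be stopped: $_"
}

# Same WQL subscription EvtMon.vbs uses, with the optional LogFile filter.
$wql = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
       "AND TargetInstance.EventCode = $EventNumber"
if ($LogFile) { $wql += " AND TargetInstance.LogFile = '$LogFile'" }

# Subscribe before starting the capture so an event that fires immediately is not missed.
Register-WmiEvent -Query $wql -SourceIdentifier NMCapTrigger | Out-Null
Write-Host 'Starting capture...'
Start-Process -FilePath $nmcap -ArgumentList @(
    '/network', '*', '/capture', '/file', $CaptureFile,
    '/stopwhen', '/frame', '"ipv4.DestinationAddress==4.3.2.1"', '/DisableConversations')

$evt = Wait-Event -SourceIdentifier NMCapTrigger -Timeout $TimeoutSeconds
Unregister-Event -SourceIdentifier NMCapTrigger
if ($null -eq $evt) {
    Write-Warning "No event $EventNumber within $TimeoutSeconds s; stopping both traces anyway."
} else {
    $e = $evt.SourceEventArgs.NewEvent.TargetInstance
    Write-Host "Stop event detected: $($e.Logfile) event $($e.EventCode) at $($e.TimeWritten)"
    $evt | Remove-Event
}

# Stop order: the local sentinel ping ends the client trace, the stop file ends the server trace.
ping -n 1 4.3.2.1 | Out-Null
Set-Content -Path $stopFile -Value 'This file is used to stop NMCap.exe on the server.'
```

Register-WmiEvent is the Windows PowerShell cmdlet; on PowerShell 7 use Register-CimIndicationEvent with the same query.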

 

Gather the data

1. Collect C:\NMCap-Server.cap from the server machine

2. Collect C:\NMCap-Client.cap from the client machine

Clean-up

1. On the client, delete CaptureStart-Client.cmd and EvtMon.vbs from the %programfiles%\Microsoft Network Monitor 3\ directory

2. On the server, delete CaptureStart-Server.cmd and FileMon.vbs from the %programfiles%\Microsoft Network Monitor 3\ directory

3. (Optional) Uninstall Network Monitor 3.4 from the client and server

4. Make sure that the file created to stop the server trace was cleaned up: C:\StopNMCap.txt (the server script should have done this for you)

 

More Information

Script code:

CaptureStart-Server.cmd

@echo off
if "%1"=="" goto Usage
echo Starting capture....
REM Following line is wrapped
start cmd.exe /c nmcap /network * /capture /file %1 /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
REM FileMon.vbs blocks until C:\StopNMCap.txt appears (written by the client)
cscript //NoLogo FileMon.vbs
echo Stop event detected. Stopping the network trace....
REM The sentinel ping matches the nmcap /stopwhen filter and ends the capture
ping -n 1 4.3.2.1
goto :EOF

:Usage
echo Usage:
echo   %0 CaptureFile

 

CaptureStart-Client.cmd

@echo off
if "%1"=="" goto Usage
if "%2"=="" goto Usage
if "%3"=="" goto Usage
echo Starting capture....
REM Following line is wrapped
start cmd.exe /c nmcap /network * /capture /file %1 /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
REM EvtMon.vbs blocks until the requested event ID is logged (%4 is the optional log name)
cscript //NoLogo EvtMon.vbs %2 %4
echo Stop event detected. Stopping the network trace....
REM The sentinel ping matches the nmcap /stopwhen filter and ends the local capture
ping -n 1 4.3.2.1
REM Write the stop file to the server's C$ admin share; FileMon.vbs on the server is waiting for it
echo "This file is used to stop NMCap.exe on the server." > \\%3\C$\StopNMCap.txt
goto :EOF

:Usage
echo Usage:
echo   %0 CaptureFile EventNumber ServerDNSName [LogFile]
echo       LogFile is optional.  If used, it is the event log name,
echo       e.g. application, system, security, etc...

 

FileMon.vbs

Option Explicit
Dim fso, deleteFile
Set fso = CreateObject("Scripting.FileSystemObject")

' A leftover stop file from an earlier run would end the capture immediately,
' so refuse to run and clean it up instead.
If (fso.FileExists("C:\StopNMCap.txt")) Then
    WScript.Echo(vbCrLf & vbCrLf & "StopNMCap.txt already exists! This is not a valid test." & vbCrLf & "Deleting the file and quitting..." & vbCrLf & vbCrLf)
    Set deleteFile = fso.GetFile("C:\StopNMCap.txt")
    deleteFile.Delete
    WScript.Sleep(3000)
    WScript.Quit()
End If

' Poll every two seconds until the client writes the stop file
Do Until (fso.FileExists("C:\StopNMCap.txt"))
    WScript.Sleep(2000)
Loop

' Remove the stop file so the next run starts clean
Set deleteFile = fso.GetFile("C:\StopNMCap.txt")
deleteFile.Delete
WScript.Quit()

 

EvtMon.vbs

'======================================================================
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.
Public Sub PrintHelp
    WScript.Echo "Usage:"
    WScript.Echo "  EvtMon EventNumber [LogFileDisplayName]"
    WScript.Echo "    LogFile is optional.  If used, it is the event log name,"
    WScript.Echo "    e.g. application, system, security, etc..."
End Sub

' Get the arguments.  Check for event number and log file as arguments
Set objArgs = WScript.Arguments

' See how many arguments we have and collect them.
If objArgs.Count < 1 Or objArgs.Count > 2 Then
    PrintHelp
ElseIf objArgs.Count > 1 Then
    EventNumber = objArgs(0)
    LogFile = objArgs(1)
Else
    EventNumber = objArgs(0)
    LogFile = ""
End If

If EventNumber <> "" Then
    strComputer = "."
    ' Attach to the WMI service; the (Security) privilege is needed to
    ' subscribe to Security log events.
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
            strComputer & "\root\cimv2")

    ' If the LogFile is populated, add it to our query.  Create an
    ' event log monitoring object and send it a query.
    If LogFile = "" Then
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber & "'")
    Else
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber _
                    & "' and TargetInstance.LogFile = '" _
                    & LogFile & "'")
    End If

    ' NextEvent blocks until the next matching event is written.
    Set objLatestEvent = colMonitoredEvents.NextEvent

    ' Print some info about the event log entry we encountered.
    WScript.Echo objLatestEvent.TargetInstance.User
    WScript.Echo objLatestEvent.TargetInstance.TimeWritten
    WScript.Echo objLatestEvent.TargetInstance.Message
    WScript.Echo objLatestEvent.TargetInstance.Logfile
    WScript.Echo
End If