Network Monitor: How to Capture a Two-Sided Network Trace that Terminates Based on an Event in the Event Log
Summary
You may already be familiar with stopping a one-sided network trace based on an event in the event log: http://blogs.technet.com/b/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx
The goal here is to build on that to allow two-sided network traces. For the scope of this article, I am assuming that the trigger event will be logged in the event log on the client machine. You can easily reverse the scripts to allow the trigger event to be logged in the event log on the server machine. The scripts are quite simple, and can be found in the More Information section below.
Install Network Monitor 3.4 (or later)
1. Download location: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
2. Install Network Monitor 3.4 on the client machine (Typical installation is fine)
3. Install Network Monitor 3.4 on the server machine (Typical installation is fine)
Copy scripts to the machines
4. Copy CaptureStart-Server.cmd and FileMon.vbs to the server machine %programfiles%\Microsoft Network Monitor 3\ directory
5. Copy CaptureStart-Client.cmd and EvtMon.vbs to the client machine %programfiles%\Microsoft Network Monitor 3\ directory
Start the capture on the server
6. On the server machine, log on to the console with administrative credentials
7. On the server machine, open an administrative Command Prompt, and change directory to %programfiles%\Microsoft Network Monitor 3
8. On the server machine, run the following command: “CaptureStart-Server.cmd C:\NMCap-Server.cap”
Start the capture on the client
9. On the client machine, log on to the console with administrative credentials that also have Write access to C:\ on the server machine (the client script writes the stop file through the C$ administrative share, so in practice this account must be a local administrator on the server)
10. On the client machine, open an administrative Command Prompt, and change directory to %programfiles%\Microsoft Network Monitor 3
11. On the client machine, run the following command: “CaptureStart-Client.cmd C:\NMCap-Client.cap {event_number} {DNS_name_of_server_machine} {optional_event_log_file_to_monitor}”
Notes:
1. You must leave the console session logged in on both machines in order to ensure that the network capture executes until the event is logged
2. The captures run on a circular buffer of 20MB
3. Once the event occurs on the client, the network traces will stop on both machines
a. The client script will ping 4.3.2.1 locally to stop the client trace
b. The client script will write a text file to C:\ on the server to trigger the stop of the server trace
c. The server script watches for the text file's existence and will ping 4.3.2.1 locally to stop the server trace
4. The stop condition is nmcap's /stopwhen filter "ipv4.DestinationAddress==4.3.2.1". The ping is a real ICMP echo request to a routable address, so it leaves the host and appears as the last frame in each capture; any other traffic to 4.3.2.1 during the test will end the trace early
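The whole procedure above, as one PowerShell script that plays either role. This is an added example, not part of the original article or of the Network Monitor product. It assumes the same nmcap command line, stop address and marker file as the .cmd scripts in More Information, polls Get-WinEvent instead of subscribing through WMI (so it behaves the same under Windows PowerShell 5.1 and PowerShell 7), and the parameter and function names are mine.

```powershell
<#
  Added example (not the article's own scripts): two-sided nmcap capture stopped by an
  event log event on the client. Run as administrator in "%programfiles%\Microsoft
  Network Monitor 3" on both machines, server first:
    .\TwoSidedCapture.ps1 -Role Server -CaptureFile C:\NMCap-Server.cap
    .\TwoSidedCapture.ps1 -Role Client -CaptureFile C:\NMCap-Client.cap -EventId 1234 -ServerName srv01
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Client','Server')][string]$Role,
    [Parameter(Mandatory)][string]$CaptureFile,          # e.g. C:\NMCap-Client.cap
    [int]$EventId,                                       # client only: trigger event ID (assumed value)
    [string]$ServerName,                                 # client only: DNS name of the server
    [string[]]$LogName = @('Application','System'),      # client only: logs to watch
    [string]$StopMarker = 'C:\StopNMCap.txt',            # server-side marker file (same as the article)
    [string]$StopAddress = '4.3.2.1'                     # destination that satisfies the /stopwhen filter
)

$nmcap = Join-Path $env:ProgramFiles 'Microsoft Network Monitor 3\nmcap.exe'
if (-not (Test-Path $nmcap)) { throw "nmcap.exe not found at $nmcap" }

function Start-TriggeredCapture {
    param([string]$File)
    # Same nmcap command line as the article's .cmd files; only the quoting differs.
    $nmArgs = @('/network', '*', '/capture', '/file', $File,
                '/stopwhen', '/frame', "`"ipv4.DestinationAddress==$StopAddress`"",
                '/DisableConversations')
    Start-Process -FilePath $nmcap -ArgumentList $nmArgs -PassThru
}

function Send-StopFrame {
    # nmcap exits when it sees a frame addressed to $StopAddress; one ICMP echo is enough.
    # This is a real packet that leaves the host and is itself captured as the last frame.
    & ping.exe -n 1 $StopAddress | Out-Null
}

function Wait-ForEvent {
    param([int]$Id, [string[]]$Logs)
    # Poll every 2 s for the first matching event written after we started watching.
    $since = Get-Date
    while ($true) {
        $hit = Get-WinEvent -FilterHashtable @{ LogName = $Logs; Id = $Id; StartTime = $since } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($hit) { return $hit }
        Start-Sleep -Seconds 2
    }
}

switch ($Role) {
    'Server' {
        # A marker left over from an earlier run would stop this capture immediately:
        # refuse to start, as the article's FileMon.vbs does.
        if (Test-Path $StopMarker) {
            Write-Warning "$StopMarker already exists; removing stale marker and aborting (not a valid test)."
            Remove-Item $StopMarker -Force
            return
        }
        $proc = Start-TriggeredCapture -File $CaptureFile
        Write-Host "Capturing to $CaptureFile; waiting for $StopMarker ..."
        while (-not (Test-Path $StopMarker)) { Start-Sleep -Seconds 2 }
        Remove-Item $StopMarker -Force
        Send-StopFrame
        Wait-Process -Id $proc.Id -Timeout 60 -ErrorAction SilentlyContinue
        Write-Host 'Server capture stopped.'
    }
    'Client' {
        if (-not $EventId -or -not $ServerName) { throw 'Client role needs -EventId and -ServerName' }
        $proc = Start-TriggeredCapture -File $CaptureFile
        Write-Host "Capturing to $CaptureFile; waiting for event ID $EventId in $($LogName -join ', ') ..."
        $evt = Wait-ForEvent -Id $EventId -Logs $LogName
        Write-Host ('Trigger: {0} {1} id={2}' -f $evt.TimeCreated, $evt.LogName, $evt.Id)
        Send-StopFrame
        # Signal the server over its admin share; needs Write access to C$ as noted above.
        $remoteMarker = "\\$ServerName\C`$\StopNMCap.txt"
        Set-Content -Path $remoteMarker -Value 'This file is used to stop nmcap.exe on the server.'
        Wait-Process -Id $proc.Id -Timeout 60 -ErrorAction SilentlyContinue
        Write-Host 'Client capture stopped.'
    }
}
```

Unlike the .cmd versions, the script checks for a stale marker before nmcap is started, so an aborted server run does not leave a capture process behind, and it waits for nmcap to exit before returning so the .cap file is closed when you collect it. Watching the Security log requires the elevated session the article already asks for.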
Gather the data
1. Collect C:\NMCap-Server.cap from the server machine
2. Collect C:\NMCap-Client.cap from the client machine
Clean-up
1. On the client, delete CaptureStart-Client.cmd and EvtMon.vbs from the %programfiles%\Microsoft Network Monitor 3\ directory
2. On the server, delete CaptureStart-Server.cmd and FileMon.vbs from the %programfiles%\Microsoft Network Monitor 3\ directory
3. (Optional) Uninstall Network Monitor 3.4 from the client and server
4. Make sure that the file that was created to stop the server trace got cleaned up: C:\StopNMCap.txt (the server script should have done this for you)
More Information
Script code:
CaptureStart-Server.cmd
@echo off
if "%1"=="" goto Usage
echo Starting capture....
REM Following line is wrapped
start cmd.exe /c nmcap /network * /capture /file %1 /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
cscript //NoLogo FileMon.vbs
echo Stop event detected. Stopping the network trace....
ping -n 1 4.3.2.1
goto :EOF
:Usage
echo Usage:
echo %0 CaptureFile
CaptureStart-Client.cmd
@echo off
if "%1"=="" goto Usage
if "%2"=="" goto Usage
if "%3"=="" goto Usage
echo Starting capture....
REM Following line is wrapped
start cmd.exe /c nmcap /network * /capture /file %1 /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
cscript //NoLogo EvtMon.vbs %2 %4
echo Stop event detected. Stopping the network trace....
ping -n 1 4.3.2.1
echo "This file is used to stop NMCap.exe on the server." > \\%3\C$\StopNMCap.txt
goto :EOF
:Usage
echo Usage:
echo %0 CaptureFile EventNumber ServerDNSName [LogFile]
echo LogFile is optional. If used, it is the name of the event log
echo to watch, e.g. Application, System, Security, etc.
FileMon.vbs
Option Explicit
DIM fso, deleteFile
Set fso = CreateObject("Scripting.FileSystemObject")
If (fso.FileExists("C:\StopNMCap.txt")) Then
WScript.Echo(vbcrlf & vbcrlf & "StopNMCap.txt already exists! This is not a valid test." & vbcrlf & "Deleting the file and quitting..." & vbcrlf & vbcrlf)
set deleteFile = fso.GetFile("C:\StopNMCap.txt")
deleteFile.Delete
WScript.Sleep(3000)
WScript.Quit()
End If
Do Until (fso.FileExists("C:\StopNMCap.txt"))
WScript.Sleep(2000)
Loop
set deleteFile = fso.GetFile("C:\StopNMCap.txt")
deleteFile.Delete
WScript.Quit()
EvtMon.vbs
'======================================================================
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.
Public Sub PrintHelp
Wscript.Echo "Usage:"
Wscript.Echo " EvtMon EventNumber [LogFileDisplayName]"
Wscript.Echo " LogFileDisplayName is optional. If used, it is the name of the"
Wscript.Echo " event log to watch, e.g. Application, System, Security, etc."
End Sub
' Get the arguments. Check for event number and log file as arguments
Set objArgs = WScript.Arguments
' See how many arguments we have and collect them.
if objArgs.Count < 1 OR objArgs.Count > 2 Then
PrintHelp
ElseIf objArgs.Count > 1 Then
EventNumber = objArgs(0)
LogFile = objArgs(1)
Else
EventNumber = objArgs(0)
LogFile = ""
End If
If EventNumber <> "" Then
strComputer = "."
' Attach to the WMI service on the local machine. The (Security) privilege
' is required for notification queries against the Security log.
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
strComputer & "\root\cimv2")
' if the LogFile is populated add this to our query. Create a
' Event Log monitoring object and send it a query.
If LogFile = "" Then
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
("Select * from __InstanceCreationEvent Where " _
& "TargetInstance ISA 'Win32_NTLogEvent' " _
& "and TargetInstance.EventCode = '" _
& EventNumber & "'")
Else
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
("Select * from __InstanceCreationEvent Where " _
& "TargetInstance ISA 'Win32_NTLogEvent' " _
& "and TargetInstance.EventCode = '" _
& EventNumber _
& "' and TargetInstance.LogFile = '" _
& LogFile & "'")
End If
' Create an object which returns when the next event occurs.
Set objLatestEvent = colMonitoredEvents.NextEvent
' Print some info based on the event log we encountered.
Wscript.Echo objLatestEvent.TargetInstance.User
Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
Wscript.Echo objLatestEvent.TargetInstance.Message
WScript.Echo objLatestEvent.TargetInstance.Logfile
Wscript.Echo
End If