Using EvtMon.vbs and NMCap to take a Network Monitor trace when a particular event is generated.
There are times when you want to take a Network Monitor trace only when a certain event is logged on the server or workstation, rather than leaving a capture running indefinitely. There is a nice blog post that explains the usage of EvtMon and NMCap for exactly this.
To elaborate on it and simplify the steps, I am adding more information here.
You need Network Monitor 3.4 or later installed; NMCap.exe, the command-line capture tool used below, ships with it.
1. Create a batch file as explained in the post above and put it in the Network Monitor installation folder under Program Files. The batch file calls nmcap by its bare name, so it must be run from that folder (or the folder must be on the PATH).
Batch file (taken from the blog post linked above)
**********************copy the following into Notepad and save it, for example, as nmcap.bat*********************
@echo off
if "%1"=="" goto Usage
if "%2"=="" goto Usage
REM Start NMCap in a second window. The capture keeps running until NMCap sees a frame
REM addressed to 4.3.2.1, the sentinel address this batch file pings once the event fires.
REM Following line is wrapped
start cmd.exe /c nmcap /network * /capture /file %1 /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
REM Block here until EvtMon.vbs sees an event with ID %2 (optionally restricted to the log named in %3).
cscript //NoLogo EvtMon.vbs %2 %3
REM One ICMP echo to the sentinel address satisfies the /stopwhen filter and ends the capture.
ping -n 1 4.3.2.1
goto :EOF
:Usage
echo Usage:
echo %0 CaptureFile EventNumber [LogFile]
echo LogFile is optional. If used, it is the event log name,
echo i.e. application, system, security, etc...
Two things to check before relying on this: the stop trigger only works if the machine has a route toward 4.3.2.1 (normally via the default gateway), because NMCap has to see the outgoing ICMP frame on an interface it is capturing; and 4.3.2.1 is a real Internet address, so pick a sentinel that is acceptable to send a single ping to from your network if that one is not.
--> New note: while working on another case I came across a scenario where we wanted to capture only the traffic between two specific machines, so the variation of the NMCap line above would be the following (the rest remaining the same). The capture filter has to name both endpoints: as posted, both sides of the "and" use 30.30.30.4, which simply matches any traffic to or from that one host, so put the other machine's address on the second side. /maxframelength 256 keeps only the first 256 bytes of each frame, which is enough for the headers and keeps the file small.
*****************replace the nmcap line above with the following for specific traffic*********
REM Following line is wrapped; replace the second ipv4.address with the other machine's IP
start cmd.exe /c nmcap /network * /maxframelength 256 /capture (ipv4.address==30.30.30.4 and ipv4.address==30.30.30.4 ) /file %1 /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
********************************************************************************
2. Copy the contents of the script from the post above (shown below) into Notepad, save it as EvtMon.vbs and put it in the Network Monitor installation directory. The script waits for the next Win32_NTLogEvent whose EventCode matches the event ID you pass; because it asks for the Security privilege in the WMI moniker, reading the Security log works only from an elevated prompt.
'======================================================================
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.
Public Sub PrintHelp
Wscript.Echo "Usage:"
Wscript.Echo " EvtMon EventNumber [LogFileDisplayName]"
Wscript.Echo " LogFile is optional. If used, the eventlog name"
Wscript.Echo " file ie, application, system, security, etc..."
End Sub
' Get the arguments. Check for event number and log file as arguments
Set objArgs = WScript.Arguments
' See how many arguments we have and collect them.
if objArgs.Count < 1 OR objArgs.Count > 2 Then
PrintHelp
ElseIf objArgs.Count > 1 Then
EventNumber = objArgs(0)
LogFile = objArgs(1)
Else
EventNumber = objArgs(0)
LogFile = ""
End If
If EventNumber <> "" Then
strComputer = "."
' Attach to the WMI service, requesting the Security privilege so the Security log can be read
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
strComputer & "\root\cimv2")
' if the LogFile is populated add this to our query. Create a
' Event Log monitoring object and send it a query.
If LogFile = "" Then
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
("Select * from __InstanceCreationEvent Where " _
& "TargetInstance ISA 'Win32_NTLogEvent' " _
& "and TargetInstance.EventCode = '" _
& EventNumber & "'")
Else
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
("Select * from __InstanceCreationEvent Where " _
& "TargetInstance ISA 'Win32_NTLogEvent' " _
& "and TargetInstance.EventCode = '" _
& EventNumber _
& "' and TargetInstance.LogFile = '" _
& LogFile & "'")
End If
' Create an object which returns when the next event occurs.
Set objLatestEvent = colMonitoredEvents.NextEvent
' Print some info based on the event log we encountered.
Wscript.Echo objLatestEvent.TargetInstance.User
Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
Wscript.Echo objLatestEvent.TargetInstance.Message
WScript.Echo objLatestEvent.TargetInstance.Logfile
Wscript.Echo
End If
3. Also copy cmd.exe from the System32 folder to the Network Monitor installation folder, as the original post does (start resolves cmd.exe through the PATH anyway, so the copy is not strictly required, but it does no harm). Your Network Monitor installation folder will then contain nmcap.bat, EvtMon.vbs and cmd.exe alongside NMCap.exe.
4. Then run the batch file from a command prompt opened in that folder (an elevated one if the event lives in the Security log), for example:
nmcap.bat trace.cap 4624
Here trace.cap is the name of the network trace file and 4624 ("An account was successfully logged on", in the Security log) is the event ID for which we want to take a trace in this example. To wait for that ID in one particular log only, pass the log name as the third argument, e.g. nmcap.bat trace.cap 4624 Security.
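As an added example (not code from the original post, the linked post or Network Monitor itself), here is the same procedure written as one PowerShell script that replaces nmcap.bat plus EvtMon.vbs. It subscribes to the same WQL query the VBScript sends, starts NMCap with the same /stopwhen sentinel, and pings the sentinel once the event arrives. The NMCap install path, the script and parameter names, and the -CaptureFilter / -MaxFrameLength options (which reproduce the two-host variant above) are my assumptions; run it from an elevated prompt if the event is in the Security log.

```powershell
<#
  Added example (not from the original post): PowerShell replacement for nmcap.bat + EvtMon.vbs.
  Usage from an elevated prompt (script name and parameters are assumed, not from the post):
    .\Start-EventTriggeredTrace.ps1 -CaptureFile C:\traces\trace.cap:200M -EventId 4624 -LogName Security
    .\Start-EventTriggeredTrace.ps1 -CaptureFile trace.cap -EventId 4624 `
        -CaptureFilter 'ipv4.address==30.30.30.4 and ipv4.address==30.30.30.5' -MaxFrameLength 256
#>
param(
    [Parameter(Mandatory)] [string] $CaptureFile,   # NMCap /file argument; a ":200M" suffix caps the file size
    [Parameter(Mandatory)] [int]    $EventId,       # event ID to wait for, e.g. 4624
    [string] $LogName = '',                         # Application, System, Security, ...; empty = any log
    [string] $CaptureFilter = '',                   # optional NMCap capture filter (assumed parameter)
    [int]    $MaxFrameLength = 0,                   # 0 = full frames; e.g. 256 keeps headers only
    [string] $StopAddress = '4.3.2.1',              # sentinel: one ping to it satisfies /stopwhen
    [string] $NmcapPath = "$env:ProgramFiles\Microsoft Network Monitor 3\NMCap.exe"  # assumption: default install path
)

# Same WQL the VBScript sends, built the same way (EventCode is numeric, Logfile is a string).
$wql = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
       "AND TargetInstance.EventCode = $EventId"
if ($LogName) { $wql += " AND TargetInstance.Logfile = '$LogName'" }

# Subscribe BEFORE starting the capture so an event logged during NMCap start-up is not lost.
$sourceId = 'EvtMonTrigger'
Register-CimIndicationEvent -Query $wql -SourceIdentifier $sourceId | Out-Null

# Assemble the NMCap command line in the same switch order as the batch file;
# the capture filter is double-quoted because it contains spaces.
$nmArgs = '/network *'
if ($MaxFrameLength -gt 0) { $nmArgs += " /maxframelength $MaxFrameLength" }
$nmArgs += ' /capture'
if ($CaptureFilter) { $nmArgs += " `"$CaptureFilter`"" }
$nmArgs += " /file `"$CaptureFile`" /stopwhen /frame `"ipv4.DestinationAddress==$StopAddress`" /DisableConversations"

Write-Host "Starting: `"$NmcapPath`" $nmArgs"
$nm = Start-Process -FilePath $NmcapPath -ArgumentList $nmArgs -PassThru

try {
    Write-Host "Waiting for event ID $EventId$(if ($LogName) { " in the $LogName log" })..."
    $evt  = Wait-Event -SourceIdentifier $sourceId           # blocks until the event is written
    $inst = $evt.SourceEventArgs.NewEvent.TargetInstance     # the Win32_NTLogEvent that fired
    Write-Host ("Trigger: EventCode {0} in {1} at {2} user={3}" -f `
        $inst.EventCode, $inst.Logfile, $inst.TimeWritten, $inst.User)
    Write-Host $inst.Message
    $evt | Remove-Event
}
finally {
    # A single ICMP echo to the sentinel is the frame NMCap is waiting for; the capture then closes itself.
    ping.exe -n 1 $StopAddress | Out-Null
    Unregister-Event -SourceIdentifier $sourceId
    if (-not $nm.WaitForExit(30000)) {
        Write-Warning "NMCap did not stop within 30 s; is $StopAddress routable from this host?"
    }
}
```

The finally block runs the ping even if you abort the wait with Ctrl+C, so an interrupted run does not leave NMCap capturing in the background. Registering the CIM indication before Start-Process closes the small window the batch file has between starting NMCap and starting cscript, during which an event could be logged without anyone listening.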
Comments
Anonymous
January 01, 2003
Here you go: nmcap.bat trace.cap:200M 4624. So you can mention the size after the name of the file with :size, and then the event ID.
Anonymous
April 22, 2013
Hey Suraj!! This one's very informative and useful.. See if you can add the option of limiting the output trace to a certain number of megs.. Cheers!!