Capturing Network Logon Without Spanning A Port (Part 1 of 2)
Hey Everyone,
Sorry for the delay in posts. I was traveling a bit and not prepared to write a post from the road (aka I forgot my lab's IP address / I was out of ideas). Then the holidays hit and you know how that goes. Alright, on to the fun stuff. Today I want to talk about a creative way to capture some network logon traces. Sometimes when you are troubleshooting a problem you just need a network trace of what is happening. The trace never lies. Most of the time you just install Netcap from the Windows Support Tools, start and stop your capture, and call it a day. But what if you are trying to get a capture of some sort of logon event? For example, a user is trying to log on and the logon is somehow timing out. How could you get a capture of what is happening before anyone is even logged into Windows, when there is no desktop to start Network Monitor from? There are three different ways.
1.) Ask your network team very nicely to span the port for that client machine to capture the traffic while you try to reproduce this.
2.) Go find a hub, plug a laptop into it alongside the client, and do a capture using Network Monitor in promiscuous mode, then once again try to reproduce the problem. (It has to be a hub: a hub repeats every frame out every port, so the laptop sees the client's traffic; a switch only forwards frames to the port they belong to, which is why option 1 needs the span.)
Both 1 and 2 will work fine, but sometimes the network team isn't around and sometimes you can't find the hub in the bottom drawer of your desk. The user is getting a little worked up and needs this solved. Time to get creative.
3.) Run Netcap in a command prompt in interactive mode.
So this one is actually pretty slick. The AT scheduler runs its jobs under the Task Scheduler service, which on XP runs as LocalSystem, and the /interactive switch lets the job put a window on the desktop of whoever is logged on when it fires. Because that process belongs to the service and not to your logon session, it keeps running after you log off. First things first: log in with an account that is a local administrator (AT needs it, and so does the first run of Netcap, which installs the Network Monitor driver) and install the Windows Support Tools if you haven't already. Then open a command prompt and run the following command: "at 15:43 /interactive /next: cmd.exe". Replace 15:43 with whatever time you want the new cmd.exe window to open at. As you can see below I'm logged in as Mark1.
At that designated time a new command prompt should open up running under the system context. Perfect time to start the capture. In this new cmd.exe window, CD over to Support Tools (by default that is C:\Program Files\Support Tools). Run the following command: Netcap /N:1 /B:100 /C:C:\yourfilename.cap. The /N:1 is the number of the network adapter you want to capture on (run Netcap /? and the adapters are listed with their numbers at the end of the output), /B:100 is the capture buffer size in MB, and /C: is where the finished capture file is written. With no /T or /L switch, Netcap keeps capturing until you press the space bar in that window. After this has started running, log out and have the other user try to log in.
(Who needs a Hub?)
For illustration purposes I've logged in as another user (Mark2) and you can see the command prompt and network capture are still running.
(Capturing like a champ)
When you are all done just stop the network capture (space bar in the SYSTEM window), pick up the .cap file from the /C: path, and start investigating in Network Monitor. Keep in mind this only works for XP: starting with Vista, services live in session 0 and interactive users in session 1 and up, so an AT /interactive job can no longer put a window on your desktop. You have to go about it differently for Windows 7, which will be an upcoming post.
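To make the whole dance repeatable, here is the procedure above wrapped in one batch file. This is an added example and not something from the original post: the script schedules itself through AT, and when the SYSTEM window opens it re-runs itself with /capture and starts Netcap. It assumes the Support Tools are in their default folder, adapter number 1, an output file of C:\logon.cap, and that the script itself is saved somewhere without spaces in the path (for example C:\tools\capture_logon.cmd); change the four SET lines if your box differs.

```batch
@echo off
rem capture_logon.cmd -- added example, not code from the original post.
rem Phase 1 (from your own logon, as a local admin):
rem     capture_logon.cmd 15:43
rem   schedules this script to re-run at 15:43 via AT /interactive, i.e. as
rem   LocalSystem with a window on the interactive desktop (XP only).
rem Phase 2 (runs by itself inside the SYSTEM cmd window AT opens):
rem     capture_logon.cmd /capture
rem   starts Netcap; the window outlives your logoff, so log off, have the
rem   affected user log on, then press the space bar in it to stop.
rem Assumptions (adjust to taste): default Support Tools folder, adapter 1,
rem a 100 MB buffer, and this file stored at a path with no spaces.
setlocal
set SUPPORT_TOOLS=C:\Program Files\Support Tools
set ADAPTER=1
set BUFFER_MB=100
set CAPFILE=C:\logon.cap

if not exist "%SUPPORT_TOOLS%\netcap.exe" (
    echo netcap.exe not found in "%SUPPORT_TOOLS%" - install the Windows Support Tools first.
    exit /b 1
)

if /i "%~1"=="/capture" goto capture
if /i "%~1"=="/adapters" goto adapters
if "%~1"=="" (
    echo Usage: %~nx0 HH:MM  ^|  %~nx0 /adapters  ^|  %~nx0 /capture
    exit /b 1
)

rem ---- Phase 1: schedule ourselves as SYSTEM on the interactive desktop ----
rem AT needs local admin. The job is run by the Task Scheduler service
rem (LocalSystem); /interactive puts its window on the current desktop.
at %~1 /interactive cmd.exe /k %~f0 /capture
if errorlevel 1 (
    echo AT failed - run this from a command prompt that has local admin rights.
    exit /b 1
)
echo Scheduled. A SYSTEM cmd window will open at %~1 and start the capture.
rem Show the queued job so you can see it (and its ID, for "at <id> /delete").
at
exit /b 0

:adapters
rem Netcap's /? output ends with the numbered adapter list; that number is
rem what /N: expects.
"%SUPPORT_TOOLS%\netcap.exe" /?
exit /b 0

:capture
rem ---- Phase 2: we are now inside the window that AT opened ----
rem Sanity check: in a LocalSystem process USERNAME expands to SYSTEM. If it
rem does not, AT did not launch us and the capture would die with our logoff.
if /i not "%USERNAME%"=="SYSTEM" (
    echo Not running as SYSTEM ^(USERNAME=%USERNAME%^). Schedule it via AT instead.
    exit /b 1
)
cd /d "%SUPPORT_TOOLS%"
echo Capturing adapter %ADAPTER% to %CAPFILE% with a %BUFFER_MB% MB buffer.
echo Log off now, reproduce the logon problem, then press SPACE here to stop.
netcap /N:%ADAPTER% /B:%BUFFER_MB% /C:%CAPFILE%
if exist "%CAPFILE%" (
    echo Capture saved: %CAPFILE% - open it in Network Monitor.
) else (
    echo Netcap exited but %CAPFILE% was not written; check the messages above.
)
```

Run "capture_logon.cmd /adapters" once to confirm the adapter number before scheduling, and pick a time a couple of minutes out so you have time to get to the SYSTEM window. The USERNAME check is the one thing worth keeping even if you throw the rest away: it is the quickest way to tell whether the prompt you are about to start Netcap in will actually survive your logoff.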
Mark "I think I ate too much holiday joy" Morowczynski