It is amazing to see what one little innocent question and two topic suggestions can generate.
Your question was:
Do you have any good LogParser tricks?
and your topic suggestions: Scripting, Tools and Utilities
This will most definitely span multiple posts as the answers generated by the MSCOM Ops team keep pouring in.
Let's start with NetCap.exe.
Netcap provides capture abilities only from a command prompt; to open the resulting capture (.cap) files, you must use the full Network Monitor interface. Netcap is installed when you install the Support Tools that are on the Windows XP CD-ROM. For additional information about how to install these tools, click the article number below to view the article in the Microsoft Knowledge Base:
306794 (http://support.microsoft.com/kb/306794/EN-US/) How to Install the Support Tools from the Windows XP CD-ROM
Network Monitor is provided with Windows Server products and Microsoft Systems Management Server (SMS). Netcap provides capture abilities that are similar to the version of Network Monitor that is included with the Windows Server products; however, you must use Netcap at a command prompt. Netcap installs the Network Monitor driver and binds it to all adapters when you first run the Netcap command.
This is a real-world example of how we use NetCap.exe.
Capturing network traffic using netcap.exe and a capture filter (the example below is for outgoing GET, HEAD and POST HTTP requests).
'Start netcap on network interface 0, using a 500MB buffer size and the capture filter http_filter.cf; save the capture to e:\capture\temp.cap and run the capture for a duration of 1 hour.
netcap.exe /B:500 /N:0 /F:E:\capture\http_filter.cf /C:E:\capture\temp.cap /L:01:00:00
'Sample capture filter saved as http_filter.cf (ADDRESSPAIR lines restrict the capture to TCP (protocol 6) from the two web server addresses; the PATTERN lines are the hex bytes of "HEAD ", "POST " and "GET " at offset 36)
ADDRESSPAIR1=0, 0, 1, 192.168.100.60, 6, *ANY,[WEBSERVERONE][*ANY]
ADDRESSPAIR2=0, 0, 1, 192.168.100.40, 6, *ANY,[WEBSERVERONE][*ANY]
PATTERN1=0, 36, 5,4845414420
PATTERN2=0, 36, 5,504F535420
PATTERN3=0, 36, 4,47455420
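The three PATTERN lines above are easy to get wrong by hand (a length field that disagrees with the hex, or a method without its trailing space, and the filter quietly matches nothing or too much). The following Python helper is an added example, not part of the original post or of Network Monitor: it decodes PATTERN lines back to the text they match and builds new ones from a list of HTTP methods. The field layout PATTERNn=flag, offset, length, hexbytes is inferred from the three lines in the post; the first field is kept at 0 exactly as the post has it, and its meaning is an assumption.

```python
"""Decode and build Network Monitor capture-filter (.cf) PATTERN lines.

Added example; not from the original post and not Network Monitor code.
Assumed layout (inferred from the post): PATTERNn=<flag>, <offset>, <length>, <hex bytes>.
The <flag> field is kept at 0 as in the post; its meaning is not stated there.
"""

import re

PATTERN_RE = re.compile(
    r"^PATTERN(?P<n>\d+)=\s*(?P<flag>\d+)\s*,\s*(?P<offset>\d+)\s*,"
    r"\s*(?P<length>\d+)\s*,\s*(?P<hex>[0-9A-Fa-f]+)\s*$"
)


def decode_pattern(line):
    """Return (offset, length, matched_text) for one PATTERN line.

    Raises ValueError when the <length> field disagrees with the number of
    hex bytes, the usual way a hand-edited filter ends up matching nothing.
    """
    m = PATTERN_RE.match(line.strip())
    if not m:
        raise ValueError("not a PATTERN line: %r" % line)
    raw = bytes.fromhex(m.group("hex"))
    length = int(m.group("length"))
    if len(raw) != length:
        raise ValueError("length field %d but %d hex bytes in %r" % (length, len(raw), line))
    return int(m.group("offset")), length, raw.decode("ascii", errors="replace")


def decode_cf(text):
    """Decode every PATTERN line in a filter file body."""
    return [decode_pattern(l) for l in text.splitlines()
            if l.strip().upper().startswith("PATTERN")]


def build_pattern_lines(methods, offset=36, start=1):
    """Build PATTERN lines for HTTP methods.

    Each pattern is the method plus the following space, so "GET " does not
    also match a request line that merely starts with the letters GET.
    """
    lines = []
    for i, method in enumerate(methods, start=start):
        raw = (method + " ").encode("ascii")
        lines.append("PATTERN%d=0, %d, %d,%s" % (i, offset, len(raw), raw.hex().upper()))
    return lines


# Constructed input: the three PATTERN lines from the post.
SAMPLE_CF = """PATTERN1=0, 36, 5,4845414420
PATTERN2=0, 36, 5,504F535420
PATTERN3=0, 36, 4,47455420"""


if __name__ == "__main__":
    for off, ln, txt in decode_cf(SAMPLE_CF):
        print("offset %d, %d bytes: %r" % (off, ln, txt))
    print("\n".join(build_pattern_lines(["HEAD", "POST", "GET"])))
```

Running decode_cf over the post's filter shows it matches "HEAD ", "POST " and "GET " at offset 36, and build_pattern_lines(["HEAD", "POST", "GET"]) reproduces those three lines byte for byte, which is a quick way to review a filter before handing it to netcap.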
Parse the netcap capture using logparser and export the data to a SQL database
logparser.exe -i:netmon -o:sql file:E:\capture\http.sql?logfile=E:\capture\temp.cap -server:SQLSEVER01 -database:NETWORKDATABASE
'LogParser query saved in http.sql (%logfile% is supplied by the logfile= parameter on the command line above; HttpRequests is a placeholder table name, the post does not give one; the alias was changed from User-Agent to UserAgent because a hyphen in an unquoted alias breaks the query)
select DateTime, SrcIP, SrcPort, DstIP, DstPort, PayloadBytes,
    EXTRACT_TOKEN(Payload,0,' ') as RequestType,
    EXTRACT_TOKEN(Payload,1,' ') as URI,
    EXTRACT_TOKEN(EXTRACT_TOKEN(Payload,1,'Host:'),0,'..') as Host,
    EXTRACT_TOKEN(EXTRACT_TOKEN(Payload,1,'User-Agent: '),0,'..') as UserAgent
into HttpRequests
from %logfile%
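To see exactly what the nested EXTRACT_TOKEN calls pull out of each payload, here is a small Python model of the query's string handling. It is an added example, not part of the original post and not LogParser itself: extract_token() follows LogParser's documented behaviour (split on the separator string, return the N-th piece, NULL when it does not exist), the header-line separator is assumed to be CRLF (the post shows '..' there), and the sample request is constructed.

```python
"""Model of the column extraction performed by the LogParser query above.

Added example; not from the post and not LogParser code. extract_token()
mirrors LogParser's EXTRACT_TOKEN(string, index, separator). The header-line
separator is assumed to be CRLF; the post's query shows '..' at that spot.
"""

HTTP_METHODS = ("GET", "HEAD", "POST")  # the methods the capture filter admits


def extract_token(s, index, sep):
    """Split s on sep and return token number `index` (0-based), or None (NULL)."""
    if s is None:
        return None
    parts = s.split(sep)
    return parts[index] if index < len(parts) else None


def header_value(payload, name):
    """Mirror EXTRACT_TOKEN(EXTRACT_TOKEN(Payload, 1, name), 0, CRLF):
    the text after the first occurrence of `name` up to the end of that line.
    Note this is a plain substring match, so a header such as X-Forwarded-Host:
    appearing before Host: would be picked up instead."""
    rest = extract_token(payload, 1, name)
    line = extract_token(rest, 0, "\r\n")
    return line.strip() if line is not None else None


def parse_request(payload):
    """Return the columns the query produces for one frame's payload."""
    return {
        "RequestType": extract_token(payload, 0, " "),
        "URI": extract_token(payload, 1, " "),
        "Host": header_value(payload, "Host:"),
        "UserAgent": header_value(payload, "User-Agent:"),
    }


def is_http_request(row):
    """Sanity check for rows whose payload was not really an HTTP request line."""
    return row["RequestType"] in HTTP_METHODS


# Constructed sample payloads (not captured traffic).
SAMPLE_GET = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    "\r\n"
)
SAMPLE_NOT_HTTP = "\x16\x03\x01\x00\x8a"  # first bytes of a TLS record, no spaces


if __name__ == "__main__":
    for payload in (SAMPLE_GET, SAMPLE_NOT_HTTP):
        row = parse_request(payload)
        print(is_http_request(row), row)
```

On the constructed GET the model yields RequestType GET, URI /index.html, Host www.example.com and the User-Agent string; on a payload that is not an HTTP request the URI, Host and UserAgent columns come back NULL and RequestType holds the raw bytes, which is why a check like is_http_request() is worth running on the exported table before trusting the Host and URI columns.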
Stay tuned… MANY more of these types of posts are on the way. We want to get you information that you can <deep breath> actually use! (What a concept.)