Some batch files to take the pain out of capturing traces along with other relevant information

Network Monitor (NetMon) is a common tool for revealing the behaviour behind all sorts of problems. When network engineers receive traces for review, they need some basic information before they can start work:

  1. On which machine was the trace taken?
  2. Were simultaneous traces collected? Many network issues are revealed only when we have traces from both ends. Consider a simple scenario where client machines cannot open intranet websites. It is possible that requests from the client get dropped by an intermediate device and never reach the server. Such issues show up only when traces are run simultaneously on the client and on the server.
  3. What are the IP addresses of the machines involved?

These are exactly the pain points I am trying to address with batch scripting and the "nmcap" command-line utility of NetMon 3.

Let’s start with “simultaneous traces”.

@echo off
if "%1"=="" goto Usage

REM Start the local capture in a minimised window. The capture stops on its own
REM when nmcap sees a frame addressed to 4.3.2.1 (the ping sent further down).
start /min cmd.exe /c nmcap /network * /capture /file c:\trace\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"

REM Start the same capture on the remote machine through psexec; its file goes to the root of C:.
start /min cmd.exe /c psexec \\%1 nmcap /network * /capture /file c:\%1.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"

echo Press any key to stop the tracing
pause

REM Send the stop marker from both machines.
psexec \\%1 ping -n 1 4.3.2.1
ping -n 1 4.3.2.1

REM Give nmcap a moment to close the capture files before they are copied (about two seconds).
ping -n 3 127.0.0.1 >nul

REM Gather ipconfig output. psexec prints the remote command's output locally,
REM so it can be redirected straight into c:\trace.
ipconfig /all > c:\trace\%computername%.txt
psexec \\%1 ipconfig /all > c:\trace\%1.txt

REM Pull the remote capture over the C$ admin share and remove the copy left behind.
copy \\%1\C$\%1.cap c:\trace\%1.cap
del \\%1\C$\%1.cap
goto :EOF

:Usage
echo Usage:
echo %0 "remote machine host name"
echo This script assumes that the directory c:\trace exists on the executing machine; all files are stored there.

The script uses the Sysinternals tool psexec to run commands on the remote machine; see http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx for more information. psexec can also run the same command on several machines at once: give it a comma-separated list of computer names, or @file with one name per line.

The script starts tracing on the computer it runs on and on the one named in the argument simultaneously (ok, nearly simultaneously!), then waits for any keystroke to stop both. So you can simply run the script, reproduce the problem, go back to the original command prompt and hit a key. The traces from both machines and their ipconfig output are dumped as computername.cap and computername.txt in the folder c:\trace on the executing machine.

Note

1. nmcap cannot create the folder given in /file, so make sure c:\trace exists or replace it with an existing folder name.

2. This script relies on file copy over the C$ admin share to get all files into one location, so please do not expect to capture a file copy issue with this one! Change the script to leave the capture files on the local machines instead.

3. psexec and nmcap require administrative rights on the machines, so the logged-on user should be an administrator on both. The script passes no -u/-p to psexec; it runs with the logged-on user's credentials, so no password ends up on the command line or in the command history.

4. The stop trigger matches any frame sent to 4.3.2.1, not just the ping from the script. If anything on your network otherwise talks to that address the capture stops early, so pick an address nothing else uses. The ping does not need to be answered; the outgoing echo request alone satisfies the filter.

To keep things simple, create a folder c:\trace (or another name, adjusting the script accordingly), put the required utilities (psexec.exe and so on) and the script itself in that folder, and run the script from there.
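The two-machine script generalised to any number of hosts, as an added example that is not part of the original post. It starts nmcap locally and, through one psexec session per host, on every machine named on the command line, stops all captures with the same ping marker and collects the files into c:\trace. It assumes c:\trace exists on the executing machine, nmcap.exe is on the PATH of every machine, psexec.exe is in the current folder or on the PATH, and the logged-on user is an administrator everywhere.

```batch
@echo off
setlocal
REM Added example, not part of the original post: the two-machine script
REM generalised to this machine plus every host named on the command line.
REM Assumes: c:\trace exists here, nmcap.exe is on the PATH of every machine,
REM psexec.exe is in this folder or on the PATH, and the logged-on user is an
REM administrator on every host (psexec runs with that user's credentials).
if "%~1"=="" goto Usage

set "TRACEDIR=c:\trace"
REM Marker address for the stop trigger: every capture ends when a frame to it is
REM seen, so use an address nothing on your network otherwise talks to.
set "MARKER=4.3.2.1"
set "STOPFILTER=ipv4.DestinationAddress==%MARKER%"

REM Local capture in a minimised window.
start /min cmd.exe /c nmcap /network * /capture /file %TRACEDIR%\%computername%.cap /stopwhen /frame "%STOPFILTER%"

REM One psexec session per host; each writes <host>.cap to the root of its C: drive.
for %%H in (%*) do (
    start /min cmd.exe /c psexec \\%%H nmcap /network * /capture /file c:\%%H.cap /stopwhen /frame "%STOPFILTER%"
)

echo Tracing on %computername% and on: %*
echo Reproduce the problem, then press any key to stop all captures.
pause >nul

REM Fire the stop marker everywhere. -w 1000 caps the wait for a reply (1000 ms);
REM a reply is not needed, the outgoing echo request alone satisfies the filter.
for %%H in (%*) do psexec \\%%H ping -n 1 -w 1000 %MARKER% >nul
ping -n 1 -w 1000 %MARKER% >nul

REM Give nmcap a moment to close its files before copying them (about two seconds).
ping -n 3 127.0.0.1 >nul

REM Collect ipconfig output and the capture files. psexec prints the remote output
REM here, so it is redirected straight into c:\trace. Remote files travel over the
REM C$ admin share and are deleted only after a successful copy.
ipconfig /all > "%TRACEDIR%\%computername%.txt"
for %%H in (%*) do (
    psexec \\%%H ipconfig /all > "%TRACEDIR%\%%H.txt"
    copy "\\%%H\C$\%%H.cap" "%TRACEDIR%\%%H.cap" >nul && del "\\%%H\C$\%%H.cap"
)

echo Collected files in %TRACEDIR%:
dir /b "%TRACEDIR%"
goto :EOF

:Usage
echo Usage: %~nx0 host1 [host2 ...]
echo Requires c:\trace on this machine and administrator rights on every host.
```

Run it as multitrace.bat server01 client07 from the folder holding psexec.exe. Each host is handled in its own FOR iteration so the remote capture file carries that host's name; a single psexec call with a comma-separated host list would run the same command line everywhere and the files would collide.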

Is the ipconfig output not enough? Want to gather MPS Reports at that very moment, so that the error you just reproduced is captured?

Use MPSRPT_NETWORK /Q in place of ipconfig /all > c:\trace\%computername%.txt. My experience with MPS Reports tells me to let it write the cab file %COMPUTERNAME%_MPSReports.CAB to its default location, %systemroot%\MPSReports\Network\Bin\Reports\Cab. Of course, the report file name and storage path differ between the MPS Reports editions.

Thus:

@echo off
if "%1"=="" goto Usage

REM Start both captures; each stops when it sees a frame addressed to 4.3.2.1.
start cmd.exe /c nmcap /network * /capture /file c:\trace\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"
start cmd.exe /c psexec \\%1 nmcap /network * /capture /file c:\%1.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"

echo Press any key to stop the tracing
pause

REM Send the stop marker from both machines.
psexec \\%1 ping -n 1 4.3.2.1
ping -n 1 4.3.2.1

REM Collect MPS Reports (Network edition) on both machines; /Q runs it quietly.
REM psexec waits for the remote run to finish before returning.
MPSRPT_NETWORK /Q
psexec \\%1 MPSRPT_NETWORK /Q

copy \\%1\C$\%1.cap c:\trace\%1.cap

REM The remote report lands under the remote %systemroot%. %systemroot::=$% turns
REM "C:\Windows" into "C$\Windows" so the path can be reached through the admin
REM share (this assumes Windows is installed on the same path on both machines).
copy "\\%1\%systemroot::=$%\MPSReports\Network\Bin\Reports\Cab\*.CAB" c:\trace\
copy "%systemroot%\MPSReports\Network\Bin\Reports\Cab\*.CAB" c:\trace\

del \\%1\C$\%1.cap
goto :EOF

:Usage
echo Usage:
echo %0 "remote machine host name"
echo This script assumes that the directory c:\trace exists on the executing machine; all files are stored there.

Want to gather traces and stop on a particular event in the Event Logs? Paul Long's blog is a great place to start: http://blogs.technet.com/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx. Again, I extended it to take traces simultaneously (the event is watched on the machine running the script):


@echo off
if "%1"=="" goto Usage
if "%2"=="" goto Usage

REM Start both captures. /DisableConversations turns off conversation tracking,
REM which keeps nmcap's memory use down while it waits for the event.
start cmd.exe /c nmcap /network * /capture /file c:\trace\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
start cmd.exe /c psexec \\%1 nmcap /network * /capture /file c:\%1.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations

REM EvtMon.vbs (from Paul Long's post, kept in the same folder) blocks until
REM event %2 is written to log %3 on this machine, then returns.
cscript //NoLogo EvtMon.vbs %2 %3

REM Send the stop marker from both machines.
psexec \\%1 ping -n 1 4.3.2.1
ping -n 1 4.3.2.1

ipconfig /all > c:\trace\%computername%.txt
psexec \\%1 ipconfig /all > c:\trace\%1.txt

copy \\%1\C$\%1.cap c:\trace\%1.cap
del \\%1\C$\%1.cap
goto :EOF

:Usage
echo Usage:
echo %0 remotecomputer EventNumber [LogFile]
echo LogFile is optional. If given, it is the name of the event log to watch,
echo i.e. application, system, security, etc.
echo This script assumes that the directory c:\trace exists on the executing machine; all files are stored there.

See the pattern? Modify the above to gather whatever information you like.

Modify the nmcap command line to capture on a particular network connection, apply a capture filter, or start and stop on a timer. For example, a timed capture on a chosen adapter:

@echo off
if "%1"=="" goto Usage
if "%2"=="" goto Usage

REM Capture path: use %3 as given (it should end in "\"), or the current directory.
set "CAPDIR=%~3"
if "%CAPDIR%"=="" set "CAPDIR=%CD%\"

REM /timeafter takes a number and a unit (sec, min or hour); %1 is in seconds.
start cmd.exe /c nmcap /network %2 /capture /file "%CAPDIR%%computername%.cap" /stopwhen /timeafter %1 sec /DisableConversations
ipconfig /all > "%CAPDIR%%computername%.txt"
goto :EOF

:Usage
echo Usage:
echo %0 time networknumber [Capturepath]
echo.
echo time is the time in seconds for which you want the trace to run
echo.
echo use * for networknumber to capture on all available networks, or pick a number from the list below
nmcap /displaynetworks
echo.
echo ensure that you complete the capture path with a "\", e.g. "c:\trace\". If the path is omitted, the files are saved in the current directory (that of the command prompt).

If you are modifying a script for one specific case, hard-code the values rather than using arguments.

One situation I can't help sharing: I discovered a pattern spread across a chain of captures (taken with a .chn chained capture). After the display filter, each file was pretty small, and it was simply crazy to refer to several files to explain the pattern. Use the following to merge them:

nmcap /InputCapture 10.cap 11.cap 12.cap 13.cap 14.cap 15.cap 16.cap 17.cap 18.cap 19.cap /Capture /File trace10-19.cap

10.cap, 11.cap, etc. are the individual filtered files; trace10-19.cap is the merged result.
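The same merge driven by a file pattern, as an added example that is not part of the original post: it builds the /InputCapture list from whatever matches the pattern, oldest file first, so the segments of a chained capture go in the order they were written. It assumes nmcap.exe is on the PATH and the capture files are in the current directory.

```batch
@echo off
setlocal enabledelayedexpansion
REM Added example, not part of the original post: build the /InputCapture list
REM from a file pattern instead of typing every name. Assumes nmcap.exe is on
REM the PATH and the capture files are in the current directory.
if "%~2"=="" (
    echo Usage: %~nx0 pattern output.cap
    echo    e.g. %~nx0 1?.cap trace10-19.cap
    goto :EOF
)

set "INPUTS="
REM dir /od lists oldest first, so chained-capture segments (or files saved in
REM sequence) are merged in the order they were written, not alphabetically.
REM The output file itself is skipped in case a previous run left it behind.
for /f "delims=" %%F in ('dir /b /od %1') do if /i not "%%F"=="%~2" set "INPUTS=!INPUTS! "%%F""

if not defined INPUTS (
    echo No files match %1
    goto :EOF
)

echo Merging into %~2:!INPUTS!
nmcap /InputCapture !INPUTS! /Capture /File "%~2"
```

Run it as mergecap.bat 1?.cap trace10-19.cap to reproduce the command above; with *.cap it merges every capture in the folder.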

Contributed by: Rajeev Narshana
