NetMon is a common tool that comes in handy for revealing the behaviour behind various problems. When network engineers receive traces for review, some basic information is required before starting work on them:
Well, these are exactly the pain areas that I am trying to address using DOS scripting and “nmcap” command line utility of NetMon 3.
Let’s start with “simultaneous traces”.
@echo off
if "%1"=="" goto Usage
REM Following line is wrapped
REM Local capture: nmcap stops as soon as it sees a frame addressed to 4.3.2.1
start /min cmd.exe /c nmcap /network * /capture /file c:\trace\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"
REM Remote capture on %1 via psexec; the file is written to the remote machine's C:\ root
start /min cmd.exe /c psexec \\%1 "nmcap" /network * /capture /file c:\%1.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"
echo Press any key to stop the tracing
pause
REM Stop trigger: one ping to 4.3.2.1 from each machine ends its own capture
psexec \\%1 "ping" -n 1 4.3.2.1
ping -n 1 4.3.2.1
REM Collect ipconfig output and the remote capture file into c:\trace on this machine
ipconfig /all > c:\trace\%computername%.txt
psexec \\%1 "ipconfig" /all > \\%computername%\C$\trace\%1.txt
copy \\%1\C$\%1.cap c:\trace\%1.cap
del \\%1\C$\%1.cap
goto :EOF
:Usage
echo Usage:
echo %0 "remote machine host name"
echo In this case, it is assumed that the directory c:\trace exists on the executing machine and files are stored only in this location.
The above script uses a sysinternals tool called psexec to run commands on a remote machine. See http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx for more information. You can actually use psexec to run the command on several machines at the same time.
The above script starts tracing on the computer it is executed on and one specified in the argument simultaneously (ok, nearly simultaneously!) and waits for a keystroke (any) to stop it. Thus, one can simply run the script, reproduce the problem, go back to the original command prompt and hit a key! Traces from both machines and also ipconfig information are dumped as computername.cap & .txt in the folder c:\trace on the executing machine.
Note
1. nmcap cannot create the folder specified. So one has to ensure that c:\trace exists or replace that with an existing folder name.
2. This script relies on a file copy to get all files in one location – so do not expect to troubleshoot a file copy issue with this one! Change the script to leave the capture files on the local machines instead.
3. psexec & nmcap require administrative rights on the machines – thus the logged on user should have admin rights on both machines.
To keep things simple, create a folder c:\trace (or whatever else you like, making sure you modify the script accordingly), put the required utilities (like psexec.exe) and the script in that folder, and run the script from there.
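The script above handles one remote machine. As an added example (not part of the original post), the following batch script generalises it to any number of remote hosts named on the command line, using the same psexec/nmcap pattern and the same 4.3.2.1 stop ping, and it also creates c:\trace if it is missing (note 1) and only deletes a remote capture after the copy succeeded (note 2). It assumes that psexec.exe and nmcap are on the PATH of every machine, that the logged-on user is an administrator on all of them, and that 4.3.2.1 is an address nothing on the network normally talks to. Remote ipconfig output is redirected locally, which works because psexec relays the remote program's standard output.

```batch
@echo off
setlocal
REM Added example: simultaneous nmcap traces on this machine and on every
REM host given as an argument, stopped by the same "magic" ping as above.
REM Assumptions: psexec and nmcap on the PATH of all machines, admin rights
REM everywhere, and 4.3.2.1 is otherwise unused on this network.
if "%1"=="" goto Usage

set TRACEDIR=c:\trace
set STOPADDR=4.3.2.1

REM nmcap does not create the output folder (note 1 above), so do it here
if not exist %TRACEDIR% md %TRACEDIR%

REM Local capture
start /min cmd.exe /c nmcap /network * /capture /file %TRACEDIR%\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==%STOPADDR%"

REM One remote capture per host named on the command line
for %%h in (%*) do (
    echo Starting capture on %%h
    start /min cmd.exe /c psexec \\%%h "nmcap" /network * /capture /file c:\%%h.cap /stopwhen /frame "ipv4.DestinationAddress==%STOPADDR%"
)

echo Reproduce the problem, then press any key to stop all captures
pause >nul

REM Stop trigger: each machine sends one ping to the magic address
for %%h in (%*) do psexec \\%%h "ping" -n 1 %STOPADDR%
ping -n 1 %STOPADDR%

REM Collect ipconfig output and the capture files in one place
ipconfig /all > %TRACEDIR%\%computername%.txt
for %%h in (%*) do (
    psexec \\%%h "ipconfig" /all > %TRACEDIR%\%%h.txt
    copy \\%%h\C$\%%h.cap %TRACEDIR%\%%h.cap
    REM Only remove the remote copy once the local copy exists
    if exist %TRACEDIR%\%%h.cap del \\%%h\C$\%%h.cap
)
goto :EOF

:Usage
echo Usage: %0 host1 [host2 ...]
echo Starts nmcap here and on every listed host; captures land in %TRACEDIR%
```

Run it as `simtrace server1 server2 server3`; each remote host's trace arrives as hostname.cap with its ipconfig output as hostname.txt. Because every capture is stopped by its own ping, a host that is slow to start nmcap simply has a shorter trace rather than blocking the others.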
Is ipconfig information not enough? Want to gather MPS reports just then so that the error you just reproduced is captured?
Use MPSRPT_NETWORK /Q in place of ipconfig/all > c:\trace\%computername%.txt. My experience with MPS tells me to let it dump the cab file %COMPUTERNAME%_MPSReports.CAB in its default location %systemroot%\MPSReports\Network\Bin\Reports\Cab. Of course the MPS Reports file name and storage path will differ for the other MPS Reports specialities.
Thus (only the lines that change are shown; the pause and the stop-trigger ping stay as in the first script):
start cmd.exe /c nmcap /network * /capture /file c:\trace\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"
start cmd.exe /c psexec \\%1 "nmcap" /network * /capture /file c:\%1.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1"
MPSRPT_NETWORK /Q
psexec \\%1 "MPSRPT_NETWORK" /Q
REM %systemroot% expands locally (e.g. C:\Windows), which is not a valid UNC path,
REM so rewrite it as the admin share: \\host\C$\Windows\... (assumes the same system root on both machines)
copy \\%1\%systemroot:~0,1%$%systemroot:~2%\MPSReports\Network\Bin\Reports\Cab\*.CAB c:\trace\
copy %systemroot%\MPSReports\Network\Bin\Reports\Cab\*.CAB c:\trace\
Want to gather traces and capture a particular event in the Event Logs? A great place to get information on this is Paul Long’s blog http://blogs.technet.com/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx. Again here, I tried to extend it to take traces simultaneously:
@echo off
if "%2"=="" goto Usage
start cmd.exe /c nmcap /network * /capture /file c:\trace\%computername%.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
start cmd.exe /c psexec \\%1 "nmcap" /network * /capture /file c:\%1.cap /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations
REM EvtMon.vbs is the script from Paul Long's post linked above; it is not included here
cscript //NoLogo EvtMon.vbs %2 %3
goto :EOF
:Usage
echo %0 remotecomputer EventNumber [LogFile]
echo LogFile is optional. If used, give the name of the event log,
echo i.e. application, system, security, etc...
Getting to see the pattern? Modify the above to gather whatever information you like.
Modify the nmcap command line to capture on a particular network connection, use a capture filter or start & stop using time as a trigger. For example:
@echo off
REM %1 = seconds to capture, %2 = network number or *, %3 = capture path ending in "\" (optional)
if "%2"=="" goto Usage
start cmd.exe /c nmcap /network %2 /capture /file %3%computername%.cap /stopwhen /timeafter %1 /DisableConversations
ipconfig /all > %3%computername%.txt
goto :EOF
:Usage
echo %0 time networknumber Capturepath
echo.
echo time is the time in seconds for which you want the trace to run
echo use * for networknumber to capture on all available networks or use from list below
nmcap /displaynetworks
echo ensure that you complete the capture path with a "\" eg: "c:\trace\". In case path is omitted, the files are saved in the current directory (as the command prompt)
If you are adapting a script for one specific case, hard-code the values instead of using arguments.
One situation I can’t help sharing is when I discovered a certain pattern in a chain of traces (taken as a chain of files using the .chn extension). Each file, after the display filter, was pretty small and it was simply crazy to refer to several files to explain the pattern. Use the following to merge them:
nmcap /InputCapture 10.cap 11.cap 12.cap 13.cap 14.cap 15.cap 16.cap 17.cap 18.cap 19.cap /Capture /File trace10-19.cap
10.cap, 11.cap etc are the discrete filtered files while trace10-19.cap is the resultant file.
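Typing a long list of chain files by hand is error-prone, so here is an added example (not from the original post) that builds the /InputCapture list for a numbered run of files with a for /L loop and delayed expansion, skipping any file that is missing before calling nmcap once. It assumes nmcap is on the PATH and that the chain files are named first.cap … last.cap in the current directory, exactly as in the command above.

```batch
@echo off
setlocal EnableDelayedExpansion
REM Added example: merge a numbered run of chain files (first.cap .. last.cap)
REM into one capture with nmcap /InputCapture, building the list automatically.
REM Assumes nmcap is on the PATH and the files live in the current directory.
if "%3"=="" goto Usage

set LIST=
for /L %%i in (%1,1,%2) do (
    if exist %%i.cap (
        set LIST=!LIST! %%i.cap
    ) else (
        echo Warning: %%i.cap not found, skipping
    )
)

if "!LIST!"=="" (
    echo No input files found between %1.cap and %2.cap
    goto :EOF
)

echo Merging:!LIST!
REM One nmcap call with every existing file in order; %3 is the merged output
nmcap /InputCapture !LIST! /Capture /File %3
goto :EOF

:Usage
echo Usage: %0 first last outputfile
echo Example: %0 10 19 trace10-19.cap
```

With `mergechain 10 19 trace10-19.cap` this runs the same nmcap command as shown above; the existence check matters because a missing file in the middle of a chain would otherwise make nmcap fail on the whole merge.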
Contributed by: Rajeev Narshana