NM3EventCap: How to stop a network capture when Windows logs an event

NM3EventCap: How to stop a network capture when Windows logs an event

  • Comments 1
  • Likes

"I wish there was a way to run a Netmon capture for an extended time and to have it stop when a certain event is recorded in the event logs. I don't have the hard drive space for large captures that are many gigs in size. I only want to see the Netmon traffic at the time a particular event is logged. If there was only a way to do this......."

The good news is that there is a way to do this by using NM3EventCap.exe as per the steps below.

Prerequisites: Network Monitor 3.2 or later, NM3EventCap 1.0, and Visual C++ 2005

Download Links:

Network Monitor 3.3
NM3EventCap 1.0
Visual C++ 2005 SP1 x86
Visual C++ 2005 SP1 x64

Goal: To take a continuous network trace and for it to stop once a particular Event ID is written in an event log. This will enable us to look at what took place on the wire up until the time the event was triggered. The frames of interest will be the last part of the capture. This is useful for sporadic intermittent issues that record entries in the Event Log when they happen.

Instructions:

1.) Download and install Network Monitor. Once it is installed, launch Netmon and make sure the parsers load the first time. This takes a few seconds. Make sure that the correct NIC is selected with a checkbox, as in the example below. Exit Network Monitor.

image

2.) Download and install Visual C++ 2005 (or Visual C++ 2008).

3.) Download NM3EventCap.exe and save it to a folder on the desktop or where ever you have available space. Make sure that there is at least 100MB of available space for the default size of the capture.

4.) Open a command prompt and change directories to the location where you saved NM3EventCap.exe. If you type in “nm3eventcap.exe” you will see the available switches as below:

NM3EventCap.exe /?
Usage: NM3EventCap.exe Capture EventNumber [m_LogFile] [-options]
  Capture     - Name of capture file to use.  use -o to overwrite if capture already exists.
  EventNumber - numeric event error message to stop on.
  LogFile     - For example, Application, Security, System.  Default searches all logs.

Options:
  -b #     - Buffer size in Mbytes for capture.  Default is 100MB.
  -c       - Use chain capture instead of the default of circular.
  -f       - Filter to use for capturing traffic.
  -o       - Overwrite capture if it exists.
  -d       - Disable Conversations.  Warning, you could shoot yourself in the foot.
  -n #     - Number of adapter to capture on.  Use Nmcap /displaynetworks to get list
  -v       - Be verbose.  Show NPL compilation messages.

Example: At the command prompt, type:  nm3eventcap FailedCapture 7036
You should see the output below.  This shows NM3EventCap listening and waiting for an Event ID 7036 to appear in the event logs.

image

Once the event is logged, you should see:

image

What have we done?  We setup NM3EventCap to take a network capture and listen for Event ID 7036. Once that event is recorded, it stops the capture and saves it with the name of “FailedCapture”. It will be saved with a .cap extension in the same directory in which NM3EventCap is being run. A breakdown of the command we used:

NM3EventCap = initializes the executable.

FailedCapture= name of the capture.

7036= the event ID to look for. Once it is recorded, this triggers NM3EventCap to stop the capture.

Note: Event ID 7036 is logged by Service Control Manager when many services enter a stopped state. Any Event ID can be used.

By default, NM3EventCap will watch all event logs. To have NM3EventCap search only the System Event Log, for example, the command would be: Nm3eventcap FailedCapture 7036 system

Other syntax examples:

1.) “Nm3eventcap FailedCapture 7036 –o”

This initiates NM3EventCap to listen for Event ID 7036 in all the event logs and save a capture with the name FailedCapture and if a capture with that name already exists, then overwrite it as specified by the “-o” switch.

2.) “Nm3eventcap FailedCapture 7036 –o –n #5”

This initiates NM3EventCap to watch for Event ID 7036 in all the event logs and save a capture with the name FailedCapture, and if a capture with that name already exists, overwrite it. The “-n #0” switch is used to specify which interface to capture on if this was a multihomed machine. At a command prompt in the same directory you can type: nmcap /displaynetworks” which will give you a list like in the example below:

image

- Shane Brasher

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • simply beautiful!

    Many thanks! This WAS a very common wish around here :)