Suraj Singh's information Security Blog

For people who work on information Security.

Using Eventmon and Nmcap to take network monitor trace when a particular Event is generated.

Using Eventmon and Nmcap to take network monitor trace when a particular Event is generated.

  • Comments 2
  • Likes

There are times when you want to take netmon trace when a certain event is generated on the server/machine. There is a nice blogpost that explains the usage of Eventmon and Nmcap

http://blogs.technet.com/b/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx

 

To elaborate further to simply it, i thought of adding more info here

we need to install network monitor (=>3.4  approximately).

1. create a batch file as explained in above post and put that in the netmon installation folder in
the program files.

Batch file(taken from above blog post link)

**********************copy following in a notepad and save it for example as nmcap.bat*********************

@echo off
if "%1"=="" goto Usage
if "%2"=="" goto Usage

REM Following line is wrapped
start cmd.exe /c nmcap /network * /capture /file %1 /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations

cscript //NoLogo EvtMon.vbs %2 %3
ping -n 1 4.3.2.1

goto :EOF

:Usage
echo Usage:
echo   %0 CaptureFile EventNumber [LogFile]
echo       Logfile is optional.  If used, the eventlog name
echo       file ie, applicaiton, system, security, etc... 

 

-->new note : While working on another case i came to scenario where we wanted to capture specific traffic between two machines so varion in above in nmcap would be(rest remaining the same)

*****************replace following line with above nmcap for specific traffic*********

start cmd.exe /c nmcap /network * /maxframelength 256  /capture  (ipv4.address==30.30.30.4 and ipv4.address==30.30.30.4 )   /file %1 /stopwhen /frame "ipv4.DestinationAddress==4.3.2.1" /DisableConversations

********************************************************************************

 

2. Copy the contents of the script given in above post shown below in a notepad and save it as EvtMon.vbs and put this in netmon installation directory

 

'======================================================================
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.

Public Sub PrintHelp
    Wscript.Echo "Usage:"
    Wscript.Echo "  EvtMon EventNumber [LogFileDisplayName]"
    Wscript.Echo "    LogFile is optional.  If used, the eventlog name"
    Wscript.Echo "    file ie, application, system, security, etc..."
End Sub

' Get the arguments.  Check for event nubmer and log file as arugments
Set objArgs = WScript.Arguments

' See how many arguments we have and colect them.
if objArgs.Count < 1 OR objArgs.Count > 2 Then
    PrintHelp
ElseIf objArgs.Count > 1 Then
    EventNumber = objArgs(0)
    LogFile = objArgs(1)
Else
    EventNumber = objArgs(0)
    LogFile = ""
End If

If EventNumber <> "" Then

    strComputer = "."

    ' Attatch to the WMI Service
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
            strComputer & "\root\cimv2")

    ' if the LogFile is populated add this to our query.  Create a
    ' Event Log monitoring object and send it a query.
    If LogFile = "" Then
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _   
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber & "'")
    Else
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _   
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber _
                    & "' and TargetInstance.LogFile = '" _
                    & LogFile & "'")
    End If

    ' Create an object which returns when the next event occurs.
    Set objLatestEvent = colMonitoredEvents.NextEvent
   
    ' Print some info based on the event log we encountered.
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    WScript.Echo objLatestEvent.TargetInstance.Logfile
    Wscript.Echo
End If

3. Also copy cmd.exe from system32 folder to the netmon installation folder , your netmon installation foldet would like like this

4. Then you can run the batch file in command prompt as below

Here trace.cap is the name of the network trace file and 4624 is an event id for which we want to take a trace in this example.


 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 


Comments
  • Hey Suraj!! this one's very informative and Useful.. See if you can add the option of limiting the output trace for a certain Megs..

    Cheers!!

  • Here you go

    nmcap.bat trace.cap:200M  4624

    so you can mention the size after the name of file with :size and then the event id.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment