Jul 2, 2007

os: capturing packet traces in such a clever way...

i was referred by microsoft pss to this great article on how to capture netmon traces (and stop them when certain criteria are met). there were a few differences on our end from what's in the article. basically, we were required to look for an event on a particular machine and stop the trace on an entirely different machine. here's the command line i used:

nmcap /network * /capture /file c:\temp\myCapture.cap:200M /stopwhen /frame "ipv4.SourceAddress== and ipv4.DestinationAddress==" /DisableConversations
here's what the switches mean:
  • nmcap - the command-line capture tool; it is usually located under c:\program files\microsoft network monitor 3.0
  • /network * - selects the adapter(s) to capture on; the wildcard selects all network adapters
  • /capture - capture packets
  • /file - write the capture to the file c:\temp\myCapture.cap
  • :200M - makes myCapture.cap a circular buffer capped at 200 MB, so the trace keeps running without filling the disk
  • /stopwhen - tells nmcap to stop capturing as soon as a condition is met (in this case the condition defined by /frame)
  • /frame - the filter that defines the stop condition: a packet whose source address is and whose destination address is
  • /disableconversations - discussed in the linked article; it turns off conversation tracking, which reduces memory consumption during long captures
putting it all together: the machine that raises the event runs a script that watches for a given event id. when that event id appears, the script pings the other machine. when that ping arrives on the capturing machine with the source and destination addresses matching the "/frame" filter, nmcap stops the capture.
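the trigger side of this setup, as an added example that is not from the original post: a powershell script that waits for an event id in the local event log and then pings the capture host, while the capture host runs the nmcap command above with both addresses filled in. the event id (1234), log name, and the two addresses (192.0.2.10 for the trigger machine, 192.0.2.20 for the capture host) are placeholders, not values from the post.

```powershell
# Added example, not code from the original post.
# Trigger machine: poll the event log for the event ID, then send one ping to the
# capture host so that its nmcap /stopwhen /frame filter matches and the trace stops.
# Placeholder values: event ID 1234, capture host 192.0.2.20 (documentation range).
#
# The capture host (192.0.2.20) runs the post's command with the addresses filled in:
#   nmcap /network * /capture /file c:\temp\myCapture.cap:200M /stopwhen
#     /frame "ipv4.SourceAddress==192.0.2.10 and ipv4.DestinationAddress==192.0.2.20"
#     /DisableConversations
param(
    [int]$EventId = 1234,
    [string]$LogName = 'System',
    [string]$CaptureHost = '192.0.2.20',
    [int]$PollSeconds = 5
)

# Only events logged after the script started count, so an old occurrence of the
# same event ID does not stop the capture the moment the script starts.
$since = Get-Date

while ($true) {
    $hit = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId; StartTime = $since } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($hit) {
        Write-Host ("Event {0} logged at {1}; pinging {2} to stop the capture" -f `
            $EventId, $hit.TimeCreated, $CaptureHost)
        # One ICMP echo is enough: the filter matches on source/destination address,
        # not on the payload. The reply is ignored; only the request needs to arrive.
        Test-Connection -ComputerName $CaptureHost -Count 1 -ErrorAction SilentlyContinue | Out-Null
        break
    }
    Start-Sleep -Seconds $PollSeconds
}
```

the /frame filter matches any ipv4 packet between the two addresses, not just the ping, so any other traffic between the trigger machine and the capture host (a file share, remote desktop, a monitoring poll) will end the capture early; pick a pair of hosts that do not otherwise talk to each other, and make sure icmp echo is not blocked on the path between them.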