Run a network trace for a long time without generating a huge amount of data

We see many scenarios where an issue is intermittent and we have to collect a network trace that covers the moment it happens.

This can be really challenging on a busy server: a trace left running for hours creates GBs of data, and we may not have that much disk space to spare.

What if we could run Network Monitor in bursts of 5 minutes and have it stop as soon as the event of interest occurs?

I was able to create a PowerShell script that runs nmcap for 5 minutes (the time span can be changed from 1 second to 1 hour or more), then checks whether the event of interest was logged on a particular machine (use localhost if the event is going to occur on the local machine itself). If the event occurred, the script moves the trace files to a separate location and stops; if it did not, the script deletes the files and starts nmcap again.

The same script can be used to run any exe that can be launched from a command prompt or from a PowerShell script, as long as it exits on its own after the time span.

 

Certain points to be considered:

The person running the script should be an admin on the box whose event log entries we are checking; otherwise we won't be able to read the logs remotely. The event timestamps come from that box's clock, so its clock and the clock of the machine running the script need to be in sync, or the "after the trace started" filter will be off by the skew.

Nmcap.exe should be accessible from the command line without giving the complete path to the exe. If it is not, add the location of the exe to the PATH variable of the machine where we are running the script.

Both directories used in the script (F:\netmon for the capture and F:\netmon_zip for the archived trace) need to exist before the script runs.

 

PowerShell script:

 # Loop control: set to $true once the event of interest has been seen
 $done = $false
 Do
 {
     # Start time for this network trace burst
     $StartDate = Get-Date
     # Run a chained network trace (20 MB per file) that stops itself after 5 minutes
     nmcap.exe /Network * /Capture /StopWhen /TimeAfter 5 minutes /file F:\netmon\trace.chn:20M
     if ($LASTEXITCODE -ne 0)
     {
         Write-Warning "nmcap.exe exited with code $LASTEXITCODE; stopping so the loop does not spin."
         break
     }
     # Get the latest 10000 entries from the Application event log on machine "dilkush"
     # (raise the number, or use -After $StartDate, if that log is very busy)
     $SysEvent = Get-EventLog -LogName Application -ComputerName dilkush -Newest 10000
     # Keep only entries written after the trace started with event ID 958.
     # Do not pipe to Format-Table here: that would replace the event objects with formatting objects.
     $SysEvent = @($SysEvent | Where-Object { $_.TimeWritten -gt $StartDate -and $_.EventID -eq 958 })
     # If any matching entries exist, keep the trace and stop looping
     if ($SysEvent.Count -gt 0)
     {
         $SysEvent | Format-Table TimeWritten, Source, EventID, Message -AutoSize
         # Move trace files to the separate directory
         Move-Item F:\netmon\* F:\netmon_zip\ -Force
         $done = $true
     }
     else
     {
         # No events in the last 5 minutes: delete the files and run the loop again
         Remove-Item F:\netmon\*
     }
 } Until ($done)
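As an added example (not the script from the post above), here is the same loop written as a parameterized function, which is what the note about running "any exe" amounts to in practice. The capture command is passed in as a script block, so nmcap.exe can be swapped for any command-line tool that exits on its own; the event is found with Get-EventLog -After rather than a fixed -Newest count, so a busy log cannot push the trigger event out of the window; and an optional iteration cap lets the run be bounded. The function name, parameter names, and the MaxIterations behaviour are my additions, not part of the original post; the directories, event ID 958, and machine name in the usage line are the post's own values.

```powershell
function Start-TriggeredCapture {
    [CmdletBinding()]
    param(
        # Bounded capture command, e.g. { nmcap.exe /Network * /Capture /StopWhen /TimeAfter 5 minutes /file F:\netmon\trace.chn:20M }
        [Parameter(Mandatory)] [scriptblock] $CaptureCommand,
        # Directory the capture tool writes into (must already exist)
        [Parameter(Mandatory)] [string] $CaptureDir,
        # Directory where the files are kept once the event has fired (must already exist)
        [Parameter(Mandatory)] [string] $ArchiveDir,
        # Event ID that marks the problem we are waiting for
        [Parameter(Mandatory)] [int] $EventId,
        [string] $ComputerName = 'localhost',
        [string] $LogName = 'Application',
        # 0 = keep looping until the event is seen (assumed default, not from the post)
        [int] $MaxIterations = 0
    )

    $iteration = 0
    do {
        $iteration++
        $startTime = Get-Date
        Write-Verbose "Iteration $iteration: capture started at $startTime"

        # Run one bounded burst. The tool itself must exit after its time limit.
        & $CaptureCommand
        if ($LASTEXITCODE -ne 0) {
            # A tool that is missing from PATH or rejects its arguments would otherwise
            # make the loop spin forever, deleting nothing and capturing nothing.
            throw "Capture command exited with code $LASTEXITCODE; aborting."
        }

        # Look for the trigger event written since this burst started.
        # TimeWritten comes from the remote machine's clock, so both clocks must agree.
        $hits = @(Get-EventLog -LogName $LogName -ComputerName $ComputerName -After $startTime |
                  Where-Object { $_.EventID -eq $EventId })

        if ($hits.Count -gt 0) {
            Write-Verbose "Event $EventId seen $($hits.Count) time(s); keeping the trace."
            Move-Item -Path (Join-Path $CaptureDir '*') -Destination $ArchiveDir -Force
            return $hits
        }

        # Nothing of interest in this burst: discard the files and go again.
        Remove-Item -Path (Join-Path $CaptureDir '*') -Force
    } until ($MaxIterations -gt 0 -and $iteration -ge $MaxIterations)

    Write-Verbose "Stopped after $iteration iteration(s) without seeing event $EventId."
    return @()
}

# Usage with the post's nmcap command, directories, event ID and remote machine:
# Start-TriggeredCapture -CaptureCommand { nmcap.exe /Network * /Capture /StopWhen /TimeAfter 5 minutes /file F:\netmon\trace.chn:20M } `
#     -CaptureDir F:\netmon -ArchiveDir F:\netmon_zip -EventId 958 -ComputerName dilkush -Verbose
```

The function returns the matching event entries when it stops, so the caller can see exactly which occurrence the archived trace corresponds to. Get-EventLog exists in Windows PowerShell (5.1 and earlier) but not in PowerShell 7; on PowerShell 7 the lookup would have to be rewritten with Get-WinEvent.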