I have worked in product technical support for many years and have seen many occasions where the Event Log reports errors. We want to know how such an event relates to the problem we are troubleshooting; in some cases the Event Log error is itself the problem we need to solve. The question, then, is how to obtain a network trace covering the time from before the event occurs up to the moment it occurs.
In the past we had a tool named eventmon for this. It was a simple wrapper that could enable a network trace and monitor the Event Log for specific events. The purpose of this post is to build a similar tool using nmcap, VBScript and a CMD batch wrapper.
Event Log monitoring
==============================
WMI (Windows Management Instrumentation) exposes a method that lets us monitor the event log, which means a simple VBScript can do the job. The idea is to pass the script the event number and the Event Log file (Application, Security, System, etc.) we are interested in, and the script then runs until that event occurs. In our example the log file parameter is optional.
The script is simple. We create a WMI service object, and from it obtain an event-log notification object. Which notification we wait for is determined by the parameters passed to the script: a simple SQL-like query (WQL) narrows the notification type we are looking for. Once the object is created, we call a method that blocks until the expected event happens; when an event is detected, the returned object points to the details of that specific event.
This is the first piece of the puzzle, evtmon.vbs:
'==============================================================================
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.
Public Sub PrintHelp
    WScript.Echo "Usage:"
    WScript.Echo "evtmon eventnumber [logfiledisplayname]"
    WScript.Echo "Logfile is optional. If used, the EventLog name"
    WScript.Echo "file IE, application, system, security, etc..."
End Sub

' Get the arguments. Check for event number and log file as arguments.
Set objArgs = WScript.Arguments

' See how many arguments we have and collect them.
If objArgs.Count < 1 Or objArgs.Count > 2 Then
    PrintHelp
ElseIf objArgs.Count > 1 Then
    eventNumber = objArgs(0)
    logfile = objArgs(1)
Else
    eventNumber = objArgs(0)
    logfile = ""
End If

If eventNumber <> "" Then
    strComputer = "."

    ' Attach to the WMI service. The Security privilege is needed to
    ' read the Security log.
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
        strComputer & "\root\cimv2")

    ' If the logfile is populated add this to our query. Create an
    ' event log monitoring object and send it a query.
    If logfile = "" Then
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent where " _
            & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '" _
            & eventNumber & "'")
    Else
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent where " _
            & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '" _
            & eventNumber _
            & "' and TargetInstance.Logfile = '" _
            & logfile & "'")
    End If

    ' Block until the next matching event occurs.
    Set objLatestEvent = colMonitoredEvents.NextEvent

    ' Print some info based on the event log entry we encountered.
    WScript.Echo objLatestEvent.TargetInstance.User
    WScript.Echo objLatestEvent.TargetInstance.TimeWritten
    WScript.Echo objLatestEvent.TargetInstance.Message
    WScript.Echo objLatestEvent.TargetInstance.Logfile
    WScript.Echo
End If
Master CMD: eventmon.cmd for control
======================================
The VBScript above only monitors Event Log writes; we still need a way to start the trace and to end the capture when the script exits. We use a CMD file that spawns nmcap and then tells nmcap to stop capturing once the script finishes. We also add a parameter, before the event number and Event Log name, for the file name of the capture to be created.
Since there is no direct way to signal nmcap, we use the ping command to generate a packet on the network and use that packet to tell nmcap to stop the trace.
The CMD file looks like this:
@echo off
if "%1"=="" goto usage
if "%2"=="" goto usage
rem The following command is a single line. A short pause after it gives
rem nmcap time to start before the event log monitor runs.
start cmd.exe /c nmcap /network * /capture /file %1 /stopwhen /frame "IPv4.DestinationAddress == 4.3.2.1" /disableconversations
cscript //nologo evtmon.vbs %2 %3
rem The script has returned, so the event was seen: send the trigger frame.
ping -n 1 4.3.2.1
goto :EOF
:usage
echo Usage:
echo %0 capturefile eventnumber [logfile]
echo logfile is optional. If used, the EventLog name
echo file IE, application, system, security, etc...
Note: Because nmcap takes a little time to start, it is better to wait a moment after launching nmcap before running the script. That way you can be sure nmcap is running before you start monitoring the event log.
This also assumes nmcap is on the PATH, or that the CMD file is run from the NM3 installation directory. You can, of course, always specify the full path to nmcap.
Finally, because a ping is used to stop the trace, you must make sure the ping is not blocked by your firewall, or nmcap will never see the traffic. I chose ping because firewalls usually leave it alone, but you can always replace ping with any other traffic as the trigger; the technique is simply to create a filter that detects that traffic.
Stopping the capture: how does nmcap stop?
======================================
It is worth understanding how nmcap works in this context. Apart from validating the parameters, the first thing the CMD file does is launch nmcap with a long list of parameters. Let's go through them one by one.
First, "/network" indicates which network adapter to capture on. Here we specify "*", meaning all NICs; you can easily narrow it to a single adapter if needed.
The next parameters, "/capture /file %1", tell nmcap what to filter (nothing, since no filter follows /capture) and how to name the capture file; the file name is the first argument passed to the CMD file. By default the capture file is a 20 MB circular buffer. You can make it larger by adding a modifier after the file name, for example "mystuff.cap:200MB", which creates a 200 MB ring buffer for the capture. Run "nmcap /?" for more information on nmcap parameters.
The last part, "/stopwhen", lets us decide when nmcap stops capturing. We give it a "/frame" parameter telling it to look for a frame that matches a filter, then stop capturing and exit. The filter we pass looks for a packet whose destination IPv4 address is 4.3.2.1; when the VBScript exits, the CMD file pings 4.3.2.1, and that packet ends the capture.
Finally, "/disableconversations" tells nmcap to ignore conversation information. Our filter does not rely on conversations, so disabling them saves memory on long-running traces; with conversations enabled, state is kept for the whole run, which hurts machines that run a capture for a long time.
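The same wrapper in PowerShell, as an added example that is not part of the original post or of Network Monitor's own tooling. It combines the three pieces discussed above: the WMI notification query from evtmon.vbs, the nmcap launch and trigger ping from eventmon.cmd, and the startup delay and firewall caveats. The parameter names, the $NmcapPath and $StartupDelaySeconds values, and the early-exit and timeout checks are assumptions of this example; nmcap is assumed to be on PATH, ICMP to the trigger address is assumed not to be blocked, and the script is assumed to run elevated so it can capture and read the Security log.

```powershell
# Added example (not from the original post): PowerShell version of eventmon.cmd + evtmon.vbs.
# Starts nmcap, waits for the requested Event Log entry via a WMI notification query,
# then sends the trigger ping that matches nmcap's /stopwhen filter.
param(
    [Parameter(Mandatory = $true)] [string] $CaptureFile,
    [Parameter(Mandatory = $true)] [int]    $EventNumber,
    [string] $LogFile = "",                  # Application, System, Security, ... (optional)
    [string] $NmcapPath = "nmcap.exe",       # assumption: on PATH; otherwise give the full path
    [string] $TriggerAddress = "4.3.2.1",    # same trigger address as the batch wrapper
    [int]    $StartupDelaySeconds = 5        # assumption: enough time for nmcap to come up
)

# A quote in the log name would break the WQL string literal below, so reject it.
if ($LogFile -match "'") { throw "LogFile must not contain a single quote" }

# 1. Launch nmcap with the same parameters the CMD wrapper uses.
$filter = "IPv4.DestinationAddress == $TriggerAddress"
$nmArgs = "/network * /capture /file `"$CaptureFile`" /stopwhen /frame `"$filter`" /disableconversations"
$nmcap  = Start-Process -FilePath $NmcapPath -ArgumentList $nmArgs -PassThru -NoNewWindow
Start-Sleep -Seconds $StartupDelaySeconds
if ($nmcap.HasExited) {
    throw "nmcap exited early (exit code $($nmcap.ExitCode)); check the path and parameters"
}

# 2. Subscribe to the same WMI notification query evtmon.vbs uses.
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.EventCode = $EventNumber"
if ($LogFile -ne "") { $query += " AND TargetInstance.Logfile = '$LogFile'" }

Register-WmiEvent -Query $query -SourceIdentifier "EvtMon"
try {
    Write-Host "Capturing to $CaptureFile; waiting for event $EventNumber ..."
    $evt   = Wait-Event -SourceIdentifier "EvtMon"      # blocks until the entry is written
    $entry = $evt.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ("{0}  {1}  {2}`n{3}" -f $entry.TimeWritten, $entry.Logfile, $entry.User, $entry.Message)
    Remove-Event -EventIdentifier $evt.EventIdentifier
}
finally {
    Unregister-Event -SourceIdentifier "EvtMon"
}

# 3. Send the trigger frame; nmcap's /stopwhen filter matches it and nmcap exits.
ping.exe -n 1 $TriggerAddress | Out-Null
if (-not $nmcap.WaitForExit(30000)) {
    Write-Warning "nmcap did not stop within 30 s; the trigger ping may be blocked by a firewall"
}
```

Save it as eventmon.ps1 and run it from an elevated Windows PowerShell 5.1 prompt, for example `.\eventmon.ps1 -CaptureFile C:\traces\mystuff.cap -EventNumber <id> -LogFile Application` (the path is a placeholder). Register-WmiEvent is a Windows PowerShell cmdlet; on PowerShell 7 the CIM equivalent is Register-CimIndicationEvent with the same WQL query. Checking HasExited after the startup delay catches a wrong path or bad parameters before the script sits waiting on an event that will never produce a trace, and the WaitForExit timeout surfaces the firewall problem the text warns about instead of leaving nmcap running silently.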
Translated from:
Eventmon: stopping a capture based on an EventLog event
http://blogs.technet.com/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx