Microsoft KB Archive/110553

= Stopping Sniffer Trace Automatically When LM WS Fails =

Article ID: 110553

Article Last Modified on 2/27/2002



This article was previously published under Q110553



READ THIS FIRST
NOTE: This article applies to Microsoft LAN Manager WORKSTATIONS only. If you are trying to stop a Sniffer trace automatically when a server, a Windows for Workgroups machine, or a Windows NT workstation fails, use article

110619, Stopping a Sniffer Trace Automatically When a Server Fails

INTRODUCTION
A common problem when trying to capture network traces of LAN Manager workstation failures is that nobody is there to notice the failure and stop the Sniffer, so the capture keeps running past the frames of interest. The Sniffer should be configured to capture only packets sent to and from the workstation, but even that may not limit the trace enough.

This article explains how to trigger a Sniffer to stop automatically when there is a workstation failure. The method involves running a batch file that repeatedly attempts to send a packet to the failed workstation. When the batch file detects the failure, it sends a broadcast message (STOP THE SNIFF) to the domain, and the Sniffer triggers on it.

Obviously the batch file has to be run on a machine other than the one being monitored; a workstation that has already failed cannot send the stop message itself.

"STOP THE SNIFF" BATCH FILE
rem  USAGE: stopsnif [workstation-name] [interval]
:start
rem  Make sure the LAN Manager workstation has started the MESSENGER
rem  service but NOT the NETPOPUP service. If NETPOPUP is running, the
rem  wksta gets bombarded with popup messages all the time; without
rem  NETPOPUP you should just hear a beep, and you can disable the
rem  speaker if you don't want to hear it.
rem
rem  The workstation should have NETBEUI on LANA 0 (primary protocol)
rem  if the NET SEND is done over NETBEUI; otherwise the message won't
rem  be received.
rem
net send %1 Hello
if ERRORLEVEL 1 goto bailout
delay %2
rem  The DELAY utility pauses execution of the batch file for the
rem  specified number of seconds. Any similar utility can be used
rem  instead. To obtain DELAY.EXE contact your MS Customer Support
rem  engineer.
rem
goto start
rem
rem  The connection attempt failed. Stop the sniffer!
:bailout
net send /d:mydomain STOP THE SNIFF
@echo.
@echo Well, hopefully the sniffer stopped!

Depending on the protocol in use, the text string "STOP THE SNIFF" may appear at different offsets in your trace, so some other steps are necessary:


1) Turn on the Sniffer and trace broadcasts from your test machine.
2) Type net send /d:mydomain STOP THE SNIFF (mydomain can be a non-existent domain if you want to avoid bothering people).
3) Stop the Sniffer and examine the trace to find the offset of the string STOP THE SNIFF. Note the offset in hex; the trigger will be keyed to it.
4) On the top level of the Sniffer menu, make sure Trigger is checked.
5) From the Trigger menu, select Pattern Trigger.
6) Select "Match 1."
7) From the Pattern menu, select "Pattern =" and press ENTER.
8) Enter the pattern in hex (53544F502054484520534E494646, the ASCII bytes of STOP THE SNIFF) and press ENTER.
9) Select "Offset =", enter the offset you found in step 3 (E5 for the TCP/IP case shown here) and press ENTER. The pattern trigger matches only at that exact offset, so a message arriving over a different protocol, at a different offset, will not stop the capture.
10) On the main Trigger menu, make sure "Stop capture" is checked.
11) From the main menu select Filtering, being careful to include messages sent from your test machine to "broadcast" and "NetBIOS."
12) Press F10 and test it out.
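The following Python example is added here and is not part of the KB article or of the Sniffer product; it shows what steps 3, 8 and 9 amount to: the hex form of the trigger text, the offset at which the text sits in a captured frame, and why a Pattern Trigger keyed to one offset does not fire when the same text arrives at another. The frames are constructed filler with no real NetBIOS or TCP/IP headers, and the 0x3A offset used for the second frame is an assumed value chosen only to differ from the E5 the article gives for TCP/IP.

```python
from typing import Optional

# Added example, not code from the KB article. Frames here are constructed
# filler, not captures; real offsets depend on the protocol encapsulation.

TRIGGER_TEXT = "STOP THE SNIFF"
TRIGGER_PATTERN = TRIGGER_TEXT.encode("ascii")
# Hex form for the Sniffer's "Pattern =" field (step 8).
TRIGGER_HEX = TRIGGER_PATTERN.hex().upper()

# Offset the article reports for a NET SEND over TCP/IP (step 9).
TCPIP_OFFSET = int("E5", 16)
# Assumed offset for some other encapsulation; chosen only to differ from E5.
OTHER_OFFSET = 0x3A


def find_pattern_offset(frame: bytes, pattern: bytes = TRIGGER_PATTERN) -> Optional[int]:
    """Step 3: locate the trigger text in a captured frame.

    Returns the byte offset, or None if the text is not in the frame.
    """
    idx = frame.find(pattern)
    return idx if idx >= 0 else None


def pattern_trigger_fires(frame: bytes, offset: int, pattern: bytes = TRIGGER_PATTERN) -> bool:
    """Steps 8-9: a fixed-offset pattern trigger.

    Fires only when the bytes at exactly `offset` equal `pattern`; the same
    text anywhere else in the frame does not count, which is why the
    article has you measure the offset from a test capture first.
    """
    return frame[offset:offset + len(pattern)] == pattern


def build_test_frame(text_offset: int, text: str = TRIGGER_TEXT) -> bytes:
    """Constructed stand-in for a captured NET SEND frame.

    `text_offset` bytes of 0xAA filler stand in for the headers; there are
    no real protocol headers in this frame.
    """
    return b"\xAA" * text_offset + text.encode("ascii") + b"\x00" * 8


def demo() -> dict:
    """Run the checks an operator does by hand in steps 3, 8 and 9."""
    tcpip_frame = build_test_frame(TCPIP_OFFSET)
    other_frame = build_test_frame(OTHER_OFFSET)
    return {
        "pattern_hex": TRIGGER_HEX,
        "tcpip_offset": find_pattern_offset(tcpip_frame),
        "other_offset": find_pattern_offset(other_frame),
        # Trigger keyed to E5, as in the article's TCP/IP case:
        "fires_on_tcpip_frame": pattern_trigger_fires(tcpip_frame, TCPIP_OFFSET),
        "fires_on_other_frame": pattern_trigger_fires(other_frame, TCPIP_OFFSET),
        # Re-keyed to the offset measured from the other frame, it fires again:
        "fires_when_rekeyed": pattern_trigger_fires(other_frame, OTHER_OFFSET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the second frame is the caveat in step 9: the hex pattern stays the same whatever protocol carries the message, but the offset does not, so a trigger set up from a TCP/IP test capture will sit idle if the stop message later goes out over NetBEUI at a different offset.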

Once the Sniffer triggers, be sure to save the file to disk immediately, in non-compressed format if you are going to mail it to Microsoft Product Support Services.

Additional query words: wfw wfwg sniffer trace trigger 2.00 2.0 2.10 2.1 2.10a 2.1a 2.20 2.2

Keywords: KB110553


© Microsoft Corporation. All rights reserved.