Microsoft KB Archive/110619

Stopping a Sniffer Trace Automatically When a Server Fails

Q110619

-

The information in this article applies to:


 * Microsoft Windows NT Server version 3.1
 * Microsoft Windows NT Workstation version 3.1
 * Microsoft Windows NT Advanced Server, version 3.1
 * Microsoft LAN Manager, version 2.x

-

NOTE: This article applies only to failures of servers and Windows for Workgroups or Windows NT workstations. If you are trying to stop a Sniffer trace automatically when a Microsoft LAN Manager workstation fails, use article Q110553, titled:

"Stopping Sniffer Trace Automatically When an LM WS Fails"

SYMPTOMS
It is difficult to capture network traces at the time of a server failure when there is nobody there to notice and stop the Sniffer.

RESOLUTION
The following is one possible method to automatically trigger a Sniffer on server failure.

This method involves running a batch file on one machine that repeatedly attempts to establish a connection to the server(s) in question. Upon detecting a failure at the server, the batch file sends a broadcast message (STOP THE SNIFF) to the domain, which the Sniffer triggers on.

The batch file:

    rem USAGE: stopsnif [servername] [interval]
    rem Poll the server with "net view"; on failure, broadcast the trigger string.
    :start
    net view \\%1
    if ERRORLEVEL 1 goto bailout
    rem Wait [interval] before the next attempt.
    delay %2
    goto start
    rem
    rem The connection attempt failed. Stop the Sniffer!
    :bailout
    rem Broadcast the trigger string to the domain (davemacd in this example).
    net send /d:davemacd STOP THE SNIFF
    @echo.
    @echo Well, hopefully the Sniffer stopped!

Depending on the protocol, the text string "STOP THE SNIFF" may appear at different offsets in your trace. It is therefore necessary to do the following:


1) Turn on the Sniffer and trace broadcasts from your test machine.
2) Type "net send /d:mydomain STOP THE SNIFF" where mydomain may be a non-existent domain to avoid bothering people.
3) Stop the Sniffer and examine the trace to find the offset of the string "STOP THE SNIFF".
4) Go to the top level of the Sniffer menu and make sure the Trigger option is selected.
5) Use the RIGHT ARROW key to move to the Trigger menu, then use the RIGHT ARROW key again to select Pattern Trigger.
6) Go to Match 1 and use the RIGHT ARROW key again to get to the Pattern menu.
7) Move the insertion point to "Pattern =" and press ENTER.
8) Enter the pattern in HEX (53544F502054484520534E494646), and then press ENTER.
9) Move down one field to "Offset =" and enter your offset (with TCP/IP it's E5), and then press ENTER.
10) Move back to the left to the main Trigger menu and make sure the Stop Capture option is selected.
11) Move back to the main menu, and select any filtering you might want, being careful to include messages sent from your test machine to "broadcast" and "netbios."
12) Press F10 and test it out.

Once the Sniffer triggers, be sure to save the file to disk before doing anything else.
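The "Pattern =" and "Offset =" values from steps 3, 8 and 9 can be checked offline before relying on the trigger. The following Python is an added example, not part of the original article. The frames are constructed (zero-filled placeholder headers), the function names are hypothetical, and it assumes the Sniffer offset counts bytes from the start of the frame, beginning at zero.

```python
"""Added example: derive and check Sniffer pattern-trigger values."""

TRIGGER_TEXT = "STOP THE SNIFF"  # string broadcast by the batch file


def pattern_hex(text=TRIGGER_TEXT):
    """Hex string for the 'Pattern =' field (ASCII bytes, uppercase)."""
    return text.encode("ascii").hex().upper()


def find_offsets(frame, text=TRIGGER_TEXT):
    """Every zero-based offset at which the trigger text occurs in the frame."""
    needle = text.encode("ascii")
    hits, pos = [], frame.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = frame.find(needle, pos + 1)
    return hits


def trigger_fires(frame, offset, text=TRIGGER_TEXT):
    """Emulate a fixed-offset pattern match: compare bytes at one offset only."""
    needle = text.encode("ascii")
    return frame[offset:offset + len(needle)] == needle


def build_test_frame(header_len, text=TRIGGER_TEXT):
    """Constructed frame: zero-filled placeholder headers, then the message."""
    return bytes(header_len) + text.encode("ascii") + b"\x00"


# Constructed samples. 0xE5 is the TCP/IP offset quoted in the article;
# 0x60 is a made-up header length standing in for some other protocol.
FRAME_TCPIP = build_test_frame(0xE5)
FRAME_OTHER = build_test_frame(0x60)

if __name__ == "__main__":
    print("Pattern =", pattern_hex())
    for name, frame in (("tcpip", FRAME_TCPIP), ("other", FRAME_OTHER)):
        offsets = [format(o, "X") for o in find_offsets(frame)]
        print(name, "Offset =", offsets,
              "| fires at E5:", trigger_fires(frame, 0xE5))
```

A trigger set to offset E5 does not fire on the second frame, which is why the offset in step 3 has to be measured for the protocol actually in use.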
