Stopping a Sniffer Trace Automatically When a Server Fails

Q110619

The information in this article applies to:
NOTE: This article applies only to failures of servers and Windows for Workgroups or Windows NT workstations. If you are trying to stop a Sniffer trace automatically when a Microsoft LAN Manager workstation fails, use article Q110553, titled:
"Stopping Sniffer Trace Automatically When an LM WS Fails"

SYMPTOMS

It is difficult to capture network traces at the time of a server failure when there is nobody there to notice and stop the Sniffer.


RESOLUTION

The following is one possible method to automatically trigger a Sniffer on server failure.

This method involves running a batch file on one machine that repeatedly attempts to establish a connection to the server(s) in question. Upon detecting a failure at the server, the batch file sends a broadcast message (STOP THE SNIFF) to the domain, which the Sniffer triggers on.

The batch file: 


rem USAGE: stopsnif [servername] [interval]
:start
net view \\%1
if ERRORLEVEL 1 goto bailout
delay %2
goto start
rem
rem The connection attempt failed.  Stop the Sniffer!
:bailout
net send /d:davemacd STOP THE SNIFF
@echo
@echo Well, hopefully the Sniffer stopped!
Depending on the protocol, the text string "STOP THE SNIFF" may appear at different offsets in your trace. It is therefore necessary to do the following:

  1. Turn on the Sniffer and trace broadcasts from your test machine.


  2. Type "net send /d:mydomain STOP THE SNIFF" where mydomain may be a non- existent domain to avoid bothering people.


  3. Stop the Sniffer and examine the trace to find the offset of the string "STOP THE SNIFF".


  4. Go to the top level of the Sniffer menu and make sure the Trigger option is selected.


  5. Use the RIGHT ARROW key to move to the Trigger menu, then use the RIGHT ARROW key again to select Pattern Trigger.


  6. Go to Match 1 and use the RIGHT ARROW key again to get to the Pattern menu.


  7. Move the insertion point to "Pattern =" and press ENTER.


  8. Enter the pattern in HEX (53544F502054484520534E494646), and then press ENTER.


  9. Move down one field to "Offset =" and enter your offset (with TCP/IP it's E5), and then press ENTER.


  10. Move back to the left to the main Trigger menu and make sure the Stop Capture option is selected.


  11. Move back to the main menu, and select any filtering you might want, being careful to include messages sent from your test machine to "broadcast" and "netbios."


  12. Press F10 and test it out.


Once the Sniffer triggers, be sure to save the file to disk before doing anything else.

Additional query words: wfw wfwg prodnt

Keywords : kbnetwork
Issue type :
Technology : kbWinNTsearch kbWinNTWsearch kbwin2000AdvServSearch kbWinNTW310 kbWinNTSsearch kbWinNTS310 kbwin2000Ssearch kbwin2000Search kbWinNTS310xsearch kbWinNT310xSearch kbWinNTW310Search


Last Reviewed: December 7, 2000
© 2001 Microsoft Corporation. All rights reserved. Terms of Use.