Stopping a Sniffer Trace Automatically When a Server Fails

Last reviewed: April 11, 1997
Article ID: Q110619
The information in this article applies to:
  • Microsoft Windows NT operating system version 3.1
  • Microsoft Windows NT Advanced Server version 3.1
  • Microsoft LAN Manager version 2.x

NOTE: This article applies only to failures of servers and Windows for Workgroups or Windows NT workstations. If you are trying to stop a Sniffer trace automatically when a Microsoft LAN Manager workstation fails, use article Q110553, titled:

   "Stopping Sniffer Trace Automatically When an LM WS Fails"

SYMPTOMS

It is difficult to capture network traces at the time of a server failure when there is nobody there to notice and stop the Sniffer.

RESOLUTION

The following is one possible method to automatically trigger a Sniffer on server failure.

This method involves running a batch file on one machine that repeatedly attempts to connect to the server in question (run one copy of the batch file per server you want to watch). When the connection attempt fails, the batch file sends a broadcast message (STOP THE SNIFF) to the domain, and the Sniffer is configured to trigger on that string and stop capturing.

The batch file:

   rem USAGE: stopsnif [servername] [interval]
   :start
   rem Probe the server. net view sets ERRORLEVEL to a nonzero value when it cannot reach \\%1.
   net view \\%1
   if ERRORLEVEL 1 goto bailout
   rem delay is not built into the command interpreter; it must be a utility on the path that waits for the interval given as %2.
   delay %2
   goto start
   rem
   rem The connection attempt failed. Stop the Sniffer!
   :bailout
   rem davemacd is the domain name used in this example; the message is broadcast to that domain.
   net send /d:davemacd STOP THE SNIFF
   @echo
   @echo Well, hopefully the Sniffer stopped!

Depending on the protocol, the text string "STOP THE SNIFF" may appear at different offsets in your trace. It is therefore necessary to do the following:

  1. Turn on the Sniffer and trace broadcasts from your test machine.

  2. Type "net send /d:mydomain STOP THE SNIFF" where mydomain may be a non-existent domain to avoid bothering people.

  3. Stop the Sniffer and examine the trace to find the offset of the string "STOP THE SNIFF".

  4. Go to the top level of the Sniffer menu and make sure the Trigger option is selected.

  5. Use the RIGHT ARROW key to move to the Trigger menu, then use the RIGHT ARROW key again to select Pattern Trigger.

  6. Go to Match 1 and use the RIGHT ARROW key again to get to the Pattern menu.

  7. Move the insertion point to "Pattern =" and press ENTER.

  8. Enter the pattern in HEX (53544F502054484520534E494646, the ASCII bytes of "STOP THE SNIFF"), and then press ENTER.

  9. Move down one field to "Offset =" and enter the offset you found in step 3 (with TCP/IP it's E5), and then press ENTER.

  10. Move back to the left to the main Trigger menu and make sure the Stop Capture option is selected.

  11. Move back to the main menu, and select any filtering you might want, being careful to include messages sent from your test machine to "broadcast" and "netbios."

  12. Press F10 and test it out.

Once the Sniffer triggers, be sure to save the file to disk before doing anything else.
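The following is an added example, not part of the original article or of the Sniffer product: a small Python model of the Pattern Trigger (Match 1 with "Pattern =" and "Offset =") that lets you confirm the hex pattern from step 8 and the offset from step 3 against a saved frame before you rely on the trigger for an unattended capture. The frames it examines are constructed for this example with placeholder headers; they are not real captures, and the header sizes are not the real NetBIOS-over-TCP/IP or NetBEUI layouts.

```python
"""
Added example (not from the original KB article): model the Sniffer's
Pattern Trigger so the pattern bytes and the offset can be checked
against captured frames before an unattended capture depends on them.

All frames here are constructed; header lengths are placeholders.
"""

TRIGGER_TEXT = "STOP THE SNIFF"
# The hex string the article tells you to type into "Pattern =".
TRIGGER_PATTERN_HEX = "53544F502054484520534E494646"


def pattern_hex(text: str) -> str:
    """Return the upper-case hex the trigger menu expects for an ASCII string."""
    return text.encode("ascii").hex().upper()


def find_pattern_offset(frame: bytes, pattern: bytes) -> int:
    """Step 3 of the procedure: locate the pattern inside a captured frame.
    Returns the byte offset from the start of the frame, or -1 if absent."""
    return frame.find(pattern)


def pattern_trigger(frame: bytes, pattern_hex: str, offset: int) -> bool:
    """Model of one Match entry: the pattern must sit exactly at the
    configured offset. The trigger does not search the whole frame."""
    pattern = bytes.fromhex(pattern_hex)
    return frame[offset:offset + len(pattern)] == pattern


def build_frame(header_len: int, message: str) -> bytes:
    """Constructed frame: header_len filler bytes standing in for the
    protocol headers, followed by the broadcast text. The text's offset
    therefore depends only on the header size, which is what changes
    between transports."""
    return b"\x00" * header_len + message.encode("ascii")


# Constructed sample frames (assumption: 0xE5 is the TCP/IP offset the
# article reports; 0x40 is an arbitrary stand-in for another transport).
TCPIP_FRAME = build_frame(0xE5, TRIGGER_TEXT)
OTHER_FRAME = build_frame(0x40, TRIGGER_TEXT)
NOISE_FRAME = build_frame(0xE5, "hello world")


def check_trigger_config(frames, pattern_hex=TRIGGER_PATTERN_HEX, offset=0xE5):
    """For each frame report (would the Match entry fire, where the pattern
    actually is). A (False, n >= 0) pair means the string is present but
    the configured offset is wrong for that transport."""
    results = []
    pattern = bytes.fromhex(pattern_hex)
    for frame in frames:
        fires = pattern_trigger(frame, pattern_hex, offset)
        actual = find_pattern_offset(frame, pattern)
        results.append((fires, actual))
    return results


if __name__ == "__main__":
    print("pattern hex:", pattern_hex(TRIGGER_TEXT))
    names = ["tcpip", "other-transport", "noise"]
    frames = [TCPIP_FRAME, OTHER_FRAME, NOISE_FRAME]
    for name, (fires, actual) in zip(names, check_trigger_config(frames)):
        where = "absent" if actual < 0 else f"at offset 0x{actual:X}"
        print(f"{name}: trigger fires={fires}, pattern {where}")
```

Two things this makes visible. First, the trigger is a fixed-offset byte compare, so a frame that carries the string under a different encapsulation (the second constructed frame) is silently missed; re-measure the offset whenever the transport between the test machine and the Sniffer changes. Second, the trigger is an unauthenticated plaintext match: any host on the segment that can place those bytes at that offset stops your capture, so on a shared segment pick a less guessable string than STOP THE SNIFF and regenerate the hex with pattern_hex.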


Additional query words: wfw wfwg prodnt
Keywords : kbnetwork ntprotocol NTSrvWkst
Version : 3.1
Platform : WinNT


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved. Terms of Use.