Article ID: 110553 - Last Review: February 27, 2002 - Revision: 1.0

Stopping Sniffer Trace Automatically When LM WS Fails

Retired KB ArticleRetired KB Content Disclaimer
This article was previously published under Q110553

On This Page

Expand all | Collapse all

SUMMARY

READ THIS FIRST

NOTE: This article applies to Microsoft LAN Manager WORKSTATIONS only. If you are trying to stop a Sniffer trace automatically when a server or Windows for Workgroups or NT workstation fails, use article
110619  (http://support.microsoft.com/kb/110619/EN-US/ ) , Stopping a Sniffer Trace Automatically When a Server Fails
Back to the top

INTRODUCTION

A common problem when trying to capture network traces after LAN Manager workstation failures is that nobody is there to notice and stop the Sniffer. The Sniffer should be configured to filter out only packets sent to and from the workstation, but that may not be limiting enough.

This article explains how to trigger a Sniffer to stop automatically when there is a workstation failure. The method involves running a batch file that repeatedly attempts to send a packet to the failed workstation. When the batch file detects the failure, it sends a broadcast message (STOP THE SNIFF) to the domain, and the Sniffer triggers on it.

Obviously the batch file has to be run on a machine other than the one that is monitored for a crash.
Back to the top

"STOP THE SNIFF" BATCH FILE

rem   USAGE: stopsnif [workstation-name] [interval]
:start
rem   Make sure the LAN Manager workstation has started the MESSENGER
rem   service but NOT the NETPOPUP service. If NETPOPUP is running, the
rem   wksta gets bombarded with popup messages all the time; without
rem   NETPOPUP you should just hear a beep, and you can disable the
rem   speaker if you don't want to hear it.
rem
rem   The workstation should have NETBEUI on LANA 0(primary protocol)
rem   if the NET SEND is done over NETBEUI; otherwise the message won't
rem   be received.
rem
net send %1  Hello
if ERRORLEVEL 1 goto bailout

delay %2
rem   The utility program pauses execution of the batch file for the
rem   specified number of seconds. Any similar utility can be used
rem   instead. To obtain DELAY.EXE contact your MS Customer Support
rem   engineer.
rem
goto start
rem
rem   The connection attempt failed. Stop the sniffer!
:bailout
net send /d:mydomain STOP THE SNIFF
@echo
@echo Well, hopefully the sniffer stopped!
Depending on the protocol in use, the text string "STOP THE SNIFF" may appear at different offsets in your trace, so some other steps are necessary:

  1. Turn on Sniffer and trace broadcasts from your test machine.
  2. Type net send /d:mydomain STOP THE SNIFF. (Mydomain can be a non-existent domain if you want to avoid bothering people.)
  3. Stop Sniffer and examine the trace to find the offset of the string STOP THE SNIFF.
  4. On the top level of the Sniffer menu, make sure Trigger is checked.
  5. From the Trigger menu, select Pattern Trigger.
  6. Select "Match 1."
  7. From the Pattern menu, select "Pattern =" and press ENTER.
  8. Enter the pattern in HEX (53544F502054484520534E494646)and press ENTER.
  9. Select "Offset =", enter your offset (TCP/IP = E5) and press ENTER.
  10. On the main Trigger menu, make sure "Stop capture" is checked.
  11. From the main menu select filtering, being careful to include messages sent from your test machine to "broadcast" and "NetBIOS."
  12. Press F10 and test it out.
Once the Sniffer triggers, be sure to save the file to disk immediately-- in non-compressed format if you are going to mail it to Microsoft Product Support Services.
Back to the top
Keywords: 
KB110553
Back to the top
Retired KB ArticleRetired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations