Stopping Sniffer Trace Automatically When LM WS Fails

READ THIS FIRST

NOTE: This article applies to Microsoft LAN Manager WORKSTATIONS only. If you are trying to stop a Sniffer trace automatically when a server or Windows for Workgroups or NT workstation fails, use article Q110619, titled:

   Stopping a Sniffer Trace Automatically When a Server Fails

INTRODUCTION

A common problem when trying to capture network traces after LAN Manager workstation failures is that nobody is there to notice and stop the Sniffer. The Sniffer should be configured to filter out only packets sent to and from the workstation, but that may not be limiting enough.

This article explains how to trigger a Sniffer to stop automatically when there is a workstation failure. The method involves running a batch file that repeatedly attempts to send a packet to the failed workstation. When the batch file detects the failure, it sends a broadcast message (STOP THE SNIFF) to the domain, and the Sniffer triggers on it.

Obviously the batch file has to be run on a machine other than the one that is monitored for a crash.

"STOP THE SNIFF" BATCH FILE

rem USAGE: stopsnif [workstation-name] [interval] :start rem Make sure the LAN Manager workstation has started the MESSENGER rem service but NOT the NETPOPUP service. If NETPOPUP is running, the rem wksta gets bombarded with popup messages all the time; without rem NETPOPUP you should just hear a beep, and you can disable the rem speaker if you don't want to hear it. rem rem The workstation should have NETBEUI on LANA 0(primary protocol) rem if the NET SEND is done over NETBEUI; otherwise the message won't rem be received. rem net send %1 Hello if ERRORLEVEL 1 goto bailout

delay %2 rem The utility program pauses execution of the batch file for the rem specified number of seconds. Any similar utility can be used rem instead. To obtain DELAY.EXE contact your MS Customer Support rem engineer. rem goto start rem rem The connection attempt failed. Stop the sniffer! :bailout net send /d:mydomain STOP THE SNIFF @echo @echo Well, hopefully the sniffer stopped!

Depending on the protocol in use, the text string "STOP THE SNIFF" may appear at different offsets in your trace, so some other steps are necessary:

1. Turn on Sniffer and trace broadcasts from your test machine.

   non-existent domain if you want to avoid bothering people.)

   string STOP THE SNIFF.

    sent from your test machine to "broadcast" and "NetBIOS."

Once the Sniffer triggers, be sure to save the file to disk immediately-- in non-compressed format if you are going to mail it to Microsoft Product Support Services.