Finding errors that occur only a few times per day is difficult.
This small tutorial shows you how to automate Microsoft Network Monitor traces to find such an error.
Who hasn’t had this? An error occurring only sporadically every 10-14 hours?
I have such a problem at the moment and would like to run a network trace for a thorough analysis. A trace covering 10 hours or more would produce an enormous amount of data, and you would surely not find the interesting spot in it.
For this I have a small trick I want to share with you.
How to set up automatic Network Monitor Traces
You can parameterize Microsoft NetMon 3.4 on the command line so that it reacts only to certain network packets.
You can also specify that the trace file should not exceed 100 MB.
- Start NetMon and let it wait for a PING. As soon as the PING has been received, the Trace should be ended.
- A second small script searches the logfile of the application for the error code. As soon as it is found, a PING is sent to the server.
- NetMon receives the PING and stops the Trace.
NetMon start script
NMCAP.EXE /Network * /DisableLocalOnly /RecordFilters /RecordConfig /Capture ipv4.address==10.4.67.173 /File c:\Traces\%COMPUTERNAME%_trace.cap:100M /StopWhen /Frame (icmp and ipv4.totallength==328)
- /Capture ipv4.address==10.4.67.173: IP address of the server on which NetMon is running
- /File c:\Traces\%COMPUTERNAME%_trace.cap:100M: Location where the trace file is saved, size 100 MB
- /StopWhen /Frame (icmp and ipv4.totallength==328): Just react to ICMP packets
Logfile supervision script
:search
findstr /I /C:"Activation Handler finished" "E:\Quest Software\Migration Manager\DSA\CONFIGS\dsa.log"
if %errorlevel% EQU 0 goto stop
timeout /t 60 /nobreak >nul & goto search
:stop
timeout /t 300 /nobreak >nul & ping -4 -l 300 10.4.67.173
The findstr command searches the file “dsa.log” for the term “Activation Handler finished” (the term is not an error message, just an example). As long as the term is not found, the script loops and searches again every 60 seconds. As soon as it is found, the script pauses for 5 minutes so that the trace can capture the data exchanged after the error. Afterward, a PING with a length of 300 is sent to a random server, which ends the trace with its reply. Together with the 8-byte ICMP header and the 20-byte IPv4 header, the 300-byte payload gives the total length of 328 that the /StopWhen filter in the NetMon start script waits for.
The tasks are started successively. As soon as the search term is found in the logfile, the trace ends automatically.
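findstr searches the whole file, so a term that is already in dsa.log when the supervision script starts ends the trace on the first pass. The following PowerShell variant is an added example, not part of the original article: it reacts only to lines appended after it starts and derives the PING size from the total length used in the /StopWhen filter. The function name and parameter names are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original article): react only to log lines
# written after the watcher starts, then send the stop PING for NMCAP.
function Wait-LogTermThenPing {            # hypothetical helper name
    param(
        [string]$LogPath      = 'E:\Quest Software\Migration Manager\DSA\CONFIGS\dsa.log',
        [string]$Term         = 'Activation Handler finished',  # example term from the article
        [string]$Target       = '10.4.67.173',                  # address used in the article
        [int]$StopTotalLength = 328,   # must equal ipv4.totallength in the /StopWhen filter
        [int]$GraceSeconds    = 300    # keep capturing for 5 minutes after the match
    )

    # ping -l sets only the ICMP payload size; the filter sees the payload
    # plus the 8-byte ICMP header plus the 20-byte IPv4 header.
    $payload = $StopTotalLength - 20 - 8
    if ($payload -lt 0 -or $payload -gt 65500) {
        throw "Total length $StopTotalLength does not map to a valid ping -l size."
    }
    if (-not (Test-Path -LiteralPath $LogPath)) {
        throw "Log file not found: $LogPath"
    }

    # -Tail 0 skips everything already in the file; -Wait keeps reading
    # and emits lines as they are appended. Select-Object -First 1 ends
    # the pipeline at the first matching line.
    $hit = Get-Content -LiteralPath $LogPath -Tail 0 -Wait |
        Where-Object { $_ -match [regex]::Escape($Term) } |   # -match ignores case, like findstr /I
        Select-Object -First 1

    Write-Host ("{0:u} matched: {1}" -f (Get-Date), $hit)
    Start-Sleep -Seconds $GraceSeconds

    # Same PING as in the article's script, with the size derived above.
    & ping.exe -4 -l $payload $Target
}

Wait-LogTermThenPing
```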