Capturing Network Logon Without Spanning A Port (Part 2 of 2)

  • Article

When I first started this blog I thought I'd be blogging all the time. Then life got in the way. Flights to both coasts, what seems like only two outlets in every terminal in O'Hare, and an MBA class later, it's been a month before I sat down to write this out. Alright folks well in the first bog post we talked about how to make a network capture in Windows XP without having to span a port. For Windows Vista/7 we really have two different ways to do this.

 

The first way or the messy way. You can install Network Monitor as a service. I hate this way.

How To Configure network monitor started as a service

a. Install network monitor

b. Download instsrv.exe and srvany.exe https://www.microsoft.com/downloads/en/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd\&displaylang=en

c. Copy srvany.exe to c:\netmon (create a new folder named c:\netmon)

d. Run the following command (run as administrator) to add a service Instsrv NetmonService c:\netmon\srvany.exe

e. Run services.msc and ensure that NetMonService will start automatically.

f. Run regedit.exe, unfold HKLM\System\CurrentControlSet\Services\NetMonService, add a sub Key: Parameters

g. Under Parameters, add the following value

h. Type: REG_SZ, name: Application, value: <path to program files folder>\Microsoft Network Monitor 3\nmcap.exe

i. Type: REG_SZ, name: AppParameters , value: /network * /capture /file c:\netmon\netmon.cap:100M /DisableConversations /stopwhen /timeafter 900 (NOTE: 900 means netmon would stop capturing after 15 minutes)

j. Restart the machine to reproduce the problem, after you log on, hold on for about 15 minutes, then find out netmon.cap under c:\netmon.

 

Look at all that. Are you serious, I'll just go find a hub. Fair enough.

 

The second way, use built in tool that you've ignored, netsh

1.) open a command prompt  and enter netsh trace start capture=yes persistent=yes

(That's what took you a month to write about? I know I'm sorry.)

That's it, log out and log back in with the problem user, load that .elt file up into network monitor and you are good to go. That's actually where I saw this amazing hint from last year. https://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx

 

Mark "can I get me some of that sweet sweet outlet action" Morowczynski