Top 10 Topics for MSCOM Ops…The TOOL MAN Cometh!!!

It is amazing to see what one little innocent question and two topic suggestions can generate.


Your question was:

Do you have any good LogParser tricks?


and your topic suggestions: Scripting, Tools and Utilities


This will most definitely span multiple posts as the answers generated by the MSCOM Ops team keep pouring in.

Let's start with NetCap.exe

Netcap provides capture abilities only from a command prompt; to open the resulting capture (.cap) files, you must use the full Network Monitor interface.

Netcap is installed when you install the Support tools that are on the Windows XP CD-ROM.

For additional information about how to install these tools, click the article number below to view the article in the Microsoft Knowledge Base:

306794 (https://support.microsoft.com/kb/306794/EN-US/) How to Install the Support Tools from the Windows XP CD-ROM

Network Monitor is provided with Windows Server products and Microsoft Systems Management Server (SMS).

Netcap provides capture abilities that are similar to the version of Network Monitor that is included with the Windows Server products; however, you must use Netcap at a command prompt. Netcap installs the Network Monitor driver and binds it to all adapters when you first run the Netcap command.

(From: https://support.microsoft.com/?id=310875)

This is a real-world example of how we use NetCap.exe.

Capturing network traffic using netcap.exe and a capture filter (the example below is for outgoing GET, HEAD and POST HTTP requests).

‘Start netcap on Network Interface 0; using 500MB buffer size and capture filter called http_filter.cf; saving the file to e:\capture\temp.cap; and running the capture for duration of 1 hour.

netcap.exe /B:500 /N:0 /F:E:\capture\http_filter.cf /C:E:\capture\temp.cap /L:01:00:00

‘Sample capture filter saved as http_filter.cf

[CAPTURE FILTER]
VERSION=2
[SAPS ETYPES]
SAPS=1
ETYPES=1
[ADDRESSES]
NLINES=2
ADDRESSPAIR1=0, 0, 1, 192.168.100.60, 6, *ANY,[WEBSERVERONE][*ANY]
ADDRESSPAIR2=0, 0, 1, 192.168.100.40, 6, *ANY,[WEBSERVERONE][*ANY]
[ANDEXP1]
PATTERN1=0, 36, 5,4845414420
PATTERN2=0, 36, 5,504F535420
PATTERN3=0, 36, 4,47455420

Parse the netcap capture using LogParser and export the data to a SQL database:

logparser.exe -i:netmon -o:sql file:E:\capture\http.sql?logfile=E:\capture\temp.cap -server:SQLSEVER01 -database:NETWORKDATABASE

‘Logparser query saved in http.sql

select DateTime, SrcIP, SrcPort, DstIP, DstPort, PayloadBytes,
EXTRACT_TOKEN(Payload,0,' ') as RequestType,
EXTRACT_TOKEN(Payload,1,' ') as URI,
EXTRACT_TOKEN(EXTRACT_TOKEN(Payload,1,'Host:'),0,'..') as Host,
EXTRACT_TOKEN(EXTRACT_TOKEN(Payload,1,'User-Agent: '),0,'..') as User-Agent
into tableHTTP
from %logfile%
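To show what the two stages above actually do to a packet, here is an added Python example (not from the MSCOM Ops post, Netcap or Log Parser) that applies the same byte patterns as the [ANDEXP1] section of http_filter.cf and then pulls out the same fields as the http.sql query with EXTRACT_TOKEN-style splitting. It assumes the input is the TCP payload (so the method bytes sit at offset 0 rather than the frame offset 36 used in the filter) and that the header line terminator is CRLF; the sample requests are constructed.

```python
"""Offline re-creation of the post's capture filter and LogParser query."""

# The three hex patterns from http_filter.cf: "HEAD ", "POST " and "GET ".
METHOD_PATTERNS = [bytes.fromhex(h) for h in ("4845414420", "504F535420", "47455420")]
LINE_END = "\r\n"  # assumption: stands in for the '..' terminator in the query


def matches_filter(payload: bytes, offset: int = 0) -> bool:
    """Mimic a PATTERN line: any pattern must equal the bytes at `offset`.
    Offset 0 because we are given the TCP payload, not the whole frame."""
    return any(payload[offset:offset + len(p)] == p for p in METHOD_PATTERNS)


def extract_token(text, index: int, separator: str):
    """Approximation of LogParser EXTRACT_TOKEN: split on `separator` and
    return the `index`-th piece, or None when it does not exist."""
    if text is None:
        return None
    parts = text.split(separator)
    return parts[index] if index < len(parts) else None


def parse_request(payload: bytes):
    """Return the columns the http.sql query inserts, or None if the packet
    would have been dropped by the capture filter."""
    if not matches_filter(payload):
        return None
    text = payload.decode("latin-1")  # raw bytes, no charset assumptions
    host = extract_token(extract_token(text, 1, "Host:"), 0, LINE_END)
    agent = extract_token(extract_token(text, 1, "User-Agent: "), 0, LINE_END)
    return {
        "RequestType": extract_token(text, 0, " "),
        "URI": extract_token(text, 1, " "),
        "Host": host.strip() if host is not None else None,
        "User-Agent": agent.strip() if agent is not None else None,
        "PayloadBytes": len(payload),
    }


# Constructed sample payloads: one outgoing GET, one PUT, one server reply.
SAMPLES = [
    b"GET /default.aspx?id=7 HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n",
    b"PUT /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
]


def parse_samples():
    """Rows that would reach tableHTTP for the constructed samples."""
    return [r for r in (parse_request(p) for p in SAMPLES) if r is not None]


if __name__ == "__main__":
    for row in parse_samples():
        print(row)
```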

Stay tuned…MANY more of these types of posts are on the way. We want to get you information that you can <deep breath> actually use! (What a concept.)