It is often needful to take a long and persistent network capture to collect data from a server or set of servers. Often you are looking for a problem and cannot predict its occurrence. In these cases it can sometime be difficult to find the right methods to capture this data without over whelming you servers. I will attempt to give suggestions on how to best do this to get the data needed. My preferred method is by using the command-line version (though the UI works well too) of the new Microsoft Network capturing tool Netmon 3 since it can capture on all interfaces, and use the same filters as though found in the UI.
Microsoft’s new network capture utility, Network Monitor 3, comes with a command line tool that is very helpful at grabbing needed network traffic, while maintaining a very small footprint on the server itself. The premise of this article will cover the need to capture all DNS queries sent to a server. These captures need to be persistently captured so the there is not stop mechanism built into the syntax (stop with ctrl-c). The concepts and example given below can be used in similar scenarios with little changes to the filter itself (if you are unsure of what filter to use you can find the correct filter in the gui version of Netmon 3 by right clicking on any captured packet attribute and selecting the “filter on this attribute” selection. The display filter will now be the filter to use to see this data in the future, in most cases) .
How to use the command line version (NMcap):
Here is the NMcap syntax (at minimum) to use to capture DNS data on any interface. Note that you will have to have local admin writes to run this, so in 2008/Vista/Win7 you need to use the administrative context:
nmcap /network <networkID> /capture <filter> /recordfilters /disableconversations /mindiskquotapercentage <percent> /file <DiretoryFile>:<File size>
Example for our case:
nmcap /network * /capture (dns.flags.qr ==0x0 ) /recordfilters /disableconversations /mindiskquotapercentage 20 /file d:dnscap.chn:25M
Breakdown of syntax:
- -“/network” – Specifies the adapter to capture network data on. “*” means all adapters. If you need to use a specific adapter use “NMcap /DisplayAdapters” to view the adapter data.
- -“/capture” – This switch enables us to set a capture filter on the data. The filter used in the example “dns.flags.qr == 0x0” refers to the flag in network packets that are DNS queries only. So using this, you will only see that initial data that is requested, not the responses to these. This means that the data will be much smaller and much easy to read. If needed you can use “dns” to see all DNS related traffic
- -“/recordfilters” – This is just for documentation purposes. This will add the filter used to create the file to the file itself, so that during review you will be aware that it was filtered, and how. This is very low overhead, simply writing the text in the filter field.
- -“/disableconversations” – By default NMcap keeps track of conversations in the network capture. This takes up more memory so I would recommend disabling this function, and making these associations in the capture review.
- -“/mindiskquotapercentage” – By default NMcap will capture and capture without thought for the amount of disk space needed to store the data. Setting this value will enable us to say that “If the available disk space becomes less than 20% then stop the capture”. 20% is just used in the example and use can use any value you feel is appropriate. Also, if you feel more comfortable setting a disk space minimum instead of a percentage you can use “/mindiskquota 20m” where 20m refers to 20mb of free space, or whatever value you feel is appropriate.
- -“/file” – The directory and file location to save the captured data. Normally the file extension is “.cap”. Use of the “.chn” extension tells NMcap to create multiple files or to “chain” the files. The value after the “:” indicates the size of each file in the chain (I used 25mb here to keep the files relatively small, since the time to load network captures have more to do with “how many packets are in a trace” than “how big is each packet” and the filter we are using will ensure that we are capturing very small packets). Whenever the captured data equals that file size NMCap completes that file, and begin with a new. I have one correction here to an earlier statement I made; we do not add the timestamp to the name of these files using NMCap, and I cannot find a way to make it do so. Others capture methods can grant this, but without the functionalities provided by the nmcap tool.
Other helpful syntax examples can be found by entering “nmcap /examples”, and help with syntax can be had with “nmcap /?”.
Other Helpful links: