Configuring Triggers
A trigger examines frames as Network Monitor collects them to determine whether the frames meet a condition that you have specified. When a frame meets the specified condition, the trigger causes the system to sound an alert, stop the capture, or execute a command line. You can configure a trigger to take action when the buffer becomes partially or completely full, when a frame matches a pattern, or a combination of the two.
A simple and useful trigger can make Network Monitor save the capture file and shut down when the buffer becomes full during a monitoring session. To create such a trigger, select Trigger from the Capture menu. In the Capture Trigger dialog box, which Figure 5 shows, select Buffer space from the Trigger on section. Choose 100% as the Buffer Space setting, and choose Stop Capture as the Trigger Action.
To take this trigger one step further, write a batch file to send a message informing you that the capture has stopped. This batch file could be as simple as
net send administrator The capture is complete.
You can write this command in Notepad and rename the resulting .txt file with a .bat extension. Then, in the Capture Trigger dialog box, select Execute Command Line as the Trigger Action and point the trigger to the file's location.
You can incorporate pattern offsets into triggers to have Network Monitor identify a variety of events. In response to a particular event, Network Monitor can do anything that you can do from a command line, including starting another instance of Network Monitor on another machine. Figure 5 illustrates how to configure a trigger that executes a batch file named keepaliveSpotted.bat, which alerts you when Network Monitor finds a KeepAlive frame.
Automatically Launching Network Monitor
You can use the Netmon command to launch Network Monitor from a batch file or use the Win2K Task Scheduler or At command to schedule a capture. To control the tool's actions, you can append switches to the Netmon command on the Win2K Task Scheduler command line or include switches in the batch file that you use the At command to schedule. The available switches are
- /autostart causes Network Monitor to start capturing data immediately.
- /remote:computer specifies the name of the remote computer you want the Network Monitor session to connect to. The specified computer must have the remote agent installed.
- /net:number directs Network Monitor to connect to a specific network interface. To find the number for a particular network interface, select Networks from the Capture menu. The interface number isn't the MAC address; it's simply the ordinal number of the interface you want. For example, the command
netmon /net:2
uses the second network interface listed in the Networks dialog box to launch Network Monitor. If your machine has a modem, Network Monitor will see the modem as an additional network interface.
- /capturefilter path specifies a capture filter for Network Monitor to use. Path is the path to the capture filter.
- /displayfilter path specifies a display filter for Network Monitor to load upon startup.
- /buffersize:number indicates the size of the buffer in megabytes.
- /quickfilter type,address tells Network Monitor to begin capturing data immediately and to filter on the specified address.
- /autostop causes Network Monitor to stop capturing data when the buffer is full.
For example, the command
netmon /autostart /buffersize:5 /autostop
launches Network Monitor, sets the buffer size at 5MB, immediately begins capturing data, and stops the capture when the buffer is full.
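Putting the trigger batch file and the Netmon switches together, here is an added example (not from the article) of what keepaliveSpotted.bat could contain: it logs the event, notifies the administrator, and chains a bounded capture on another machine. The log path, the remote host name SERVER2, and the capture-filter path are assumed.

```batch
@echo off
rem keepaliveSpotted.bat (constructed example; the file name comes from the article,
rem the contents are assumed). Run by Network Monitor as an Execute Command Line
rem trigger action when a frame matches the KeepAlive pattern.

rem Assumed paths and host name; adjust to your environment.
set LOGFILE=C:\netmon\trigger.log
set REMOTEHOST=SERVER2
set FILTER=C:\netmon\keepalive.cf

rem Keep a timestamped record of every time the trigger fires, so that a burst of
rem alerts can be correlated later with the saved capture.
echo %date% %time% Network Monitor trigger fired on %COMPUTERNAME% >> %LOGFILE%

rem Tell the administrator that the trigger fired (same mechanism as the simple
rem "capture is complete" batch file described in the article).
net send administrator Network Monitor trigger fired on %COMPUTERNAME% at %time%.

rem Start a second Network Monitor session against the remote agent on SERVER2.
rem /autostart begins capturing at once, /autostop ends the capture when the 5MB
rem buffer fills, so the follow-up capture cannot run unattended indefinitely.
rem /capturefilter restricts the new capture to the saved filter.
start "" netmon /remote:%REMOTEHOST% /autostart /buffersize:5 /autostop /capturefilter %FILTER%
```

Point the Capture Trigger dialog box at this file as the Execute Command Line action; the remote machine must have the Network Monitor remote agent installed for the /remote switch to succeed.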
A Network Administrator Must-Have
I don't have enough room to explain everything Network Monitor can do; you could spend quite a bit of time learning all its capabilities. But you don't need to master all the tool's ins and outs before you find it useful. Begin with this thorough introduction to Network Monitor's features. Then, reach for Network Monitor whenever you're facing a problem whose source you can't pin down. I recommend incorporating Network Monitor into your maintenance routine as well. You'll be glad you did.