NMCAP Command line Filter with IP AND / OR Adding two filters to one trace ???

  • Question

  • I like the way the command line is.  For some reason I can not do a filter with more than one option example:

    Works in GUI

    (IPv4.Address == 123.1.12.12 AND Protocolname=="DNS") OR (IPv4.Address == 123.2.12.12 AND Protocolname=="DNS")

    Using nmcap

    It starts but never logs?  Is it invalid?   I have tried using quotes for the whole "xx filter=xx " and () for the filter (xx filter=xx xx) and get the same results.

    If I just use /capture DNS I will get all DNS OK.

    I only want DNS traffic to/from the DNS server and to the SOA for Dynamic updates.

    Example of command line that IS NOT working.
    nmcap /network * /capture IPv4.Address == 123.1.12.12 AND Protocolname=="DNS" OR IPv4.Address == 123.2.12.12 AND Protocolname=="DNS"  /file d:\temp\DNS-watch.cap:100m

    The issue: I am trying to capture DNS traffic that this 2008 Domain Controller sends/receives for any Dynamic update sent/reply from DNS and to the SOA (the Primary and Secondary DNS servers on the interface are not).  I am running this on the DC.

    Is this possible ?

    Thanks again for any help

    Al

    Wednesday, January 20, 2010 8:15 PM

Answers

  • When you have quotes, you have to find the right combination of single quotes and double quotes so you don't confuse the command line.  I assume when you say "never logs" you mean NMCap fails with an error? 

    Using your first example, I was able to make NMCap work with the following:

    nmcap /network * /capture "(IPv4.Address == 123.1.12.12 AND Protocolname=='DNS') OR (IPv4.Address == 123.2.12.12 AND Protocolname=='DNS')" /file test.cap

    Paul
    • Marked as answer by Al T. _ Wednesday, January 20, 2010 10:53 PM
    Wednesday, January 20, 2010 9:27 PM

All replies


  • Thanks!

    Yep that did it.  Syntax is everything!  It would start but never log / create the file.  I was hoping that the command line would tell me the syntax was bad.
    Wednesday, January 20, 2010 10:55 PM
  • What happens is that the command line parses the info before NMCap sees it. So NMCap is unaware of the problem and therefore doesn't have anything to report.  Unfortunately command line utilities are vulnerable to these types of problems.

    Glad you got everything working.


    Paul

    Thursday, January 21, 2010 1:24 AM