nuxx.net Posts

Network Capture During Boot on Windows 7 (and Server 2008 R2)

When working on network issues it’s often useful to have a network capture (or trace) illustrating the startup of the computer. As a tap, a switch with spanning ports, or wireless capture equipment is rarely available, it’s nice to be able to do this right in the OS. Thanks to some improvements in netsh in both Windows 7 and Windows Server 2008 R2, it’s now possible to do just this. Most of the information in this post is gleaned from the TechNet Blogs article Event Tracing for Windows and Network Monitor, but here I wish to present a simplified version of how to get and save a capture.

While there are more advanced methods available by running Microsoft Network Monitor (e.g. capture filtering, remote shutdown via specially crafted packets, etc.), this method will accomplish the majority of boot-time network capture needs. It is also often much more useful than performing a capture via an external tap, as it includes the ID and name of the process responsible for sending or receiving the given traffic.

To start a basic promiscuous mode capture listening on all interfaces with a 250 MB ring buffer (the defaults) and writing the trace file to the default location, use the following command, run as Administrator:

netsh trace start capture=yes persistent=yes

The capture will then run until stopped, even through reboots. To stop the capture and write the capture file out to disk, use the following command:

netsh trace stop

Consult the output from netsh trace start help to determine the other options you may want to set. Here are what I find to be the most useful options:

maxSize=250 MB: Maximum capture size.
overwrite=yes: If there’s an existing trace of the same name, should it be overwritten?
traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl: The output network Event Trace Log (ETL) file.

Once an .ETL file has been obtained it needs to be opened and filtered with Microsoft Network Monitor to remove the extra headers. To do this, ensure that you’re using the Windows set of parsers (Parser Profiles > NetworkMonitor Parsers > Windows) and use the display filter:

NDISPacCap_MicrosoftWindowsNDISPacketCapture

From here additional filters can be combined with it, such as in the example screenshot above, which uses the following filter to display all captured ARP traffic:

NDISPacCap_MicrosoftWindowsNDISPacketCapture
and
arp
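As an added example (not code from the original post or from Microsoft), here is a PowerShell wrapper around the commands above, with the elevation check and the already-running check I’d want before leaving a persistent capture armed across a reboot. The C:\NetTraces path and the function names are my own assumptions; the netsh options are the ones listed above.

```powershell
# Added example, not from the original post: a small wrapper around the
# netsh trace commands described above. Function names and the output path
# are assumptions of this example; the netsh options are the ones in the post.

function Assert-Elevated {
    # netsh trace needs an elevated session; fail early instead of after a reboot.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from a prompt opened with "Run as Administrator".'
    }
}

function Start-BootTrace {
    param(
        # Assumed location; netsh's own default is %LOCALAPPDATA%\Temp\NetTraces\NetTrace.etl
        [string]$TraceFile = 'C:\NetTraces\boot.etl',
        [int]   $MaxSizeMB = 250
    )
    Assert-Elevated
    # Only one trace session can run at a time; check before trying to start another.
    if ((netsh trace show status) -match 'Running') {
        throw "A trace session is already running; run 'netsh trace stop' first."
    }
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $TraceFile) | Out-Null
    # persistent=yes keeps the session alive across the reboot being investigated;
    # maxSize is in MB and caps the ring buffer / output file.
    netsh trace start capture=yes persistent=yes "maxSize=$MaxSizeMB" overwrite=yes "traceFile=$TraceFile"
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
}

function Stop-BootTrace {
    param([string]$TraceFile = 'C:\NetTraces\boot.etl')
    Assert-Elevated
    # Run after the reboot has been captured; this flushes the buffer to the .etl
    # and ends the persistent session so it does not keep collecting indefinitely.
    netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed with exit code $LASTEXITCODE" }
    if (-not (Test-Path $TraceFile)) { throw "Expected trace file not found: $TraceFile" }
    Get-Item $TraceFile | Select-Object FullName, Length, LastWriteTime
}

# Usage: Start-BootTrace, reboot, reopen an elevated prompt, then Stop-BootTrace.
# Open the resulting .etl in Network Monitor with the Windows parser profile
# and the NDISPacCap_MicrosoftWindowsNDISPacketCapture display filter.
```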

While I normally prefer Wireshark for capture analysis, I’ve found a number of cases where Network Monitor is more useful. The PID and process name capture, the IntelliSense-like autocompletion in the Display Filter, and the seemingly better decoding of a few protocols (SMB in particular) are great, even if the default layout is a bit crap and there aren’t as many built-in analysis tools. While obtuse to many, it’s also quite a bit easier to get apprehensive customers to install a single Microsoft-provided tool on their devices than something they view as simply “a freeware tool from online”.

DRI*CCNOW.COM*A.FLOWER Investigation

A few months back a bunch of unauthorized charges appeared on my credit card, resulting in my receiving a new card and having to dispute a bunch of transactions as fraudulent. For one of these, listed as DRI*CCNOW.COM*A.FLOWER and billed via CCNow, the processor sent information back, resulting in my having to affirm that I did not make this charge for a 4.4L rice cooker. Specifically, this rice cooker, from http://www.amchiemumbai.com/electrical.htm (PNG mirror).

Specifically, I had to affirm that:

In addition, you have further stated that you are not affiliated with any of the information on the merchant’s rebuttal, as you did not order 4.4 Ltrs Rice Cooker from National online. Furthermore you also have stated that you are not affiliated with Sameer N Punnyai, the e-mail address: indiaflowerplaza@yahoo.com and vigneau.steve@yahoo.com and you did not authorize shipment to Rachana Apt No. 241 Al Surendra Nagar Nagpur Maharashtra, India 440015 with Tracking Number 190955283. You also have advised us that you did not give this merchant your name or address for any such charge.

Along with this I received a faxed screenshot (seen above or full res here) apparently from CCNow’s administrative interface, showing that they processed a charge on my card, despite:

· It being a US credit card.
· Shipping going to India.
· The order coming from India, IP address 210.212.179.136, which they know to be an Indian ISP.
· A phone number of (989) 074-8588, which isn’t a valid number.

I’m not sure what about this transaction looked to CCNow as something that they should have allowed to go through.

Oh, and that vigneau.steve@yahoo.com email address? That’s not me either, but it’s interesting to see. An in-person transaction would only use my full name (as taken from the card) but I’ll commonly have things shipped to “Steve”, so this pretty much guarantees that the info was acquired from somewhere online.

Time Machine Works!

After roughly twenty-four hours of working and waiting on Danielle’s computer I have the hard drive uncorrupted and Time Machine working! It turns out that, despite my previous thought that the corrupt drive was preventing backups from happening, it was actually something else: the entries for the shared drive on the AirPort in the System Keychain somehow weren’t working right. Deleting them and allowing them to be recreated fixed things.

Since I have syslog on the AirPorts logging to pfSense (on the alix2d1), I could use that along with the logs on the Mac to see that everything was pointing to an authentication issue. The user account could access the drive just fine, but Time Machine sets the shared drive’s password in the System Keychain during setup, so I then looked there. Seeing a number of entries for Core, the name of the AP, I removed them all and set things up again. Suddenly Time Machine created its .sparsebundle, mounted it, and set off backing things up. While I don’t know exactly what was wrong (conflicting Keychain entries? wrong one getting read? defective Keychain?), at least I know what got things working again.

I’ve plugged the machine into a wired connection to hurry things along, but hopefully the remaining ~107GB of data will be backed up before Danielle gets here. Then hopefully it’ll keep working…

Broken Time Machine

This is not good.

Danielle’s computer has been failing to back up properly to an AirPort-connected Time Machine volume, so with her volunteering at the 3-Day this weekend I figured I’d spend some time getting to the bottom of why.

First I thought the issue might be the questionable USB enclosure that the backup hard drive was in, so I swapped to another. No luck. Then I figured maybe the backup volume was corrupt, so I wiped that, but that didn’t help either; the backup still wouldn’t run. Next I thought that perhaps the local drive might be having issues, so I ran the Verify Disk function in Disk Utility, which promptly informed me that the volume was so damaged that I’d have to boot some install media and do an offline test. I did this, started the check, and received the message shown above informing me that the volume is so corrupt that it cannot be repaired. It will now not boot, sitting only at the Apple logo / spinning progress indicator screen.

This is not good.

Now I will have to back up all the accessible data by hand, and hopefully I’ll be able to get all of her music, documents, and photos along with the config files needed to restore them. I’m hoping that this can be accomplished by hanging a FireWire disk off of the machine, installing OS X there, using Migration Assistant to pull data over, wiping (and testing) the main drive, reinstalling the OS there, then again migrating all data from the FW drive.

While it’s difficult to say what caused this, I strongly suspect it’s related to an alarm clock application that she’s been using for a while. This application will wake a Mac from sleep and sound an alarm. As her machine is a MacBook, which is not designed to run while closed (since they dissipate heat through the keyboard area), a program waking the machine from sleep while the lid is closed results in the machine immediately putting itself back to sleep. This would repeat over and over until the alarm was canceled or timed out. With this app in use for the last year or so, odds are good that this super-fast wake/sleep cycle has happened hundreds or thousands of times.

Due to the extremely complex things that happen when a machine is sleeping and waking, I strongly suspect that some things didn’t get read from or written to disk quite properly during the wake/sleep cycle and the disk became quite corrupt. Then, the software designed to repair this corruption couldn’t deal with how bad things were, left the disk in a less-usable state, and the machine is then left where it now is: failing to boot.

UPDATE: This corrupt disk problem was fixed as I hoped it would be above, with the external FW disk. Unfortunately Time Machine still isn’t working. Time to keep digging…

Stuff For Sale: Gary Fisher X-Caliber 29er and Wet Saw

I have some things for sale. Anyone want to buy them?

The first is the wet saw seen above, which I used to tile my kitchen, laundry room, and foyer. I no longer need it, so I’d like to sell it. Asking price is US$30.

The second is my sister’s Gary Fisher X-Caliber 29er, size 17.5″ / medium. Asking price is US$1000 or best offer. It’s barely used, and has seen very little time on trails since she has found that she prefers road biking. Please check out this post on the MMBA Forum for more details and photos.

UPDATE: Both items have sold.

Dusty August

Here is a photo of a dusty Kenda Small Block 8 from the rear of my Titus after doing two laps of Maybury State Park with Erik and Kristi on Sunday.

This has been a nice weekend for riding, with things working out so I could rack up 40.31 miles on Saturday (Home to Stony Creek, River Bends, then back), 29.09 miles yesterday (2x Maybury, 2x Addison Oaks), and 20.1 miles today (Home to Sherwood Brewery, River Bends, Sherwood, then Home). I’d like to continue this throughout the week, but I suspect that weather and other obligations will preclude this.

Busy Day, Good Day

This morning was fairly non-stop busy. I woke up, ate breakfast, set out on a bike ride that ended up being a bit over 40 miles (and just shy of three hours), came home, showered, then set out for my sister and brother-in-law’s place for dinner for my sister’s birthday. Lots of driving was involved, but it was a good day.

Along the way I ran into a bunch of people that I knew, rode with some, and talked with others. I picked up another GPS to repair, tried out a Banana Hammer-brand gel (it’s good, but a bit thick even when hot), and generally had a good time. Now I just have to wait for bike clothes to finish washing and then I can hang them up and go to bed. Currently I’ve got two rides scheduled for tomorrow, on opposite ends of the Metro Detroit area, each likely a bit over 15 miles of singletrack. Yay!

Edge 305: Crashed Hard

I’m working on a Garmin Edge 305 for a friend’s boss which was reported to have a problem finding satellites. After reproducing the problem I opened it up, only to find the body of one of the tactile switches missing and apparently nowhere to be found. This was quite a mystery, as the case had supposedly never been opened before.

After opening and closing the case the not-finding-satellites problem appeared remedied (likely by the full power cycle), but I was confused by the apparently missing button. Rob’s boss had reported that the missing button had been “acting up”, but with all these parts missing the button simply wouldn’t have worked. With the underside of the battery the only place the pieces could have possibly gone I popped out the battery only to find all three pieces stuck in the adhesive which normally holds the battery to the chassis. While they are the size of (large) grains of rice I was able to get the switch reassembled and functioning. Unfortunately, the not-finding-satellites problem is back.

This means that the owner had to have crashed hard enough to blow apart a tactile switch through the rubber housing, bounced it around enough to get all the pieces under the battery, then squished (squeezed?) it all back together. I suspect that in the process a (quite inaccessible) solder connection on the GPS module broke, the metal bits bouncing around the case shorted something out, or something else in the case broke leading to the issue of satellites not being found. It’s too bad I can’t fix that part.

8 Hours of Bloomer

Today some friends (who are also teammates) and I made a four-person go at Fun Promotions’ 8 Hours of Bloomer race, another one of the Michigan Cup Endurance Racing series, which also included the 6 & 12 Hours of Stony Creek race from back in May. Our team ended up placing second out of a pool of two, coming in only a couple of minutes behind the winning team. I started out the race, then Erik followed, with Marty and then Nick taking their turns. All of us got in four laps, save for Nick, who only ended up with three due to rain starting up just before Marty’s final lap and the cutoff time for leaving on a final lap being pushed back half an hour.

This was my first long ride at Bloomer, and I found this route to be rather enjoyable. I’d previously visited the park twice, but didn’t like it either time. One time was with an MMBA group, and riding a (very eroded) trail along the upper part of a very steep ridge (photo) scared me so much that I stopped tens of feet into it. The second time was with Derek, the guy currently responsible for overseeing trail maintenance at the park, and the route he took us on was very difficult and simply not much fun. This time the route was a bit shorter, but quite enjoyable. It also included the chute / switchbacks mentioned here (that photo doesn’t do it justice), which were a bit intimidating at first but were much better after a few goes.

In the end with my four laps I racked up 23.15 miles over 2:00:32, for an average speed of 11.52 MPH. At some point I hit a max of 21.95 MPH, which isn’t particularly quick. Also, that total mileage is easily eclipsed by what Joe, Kelly, and Bill did during their solo races, with Joe approaching 100 miles, Kelly at 80-some, and Bill with a bit less than that.
