install question

[wybnormal]

Not a terribly big problem but troublesome. I installed the new version of sniffer.. 4.5 on Win2K. The install was under my user name with admin privilages and in my home office domain. I used as admin logged in locally up yesterday when I had a crash and rebooted. Now when I run sniffer, the history works.. everything works *except* for viewing capture. It crashes sniffer and leaves a sniffer.exe process hanging in memory. Sniffer works fine under my loging with my domain so I'm guessing there is a corrupted INI file somewhere?

Mike S
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[SpenceP]

Hi Mike,

I will try to recreate the problem in the lab and see if I can reproduce it. Have you got Win2K SP1 installed? Sniffer doesn't really rely on INI files any more. Most of the settings are now in the registry. On WIN2K I recommend that you back up the HKEY_LOCAL_MACHINE\Software\Network Associates, Inc keys in case of this.

Spencer Parker
Axial Systems

 

[wybnormal]

I do have SP1 installed. Sniffer was install *before* SP1. Like I said, sniffer runs under my loging and domain. I am domain equiv and I installed it under my own login. I logged in as admin and local to the machine and sniffer worked until a crash. Once that occured, Sniffer will do everything fine *except* showing the decode. It generates an error and dies. It also leaves sniffer.exe hanging as a dead process which I can not kill unless I log out.

Let me know what you find out.

Mike S
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[DaiSr]

I had a similar problem with version 4.5 on NT4. It happens when I filtered the capture and then tried to close the capture when in the decode screen. Its a known fault with sniffer thanks to Spence. To kill of the process use "kill -f PIDno" from the NT resource kit. It usually but not always clears the process, anything to prevent ANOTHER reboot.

 

[wybnormal]

Ahhh.. it's a "feature" ? great ..

Mike S
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[Guest_imported]

Has anyone experienced NAI Sniffer pro 4.5 crashes on NT server 4.0 SP6

When NT server boots into the login mode the sniffer will attempt to load after the ntoskernl loads thus causing the server to crash.

You will get a Blue Screen pointing to Sniffer.sys as the last item that caused the crash. Unfortunately this crash haapens so quickly that you do not have time to kill the process and eventually the memory dumps.

Does anyone know how to stop the Sniffer.sys module from loading before the ntoskrnl safely loads so that you can remove the sniffer program?

Thanks in advance.

 

[wargfn]

I am experiencing the smae problem. After I close a filtered trace Sniffer.exe reports an error and has to be closed. I am using Sniffer 4.5 on Windows 2K SP1.

 

[alail]

Got this out of Sniffer Tech's KnowledgeBase:

SolutionID: nai13762 Printer-Friendly Page
Problem Description:
CPU utilization hits 100% and you can't exit or control Sniffer.

After clicking "stop and display" during a capture, Sniffer hangs and displays a blank decode.


Problem Environment:
DSS/RMON 4.x

Sniffer Distributed

Sniffer Pro 4.x


Cause of this problem:
If a protocol forcing rule has been invoked and the number of bytes to skip is incorrect, the decode engine will run for several hours trying to decode it. The resulting decode will be incorrect.
Here's a Screeny:

http://sncwebprimus2.nai.com/solution/sniffer1/nai13762.jpg

Changes affecting this problem:
Protocol forcing rule has been invoked.


Solution:
If you are unable to determine the encapsulation scheme on a particular topology, run a very small trace and subjected it to the protocol forcing rule in an attempt to determine the appropriate number of bytes to skip.