# ---- Configuration ---------------------------------------------------------
# Output folders: nmcap writes its .cap chain files to the first, WPR writes the
# .etl trace to the second. Both point at the same place by default.
$nmcapDataFolder = $wprDataFolder = 'C:\CollectedData'

# Value handed to nmcap /network: an adapter number, or '*' (as in the original comment).
$nicToCapture = '*'

# While monitoring, the oldest .cap files beyond this count are deleted.
$numberOfCapFilesToKeep = [int]5

# Prefix for every output file name so traces from different hosts do not collide.
$localComputerName = [Environment]::MachineName
# Watch a performance counter and, once it stays above a threshold, collect data
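function WaitForCounter($counter, $value, $duration, $collectionSeconds = 20)
{
    <#
    .SYNOPSIS
        Watches a performance counter and, once it has stayed at or above $value for
        at least $duration, records a WPR trace and signals nmcap to stop capturing.
    .PARAMETER counter
        Counter path for Get-Counter, e.g. "\Processor(_Total)\% Processor Time".
    .PARAMETER value
        Threshold; the timer arms when the cooked sample value is -ge this.
    .PARAMETER duration
        TimeSpan the counter must stay at/above the threshold before collection starts.
    .PARAMETER collectionSeconds
        Seconds WPR records before it is stopped (default 20, the previously hard-coded value).
    .NOTES
        Reads the script-scope variables $wprDataFolder, $nmcapDataFolder,
        $numberOfCapFilesToKeep and $localComputerName.
        Get-Counter -Continuous never ends on its own; 'break' is used to leave the
        pipeline once collection is done. Because 'break' inside ForEach-Object
        unwinds to the caller's nearest enclosing loop (and ends the script when
        there is none), call this as the last step of the script or from a loop
        you intend to leave.
        Fix vs. the original: $now is refreshed on every sample. Previously it was
        only set on samples at/above the threshold, so the "dropped below" branch
        compared against a stale time and could fail to re-arm the timer.
    #>
    "Started watching " + $counter + " to reach " + $value + " for " + $duration

    # MaxValue means "not currently at/above the threshold".
    $timeCounterReached = [DateTime]::MaxValue

    Get-Counter -Counter $counter -Continuous |
        ForEach-Object {
            $sample = $_.CounterSamples[0].CookedValue
            $sample   # echo every sample so the operator can follow the trend
            $now = [DateTime]::Now

            if ($sample -ge $value)
            {
                if ($timeCounterReached -gt $now)
                {
                    "The counter reached the threshold. Waiting " + $duration + " before collection."
                    $timeCounterReached = $now
                }

                $currentDuration = $now - $timeCounterReached
                "Counter reached desired value " + $currentDuration + " ago."

                if ($currentDuration -ge $duration)
                {
                    "Trigger hit! Starting WPR collection..."
                    wpr -start CPU -start Network
                    "Data collection running."
                    # Send-MailMessage -To user@contoso.com -From user@contoso.com -Subject "Alert on $localComputerName" -Body "CPU exceeded threshold." -SmtpServer mail.contoso.com
                    Start-Sleep $collectionSeconds
                    "Stopping WPR collection..."
                    wpr -stop (Join-Path $wprDataFolder ($localComputerName + "-WPR.etl"))
                    "Stopping nmcap..."
                    # nmcap was started with '/StopWhen /Frame IPv4.DestinationAddress==4.3.2.1',
                    # so one outbound frame to that address is the stop signal. Note that any
                    # frame to 4.3.2.1 from this host ends the capture, not only this ping.
                    ping -n 1 4.3.2.1 | Out-Null
                    "Done!"
                    break
                }
            }
            elseif ($timeCounterReached -lt $now)
            {
                "Counter dropped below threshold."
                $timeCounterReached = [DateTime]::MaxValue
            }

            # Trim the nmcap chain directory to the newest $numberOfCapFilesToKeep files.
            # Sorting once by last-write time replaces the per-iteration oldest-file scan.
            $capFiles = @([System.IO.Directory]::GetFiles($nmcapDataFolder, "*.cap") |
                Sort-Object { [System.IO.File]::GetLastWriteTime($_) })
            $excess = $capFiles.Count - $numberOfCapFilesToKeep
            if ($excess -gt 0)
            {
                foreach ($oldestFileName in $capFiles[0..($excess - 1)])
                {
                    "Deleting oldest cap file: " + $oldestFileName
                    try
                    {
                        [System.IO.File]::Delete($oldestFileName)
                    }
                    catch
                    {
                        # Report and move on (e.g. the file is still held open); the next
                        # sample retries. Previously this surfaced as an uncaught method error.
                        "Could not delete " + $oldestFileName + ": " + $_.Exception.Message
                    }
                }
            }
        }
}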
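##############################
#
# Start the nmcap
"Starting nmcap..."
$nmcapExe = "C:\Program Files\Microsoft Network Monitor 3\nmcap.exe"
# Fail fast: without nmcap running, WaitForCounter would watch forever with nothing to stop.
if (-not (Test-Path -LiteralPath $nmcapExe))
{
    throw "nmcap.exe not found at '$nmcapExe'; install Network Monitor 3 or adjust the path."
}

# Chain file '<host>.chn:500MB': nmcap rolls over to a new .cap once a file reaches 500 MB.
$capFileName = (Join-Path $nmcapDataFolder ($localComputerName + ".chn")) + ":500MB"

# '/StopWhen /Frame IPv4.DestinationAddress==4.3.2.1' ends the capture when a frame to
# 4.3.2.1 is seen; WaitForCounter produces that frame with 'ping -n 1 4.3.2.1'.
$nmcapArgs = @('/UseProfile', '2', '/network', $nicToCapture, '/capture', '/file', $capFileName, '/Disableconversations', '/StopWhen', '/Frame', 'IPv4.DestinationAddress==4.3.2.1')

# -PassThru is needed for Start-Process to return the Process object; without it
# $nmcapProcess was always $null.
$nmcapProcess = Start-Process -FilePath $nmcapExe -ArgumentList $nmcapArgs -PassThru
#
##############################
##############################
#
# Here's where we start monitoring. Adjust as needed.
# A zero TimeSpan means collection starts on the first sample at/above 10 %.
#
WaitForCounter "\Processor(_Total)\% Processor Time" 10 (new-object TimeSpan(0, 0, 0))
#
##############################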