Network capture tool that works on events
Event Log Driven Network Capture Tool:
Download and copy the tool to the terminal server.
Install Network Monitor on the terminal server.
Download and copy nm3eventcap.exe to the server.
Open a command window with Run as administrator and run the command:
Nm3eventcap.exe 56.cap -o 56 -f "tcp.port==3389" -b 1000
NOTE: The above command will keep capturing the logs until event 56 appears, and the maximum log file size is 1G. Keep it running: do not close the command window or log off the session until event 56 happens again.
(Note: this was in a partner post about TS debugging, but it's a great tip for debugging something in the event logs in general.)
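The same event-triggered pattern can be reproduced with tools built into Windows. The script below is an added example, not part of nm3eventcap or the original post. It starts a size-capped netsh trace capture, polls the event log for event 56, and stops the capture when the event appears. Assumptions: the event is written to the System log, the output is an .etl file rather than .cap, and the parameter names and output path are illustrative.

```powershell
# Added example: event-triggered capture using built-in Windows tools.
# Save as a .ps1 file and run it from an elevated PowerShell window.
#Requires -RunAsAdministrator
param(
    [int]$EventId = 56,                                # event to wait for (from the page)
    [string]$LogName = 'System',                       # assumption: log the event is written to
    [string]$TraceFile = "$env:SystemRoot\Temp\56.etl", # assumption: output path
    [int]$MaxSizeMB = 1000,                            # matches the 1G size limit on the page
    [int]$PollSeconds = 5                              # assumption: polling interval
)

# Only events logged after this moment count as a trigger.
$start = Get-Date

# Circular mode keeps the newest traffic and never grows past $MaxSizeMB.
# This sketch applies no port filter; filter on tcp.port==3389 when analyzing.
netsh trace start capture=yes tracefile=$TraceFile maxsize=$MaxSizeMB filemode=circular overwrite=yes | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

try {
    while ($true) {
        # Get-WinEvent raises an error when nothing matches;
        # suppress it and treat the empty result as "not yet".
        $hit = Get-WinEvent -FilterHashtable @{
            LogName   = $LogName
            Id        = $EventId
            StartTime = $start
        } -MaxEvents 1 -ErrorAction SilentlyContinue

        if ($hit) {
            Write-Host "Event $EventId from $($hit.ProviderName) at $($hit.TimeCreated); stopping capture."
            break
        }
        Start-Sleep -Seconds $PollSeconds
    }
}
finally {
    # Always stop the trace (including on Ctrl+C) so the file is flushed and closed.
    netsh trace stop | Out-Null
}
```

Because the capture is circular, the traffic leading up to the event is what survives in the file, which is the part needed for debugging.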