Recipe 10.11. Viewing Network Traffic

Problem

You want to view the network traffic a server sends and receives. This is useful when you need to troubleshoot or debug application problems or system communications failures. Particularly when you are having problems with a particular protocol, such as LDAP or DNS, looking at the associated network traffic can be helpful to see what is being transmitted and received.

Solution

Using a graphical user interface

  1. Open the Network Monitor tool (netmon.exe). Network Monitor is not installed by default. To install it:

    1. Go to the Control Panel and open the Add or Remove Programs applet.

    2. Click on Add/Remove Windows Components.

    3. Double-click on Management and Monitoring Tools.

    4. Check the box beside Network Monitor Tools and click OK.

    5. Click Next.

    6. Click Finish.

  2. The first time you start Network Monitor, you will be asked which network interface you want to capture from. On Windows Server 2003, Microsoft finally made the interfaces easy to tell apart by labeling each one with its connection name (e.g., Local Area Connection). On Windows 2000, the label doesn't include that information, so choosing an interface is almost a guessing game unless you know the MAC address prefix of your NIC vendor. One trick for narrowing the list is to disregard any interface whose Dial-up connection setting is marked TRUE. After you've selected an interface, click OK.

  3. From the menu, select Capture → Start. If you do not see the Network Utilization and Frames Per Second indicators fluctuating (a sign that traffic is being captured), you probably picked the wrong interface in Step 2. If so, stop the capture by selecting Capture → Stop and choose a different interface under Capture → Networks.

     When you want to stop the capture, select Capture → Stop and View.

     If the captured data is too much to look at, you can filter it by selecting Display → Filter.

Using a command-line interface

The Windows Server 2003 Support Tools contains a new tool called netcap.exe that can capture packets to a file for viewing later in Network Monitor. Here is an example command line:

    > netcap /C:d:\netcap.cap /N:1

This command captures packets on interface #1 and stores the output in d:\netcap.cap. To make sure you are capturing on the correct interface, view the netcap help information:

    > netcap /?

At the very end, it displays the list of interfaces on the system and their associated numbers. To view the contents of the capture file, double-click it. This will launch Network Monitor.
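The following PowerShell wrapper is an added example and is not part of the book's recipe or of the Support Tools themselves. It runs netcap.exe with the /C and /N switches shown above, but also gives every capture a timestamped file name and an explicit buffer size, so that the tool's small default buffer does not silently discard the oldest frames during a long troubleshooting session. The /B (buffer size in MB) and /L (capture length as hh:mm:ss) switches are not shown in the recipe; they are taken from the tool's own help output and should be confirmed against `netcap /?` on your build. The output directory, script name and default values are assumptions.

```powershell
# Added example (not from the book): wrap netcap.exe so each run gets a
# timestamped capture file and an explicit buffer size. /C and /N are the
# switches shown in the recipe; /B and /L are assumed from "netcap /?" and
# should be verified on the machine where this runs.
param(
    [Parameter(Mandatory = $true)][int]$Adapter,   # number listed at the end of "netcap /?"
    [string]$OutDir   = 'D:\captures',             # assumed location for capture files
    [int]$BufferMB    = 64,                        # well above the 1 MB default buffer
    [string]$Duration = '00:05:00'                 # hh:mm:ss; capture stops after this
)

$ErrorActionPreference = 'Stop'

# netcap.exe ships with the Windows Server 2003 Support Tools; fail early with a
# clear message instead of a generic "not recognized" error.
if (-not (Get-Command netcap.exe -ErrorAction SilentlyContinue)) {
    throw 'netcap.exe not found; install the Windows Server 2003 Support Tools.'
}

if (-not (Test-Path $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}

# One file per run, named by host, adapter number and UTC time, so captures
# taken on several servers can be opened side by side in Network Monitor.
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
$capFile = Join-Path $OutDir ('{0}-if{1}-{2}.cap' -f $env:COMPUTERNAME, $Adapter, $stamp)

Write-Host "Capturing on adapter $Adapter for $Duration into $capFile (buffer $BufferMB MB)"
& netcap.exe "/C:$capFile" "/N:$Adapter" "/B:$BufferMB" "/L:$Duration"

if ($LASTEXITCODE -ne 0) {
    throw "netcap.exe exited with code $LASTEXITCODE"
}

# Sanity check: a missing or empty capture file usually means the adapter
# number was wrong, the same symptom as the flat counters in the GUI steps.
if (-not (Test-Path $capFile)) {
    throw "No capture file was written; re-check the adapter number with 'netcap /?'."
}
$info = Get-Item $capFile
if ($info.Length -eq 0) {
    Write-Warning "Capture file is empty; re-check the adapter number with 'netcap /?'."
} else {
    Write-Host ('Wrote {0:N0} bytes; double-click the file to open it in Network Monitor.' -f $info.Length)
}
```

Run `netcap /?` first to find the adapter number, then invoke the script (saved, for instance, as Invoke-Netcap.ps1) with `.\Invoke-Netcap.ps1 -Adapter 1`. Choosing the buffer size deliberately matters for the same reason the Discussion gives for the GUI: once the buffer fills, the oldest frames are overwritten, and the packets you were hoping to see may be the first to go.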

Using VBScript

None of the scripting interfaces allow you to get real-time network traffic information.

Discussion

Network Monitor (NetMon) is not the most user-friendly tool, but it offers powerful features for collecting, filtering, and analyzing a network capture. For more on how to use some of the features of NetMon, see the MS KB articles listed in the See Also section.

If you are interested in an alternative to NetMon, Ethereal is one of the most popular network traffic analyzers, and it is available free from the following site: http://www.ethereal.com/.

One thing that is worth noting about NetMon is that it has a default buffer limit of 1 MB. After the data it captures exceeds 1 MB, it begins to overwrite the oldest packets using FIFO (first in, first out). You can increase the size of the buffer to a maximum of 1 GB. To increase the buffer, select Buffer Settings from the Capture menu, enter the maximum number of megabytes, and click OK.

See Also

MS KB 148942 (How to Capture Network Traffic with Network Monitor), MS KB 310875 (Description of the Network Monitor Capture Utility), and MS KB 812953 (HOW TO: Use Network Monitor to Capture Network Traffic)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen
