Monitoring Network Traffic

As network-related services become more prevalent (because new services and applications are installed and network shares are created), traffic on a network can increase greatly. For example, recent growth in Web-based training at many large companies, adopted to keep travel costs down, can have a huge impact on network bandwidth utilization.

Network administrators must ensure that the network performs efficiently and reliably. By monitoring network performance, you can gather information that can be used for capacity planning, establishing a baseline that can help pinpoint changes in performance over time, and putting together performance-level reports. Two tools included with Windows Server 2003 can be used to monitor network traffic: Network Monitor and System Monitor.

Network Monitor

Network Monitor, which is included with Windows Server 2003, enables you to monitor and log network activity and then use the information to manage and optimize traffic. You can use the information you gather to identify unnecessary protocols and misconfigured workstations, and to detect problems with network applications and services. Some of the features of Network Monitor include the following:

  • Display filters: Enable you to locate specific information within a capture

  • Capture filters: Enable you to specify the type of information that is captured

  • Triggers: Enable certain actions to be performed based on a packet's content

Network Monitor consists of the following two components:

  • Network Monitor Driver: The Network Monitor Driver is responsible for capturing the frames coming to and from a network adapter.

  • Network Monitor tools: The Network Monitor tools are used to view and analyze the data captured by the Network Monitor Driver.

Installing Network Monitor

Network Monitor is not installed with Windows Server 2003 by default, but it can be installed using the following process. Installing Network Monitor automatically installs the Network Monitor Driver.

  1. Click Start, point to the Control Panel, and click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Within the Windows Component Wizard, select Management and Monitoring Tools, and click the Details button.

  4. Select the Network Monitor Tools check box. Click OK.

  5. Click Next. Click Finish.

Tip: Network Monitor should be used only by authorized users. The version of Network Monitor that is included with SMS can detect other instances on the network and display information such as the computer name, where the instance is installed, and the user who is currently logged onto the computer.


In some instances you want to install only the Network Monitor Driver, for example, if you want to capture traffic for multiple servers and view the captured data from your workstation. Installing the driver enables you to capture traffic on a network interface. You then need to use software such as Systems Management Server (SMS) to view the captured data. This is useful for capturing data from a number of different servers and viewing it from a central location. For example, a computer running Network Monitor Driver can capture the information and forward it to SMS. To install only the Network Monitor Driver component, perform the following steps:

  1. Within the Network Connections applet, right-click Local Area Connection and choose Properties from the pop-up menu.

  2. From the properties window for the local area connection, click the Install button.

  3. In the list, click Protocol and then click the Add button.

  4. Within the Network Protocol window, click the Network Monitor Driver.

  5. Click OK.

Using Network Monitor

After Network Monitor is installed, it is added to the Administrative Tools menu. To launch the console, click Start, point to Administrative Tools, and click Network Monitor (see Figure 6.1).

Figure 6.1. The Network Monitor console.


Network Monitor can display a large amount of information about the frames captured to and from a network adapter card. When you first open Network Monitor, four panes are displayed within the console. The Graph pane displays the network activity in the form of a bar chart. The Session Stats pane displays information about individual sessions, including statistics about the sessions in which the server is participating. The Total Stats pane displays the summary statistics since the capture was started.

To view statistics about network traffic, you must first start a capture to gather network traffic. To do so, click the Start option from the Capture menu. To view the captured data, click the Stop and View option from the Capture menu. Network Monitor displays all of the frames captured during the capture period in a Summary window. To view specific information about a frame, click the frame within the Summary window (see Figure 6.2).

Figure 6.2. Viewing captured data within Network Monitor.


Using Capture Filters

Now when you run Network Monitor, all frames going to and from a computer are captured. During a capture, a large number of frames might be captured. If you're looking for specific types of traffic, you can create a capture filter to define which types of frames should be captured. To configure capture filters within Network Monitor, choose the Filter option from the Capture menu (see Figure 6.3).

Figure 6.3. Configuring a capture filter.


From the Capture Filter window, you can create filters based on the following criteria:

  • Protocol: Enables you to specify the protocols or the specific protocol properties that you want to capture

  • Address Pairs: Specifies the computer addresses from which frames should be captured

  • Pattern Matches: Enables you to configure different variables that captured frames should meet

Note: The Network Monitor supplied with Windows Server 2003 does not run in promiscuous mode. This means that it intercepts only packets that are sent to or from your computer. To get the full version of Network Monitor, which includes promiscuous mode, you need SMS.


Using Display Filters

When you capture network traffic, a large number of packets can be displayed when you view the captured data, making it difficult to look for specific information.

Network Monitor enables you to configure display filters so that only specific types of traffic are displayed. To configure a display filter, select the Filter option from the Capture menu after you have run Network Monitor and captured the network traffic.

Configuring Triggers

By configuring triggers, you can perform certain actions when specific conditions are met. When Network Monitor is capturing data, it examines the contents of the packets. Any packets that meet the defined conditions trigger a specific action to be taken. To configure a trigger, click the Capture menu and click Trigger (see Figure 6.4). When the trigger criteria are met, you can configure any of the following actions to occur:

  • The computer will beep.

  • Network Monitor will stop capturing frames.

  • A command-line program will be executed.

Figure 6.4. Configuring a trigger.


System Monitor

System Monitor can be used to monitor the real-time performance of the local computer or another computer on the network. System Monitor enables you to do the following:

  • Collect real-time performance data on various aspects of system performance

  • Control which users can view performance data locally or across the network by using the Performance Monitor Users and the Performance Log Users groups

  • View real-time data or save data in a log file for later analysis

  • Display captured data in various forms such as a graph or histogram

  • Create monitoring configurations that can be used on other computers

Alert: The capability to control which users can view data using the Performance Monitor Users and Performance Log Users groups is a new feature in Windows Server 2003. Be prepared to encounter exam questions pertaining to this topic.


System Monitor enables you to monitor the performance of various server components, including hardware, services, and applications. System Monitor enables you to define the following:

  • The type of data you want to collect: Performance objects enable you to select the various components you want to monitor. Each performance object has its own set of performance counters that determines what aspects of a particular counter you want to monitor. If multiple instances of an object exist (such as two network interfaces), you can select the counter instance you want to monitor.

  • Where you will collect the data from: System Monitor enables you to collect data from the local computer or from another computer on the network.

  • How you will collect the data: The sampling parameters enable you to define manual sampling, on-demand sampling, or automatic sampling.

Using System Monitor

System Monitor is a tool that is installed with Windows Server 2003 by default. To open the Performance console, click Start, point to Administrative Tools, and click Performance. You will find the System Monitor utility within this console (see Figure 6.5). When System Monitor is initially opened, the following three counters are displayed by default:

  • Memory\Pages/Sec

  • Physical Disk\Avg. Disk Queue Length

  • Processor\%Processor Time

Figure 6.5. The Performance console.


More than likely, you will also want to monitor other components and will need to add other counters, for example, if you want to monitor the performance of a service that has recently been installed. To add a counter to System Monitor, follow these steps:

  1. Click Start, point to Administrative Tools, and click Performance.

  2. Right-click the System Monitor Details pane and click Add Counter (see Figure 6.6), or click the Add button on the toolbar (represented by a plus sign).

    Figure 6.6. Adding counters to System Monitor.


  3. To monitor the local computer, select Use Local Computer Counters. To monitor another computer on the network, click Select Counters from Computer and specify the computer name or IP address.

  4. Use the Performance Object box to select the specific object you want to monitor. After you select an object, the related counters are displayed.

  5. Select All Counters to monitor all counters that are related to the performance object. To select specific counters, click Select Counters from List. Click each counter you want to monitor and click Add. You will also notice an Explain button that provides information about the various counters.

  6. To monitor all instances associated with a counter, select All instances. Otherwise, click Select Instances from List and select the instance to monitor.

  7. Click Close.

Note: Before you can add a counter to System Monitor, you must be a member of the Administrators group, the Performance Log Users group, or the Performance Monitor Users group, or you must be delegated the necessary permissions.


Using the System Monitor properties window (see Figure 6.7), you can further customize the settings. To do so, click the Properties button located on the toolbar.

Figure 6.7. Configuring System Monitor property settings.


You can use the General tab to configure such things as the view (graph, histogram, or report), the display elements, and the counter values for a report or histogram. By configuring the Sample Automatically Every option, you can define the sampling interval (the default value is every 1 second).

Using the settings available on the Source tab, you can specify the data source that will be displayed (see Figure 6.8). You have three options: Display values for the current activity, store data in an existing log file, or store information in an SQL database. The remaining tabs can be used to customize the display of information within System Monitor.

Figure 6.8. Configuring the source of data displayed within System Monitor.


Using System Monitor to Monitor Network Traffic

If TCP/IP is installed (it is installed by default), the Network Interface performance object is added to System Monitor. You can use this object to monitor data that is sent to and from a computer. When you select the performance object, you will notice that a number of counters are available. Some of the more useful counters for determining problems with a network card include these:

  • Packets Outbound Errors: The number of outbound packets that could not be transmitted because of errors.

  • Packets Received Errors: The number of received packets that contained errors, preventing them from being delivered to a higher-level protocol.

  • Packets Outbound Discarded: The number of packets that have been discarded even though they did not contain errors. A possible cause for this scenario would be to free up buffer space.

  • Packets Received Discarded: The number of received packets that were discarded even though no errors were detected.
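
A way to check these four counters in a saved log, as an added example that is not from the book: the script assumes the counters were logged to a comma-delimited text file in the PDH-CSV layout, and the computer name, adapter names and values in the sample are constructed. Because each counter is a running total, it reports only adapters whose totals grew during the log and treats a drop in value as a counter restart.

```python
import csv
import io
import re

# The four Network Interface counters listed above, spelled as Windows reports
# them. Each is a running total, so growth during the log is what matters.
NIC_ERROR_COUNTERS = {"Packets Outbound Errors", "Packets Received Errors",
                      "Packets Outbound Discarded", "Packets Received Discarded"}
# \\computer\object(instance)\counter, the path format used in the log header
PATH_RE = re.compile(r"^\\\\([^\\]+)\\([^\\(]+)(?:\((.*)\))?\\([^\\]+)$")

# Constructed sample log: computer, adapter names and values are made up.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\SRV01\Network Interface(Example NIC A)\Packets Outbound Errors","\\SRV01\Network Interface(Example NIC A)\Packets Received Discarded","\\SRV01\Network Interface(Example NIC B)\Packets Received Errors","\\SRV01\Processor(_Total)\% Processor Time"
"01/15/2004 09:00:00.000","12","40","7"," "
"01/15/2004 09:00:15.000","12","40","7","3.1"
"01/15/2004 09:00:30.000","19"," ","7","2.8"
"01/15/2004 09:00:45.000","3","40","7","3.0"
'''

def read_counter_log(text):
    """Return {(object, instance, counter): [values]} from a PDH-CSV log."""
    rows = csv.reader(io.StringIO(text))
    matches = [PATH_RE.match(p) for p in next(rows)[1:]]  # column 0 is the time
    keys = [m.group(2, 3, 4) if m else None for m in matches]
    series = {k: [] for k in keys if k}
    for row in rows:
        for key, cell in zip(keys, row[1:]):
            if key and cell.strip():  # blank cell: no sample was collected
                series[key].append(float(cell))
    return series

def growth(samples):
    """Total increase of a running-total counter; a drop means it restarted."""
    total = 0.0
    for prev, cur in zip(samples, samples[1:]):
        total += cur - prev if cur >= prev else cur
    return total

def nic_problems(text):
    """Adapters whose error or discard totals grew while the log was running."""
    found = {}
    for (obj, inst, ctr), samples in read_counter_log(text).items():
        if obj == "Network Interface" and ctr in NIC_ERROR_COUNTERS:
            if growth(samples) > 0:
                found[(inst, ctr)] = growth(samples)
    return found

if __name__ == "__main__":
    for (nic, counter), grew in nic_problems(SAMPLE_LOG).items():
        print(f"{nic}: {counter} grew by {grew:.0f}")
```
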

You can also use System Monitor to monitor TCP/IP performance. Counters are available for IP, TCP, UDP, and ICMP. You can use the TCP Segments/Sec counter to monitor the number of TCP segments that the computer sent and the Segments Retransmitted/Sec counter to monitor the number of segments that the computer must resend because of errors. The IP Datagrams/Sec counter can be used to monitor the amount of TCP/IP traffic on the network. A number of other counters are available for the various protocols in the TCP/IP suite.

If your computer is functioning as a domain controller, you can use System Monitor to monitor the performance of the server service. In terms of network traffic, you should monitor the Logon Total and Logons/Sec counters, which determine the total number of logon requests the server has received since it was last restarted and the number of logon requests received per second.



Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291)
MCSA/MCSE 70-291 Exam Cram: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736187
EAN: 2147483647
Year: 2002
Pages: 118
Authors: Diana Huggins
