Monitoring Network Traffic


As network-related services become more prevalent (because new services and applications are installed and network shares are created), traffic on a network can increase greatly. For example, a recent growth in web-based training in many large companies to keep travel costs down would have a huge impact on network bandwidth use.

Network administrators must ensure that the network performs efficiently and reliably. By monitoring network performance, you can gather information that can be used for capacity planning, establishing a baseline that can help pinpoint changes in performance over time, and putting together performance-level reports. Two tools included with Windows Server 2003 can be used to monitor network traffic: Network Monitor and System Monitor.

Network Monitor

Network Monitor, which is included with Windows Server 2003, enables you to monitor and log network activity and then use the information to manage and optimize traffic. You can use the information you gather to identify unnecessary protocols and misconfigured workstations, and to detect problems with network applications and services. Some of the features of Network Monitor include the following:

  • Display filters: Enable you to locate specific information within a capture

  • Capture filters: Enable you to specify the type of information that is captured

  • Triggers: Enable certain actions to be performed based on a packet's content

Network Monitor consists of the following two components:

  • Network Monitor Driver: The Network Monitor Driver is responsible for capturing the frames coming to and from a network adapter.

  • Network Monitor tools: The Network Monitor tools are used to view and analyze the data captured by the Network Monitor Driver.

Installing Network Monitor

Network Monitor is not installed with Windows Server 2003 by default, but it can be installed using the following process (installing Network Monitor automatically installs the Network Monitor Driver):

1. Click Start, point to the Control Panel, and click Add or Remove Programs.

2. Click Add/Remove Windows Components.

3. Within the Windows Component Wizard, select Management and Monitoring Tools, and click the Details button.

4. Select the Network Monitor Tools check box. Click OK.

5. Click Next. Click Finish.

In some instances you want to install only the Network Monitor Driver; for example, if you want to capture traffic for multiple servers and view the captured data from your workstation. Installing the driver enables you to capture traffic on a network interface. You then need to use software such as Systems Management Server (SMS) to view the captured data. This is useful for capturing data from a number of different servers and viewing it from a central location. For example, a computer running the Network Monitor Driver can capture the information and forward it to SMS. To install only the Network Monitor Driver component, perform the following steps:

1. Within the Network Connections applet, right-click Local Area Connection and choose Properties from the pop-up menu.

2. From the properties window for the local area connection, click the Install button.

3. In the list, click Protocol and then click the Add button.

4. Within the Network Protocol window, click the Network Monitor Driver.

5. Click OK.

Using Network Monitor

After Network Monitor is installed, it is added to the Administrative Tools menu. To launch the console, click Start, point to Administrative Tools, and click Network Monitor (see Figure 6.1).

Figure 6.1. The Network Monitor console


Network Monitor can display a large amount of information about the frames captured to and from a network adapter card. When you first open Network Monitor, four panes are displayed within the console. The Graph pane, located in the top right of the window, displays the network activity in the form of a bar chart. As you can see from Figure 6.1, it includes statistics such as %Network Utilization, Frames Per Second, and Bytes Per Second.

Below the Graph pane is the Session Statistics pane. The Session Statistics pane displays information about individual sessions, including statistics about the sessions in which the server is participating. The Station Statistics pane at the bottom of the window displays information about the frames sent and received, bytes sent and received, multicasts sent, and broadcasts sent. The Total Statistics pane along the left side of the window displays the summary statistics since the capture was started.

To view statistics about network traffic, you must first start a capture to gather network traffic. To do so, click the Start option from the Capture menu. To view the captured data, click the Stop and View option from the Capture menu. Network Monitor displays all of the frames captured during the capture period with a Summary window. To view specific information about a frame, click the frame within the Summary window (see Figure 6.2).

Figure 6.2. Viewing captured data within Network Monitor


Exam Alert

You should be aware of the buffer size and the frame size. Both of these can be set by selecting the Buffer Settings option from the Capture menu. The default buffer size is 1MB. After Network Monitor has captured 1MB of data, it will begin to overwrite the trace. By altering this setting, Network Monitor can be configured to only capture the headers, instead of the entire frame.


Using Capture Filters

Now when you run Network Monitor, all frames going to and from a computer are captured. During a capture, a large number of frames might be captured. If you're looking for specific types of traffic, you can create a capture filter to define which types of frames should be captured. To configure capture filters within Network Monitor, choose the Filter option from the Capture menu (see Figure 6.3).

Figure 6.3. Configuring a capture filter


From the Capture Filter window, you can create filters based on the following criteria:

  • Protocol: Enables you to specify the protocols or the specific protocol properties that you want to capture

  • Address Pairs: Specifies the computer addresses from which frames should be captured

  • Pattern Matches: Enables you to configure different variables that captured frames should meet

Note

The Network Monitor supplied with Windows Server 2003 does not run in Promiscuous mode. This means that it intercepts only packets that are intended either to or from your computer. To get the full version of Network Monitor, which includes Promiscuous mode, you need SMS.


Using Display Filters

When you capture network traffic, a large number of packets can be displayed when you view the captured data, making it difficult to look for specific information.

Network Monitor enables you to configure display filters so that only specific types of traffic are displayed. To configure a display filter, select the Filter option from the Capture menu after you have run Network Monitor and captured the network traffic.

Configuring Triggers

By configuring triggers, you can perform certain actions when specific conditions are met. When Network Monitor is capturing data, it examines the contents of the packets. Any packets that meet the defined conditions trigger a specific action to be taken. To configure a trigger, click the Capture menu and click Trigger (see Figure 6.4). When the trigger criteria are met, you can configure any of the following actions to occur:

Figure 6.4. Configuring a trigger


  • The computer will beep.

  • Network Monitor will stop capturing frames.

  • A command-line program will be executed.

System Monitor

System Monitor can be used to monitor the real-time performance of the local computer or another computer on the network. System Monitor enables you to do the following:

  • Collect real-time performance data on various aspects of system performance

  • Control which users can view performance data locally or across the network by using the Performance Monitor Users and the Performance Log Users groups

  • View real-time data or save data in a log file for later analysis

  • Display captured data in various forms such as a graph or histogram

  • Create monitoring configurations that can be used on other computers

Exam Alert

You can control which users can capture and view data using the Performance Monitor Users and Performance Log Users groups. Be prepared to encounter exam questions pertaining to this topic. By adding a user account to the Performance Monitor Users group, he or she will be capable of viewing performance counter data within System Monitor locally or from across the network. Adding a user account to the Performance Log Users group will give the user permission to manage logs and alerts as well as view counter data.


System Monitor enables you to monitor the performance of various server components, including hardware, services, and applications. System Monitor enables you to define the following:

  • The type of data you want to collect: Performance objects enable you to select the various components you want to monitor. Each performance object has its own set of performance counters that determines what aspects of a particular object you want to monitor. If multiple instances of an object exist (such as two network interfaces), you can select the counter instance you want to monitor.

  • Where you will collect the data from: System Monitor enables you to collect data from the local computer or from another computer on the network.

  • How you will collect the data: The sampling parameters enable you to define manual sampling, on-demand sampling, or automatic sampling.

Using System Monitor

System Monitor is a tool that is installed with Windows Server 2003 by default. To open the Performance console, click Start, point to Administrative Tools, and click Performance. You will find the System Monitor utility within this console (see Figure 6.5). When System Monitor is initially opened, the following three counters are displayed by default:

Figure 6.5. The Performance console


  • Memory Pages/Sec

  • Physical Disk Avg. Disk Queue Length

  • Processor %Processor Time

More than likely, you will also want to monitor other components and will need to add other counters; for example, if you want to monitor the performance of a service that has recently been installed. To add a counter to System Monitor, follow these steps:

1. Click Start, point to Administrative Tools, and click Performance.

2. Right-click the System Monitor Details pane and click Add Counter (see Figure 6.6), or click the Add button on the toolbar (represented by a plus sign).

Figure 6.6. Adding counters to System Monitor

3. To monitor the local computer, select Use Local Computer Counters. To monitor another computer on the network, click Select Counters from Computer and specify the computer name or IP address.

4. Use the Performance Object box to select the specific object you want to monitor. After you select an object, the related counters are displayed.

5. Select All Counters to monitor all counters that are related to the performance object. To select specific counters, click Select Counters from List. Click each counter you want to monitor and click Add. You will also notice an Explain button that provides information about the various counters.

6. To monitor all instances associated with a counter, select All Instances. Otherwise, click Select Instances from List and select the instance to monitor.

7. Click Close.

Using the System Monitor properties window (see Figure 6.7), you can further customize the settings. To do so, click the Properties button located on the toolbar.

Figure 6.7. Configuring System Monitor property settings


Note

Before you can add a counter to System Monitor, you must be a member of the Administrators group, the Performance Log Users group, or the Performance Monitor Users group, or you must be delegated the necessary permissions.


You can use the General tab to configure such things as the view (graph, histogram, or report), the display elements, and the counter values for a report or histogram. By configuring the Sample Automatically Every option, you can define the sampling interval (the default value is every one second).

Using the settings available on the Source tab, you can specify the data source that will be displayed (see Figure 6.8). You have three options: display values for the current activity, display data from an existing log file, or display data stored in an SQL database. The remaining tabs can be used to customize the display of information within System Monitor.

Figure 6.8. Configuring the source of data displayed within System Monitor


Using System Monitor to Monitor Network Traffic

If TCP/IP is installed (it is installed by default), the Network Interface performance object is added to System Monitor. You can use this object to monitor data that is sent to and from a computer. When you select the performance object, you will notice that a number of counters are available. Some of the more useful counters for determining problems with a network card include these:

  • Packets Outbound Errors: The number of outbound packets that could not be transmitted because of errors.

  • Packets Received Errors: The number of received packets that contained errors, preventing them from being delivered to a higher-level protocol.

  • Packets Outbound Discarded: The number of packets that have been discarded even though they did not contain errors. A possible cause for this scenario would be to free up buffer space.

  • Packets Received Discarded: The number of received packets that were discarded even though no errors were detected.

You can also use System Monitor to monitor TCP/IP performance. Counters are available for IP, TCP, UDP, and ICMP. You can use the TCP Segments/Sec counter to monitor the number of TCP segments that the computer sent and the Segments Retransmitted/Sec counter to monitor the number of segments that the computer must resend because of errors. The IP Datagrams/Sec counter can be used to monitor the amount of TCP/IP traffic on the network. A number of other counters are available for the various protocols in the TCP/IP suite.
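The Network Interface and TCP counters described above can be read from a script as well as from the System Monitor graph. The following PowerShell is an added example, not code from the Exam Cram text; it assumes Windows PowerShell 2.0 or later (for the Get-Counter cmdlet) and a TCP performance object named "TCP", as on Windows Server 2003 (later Windows versions name it "TCPv4" and "TCPv6"). The function names are the example's own.

```powershell
# Added example (not from the Exam Cram text): read the Network Interface and TCP
# counters discussed above with Get-Counter so the same checks can be scripted.
# Assumptions: Windows PowerShell 2.0 or later (Get-Counter); the TCP object is
# named "TCP" as on Windows Server 2003 (later versions use "TCPv4"/"TCPv6").

function Get-NicErrorSummary {
    # The four error/discard counters are running totals since the adapter was
    # initialised, so the interesting figure is how much they grew while sampling.
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)

    $paths = @(
        '\Network Interface(*)\Packets Outbound Errors',
        '\Network Interface(*)\Packets Received Errors',
        '\Network Interface(*)\Packets Outbound Discarded',
        '\Network Interface(*)\Packets Received Discarded'
    )
    $sets = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples

    $sets | ForEach-Object { $_.CounterSamples } |
        Group-Object InstanceName, Path | ForEach-Object {
            $values = @($_.Group | ForEach-Object { $_.CookedValue })
            New-Object PSObject -Property @{
                Interface = $_.Group[0].InstanceName
                Counter   = ($_.Group[0].Path -split '\\')[-1]
                Total     = $values[-1]                 # cumulative count at the last sample
                Growth    = $values[-1] - $values[0]    # increase during the sampling window
            }
        } | Where-Object { $_.Interface -notlike '*Loopback*' } |
          Sort-Object Interface, Counter
}

function Get-TcpRetransmitPercent {
    # Retransmitted segments as a percentage of all TCP segments seen in the window.
    # A persistently high figure points at packet loss or a faulty link or adapter.
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)

    $sets = Get-Counter -Counter '\TCP\Segments/sec', '\TCP\Segments Retransmitted/sec' `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $segments = 0.0; $retransmitted = 0.0
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            if ($s.Path -like '*retransmitted/sec') { $retransmitted += $s.CookedValue }
            else                                     { $segments      += $s.CookedValue }
        }
    }
    if ($segments -eq 0) { return 0 }
    return [math]::Round(100 * $retransmitted / $segments, 2)
}

# Usage: list error/discard growth per adapter, then the retransmission ratio.
Get-NicErrorSummary | Format-Table Interface, Counter, Total, Growth -AutoSize
"TCP retransmissions: {0}% of segments" -f (Get-TcpRetransmitPercent)
```

Because the error and discard counters only ever increase, a non-zero Growth column during a short sampling window is the signal worth following up; the Total column alone may just reflect a long uptime. Reading the counters requires membership in the Performance Monitor Users group (or Administrators), the same requirement the text gives for System Monitor.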

If your computer is functioning as a domain controller, you can use System Monitor to monitor the performance of the server service. In terms of network traffic, you should monitor the Logon Total and Logons/Sec counters, which determine the total number of logon requests the server has received since it was last restarted and the number of logon requests received per second.

Using System Monitor to Establish a Baseline

Before you even delve into System Monitor, it's a good idea to become secure in the concept of baselining. A baseline is simply a set of data that depicts the norm for a particular object, event, or status. For example, the data contained within a baseline can tell you how your CPU behaves under normal circumstances. You can then compare future performance data against that of the baseline to help identify when bottlenecks may be occurring.

The objects that you would normally generate your baseline from are outlined in the following list:

  • Memory: Memory is RAM. Memory is used in several different ways, and counters exist for this object that can tell you how efficiently your RAM is working for you. The two important memory counters are Pages/sec and Available Bytes.

  • Processor: The processor object has the capability to monitor the health and welfare of a server's CPUs. As with any of these other objects, counters exist that will monitor things such as how many calculations are being performed, how many errors are being generated, and even how long the line of processes waiting for CPU attention is. You should monitor the % Total Processor Time counter. A continuously high value may indicate a bottleneck. You should also monitor the Processor Queue Length counter.

  • Disk: Disk monitoring is divided into two sections: physical disk and logical disk. The physical hard disk is another object that should be monitored occasionally for obvious reasons: a bad hard disk will generate errors. An overloaded hard disk will also have problems and could very well slow down the overall server productivity, especially if the paging file is being heavily used. The two important physical disk counters are Physical Disk: Avg. Read Queue Length and Physical Disk: Avg. Write Queue Length. The values for both counters should be lower than 2. The Logical Disk counters are used to monitor specific volumes and partitions. This object might indeed be more important than the physical disk because it can point to issues, corruptions, and performance problems in a way that better allows you to isolate an offending application or piece of hardware. You should monitor the Logical Disk: %Free Space and the Logical Disk: %Disk Time counters. The %Disk Time value should be less than 50%.

  • Network: This particular object will give you statistics on how many network packets are being sent and received by the NIC. It will also give you statistics about bad packets and data that are being sent and received by the same NIC. The important counters include Network Interface: Output Queue Length and %Network Utilization.

System Monitor Alerts

Alerts are counter-based, and are generated once a set threshold has been met. After this threshold (or event) has been met, the system has some pretty powerful capabilities. First, it can generate an event in the Event Viewer. It can also send a network message to someone (usually an administrator), or run a program (any program actually) that will page or email someone with information.

The true value in the Alerts option lies in the fact that once a threshold has been met, it has the ability to start a Counter Log that has already been saved and configured to handle further monitoring after the event has occurred. As an example, let's say that page faults are running high, and an alert has been created based upon your preexisting knowledge of what the norm is, and what you would perceive to be high based upon the specific system. Page faults can be due to disk problems or memory problems. Following the road toward the process of elimination, you can set up an alert to subsequently trigger a counter log that monitors both disk and memory performance. The result is that with little or no intervention from you, you can then view the counter log and determine where the offender is, and take the appropriate actions.

You can set up an alert by completing the following steps:

1. Click Start and click Run.

2. Type perfmon.msc and click OK.

3. Expand Performance Logs and Alerts.

4. Right-click Alerts and click New Alert Settings.

5. Type in a name for the new alert and click OK.

6. The properties dialog box for the new alert will appear. Click the Add button to specify the counters you want monitored in the alert.

7. Click Close.

8. Highlight each counter in the list and specify the value that will trigger an administrative alert.

9. Use the Sample Data Every field to configure the sampling interval.

10. Use the Run As field to specify a different user account under which the monitoring will occur.

11. Click the Action tab.

12. Choose the actions you want to occur when the alert is triggered.

13. Use the Schedule tab to specify when to begin monitoring the counters and how long to monitor them.
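The two procedures above (establishing a baseline, then alerting on a threshold and starting a counter log) can be carried out together in a script. The following PowerShell is an added example, not code from the Exam Cram text; it assumes Windows PowerShell 2.0 or later (Get-Counter), that eventcreate.exe and logman.exe are present (both ship with Windows Server 2003), and that a counter log named "DiskMemoryLog" (a hypothetical name chosen for the example) has already been created under Performance Logs and Alerts so that the alert can start it. The thresholds used are the ones the text states (queue lengths below 2, %Disk Time below 50); the "twice the baseline mean" rule and all function and variable names are the example's own.

```powershell
# Added example (not from the Exam Cram text): record a baseline for the objects
# listed under "Using System Monitor to Establish a Baseline", then poll the same
# counters the way a System Monitor alert does and act when a threshold is crossed.
# Assumptions: Windows PowerShell 2.0+ (Get-Counter); eventcreate.exe and logman.exe
# are available (both ship with Windows Server 2003); a counter log named
# "DiskMemoryLog" (hypothetical name) already exists under Performance Logs and Alerts.

# Counter paths for the baseline objects. The text's "% Total Processor Time" is
# Processor(_Total)\% Processor Time on Windows Server 2003.
$BaselineCounters = @(
    '\Memory\Pages/sec',
    '\Memory\Available Bytes',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\PhysicalDisk(_Total)\Avg. Disk Read Queue Length',
    '\PhysicalDisk(_Total)\Avg. Disk Write Queue Length',
    '\LogicalDisk(_Total)\% Free Space',
    '\LogicalDisk(_Total)\% Disk Time',
    '\Network Interface(*)\Output Queue Length'
)
# Fixed limits stated in the text: queue lengths below 2, % Disk Time below 50.
$FixedLimits = @{
    '\PhysicalDisk(_Total)\Avg. Disk Read Queue Length'  = 2
    '\PhysicalDisk(_Total)\Avg. Disk Write Queue Length' = 2
    '\LogicalDisk(_Total)\% Disk Time'                   = 50
}
# Counters where a drop (not a rise) relative to the baseline is the warning sign.
$LowIsBad = @('\Memory\Available Bytes', '\LogicalDisk(_Total)\% Free Space')

function Get-CounterStats {
    # Sample the counters and return mean and max per counter, keyed by the path
    # without the leading \\COMPUTER prefix that Get-Counter adds to each sample.
    param([string[]]$Counters, [int]$Samples, [int]$IntervalSeconds)
    $sets = Get-Counter -Counter $Counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $sets | ForEach-Object { $_.CounterSamples } |
        Select-Object @{ n = 'Key'; e = { $_.Path -replace '^\\\\[^\\]+', '' } }, CookedValue |
        Group-Object Key | ForEach-Object {
            $m = $_.Group | Measure-Object CookedValue -Average -Maximum
            New-Object PSObject -Property @{ Path = $_.Name; Mean = $m.Average; Max = $m.Maximum }
        }
}

function New-PerformanceBaseline {
    # Run during a known-normal period; the CSV becomes the baseline for comparison.
    param([string]$Path, [int]$Samples = 60, [int]$IntervalSeconds = 15)
    Get-CounterStats $BaselineCounters $Samples $IntervalSeconds |
        Select-Object Path, Mean, Max | Export-Csv -Path $Path -NoTypeInformation
}

function Test-CounterBreach {
    # Returns a description of the breach, or $null when the value is acceptable.
    param($Stat, [hashtable]$Baseline, [double]$DeviationFactor)
    if ($FixedLimits.ContainsKey($Stat.Path) -and $Stat.Mean -ge $FixedLimits[$Stat.Path]) {
        return '{0} = {1:N2} (limit {2})' -f $Stat.Path, $Stat.Mean, $FixedLimits[$Stat.Path]
    }
    if (-not $Baseline.ContainsKey($Stat.Path) -or $Baseline[$Stat.Path] -le 0) { return $null }
    $ref = $Baseline[$Stat.Path]
    $breached = if ($LowIsBad -contains $Stat.Path) { $Stat.Mean -le $ref / $DeviationFactor }
                else                                { $Stat.Mean -ge $ref * $DeviationFactor }
    if ($breached) { return '{0} = {1:N2} (baseline {2:N2})' -f $Stat.Path, $Stat.Mean, $ref }
    return $null
}

function Invoke-BaselineAlert {
    # Polls like an alert in Performance Logs and Alerts: each poll takes three
    # samples, compares them with the baseline, and on the first breach writes an
    # Event Viewer entry and starts the pre-configured counter log.
    param([string]$BaselinePath, [double]$DeviationFactor = 2.0, [int]$IntervalSeconds = 5,
          [int]$MaxPolls = 12, [string]$CounterLogName = 'DiskMemoryLog')
    $baseline = @{}
    Import-Csv $BaselinePath | ForEach-Object { $baseline[$_.Path] = [double]$_.Mean }
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        foreach ($stat in (Get-CounterStats $BaselineCounters 3 $IntervalSeconds)) {
            $reason = Test-CounterBreach $stat $baseline $DeviationFactor
            if ($reason) {
                & eventcreate /T WARNING /ID 100 /L APPLICATION /SO PerfBaseline /D "Threshold breached: $reason" | Out-Null
                & logman start $CounterLogName | Out-Null
                return $reason
            }
        }
    }
    return $null   # no breach within the polling window
}

# Usage: New-PerformanceBaseline -Path C:\perf\baseline.csv   (during normal load)
#        Invoke-BaselineAlert -BaselinePath C:\perf\baseline.csv  (later, to watch for drift)
```

The fixed limits are checked first, so a disk queue above 2 is reported even when the baseline itself was already poor. Available Bytes and %Free Space are compared in the opposite direction because for those counters a fall, not a rise, is the problem. Run the script under an account in the Performance Log Users group (or as an administrator), which is the same permission the Alerts dialog's Run As field would need.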



Exam Cram(c) 70-291 Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure
ISBN: 131516345
Year: 2006
Pages: 126
