As network-related services become more prevalent (because new services and applications are installed and network shares are created), traffic on a network can increase greatly. For example, a recent growth in web-based training in many large companies to keep travel costs down would have a huge impact on network bandwidth use. Network administrators must ensure that the network performs efficiently and reliably. By monitoring network performance, you can gather information that can be used for capacity planning, establishing a baseline that can help pinpoint changes in performance over time, and putting together performance-level reports. Two tools included with Windows Server 2003 can be used to monitor network traffic: Network Monitor and System Monitor.

Network Monitor

Network Monitor, which is included with Windows Server 2003, enables you to monitor and log network activity and then use the information to manage and optimize traffic. You can use the information you gather to identify unnecessary protocols and misconfigured workstations, and to detect problems with network applications and services. Some of the features of Network Monitor include the following:
Network Monitor consists of the following two components:
Installing Network Monitor

Network Monitor is not installed with Windows Server 2003 by default, but it can be installed using the following process (installing Network Monitor automatically installs the Network Monitor Driver):
In some instances you want to install only the Network Monitor Driver, for example, if you want to capture traffic for multiple servers and view the captured data from your workstation. Installing the driver enables you to capture traffic on a network interface. You then need to use software such as Systems Management Server (SMS) to view the captured data. This is useful for capturing data from a number of different servers and viewing it from a central location. For example, a computer running Network Monitor Driver can capture the information and forward it to SMS. To install only the Network Monitor Driver component, perform the following steps:
Using Network Monitor

After Network Monitor is installed, it is added to the Administrative Tools menu. To launch the console, click Start, point to Administrative Tools, and click Network Monitor (see Figure 6.1).

Figure 6.1. The Network Monitor console

Network Monitor can display a large amount of information about the frames captured to and from a network adapter card. When you first open Network Monitor, four panes are displayed within the console. The Graph pane, located in the top right of the window, displays the network activity in the form of a bar chart. As you can see from Figure 6.1, it includes statistics such as %Network Utilization, Frames Per Second, and Bytes Per Second. Below the Graph pane is the Session Statistics pane. The Session Statistics pane displays information about individual sessions, including statistics about the sessions in which the server is participating. The Station Statistics pane at the bottom of the window displays information about the frames sent and received, bytes sent and received, multicasts sent, and broadcasts sent. The Total Statistics pane along the left side of the window displays the summary statistics since the capture was started.

To view statistics about network traffic, you must first start a capture to gather network traffic. To do so, click the Start option from the Capture menu. To view the captured data, click the Stop and View option from the Capture menu. Network Monitor displays all of the frames captured during the capture period with a Summary window. To view specific information about a frame, click the frame within the Summary window (see Figure 6.2).

Figure 6.2. Viewing captured data within Network Monitor

Exam Alert: You should be aware of the buffer size and the frame size. Both of these can be set by selecting the Buffer Settings option from the Capture menu. The default buffer size is 1MB. After Network Monitor has captured 1MB of data, it will begin to overwrite the trace.
By altering this setting, Network Monitor can be configured to only capture the headers, instead of the entire frame.

Using Capture Filters

Now when you run Network Monitor, all frames going to and from a computer are captured. During a capture, a large number of frames might be captured. If you're looking for specific types of traffic, you can create a capture filter to define which types of frames should be captured. To configure capture filters within Network Monitor, choose the Filter option from the Capture menu (see Figure 6.3).

Figure 6.3. Configuring a capture filter
From the Capture Filter window, you can create filters based on the following criteria:
Note: The Network Monitor supplied with Windows Server 2003 does not run in Promiscuous mode. This means that it intercepts only packets sent to or from your computer. To get the full version of Network Monitor, which includes Promiscuous mode, you need SMS.

Using Display Filters

When you capture network traffic, a large number of packets can be displayed when you view the captured data, making it difficult to look for specific information. Network Monitor enables you to configure display filters so that only specific types of traffic are displayed. To configure a display filter, select the Filter option from the Capture menu after you have run Network Monitor and captured the network traffic.

Configuring Triggers

By configuring triggers, you can perform certain actions when specific conditions are met. When Network Monitor is capturing data, it examines the contents of the packets. Any packets that meet the defined conditions trigger a specific action to be taken. To configure a trigger, click the Capture menu and click Trigger (see Figure 6.4).

Figure 6.4. Configuring a trigger

When the trigger criteria are met, you can configure any of the following actions to occur:
System Monitor

System Monitor can be used to monitor the real-time performance of the local computer or another computer on the network. System Monitor enables you to do the following:
Exam Alert: You can control which users can capture and view data using the Performance Monitor Users and Performance Log Users groups. Be prepared to encounter exam questions pertaining to this topic. A user account that is added to the Performance Monitor Users group can view performance counter data within System Monitor locally or from across the network. Adding a user account to the Performance Log Users group gives the user permission to manage logs and alerts as well as view counter data.

System Monitor enables you to monitor the performance of various server components, including hardware, services, and applications. System Monitor enables you to define the following:
Using System Monitor

System Monitor is a tool that is installed with Windows Server 2003 by default. To open the Performance console, click Start, point to Administrative Tools, and click Performance. You will find the System Monitor utility within this console (see Figure 6.5).

Figure 6.5. The Performance console

When System Monitor is initially opened, the following three counters are displayed by default:
More than likely, you will also want to monitor other components and will need to add other counters, for example, if you want to monitor the performance of a service that has recently been installed. To add a counter to System Monitor, follow these steps:
Using the System Monitor properties window (see Figure 6.7), you can further customize the settings. To do so, click the Properties button located on the toolbar.

Figure 6.7. Configuring System Monitor property settings
Note: Before you can add a counter to System Monitor, you must be a member of the Administrators group, the Performance Log Users group, or the Performance Monitor Users group, or you must be delegated the necessary permissions.

You can use the General tab to configure such things as the view (graph, histogram, or report), the display elements, and the counter values for a report or histogram. By configuring the Sample Automatically Every option, you can define the sampling interval (the default value is every one second). Using the settings available on the Source tab, you can specify the data source that will be displayed (see Figure 6.8). You have three options: display values for the current activity, display data from an existing log file, or display data stored in an SQL database. The remaining tabs can be used to customize the display of information within System Monitor.

Figure 6.8. Configuring the source of data displayed within System Monitor
Using System Monitor to Monitor Network Traffic

If TCP/IP is installed (it is installed by default), the Network Interface performance object is added to System Monitor. You can use this object to monitor data that is sent to and from a computer. When you select the performance object, you will notice that a number of counters are available. Some of the more useful counters for determining problems with a network card include these:
You can also use System Monitor to monitor TCP/IP performance. Counters are available for IP, TCP, UDP, and ICMP. You can use the TCP Segments/Sec counter to monitor the number of TCP segments that the computer sent and the Segments Retransmitted/Sec counter to monitor the number of segments that the computer must resend because of errors. The IP Datagrams/Sec counter can be used to monitor the amount of TCP/IP traffic on the network. A number of other counters are available for the various protocols in the TCP/IP suite.

If your computer is functioning as a domain controller, you can use System Monitor to monitor the performance of the server service. In terms of network traffic, you should monitor the Logon Total and Logons/Sec counters, which determine the total number of logon requests the server has received since it was last restarted and the number of logon requests received per second.

Using System Monitor to Establish a Baseline

Before you even delve into System Monitor, it's a good idea to become secure in the concept of baselining. A baseline is simply a set of data that depicts the norm for a particular object, event, or status. For example, the data contained within a baseline can tell you how your CPU behaves under normal circumstances. You can then compare future performance data against that of the baseline to help identify when bottlenecks may be occurring. The objects that you would normally generate your baseline from are outlined in the following list:
System Monitor Alerts

Alerts are counter-based, and are generated once a set threshold has been met. After this threshold (or event) has been met, the system has some pretty powerful capabilities. First, it can generate an event in the Event Viewer. It can also send a network message to someone (usually an administrator), or run a program (any program actually) that will page or email someone with information. The true value in the Alerts option lies in the fact that once a threshold has been met, it has the ability to start a Counter Log that has already been saved and configured to handle further monitoring after the event has occurred.

As an example, let's say that page faults are running high, and an alert has been created based upon your preexisting knowledge of what the norm is, and what you would perceive to be high based upon the specific system. Page faults can be due to disk problems or memory problems. Following the road toward the process of elimination, you can set up an alert to subsequently trigger a counter log that monitors both disk and memory performance. The result is that with little or no intervention from you, you can then view the counter log and determine where the offender is, and take the appropriate actions. You can set up an alert by completing the following steps:
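
The baseline-then-alert reasoning described above can also be applied offline to saved counter logs. The following is an added example, not part of the original text: it derives a limit for each counter from a baseline log saved in CSV format and reports counters that stay above that limit. The server name SRV01, the sample rows, the "mean plus three standard deviations" rule, and the two-sample sustain window are assumptions chosen for illustration.

```python
import csv, io, statistics

# Constructed PDH-CSV counter logs (timestamp column, then counter paths); SRV01 and all values are made up.
HEADER = r'"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\SRV01\TCP\Segments Retransmitted/sec","\\SRV01\Memory\Page Faults/sec"'
BASELINE_LOG = HEADER + '''
"03/01/2005 09:00:00.000","2","110"
"03/01/2005 09:00:15.000","4","130"
"03/01/2005 09:00:30.000","2","110"
"03/01/2005 09:00:45.000","4","130"
'''
CURRENT_LOG = HEADER + '''
"03/08/2005 09:00:00.000","3","128"
"03/08/2005 09:00:15.000","5","910"
"03/08/2005 09:00:30.000"," ","950"
"03/08/2005 09:00:45.000","4","122"
'''

def read_counter_log(text):
    """Return {counter path: [(timestamp, value), ...]} from a CSV counter log."""
    rows = csv.reader(io.StringIO(text.strip()))
    header = next(rows)
    series = {path: [] for path in header[1:]}
    for row in rows:
        for path, cell in zip(header[1:], row[1:]):
            if cell.strip():  # a blank cell means no sample was collected
                series[path].append((row[0], float(cell)))
    return series

def build_thresholds(baseline, k=3.0):
    """Alert limit per counter: baseline mean plus k standard deviations (assumed rule)."""
    limits = {}
    for path, samples in baseline.items():
        values = [v for _, v in samples]
        limits[path] = statistics.mean(values) + k * statistics.pstdev(values)
    return limits

def find_alerts(current, limits, sustain=2):
    """Report a counter once it stays over its limit for `sustain` samples in a row."""
    alerts = []
    for path, samples in current.items():
        run = 0
        for ts, value in samples:
            run = run + 1 if value > limits[path] else 0
            if run == sustain:
                alerts.append((path, ts, value))
    return alerts

if __name__ == "__main__":
    limits = build_thresholds(read_counter_log(BASELINE_LOG))
    print(find_alerts(read_counter_log(CURRENT_LOG), limits))
```

Requiring the value to stay over the limit for consecutive samples keeps a single spike from raising an alert, and skipping blank cells keeps an uncollected sample from being treated as zero.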