Monitoring the Network

Another aspect of keeping your network healthy is monitoring network traffic and looking at the various processes and events related to network protocols. This means you actually have to be able to view the communication processes that actually take place on your network as data moves from servers to clients (and vice versa). Network monitoring is the process of viewing and analyzing network traffic, and network monitoring software packages are used to capture network data frames and examine them. A software package that can analyze protocol information in a data frame is often referred to as a protocol sniffer .



Protocol sniffers and network monitoring software can be a big help in managing a large network. The problem with these types of software packages, however, is that they can also be used to actually steal and read information on a network, such as usernames and passwords. Protocol sniffers are often used by hackers to gain information about networks they wish to steal information from. We will talk more about hacking/cracking in Chapter 20, "A Network Security Primer."

A number of software companies make network monitoring software and protocol analyzers. For example, Sniffer Technologies sells a range of network monitoring software for both the LAN and WAN environments. For the Unix/Linux environment and the Windows environment, a free network analyzer called Ethereal can be downloaded from

Windows Server 2003 provides the Network Monitor, which can be used to capture frames (a frame being a data packet) and monitor network activity. The Network Monitor provides many of the features that you would find in other network monitoring software packages. Most network monitoring and packet sniffing packages are geared for Ethernet networks because it is the most commonly used network architecture.

Let's take a quick look at the Windows Network Monitor and how it displays the information that it captures. The Network Monitor window is actually divided into a number of different panes that provide different types of information. Figure 19.9 shows the Windows Network Monitor. This data is collected when you (the network administrator) use the Capture command to begin a capture session.

Figure 19.9. Network Monitor provides information on network traffic and can sample data frames traveling on the network.


The Network Monitor provides statistics such as the percentage of network utilization and the number of frames per second (this would be the number of frames traveling by the computer running Network Monitor; data is sampled by the computer's NIC). These more general statistics are listed in the Graph pane, which resides in the upper-left area of the Network Monitor window. The Total Statistics pane to the right of the Graph pane provides summary information.

The Session Statistics pane provides information on each session captured (a session being communication between two computers or devices on the network). The first column in this pane provides the hardware address (the MAC address of the device's network interface card) of the device that is sending the packets (the packets you are capturing). The second column provides the number of frames (packets) sent to the receiving device from the sending device during the communication. The third column shows the number of frames sent back to the initiating device, and the last column in the Session Statistics pane provides the hardware address of the receiving device participating in the session.

The Station Statistics pane appears below the Session Statistics pane in the Network Monitor window. It provides statistics related to your computer's activity on the network. A number of different columns of information appear in this pane :

  • Network Address . This column provides the network address that frames were captured from.

  • Frames Sent . This column provides the number of frames that were sent from the network address appearing in the first column.

  • Frames Rcvd . This column shows the number of frames received (by the local computer) from the device hardware address appearing in the first column.

  • Bytes Sent . This column displays the number of bytes sent by the device whose hardware address is listed in the Network Address column (the first column in the pane).

  • Bytes Rcvd . This column tells you how many bytes were received from the network address listed in the Network Address column.

  • Directed Frames Sent . This column shows the number of non-broadcast and non-multicast frames that were sent over the network by the device whose hardware address is listed in the first column of the record.

  • Multicasts Sent . This shows the number of times the address listed in the Network Address column has sent frames to a subset of computers on the network (a multicast is a broadcast message to certain computers on the network).

  • Broadcasts Sent . This column shows the number of times the address listed in the Network Address column has sent broadcast messages to all computers on the network (a broadcast message is a message sent to all the devices on the network by a particular computer).

Data collected by monitoring software such as Network Monitor can often be saved to a log file that you can view at a later time. This allows you to capture information related to the network and save it as a baseline. Data collected over time can then be compared to the baseline information. If there is a great deal of disparity between your baseline (or benchmark ) readings and the new capture information, you know that there must be a problem with the network. For example, if there are tons of broadcast messages from a particular MAC address, a computer on the network might have a malfunctioning network card.



The version of Network Monitor that ships with Windows Server (2003 and 2000) is not a full-blown version of the product. You will find that some of the menu choices won't work, and to get all the features you must acquire a copy of the Microsoft Systems Management Server Network Monitor tool. While there are free LAN analyzer software packages available on the Web, if you are monitoring a network of any size (and your data has definite value to your company) you will want to research and then buy an appropriate network analyzer tool.

Absolute Beginner's Guide to Networking
Absolute Beginners Guide to Networking (4th Edition)
ISBN: 0789729113
EAN: 2147483647
Year: 2002
Pages: 188
Authors: Joe Habraken © 2008-2017.
If you may any questions please contact us: