Lesson 2: Network Monitor

Unlike System Monitor, which is used to monitor anything from hardware to software, Network Monitor focuses exclusively on network activity. Network Monitor allows you to view network activity and detect problems on a network. For example, you can use Network Monitor to diagnose hardware and software problems when two or more computers cannot communicate. You can also copy a log of network activity into a file and then send the file to a professional network analyst or support organization. Network application developers can use Network Monitor to monitor and debug network applications as they are developed.


After this lesson, you will be able to

  • Use Network Monitor to capture and display network frames

Estimated lesson time: 35 minutes


Overview of Network Monitor

Network Monitor tracks network throughput in terms of captured network traffic. Network Monitor monitors traffic only on the local network segment. To monitor remote traffic, you must use the version of Network Monitor that ships with Microsoft Systems Management Server (SMS) version 1.2 or 2.0.

Network Monitor monitors the network data stream, which consists of all information transferred over a network at any given time. Before transmission, this information is divided by the network software into smaller pieces, called frames or packets. Each frame contains the following information:

  • The source address of the computer that sent the message
  • The destination address of the computer that received the frame
  • Headers from each protocol used to send the frame
  • The data or a portion of the information being sent
  • A trailer that usually contains a CRC to verify frame integrity
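The frame layout just listed can be checked mechanically. The following Python script is an added example written for this page, not code from the lesson or from Network Monitor: it assembles an Ethernet II frame from constructed addresses and a constructed payload, appends the CRC-32 trailer (the frame check sequence, FCS), and then splits a frame back into the pieces above while verifying the trailer. One caveat to keep in mind: most adapters strip the FCS before NDIS hands a frame up to software, so a capture file will usually not contain the trailer; the check is included here to make the integrity role of the trailer concrete. The address values, the payload and the helper names are assumptions of the example.

```python
import struct
import zlib

# Constructed sample addresses (not taken from any real capture).
SRC_MAC = bytes.fromhex("00a0c9112233")
DST_MAC = bytes.fromhex("00a0c9445566")
ETHERTYPE_IP = 0x0800   # the same value the lesson uses as "IP ETYPE 0x800"


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame: header, payload, then the CRC-32 trailer (FCS).
    The FCS covers every byte before it and is sent least-significant byte first."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", fcs)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into the pieces the lesson lists: destination address, source
    address, protocol header field (EtherType), data, and trailer.
    Raises ValueError when the trailer CRC does not match the frame contents."""
    if len(frame) < 14 + 4:
        raise ValueError("frame too short for an Ethernet header and FCS")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload, trailer = frame[14:-4], frame[-4:]
    (fcs,) = struct.unpack("<I", trailer)
    expected = zlib.crc32(frame[:-4]) & 0xFFFFFFFF
    if fcs != expected:
        raise ValueError(f"FCS mismatch: trailer {fcs:#010x}, computed {expected:#010x}")
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,
        "payload": payload,
        "fcs": fcs,
    }


def crc_ok(frame: bytes) -> bool:
    """True when the trailer agrees with the rest of the frame."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    frame = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IP, b"constructed IP payload")
    print(parse_frame(frame))
    # Flip one payload bit: the trailer no longer matches and the frame is rejected.
    damaged = frame[:20] + bytes([frame[20] ^ 0x01]) + frame[21:]
    print("damaged frame passes integrity check:", crc_ok(damaged))
```

The trailer is computed over the header and data together, so corrupting any byte of either, not just the payload, makes `crc_ok` return False.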

The process by which Network Monitor copies frames is referred to as capturing. You can use Network Monitor to capture all local network traffic or you can single out a subset of frames to be captured. You can also make a capture respond to events on your network. For example, you can make Network Monitor start an executable file when it detects a particular set of conditions on the network. This is similar to the system Alerts feature in the Performance Logs And Alerts snap-in.

After you have captured data, you can view it in the Network Monitor user interface. Network Monitor does much of the data analysis for you by translating the raw capture data into its logical frame structure.

For security, Windows 2000 Network Monitor captures only those frames, including broadcast and multicast frames, sent to or from the local computer. Network Monitor also displays overall network segment statistics for broadcast frames, multicast frames, network use, total bytes received per second, and total frames received per second.

To help protect your network from unauthorized use of Network Monitor installations, Network Monitor detects other installations of Network Monitor that are running on the local segment of your network. Network Monitor also detects all instances of the Network Monitor driver being used remotely (by either Network Monitor from SMS or the Network Segment object in System Monitor) to capture data on your network.

When Network Monitor detects other Network Monitor installations running on the network, it displays the following information:

  • The name of the computer
  • The name of the user logged on at the computer
  • The state of Network Monitor on the remote computer (running, capturing, or transmitting)
  • The adapter address of the remote computer
  • The version number of Network Monitor on the remote computer

In some instances, your network architecture might prevent one installation of Network Monitor from detecting another. For example, if an installation is separated from yours by a router that does not forward multicasts, your installation cannot detect that installation.

Network Monitor uses a network driver interface specification (NDIS) feature to copy all frames it detects to its capture buffer, a resizable storage area in memory. The default size is 1 MB; however, you can adjust the size manually as needed. The buffer is a memory-mapped file and occupies disk space.

NOTE


Because Network Monitor uses the Local-only mode of NDIS instead of Promiscuous mode (in which the network adapter passes on all frames sent on the network), you can use Network Monitor even if your network adapter does not support Promiscuous mode. Networking performance is not affected when you use an NDIS driver to capture frames. (Putting the network adapter in Promiscuous mode can add 30 percent or more to the load on the CPU.)

Installing Network Monitor Tools

Network Monitor Tools include both the Network Monitor console and the Network Monitor driver. These tools are not installed by default on Windows 2000 Server. You can install them from the Control Panel Add/Remove Programs application. From the Add/Remove Programs window, choose Add/Remove Windows Components and, from the Windows Components wizard that appears, choose Management And Monitoring Tools. The Management And Monitoring Tools item contains Network Monitor Tools. Once installed, the Network Monitor console appears in the Administrative Tools program group and Network Monitor Driver is listed in the Local Area Connection Properties dialog box.

Capturing Frame Data

To capture frame data, Network Monitor and the Network Monitor driver must be installed on your Windows 2000 computer. The Network Monitor driver (also called the Network Monitor agent) enables Network Monitor to receive frames from a network adapter and allows the Network Monitor provided with SMS to capture and display frames from a remote computer, including one with a dial-up network connection. When a user running SMS Network Monitor connects remotely to a computer on which the Network Monitor driver is installed and initiates a capture, network statistics are captured locally on the computer running the Network Monitor driver, and the captured data is viewed from the managing computer.

NOTE


Network Monitor drivers for Windows operating systems other than Windows 2000 are provided with SMS. When you install Network Monitor on a Windows 2000 computer, the Network Monitor driver is installed automatically.

To capture data, open Network Monitor and select Start from the Capture menu. As frames are captured from the network, statistics about the frames are displayed in the Network Monitor Capture window, as shown in Figure 26.6.

Figure 26.6 Capture window of the Network Monitor interface

Network Monitor displays session statistics from the first 100 unique network sessions it detects. To reset statistics and see information on the next 100 network sessions detected, select Clear Statistics from the Capture menu.

Using Capture Filters

A capture filter functions like a database query. You can use it to specify the types of network information you want to monitor. For example, to see only a specific subset of computers or protocols, you can create an address database, use the database to add addresses to your filter, and then save the filter to a file. By filtering frames, you save both buffer resources and time. Later, if necessary, you can load the capture filter file and use the filter again.

To design a capture filter, specify decision statements in the Capture Filter dialog box (Figure 26.7).

Figure 26.7 Capture Filter dialog box

To open the Capture Filter dialog box, select Filter from the Capture menu, click the funnel toolbar icon (Figure 26.7), or press F8. The dialog box displays the filter's decision tree, which is a graphical representation of a filter's logic. When you include or exclude information from your capture specifications, the decision tree reflects these specifications.

Filtering by Protocol

To capture frames that use a specific protocol, specify the protocol on the SAP/ETYPE= line of the capture filter. For example, to capture only IP frames, disable all protocols and then enable IP ETYPE 0x800 and IP SAP 0x6. By default, all the protocols that Network Monitor supports are enabled.

Filtering by Address

To capture frames from specific computers on your network, specify one or more address pairs in a capture filter. You can monitor up to four specific address pairs simultaneously.

An address pair consists of the following:

  • The addresses of the two computers between which you want to monitor traffic
  • Arrows that specify the traffic direction you want to monitor
  • The INCLUDE or EXCLUDE keyword, indicating how Network Monitor should respond to a frame that meets a filter's specifications

Regardless of the sequence in which statements appear in the Capture Filter dialog box, EXCLUDE statements are evaluated first. Therefore, if a frame meets the criteria specified in an EXCLUDE statement in a filter containing both an EXCLUDE statement and an INCLUDE statement, that frame is discarded. Network Monitor does not go on to test that frame against the INCLUDE statements to see whether it also meets their criteria.

Filtering by Data Pattern

By specifying a pattern match in a capture filter, you can do the following:

  • Limit a capture to only those frames containing a specific pattern of ASCII or hexadecimal data
  • Specify how many bytes (offsets) into the frame the pattern must occur

When you filter based on a pattern match at a specific point in the data, you must specify where the pattern occurs in the frame (how many bytes from the beginning or end). If your network medium uses variable-sized frames, specify that counting for the pattern match should begin at the end of the topology header.
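The three capture filter mechanisms described above (the protocol line, address pairs, and pattern matches) compose in a fixed order, and the EXCLUDE-first rule is the part most often misjudged. The Python below is an added example written for this page, not Network Monitor's own code or capture file format: it models a capture filter with a set of enabled EtherTypes, up to four address pairs whose EXCLUDE entries are evaluated before any INCLUDE entry regardless of the order they were entered, and pattern matches anchored at the start of the frame, the end of the frame, or the end of the Ethernet topology header. The hosts, payloads, and the "end" offset convention (the pattern begins that many bytes before the end of the frame) are assumptions of the example; SAP matching for 802.2 frames is not modelled.

```python
from dataclasses import dataclass, field

ETHERNET_HEADER_LEN = 14   # Ethernet "topology header": dst(6) + src(6) + EtherType(2)
MAX_ADDRESS_PAIRS = 4      # a capture filter holds at most four address pairs
ANY = "ANY"
ETYPE_IP, ETYPE_ARP = 0x0800, 0x0806


@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int
    raw: bytes   # the bytes as they would sit in the capture buffer (no FCS)


def make_frame(src: str, dst: str, ethertype: int, payload: bytes) -> Frame:
    """Constructed sample frame: header assembled from the addresses, payload appended."""
    raw = (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
           + ethertype.to_bytes(2, "big") + payload)
    return Frame(src, dst, ethertype, raw)


@dataclass
class AddressPair:
    a: str
    direction: str   # "<->" traffic in either direction, "->" only from a to b
    b: str
    action: str      # "INCLUDE" or "EXCLUDE"

    def matches(self, f: Frame) -> bool:
        fwd = self.a in (ANY, f.src) and self.b in (ANY, f.dst)
        rev = self.a in (ANY, f.dst) and self.b in (ANY, f.src)
        return fwd or (self.direction == "<->" and rev)


@dataclass
class Pattern:
    data: bytes
    offset: int
    anchor: str = "start"   # "start" of frame, "end" of frame, or "header" (end of topology header)

    def matches(self, f: Frame) -> bool:
        if self.anchor == "end":   # convention here: pattern begins offset bytes before frame end
            pos = len(f.raw) - self.offset
        else:                      # "start" counts from byte 0, "header" from the end of the Ethernet header
            pos = self.offset + (ETHERNET_HEADER_LEN if self.anchor == "header" else 0)
        return pos >= 0 and f.raw[pos:pos + len(self.data)] == self.data


@dataclass
class CaptureFilter:
    etypes: set = field(default_factory=lambda: {ETYPE_IP})   # protocol line: IP only
    pairs: list = field(default_factory=list)
    patterns: list = field(default_factory=list)

    def add_pair(self, pair: AddressPair) -> None:
        if len(self.pairs) >= MAX_ADDRESS_PAIRS:
            raise ValueError("a capture filter holds at most four address pairs")
        self.pairs.append(pair)

    def accepts(self, f: Frame) -> bool:
        # 1. Protocol line: the frame's EtherType must be enabled.
        if f.ethertype not in self.etypes:
            return False
        # 2. EXCLUDE pairs are tested first, whatever order they were entered in;
        #    a frame matching one is discarded without consulting the INCLUDE pairs.
        if any(p.matches(f) for p in self.pairs if p.action == "EXCLUDE"):
            return False
        # 3. If any INCLUDE pairs exist, at least one of them must match.
        includes = [p for p in self.pairs if p.action == "INCLUDE"]
        if includes and not any(p.matches(f) for p in includes):
            return False
        # 4. Every pattern match must hold at its stated offset.
        return all(pat.matches(f) for pat in self.patterns)


# Constructed sample: three hosts, and payloads whose first 40 bytes stand in for the
# IPv4 and TCP headers, so application data begins 40 bytes past the Ethernet header.
HOST_A, HOST_B, HOST_C = "00:a0:c9:00:00:01", "00:a0:c9:00:00:02", "00:a0:c9:00:00:03"
HTTP_PAYLOAD = bytes(40) + b"GET /index.html"
OTHER_PAYLOAD = bytes(40) + b"not a request"


def build_sample_filter() -> CaptureFilter:
    flt = CaptureFilter()
    flt.add_pair(AddressPair(HOST_A, "<->", ANY, "INCLUDE"))    # entered first...
    flt.add_pair(AddressPair(HOST_A, "->", HOST_C, "EXCLUDE"))  # ...yet still evaluated first
    flt.patterns.append(Pattern(b"GET ", 40, anchor="header"))
    return flt


def run_sample() -> list:
    flt = build_sample_filter()
    frames = [
        make_frame(HOST_A, HOST_B, ETYPE_IP, HTTP_PAYLOAD),   # A->B request: kept
        make_frame(HOST_A, HOST_C, ETYPE_IP, HTTP_PAYLOAD),   # A->C: EXCLUDE wins over INCLUDE
        make_frame(HOST_C, HOST_A, ETYPE_IP, HTTP_PAYLOAD),   # C->A: the exclude is one-way, so kept
        make_frame(HOST_B, HOST_C, ETYPE_IP, HTTP_PAYLOAD),   # A not involved: no INCLUDE match
        make_frame(HOST_A, HOST_B, ETYPE_ARP, bytes(28)),     # ARP: rejected by the protocol line
        make_frame(HOST_A, HOST_B, ETYPE_IP, OTHER_PAYLOAD),  # "GET " absent at the stated offset
    ]
    return [flt.accepts(f) for f in frames]


if __name__ == "__main__":
    print(run_sample())   # [True, False, True, False, False, False]
```

Step 2 of `accepts` is the whole point of the EXCLUDE rule: the A->C frame satisfies the INCLUDE pair, but it is never tested against it because the EXCLUDE pair already discarded it. Reversing the direction (C->A) escapes the one-way exclude and the frame is kept.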

Displaying Captured Data

To simplify data analysis, Network Monitor interprets raw data collected during the capture and displays it in the Capture window. To display captured information in the Capture window, click Stop And View on the Capture menu while the capture is running. You can also display the Capture window by opening a file with the .cap extension. If you have stopped a capture, you can view the data in the Capture window by selecting Display Captured Data from the Capture menu, clicking the glasses toolbar icon, or pressing F12.

Figure 26.8 shows the key elements in the Capture window.

Figure 26.8 Capture window in Network Monitor

Using Display Filters

You can use a display filter to determine which frames to display. Like a capture filter, a display filter functions like a database query, allowing you to single out specific types of information. But because a display filter operates on data that has already been captured, it does not affect the contents of the Network Monitor capture buffer.

You can filter a frame using the following information:

  • The source or destination address of the frame
  • The protocols used to send the frame
  • The properties and values contained in the frame (A property is a data field within a protocol header. A protocol's properties indicate the purpose of the protocol.)

The capture window must have the focus in Network Monitor for the Display Filter dialog box to appear. Figure 26.9 shows the Display Filter dialog box, which is accessed from the Display menu, by pressing F8, or by clicking the funnel toolbar icon.

Figure 26.9 Display Filter dialog box

To design a display filter, specify decision statements in the Display Filter dialog box. Information in the Display Filter dialog box is in the form of a decision tree, which is a graphical representation of a filter's logic. When you modify display filter specifications, the decision tree reflects these modifications. You must click OK to save the specified decision statement and add it to the decision tree before adding another decision statement.

Although capture filters are limited to four address filter expressions, display filters are not. With display filters, you can also use AND, OR, and NOT logic. When you display captured data, all available information about the captured frames appears in the Frame Viewer window. To display only those frames sent by a specific protocol, edit the Protocol line in the Display Filter dialog box.

Protocol properties are information that defines a protocol's purpose. Because the purpose of protocols varies, properties differ from one protocol to another. Suppose, for example, that you have captured a large number of frames that use the Server Message Block (SMB) protocol but you want to examine only those frames in which the SMB protocol was used to create a directory on your computer. In this instance, you can single out frames where the SMB command property is equal to the Make Directory command.

When you display captured data, all addresses from which information was captured appear in the Frame Viewer window. To display only those frames originating from a specific computer, edit the ANY <-> ANY line in the Display Filter dialog box.
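The display filter behaviour described above (property tests, AND/OR/NOT logic, no four-pair limit, and no effect on the capture buffer) can be made concrete with a small evaluator. The Python below is an added example that is not part of the lesson or of Network Monitor: it decodes a constructed set of frames into property dictionaries, reads the command byte from the SMB header, and selects the Make Directory requests sent by a list of clients. The hosts and frames are constructed, the property names are this example's own rather than Network Monitor's parser names, only the command byte of the SMB header is decoded, and every non-SMB frame is simply labelled IP.

```python
ANY = "ANY"
SMB_COM_CREATE_DIRECTORY = 0x00   # "Make Directory" command code in the SMB (CIFS) header
SMB_COM_CLOSE = 0x04              # a different SMB command, used for contrast
SMB_MAGIC = b"\xffSMB"            # the four bytes that open every SMB header


def decode(src: str, dst: str, payload: bytes) -> dict:
    """Stand-in for Network Monitor's parsing: turn a frame into a dictionary of
    properties (protocol header fields) that display filter expressions can test."""
    props = {"src": src, "dst": dst, "protocol": "IP"}
    if payload.startswith(SMB_MAGIC) and len(payload) >= 5:
        props["protocol"] = "SMB"
        props["smb.command"] = payload[4]   # the command byte follows the magic
    return props


# Property and address tests; each returns a predicate over a decoded frame.
def prop(name: str, value):
    return lambda f: f.get(name) == value


def addr(a: str, b: str):
    """Either-direction address pair, with ANY as wildcard (the ANY <-> ANY line)."""
    return lambda f: ((a in (ANY, f["src"]) and b in (ANY, f["dst"]))
                      or (a in (ANY, f["dst"]) and b in (ANY, f["src"])))


# The boolean combinators the Display Filter dialog box offers.
def AND(*preds): return lambda f: all(p(f) for p in preds)
def OR(*preds):  return lambda f: any(p(f) for p in preds)
def NOT(pred):   return lambda f: not pred(f)


def apply_display_filter(frames: list, expr) -> list:
    """Return the frames that satisfy expr. The captured list is left untouched:
    a display filter changes what is shown, not what is in the capture buffer."""
    return [f for f in frames if expr(f)]


# Constructed capture: a file server talking to several clients.
HOST_S = "00:a0:c9:00:00:10"
CLIENTS = ["00:a0:c9:00:00:2%d" % i for i in range(1, 6)]   # five clients
STRANGER = "00:a0:c9:00:00:99"


def sample_capture() -> list:
    mkdir = SMB_MAGIC + bytes([SMB_COM_CREATE_DIRECTORY]) + bytes(28)
    close = SMB_MAGIC + bytes([SMB_COM_CLOSE]) + bytes(28)
    return [
        decode(CLIENTS[0], HOST_S, mkdir),            # 0: client 1 creates a directory
        decode(CLIENTS[1], HOST_S, close),            # 1: client 2 closes a file
        decode(CLIENTS[2], HOST_S, mkdir),            # 2: client 3 creates a directory
        decode(HOST_S, CLIENTS[0], b"\x45" + bytes(39)),  # 3: plain IP, no SMB header
        decode(CLIENTS[3], HOST_S, mkdir),            # 4: client 4 creates a directory
        decode(STRANGER, HOST_S, mkdir),              # 5: host not in the client list
    ]


def mkdir_frames_from_clients(frames: list) -> list:
    """SMB Make Directory requests from any listed client except client 3.
    The five address terms in the OR already exceed a capture filter's four-pair limit."""
    expr = AND(
        prop("protocol", "SMB"),
        prop("smb.command", SMB_COM_CREATE_DIRECTORY),
        OR(*[addr(c, HOST_S) for c in CLIENTS]),
        NOT(addr(CLIENTS[2], ANY)),
    )
    return apply_display_filter(frames, expr)


if __name__ == "__main__":
    capture = sample_capture()
    for f in mkdir_frames_from_clients(capture):
        print(f["src"], "->", f["dst"], "SMB command", f["smb.command"])
    print(len(capture), "frames still in the capture buffer")
```

Because the predicates are plain functions, any combination of address, protocol and property tests can be nested without the limits that apply to a capture filter, and the original list of captured frames is never modified.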

Network Monitor Performance Issues

Network Monitor creates a memory-mapped file for its capture buffer. For best results, make sure you create a capture buffer large enough to accommodate the traffic you need.

In addition, although you cannot adjust the frame size, you can store only part of each frame, thereby reducing the amount of wasted capture buffer space. For example, if you are interested only in the data in the frame header, set the frame size (in bytes) to the size of the frame header. Network Monitor then discards the remaining frame data as it stores frames in the capture buffer, using less capture buffer space.

Running Network Monitor in the background is a way to reduce the amount of system resources necessary to operate the program. To run Network Monitor in the background, choose Dedicated Capture Mode from the Capture menu. This is one strategy to reduce resource use if network packets are being dropped rather than captured.

Lesson Summary

In this lesson you learned that Network Monitor allows you to view and detect problems on networks. It tracks network throughput in terms of captured network traffic. Network Monitor monitors the network data stream on the local segment, which consists of all information transferred over the network segment at any given time. To capture frame data, Network Monitor and the Network Monitor driver must be installed on your Windows 2000 computer. The Network Monitor driver enables Network Monitor to receive frames from a network adapter. A capture filter functions like a database query. You can use it to specify the types of network information you want to monitor. To simplify data analysis, Network Monitor interprets raw data collected during the capture and displays it in the Frame Viewer window. You can use a display filter to specify what information you want to view in the Frame Viewer window. Like a capture filter, a display filter functions like a database query, allowing you to single out specific types of information.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244