Troubleshooting Lab


Network Monitor is one of the main tools used in Windows Server 2003 and Exchange Server 2003. It lets you see exactly what is happening on your network, right down to the bit level. You can identify the types of frames that are being transmitted or received by any computer, determine if a computer is excessively loaded, and analyze the traffic that is loading it. You can determine the proportions of broadcast, unicast, and multicast traffic on a network.

In this lab, you install the version of Network Monitor that comes with Windows Server 2003. This enables you to look at packets received or sent by the server (Server01) on which it is installed. You then use the tool to capture and examine packets between Server01 and Server02 and set up display filters to display the information you require. You can use a similar technique to set up a capture filter so that you capture only the information you want to look at.

You can view a subset of the data that you captured using Network Monitor by using a control known as a decision tree, which lets you specify what you want to see using Boolean logic. This process is not as complex as it sounds. For example, you can specify that you only want to view frames that use Transmission Control Protocol (TCP), or you can specify that you want to see all the captured frames except those that use TCP. You can specify that you want to view only the frames sent to a specified host or received from that host. You can combine conditions so that, for example, you view only TCP frames that are sent to the specified host.

Decision trees and Boolean logic are best explained by using them. This lab introduces you to both.

Before you begin this lab, ensure that your test network is set up as described in the "Before You Begin" section of this chapter. You also need to have a Windows Server 2003, Enterprise Edition installation CD in hand.

Exercise 1: Install and Use Network Monitor

To install and use Network Monitor, perform the following steps:

  1. On Server01, insert the Windows Server 2003, Enterprise Edition, installation CD.

  2. Open the Command console, type ipconfig /all, and then press ENTER. Note the Physical Address (the Media Access Control, or MAC, address) of Local Area Connection.

  3. Open Add/Remove Programs in Control Panel.

  4. Select Add/Remove Windows Components.

  5. In the Windows Components Wizard, select Management And Monitoring Tools, and then click Details.

  6. Select the Network Monitor Tools check box, and then click OK. When Network Monitor is installed, close Add/Remove Programs.

    Note

    Installing Network Monitor tools automatically installs the Network Monitor driver.

  7. Access Start\Programs\Administration Tools, and then select Network Monitor.

  8. Because this is the first time Network Monitor has been accessed, you are prompted to select a network. Expand Local Computer, click Local Area Connection, check that the MAC address is as recorded, and then click OK.

  9. The Network Monitor capture window appears. On the Capture menu, click Start.

  10. Open Outlook on Server01.

  11. Send an e-mail to administrator@contoso.com (where contoso.com is the domain in which you have installed Server02). In the body of the message, type Now is the time for all good men to come to the aid of the party.

  12. Ping Server02 by fully qualified domain name (FQDN) and by IP address.

  13. On the Network Monitor Capture menu, click Stop And View. The Network Monitor capture summary window appears.

  14. On the Display menu, click Colors. Select ICMP, choose a foreground color (for example, red) and then click OK. All ICMP frames are then displayed in that color.

  15. Double-click the first frame on the list. Your screen should look similar to Figure 13-15. This shows (from the top) the Summary, Detail, and Hex panes.

    Figure 13-15: The Summary, Detail, and Hex panes in Network Monitor

  16. Scroll down through the entries in the Summary pane. You will find the e-mail message you sent on the Hex pane in a TCP frame, as shown in Figure 13-16.

    Figure 13-16: Frame containing e-mail message text

  17. In the Detail pane, expand IP and scroll through the details. You can, for example, identify the source and destination addresses in the frame.

  18. Save your capture by clicking Save As in the File menu and specifying a file name. By default, the capture is saved as a .cap file. If you start a new capture or attempt to exit Network Monitor without saving your capture, you will be prompted to save it.

    Note

    Only a small number of frames are captured in this procedure. If you had captured a large number, possibly over an extended period, then color highlighting might not be an adequate method of viewing the frames associated with a particular protocol. In this case, you can specify a display filter so that only frames that meet specific criteria are displayed. You can use the capture you saved to demonstrate this technique.

  19. To configure a display filter, open the capture file you have just created from the Network Monitor File menu. Note that you could have continued the exercise without saving and reloading the file, but it is good practice to save the files you are working with.

  20. On the Display menu, click Filter.

  21. In the Display Filter dialog box, click Expression and select the Protocol tab.

  22. Click Disable All.

  23. In the Disabled Protocols box, select TCP.

  24. Click Enable.

  25. Click OK. Click OK again to close the Display Filter dialog box. Network Monitor will now display only TCP frames, as shown in Figure 13-17.

    Figure 13-17: Filtering out all frames except TCP frames

    Note

    Disabling a protocol does not always result in that protocol's frames not appearing in Network Monitor capture screens. A protocol that contains subprotocols, for example, the Service Message Block (SMB) protocol, will still be displayed if its subprotocols remain enabled.

  26. If you want to display all the frames except TCP frames at this point, access the Display Filter dialog box, select the TCP protocol line in the decision tree, click NOT, and then click OK. To return to the previous filter, access the Display Filter dialog box and double-click the NOT box beside the protocol until it displays AND.

  27. To refine the protocol filter still further by filtering by specific properties, such as source IP address or source MAC address, select Filter from the Display menu on the Network Monitor capture summary screen.

  28. In the Display Filter dialog box, click Expression.

  29. Select the Address tab, and set the condition that Station 1 is specified by the IP address of Local Area Connection on Server01. Also highlight the single arrow in the Direction pane, as shown in Figure 13-18.

    Figure 13-18: Filtering by IP address and direction

  30. Click OK. Click OK again to exit the Display Filter dialog box. Network Monitor will now display only the TCP frames that Server01 transmits onto the internal network. It will not, for example, display frames sent from Server02 to Server01.

  31. On the Display menu, select Filter and highlight the filter condition that you created. In the Delete section, click Line, and then click OK. The capture summary screen will now display all captured frames.

  32. To display all the traffic between your server and one particular host on the network, whatever protocols are used, and to filter out traffic to and from other hosts, click Filter on the Display menu.

  33. In the Display Filter dialog box, click Expression.

  34. In the Expression dialog box, select the Address tab, and then click Edit Addresses.

  35. Click Add, and add the IP address of Server02, as shown in Figure 13-19. Click OK, and then click Close.


    Figure 13-19: Specifying an address for filtering

  36. Select two-way traffic where Station 1 is specified by the MAC address of Local Area Connection on Server01 and Station 2 by the host IP address that you've just added, as shown in Figure 13-20. Click OK. Click OK again to close the Display Filter dialog box.

    Figure 13-20: Specifying two-way traffic between Server01 and Server02

  37. Check that the frames displayed contain traffic between Server01 and Server02.

  38. On the Display menu, click Filter. Highlight and delete the line you've just added to the decision tree.

  39. Repeat the filter setup to display the broadcast traffic that your server puts on your subnet. Select the MAC address of Local Area Connection on Server01 for Station 1, the single arrow, and the broadcast address for Station 2. Check that only broadcast frames are displayed.

  40. Close Network Monitor.

    Tip

    The display filter decision tree is a very powerful and flexible tool. If you are familiar with Boolean logic, you can set up some very sophisticated filter criteria using this tool. The only way to learn this technique is by practice.
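The display-filter decision tree that the overview describes and that steps 20 through 39 build by hand, modelled as an added example (it is not part of the original lab and is not Network Monitor code): protocol expressions, address expressions with a single or double arrow, and AND/NOT nodes, evaluated over a constructed six-frame capture. The MAC and IP addresses, the frame list, and the rule that a station matches either the MAC or the IP field of a frame are assumptions made for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Frame:
    """One captured frame, reduced to the fields the display filter looks at."""
    src_mac: str
    dst_mac: str
    src_ip: "str | None"           # None for frames with no IP header (ARP)
    dst_ip: "str | None"
    protocols: tuple               # protocol stack, outermost first

BROADCAST = "FF-FF-FF-FF-FF-FF"    # Ethernet broadcast address
ANY = None                         # the "ANY" station in the Address tab
def protocol(name):
    """Protocol tab: frame passes if the named protocol is anywhere in its stack."""
    return lambda f: name in f.protocols

def _at(station, mac, ip):         # assumption: a station matches the MAC or the IP field
    return station is ANY or station in (mac, ip)
def address(station1, station2=ANY, two_way=False):
    """Address tab: single arrow is Station 1 -> Station 2, double arrow is either way."""
    def test(f):
        forward = _at(station1, f.src_mac, f.src_ip) and _at(station2, f.dst_mac, f.dst_ip)
        reverse = _at(station2, f.src_mac, f.src_ip) and _at(station1, f.dst_mac, f.dst_ip)
        return forward or (two_way and reverse)
    return test
# Decision-tree nodes; NOT is what double-clicking the AND/NOT box toggles.
def AND(*exprs): return lambda f: all(e(f) for e in exprs)
def OR(*exprs): return lambda f: any(e(f) for e in exprs)
def NOT(expr): return lambda f: not expr(f)
def apply_filter(tree, frames):
    """Frame numbers (1-based, as in the Summary pane) that the tree lets through."""
    return [n for n, f in enumerate(frames, 1) if tree(f)]

# Constructed capture standing in for the lab's Server01/Server02 exchange.
S01_MAC, S01_IP, S02_MAC, S02_IP = "00-0C-29-00-00-01", "192.168.1.1", "00-0C-29-00-00-02", "192.168.1.2"
DNS_MAC, DNS_IP = "00-0C-29-00-00-53", "192.168.1.53"
CAPTURE = (
    Frame(S01_MAC, BROADCAST, None, None, ("ETHERNET", "ARP_RARP")),            # 1 ARP who-has
    Frame(S01_MAC, DNS_MAC, S01_IP, DNS_IP, ("ETHERNET", "IP", "UDP", "DNS")),  # 2 FQDN lookup
    Frame(S01_MAC, S02_MAC, S01_IP, S02_IP, ("ETHERNET", "IP", "TCP", "SMTP")), # 3 e-mail body
    Frame(S02_MAC, S01_MAC, S02_IP, S01_IP, ("ETHERNET", "IP", "TCP", "SMTP")), # 4 SMTP reply
    Frame(S01_MAC, S02_MAC, S01_IP, S02_IP, ("ETHERNET", "IP", "ICMP")),        # 5 ping request
    Frame(S02_MAC, S01_MAC, S02_IP, S01_IP, ("ETHERNET", "IP", "ICMP")),        # 6 ping reply
)

tcp_only = protocol("TCP")                               # step 25
not_tcp = NOT(protocol("TCP"))                           # step 26
tcp_from_s01 = AND(protocol("TCP"), address(S01_IP))     # steps 29-30: Station 1 -> ANY
between = address(S01_MAC, S02_IP, two_way=True)         # step 36
bcast_from_s01 = address(S01_MAC, BROADCAST)             # step 39
```

Combining nodes is where the Boolean logic pays off: AND(protocol("IP"), NOT(address(S01_IP, S02_IP, two_way=True))) keeps only IP traffic that is not part of the Server01/Server02 conversation, which on this capture is the DNS lookup alone.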




MCSA/MCSE Self-Paced Training Kit (Exam 70-284): Implementing and Managing Microsoft® Exchange Server 2003 (Pro-Certification)
ISBN: 0735618992
Year: 2003
Pages: 221
