Network Monitoring in Windows Server 2003


Windows Server 2003 comes with a tool called Network Monitor that is used to perform network communications traffic analysis. Network Monitor, also known as Netmon, provides network utilization statistics and packet traffic as well as captures frames for analysis.

Note

In addition to Network Monitor and some of the tools already mentioned, such as EventCombMT and Checkrepl.vbs, there are other utilities in the Windows Server 2003 Resource Kit that can assist in analyzing and diagnosing network-related functions. Two tools, the Link Check Wizard and Chknic, should be added to your arsenal, especially for troubleshooting.


Data is transferred all the time from one point to another in the form of network traffic that is divided into frames. A frame contains information such as the address of the machine for which it is destined, the source address, and the protocols carried within the frame. Bottlenecks occur not only on the server but also on the network itself when it is overwhelmed. For example, a failing network adapter can flood the network with invalid transmissions that slow the rate of data transfer between other devices on the network. When the network becomes slow in this way, it is said to have reduced available network bandwidth.

Netmon can be viewed as both a network troubleshooting tool and a packet analysis tool. The version of Netmon that comes with Windows Server 2003 allows only the capture of frames sent to and from your local server. The full-featured version of Network Monitor that provides enterprisewide network monitoring, allowing network traffic to be monitored or analyzed to and from any computer in the network, can be found in the Microsoft Systems Management Server (SMS).

Understanding How Netmon Works

All computers on a network segment can receive and send frames within their segments. Network adapters on these computers process only frames meant for them; they discard all frames not addressed to them. These network adapters also retain broadcast and multicast frames.

After Netmon is installed, you can capture to a file all the frames sent to or retained by the adapter on which Netmon was installed. These captured frames can then be used for later analysis. It is possible to set up a capture filter so that only certain frames are captured. Frames can be filtered based on criteria such as source address, destination address, type of information captured, or the like. Capture triggers can also be set up to initiate certain actions such as starting a program, starting a capture, or ending a capture based on a specific event occurring on the network.

Installing Netmon

Before Netmon can be used, it must be installed from the Control Panel. To install Netmon, follow these steps:

1. Open the Control Panel.

2. Click Add or Remove Programs.

3. Click Add/Remove Windows Components to open the Windows Components Wizard.

4. Select Management and Monitoring Tools and click Details.

5. Check Network Monitor Tools and then click OK.

6. Click Next and, if prompted for additional files, insert the installation CD.

7. Click Finish at the end of the installation.

Go to the Administrative Tools and select Network Monitor to open the utility. After Netmon is loaded, you can capture all frames sent to or retained by the network adapter of the machine on which it is installed. These captured frames can then be saved or viewed for further analysis.

The Netmon application, shown in Figure 34.10, provides several types of information. The capture window display is divided into three parts: system statistics, network and captured statistics, and station statistics.

Figure 34.10. The Network Monitor console.


In the upper-left pane is the Netmon graph. It shows current activity on the network as horizontal bars. The Total Statistics pane, located in the upper right, displays the total network activity detected since the capture began. The Session pane, located in the lower left, shows the sessions established between pairs of nodes. The Station Statistics pane, at the bottom, shows statistics about frames sent and received on a per-node basis. It has several fields, such as Frames and Bytes Sent and Received, Directed Frames Sent, Multicasts Sent, Broadcasts Sent, and the network address (local server) responsible for the traffic. The Station Statistics pane can also help you identify the largest broadcaster on a network; to do so, right-click the Broadcasts Sent column and then click the Sort button.

Capturing Frames Within Netmon

Before you start capturing frames, make sure to select a network adapter from the Capture menu (typically the primary network adapter of the system being monitored). Also select buffer settings from the Capture menu. To begin capturing, click the Start Capture button (it looks like the play button on a cassette tape recorder), or press the F10 key. The capture fills the buffer with frames until it is full, so capture only the frames you need and only over a short period of time. This reduces the effect that Network Monitor has on the performance of the server being monitored. To stop, pause, or display captured data, select Stop, Pause, or Display Captured Data from the Capture menu. You can also stop and display the capture in one step by clicking Stop and View. To save captured frames for future analysis, select File, Save As and specify a path and filename.

To set a capture trigger, select Capture, Trigger to open a property page similar to the one shown in Figure 34.11. On the Capture Trigger property page, select Pattern Match to initiate a trigger action when a specific hexadecimal or ASCII string appears in a frame. In the Pattern text box, type a string and specify ASCII or Hex. It is possible to have an action occur whenever there is a trigger. To do so, select Audible Signal Only to have the machine beep, select Stop Capture to stop the capture, or check Execute Command Line and specify the command or program that runs when a trigger occurs.

Figure 34.11. The Capture Trigger property page.


To initiate a trigger based on how much of the capture buffer has been used, select Buffer Space and then choose the percentage. To initiate a trigger only when a specific pattern is detected in a frame after the buffer has reached a given percentage, select Buffer Space Then Pattern Match and specify both the percentage and the pattern. The same trigger actions described above apply in each case.

Using the Capture Filter

Filtering can help reduce the amount of data being reviewed and analyzed. A capture filter can be specified based on addresses, protocols, and frame data patterns. To set up a filter, select File, Capture, Filter.

To capture data based on specified frame data patterns, double-click the AND (Pattern Matches) line in the Capture Filter decision tree and then specify the hexadecimal or ASCII data pattern that captured frames should match.

To specify a capture filter based on address pairs similar to the ones shown in Figure 34.12, double-click the AND (Address Pairs) line in the decision tree, or double-click an existing address pair to edit it. In the Address Expression dialog box, specify the address pair properties, and then click OK.

Figure 34.12. Selecting address pairs on the capture filter.


Captured data can be displayed by selecting File, Capture, Display Captured Data. You'll see a summary page similar to the one shown in Figure 34.13. The captured data displays the frame, time duration, source MAC address, destination MAC address, protocol, and so on.

Figure 34.13. The Capture summary page.


Note

In a capture filter, the EXCLUDE statement takes precedence over the INCLUDE statement regardless of the order in which statements appear in the Capture Filter property page. If a filter contains both the INCLUDE and EXCLUDE statements, the frame is discarded if it meets the criteria specified in the EXCLUDE statement. Network Monitor does not check whether the frame meets the INCLUDE statement criteria.
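The capture-trigger pattern match described earlier and the Note's EXCLUDE-over-INCLUDE rule, modelled as a small added example that is not part of the book or of Network Monitor itself; the Frame and CaptureFilter types, the sample MAC addresses and frame contents, and a buffer counted in frames are assumptions made for illustration.

```python
# Added example (not the book's code): a model of the Netmon capture-filter and trigger rules.
from dataclasses import dataclass, field

@dataclass
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address
    data: bytes   # frame contents the data pattern is matched against

@dataclass
class CaptureFilter:
    include_pairs: set = field(default_factory=set)  # INCLUDE address pairs
    exclude_pairs: set = field(default_factory=set)  # EXCLUDE address pairs
    pattern: bytes = b""                              # hex/ASCII data pattern
    offset: int = 0                                   # where in the frame it must appear

def pattern_matches(frame, pattern, offset=0):
    """True when the pattern appears at the given offset of the frame data."""
    return bool(pattern) and frame.data[offset:offset + len(pattern)] == pattern

def pair_matches(frame, pairs):
    """Address pairs are modelled as bidirectional (<-->), Netmon's default."""
    return (frame.src, frame.dst) in pairs or (frame.dst, frame.src) in pairs

def keep_frame(frame, flt):
    """EXCLUDE wins over INCLUDE regardless of statement order (see the Note above)."""
    if pair_matches(frame, flt.exclude_pairs):
        return False          # discarded without ever checking INCLUDE
    if flt.include_pairs and not pair_matches(frame, flt.include_pairs):
        return False
    return not flt.pattern or pattern_matches(frame, flt.pattern, flt.offset)

def capture(frames, flt):
    return [f for f in frames if keep_frame(f, flt)]

def trigger_index(frames, mode, pattern=b"", buffer_pct=100, buffer_frames=100):
    """Index of the frame that fires the trigger ('pattern', 'buffer' or
    'buffer_then_pattern'), or None; buffer use is assumed to be counted in frames."""
    for i, f in enumerate(frames):
        buffer_hit = 100 * (i + 1) // buffer_frames >= buffer_pct
        pat_hit = pattern_matches(f, pattern)
        if (mode == "pattern" and pat_hit) or (mode == "buffer" and buffer_hit) \
                or (mode == "buffer_then_pattern" and buffer_hit and pat_hit):
            return i
    return None

# Constructed sample capture: three stations plus broadcast traffic.
A, B, C, BCAST = "00-11-22-AA-AA-AA", "00-11-22-BB-BB-BB", "00-11-22-CC-CC-CC", "FF-FF-FF-FF-FF-FF"
SAMPLE_FRAMES = [Frame(A, B, b"GET /index.html"), Frame(B, A, b"HTTP/1.1 200 OK"),
                 Frame(C, BCAST, b"ARP who-has"), Frame(C, A, b"GET /login"),
                 Frame(A, BCAST, b"ARP who-has"), Frame(C, BCAST, b"ARP who-has")]
```

With both an INCLUDE and an EXCLUDE pair naming station C and A, the C-to-A frame is dropped even though it also matches the INCLUDE statement.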


Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499
