Using Network Monitor

You use Network Monitor to capture and display statistics about the frames that a server receives from the LAN. Network Monitor helps you troubleshoot networking problems and analyze network traffic. You can install Network Monitor only on a server.

Network Monitor consists of two components—Network Monitor itself and the Network Monitor driver—both of which must be installed on the server that is running Network Monitor so that you can capture frames. The Network Monitor driver enables Network Monitor to receive frames from the network adapter. The driver can be installed only on machines running Windows 2000 Server or Windows 2000 Professional.

The Systems Management Server (SMS) version of Network Monitor 2.0 puts the network adapter in promiscuous mode, which means that the adapter reads all of the frames (packets) it receives over the network, instead of just the ones addressed to itself.

Network Monitor and the Network Monitor driver can be installed in one of two ways. You can install them both when you install the Windows 2000 Server operating system; or, at a later time, you can install Network Monitor by opening Add/Remove Programs in Control Panel and selecting Add/Remove Windows Components. You'll then need to install the Network Monitor driver separately by pointing to Network And Dial-up Connections on the Settings menu and then choosing Local Area Connection Properties.

A frame is a portion of information from the network data stream that has been divided into smaller pieces by the networking software and is sent out across the wire. Network Monitor makes it possible to capture frames directly from the network. It enables you to display, filter, save, and print the captured frames to help identify network traffic patterns and network problems. A frame contains the following items:

  • The source address of the machine that sent the frame. The source address is a unique hexadecimal number that identifies the sending machine.
  • The destination address of the machine that received the frame. The destination address is a unique hexadecimal number that identifies the receiving machine.
  • The header information for the protocol that sent the frame.
  • The actual data that was sent to the destination computer.

Network Monitor for Windows 2000 stores data captures to a temporary capture file. When you save the capture file, it is given the .CAP extension, and you can view the capture files within Network Monitor.

To isolate a specific subset of frames, you need to design a capture filter. The capture filter behaves like a database query used to isolate specific information. Frames can be filtered on the basis of several options that include protocols, protocol properties, and source and destination addresses. You can also set up a capture to respond to specific conditions by designing a capture trigger that is detected by Network Monitor.

Viewing the Frame Viewer Window

Before you start capturing frames, you must choose the correct network interface. It is important to note that all network interfaces, including modems, are included in the network interface list. To specify the network interface, in the Capture window, choose Networks from the Capture menu.

To capture frames from the Capture window, you have three options: you can click the Start Capture button on the toolbar, choose Start from the Capture menu, or press the F10 function key. To examine the frames, you need to stop the capture of the current session in one of three ways: by selecting Stop And View from the Capture menu, by clicking the Stop Capture button on the toolbar, or by pressing the F11 function key. If you don't select Stop And View, you can view the Frame Viewer window by pressing the F12 function key.

The Frame Viewer window is used to view the contents of the captured frames (Figure 33-17). You can view captured information by choosing Stop And View from the Capture menu during data capture. You can zoom into a specific pane in the Frame Viewer window by selecting the pane and then choosing Zoom Pane from the Windows menu. This action places a check mark next to the Zoom option in the Windows menu.

Figure 33-17. The Frame Viewer window.

The Frame Viewer window has three panes:

  • The summary pane displays general information about the captured frames in the order in which they were captured.
  • The detail pane displays the frames' contents, including the protocols used to send them.
  • The hex pane displays the ASCII and hexadecimal representation of the data that is captured.

Viewing the Capture Window

The statistics for the captured frames are displayed in the Capture window (Figure 33-18).

Figure 33-18. The Capture window.

The Capture window has four panes that display frame statistics:

  • The graph pane (the upper left pane in Figure 33-18) graphically displays the total capture statistics of current network activity, such as percentage of available network resources in use by the current capture and the number of frames, bytes, broadcasts, and multicasts that the network transmits every second. This pane is displayed in the upper left corner of the Capture window by default.
  • The session statistics pane (the middle left pane in the figure) displays statistics for current individual network sessions. Both participants in a session are identified, and information relating to the amount of information passed between them in either direction is displayed. The session statistics pane includes information such as the first participant's network address, labeled Network Address 1; the second participant's network address, labeled Network Address 2; the number of frames sent from the address listed as Network Address 1 to the address listed as Network Address 2, labeled 1->2; and the number of frames sent from the address listed as Network Address 2 to the address listed as Network Address 1, labeled 1<-2. Only the first 128 unique addresses are reflected in this pane, so it is best to design a capture filter if you need to capture statistics on a specific workstation. This pane is displayed in the center left section of the Capture window by default.
  • The station statistics pane (the bottom pane in the figure) displays statistics about activities that occur from or to the local machine running Network Monitor. This pane is displayed at the bottom of the Capture window by default and includes the network address from which the frames were captured; the number of frames and bytes sent from the network address; the number of frames and bytes received by the network address; and the number of directed frames, multicasts, and broadcasts sent from the network address to other computers on the network. As with the session statistics pane, only the first 128 unique addresses are reflected in this pane.
  • The total statistics pane (the right pane in the figure) summarizes statistics about overall network activity detected by Network Monitor from the time the current capture process began. Not all network adapter cards support all of the statistics displayed by this pane. The label for a statistic is replaced by the word "Unsupported" if the network adapter card doesn't support it. This pane is displayed in the upper right corner of the Capture window by default. The total statistics pane consists of five panels:
    • Network Statistics displays statistics about the total amount of traffic that has occurred since the current capture on Network Monitor began. These statistics include the total number of frames dropped and the total number of frames, broadcasts, multicasts, and bytes sent to the network. The network status is also displayed. The status is always Normal on an Ethernet network and reflects the status of the ring on a token ring network.
    • Captured Statistics displays statistics regarding the current capture that is running. These statistics include the total number of captured frames and bytes, the total number of frames and bytes in the temporary capture file, the percentage of allotted buffer space that is being utilized, the number of frames that were dropped by Network Monitor, and when the allotted buffer space was exceeded.
    • Per Second Statistics displays averages of current activity and is constantly updated to reflect per-second activity. All frames, even those excluded by a filter, are included in these statistics. The statistics displayed in this panel include the average percentage of network utilization and the average frames, bytes, broadcast messages, and multicast messages detected per second from the time the current capture process began.
    • Network Card (MAC) Statistics reflects the average activity detected by the network adapter from the time the current capture session began. These statistics include the total number of frames, broadcast frames, multicast frames, and bytes detected by the network adapter card.
    • Network Card (MAC) Error Statistics displays network adapter card errors that have occurred from the time the current capture session began. These statistics include the number of errors that occurred because the actual bytes received did not match the cyclical redundancy check (CRC) and the number of frames that were detected but dropped by the network adapter card, either because insufficient buffer space was available to Network Monitor or as a result of hardware constraints.
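Added example (not from the book or from Network Monitor itself): the counts behind the session statistics and station statistics panes, computed from a few constructed frames, including the 128-unique-address limit both panes apply.

```python
"""Session and station statistics, as the Capture window panes above
compute them, from a list of captured frames.  Added example, not part of
Network Monitor; frames and MAC addresses are constructed sample values."""

# Constructed frames: (source MAC, destination MAC, length in bytes).
FRAMES = [
    ("00A0C9000001", "00A0C9000002", 64),
    ("00A0C9000002", "00A0C9000001", 1514),
    ("00A0C9000001", "00A0C9000002", 128),
    ("00A0C9000003", "FFFFFFFFFFFF", 60),    # broadcast
    ("00A0C9000001", "01005E000001", 90),    # IP multicast group address
]

MAX_ADDRESSES = 128   # both panes reflect only the first 128 unique addresses


def is_broadcast(mac):
    return mac.upper() == "FF" * 6


def is_multicast(mac):
    # Group bit: least significant bit of the first octet (broadcast excluded).
    return not is_broadcast(mac) and int(mac[:2], 16) & 1 == 1


def session_statistics(frames, max_addresses=MAX_ADDRESSES):
    """Return {(addr1, addr2): {"1->2": n, "1<-2": n}}.
    Network Address 1 is the address seen first; broadcast and multicast
    destinations are not sessions between two participants."""
    order = []                      # unique addresses in first-seen order
    sessions = {}
    for src, dst, _ in frames:
        if is_broadcast(dst) or is_multicast(dst):
            continue
        for addr in (src, dst):
            if addr not in order:
                order.append(addr)
        if order.index(src) >= max_addresses or order.index(dst) >= max_addresses:
            continue                # beyond the pane's address limit
        pair = (src, dst) if order.index(src) < order.index(dst) else (dst, src)
        row = sessions.setdefault(pair, {"1->2": 0, "1<-2": 0})
        row["1->2" if pair[0] == src else "1<-2"] += 1
    return sessions


def station_statistics(frames, max_addresses=MAX_ADDRESSES):
    """Per-address counters matching the station statistics pane columns."""
    stats = {}

    def row(addr):
        if addr not in stats:
            if len(stats) >= max_addresses:
                return None         # address beyond the pane's limit
            stats[addr] = {"frames_sent": 0, "bytes_sent": 0,
                           "frames_recv": 0, "bytes_recv": 0,
                           "directed": 0, "multicast": 0, "broadcast": 0}
        return stats[addr]

    for src, dst, length in frames:
        sender = row(src)
        if sender is not None:
            sender["frames_sent"] += 1
            sender["bytes_sent"] += length
            if is_broadcast(dst):
                sender["broadcast"] += 1
            elif is_multicast(dst):
                sender["multicast"] += 1
            else:
                sender["directed"] += 1
        if not (is_broadcast(dst) or is_multicast(dst)):
            receiver = row(dst)
            if receiver is not None:
                receiver["frames_recv"] += 1
                receiver["bytes_recv"] += length
    return stats


if __name__ == "__main__":
    for pair, counts in session_statistics(FRAMES).items():
        print(pair[0], "1->2", counts["1->2"], "1<-2", counts["1<-2"], pair[1])
    for addr, counts in station_statistics(FRAMES).items():
        print(addr, counts)
```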

Configuring and Customizing Network Monitor

You must be logged on as a user with administrative rights to run Network Monitor. You can customize Network Monitor in a number of ways to meet your needs, as described in this section.

Modifying the Capture Buffer

The size of the capture buffer affects how much data is available for viewing in Network Monitor. If you set the buffer to 1 MB, Network Monitor will store only the last 1 MB of data.

To adjust the size of the capture buffer in Network Monitor, choose Buffer Settings from the Capture menu. You can adjust the Buffer Size (MB) or Frame Size (Bytes) options in the Capture Buffer Settings dialog box (Figure 33-19). The buffer size or frame size can be reduced if you find that your system becomes low on resources while you are capturing data with Network Monitor. Make sure that your buffer setting does not exceed the amount of physical memory you have available on your system because memory swapping can cause frames to be dropped.

Figure 33-19. The Capture Buffer Settings dialog box.

Displaying Address Names

To see address names instead of hexadecimal network addresses in Network Monitor, choose Show Address Names from the Options menu. A check mark appears next to Show Address Names when this option is active. This option is very helpful to the administrator because it causes Network Monitor to replace the hexadecimal network addresses of the computers from which the frames have been captured with their user-designated machine names.

Creating an Address Database

You might often need to capture frames that originated with or were sent to specific computers. To do this, you must know the addresses of the computers on the network. You can find the IP address of a computer in one of two ways: using the Ping command or using the mechanism that Network Monitor provides for associating the addresses of the network computers with their user-defined names. If you use the mechanism provided by Network Monitor, you can save the information to an address database once the association is made and later use the database to design display or capture filters.

To create an address database, choose Find All Names from the Display menu in the Frame Viewer window. The system might take a few minutes to process the information from the current frames. To display the addresses, choose Addresses from the Display menu of the Frame Viewer window (Figure 33-20). Save the database to a file if you want to use the addresses to design filters in the future.

Figure 33-20. The Address Database dialog box.

Displaying Adapter Card Vendor Names

To replace the hexadecimal computer addresses with the names of the vendors of the adapter cards on the computers from which frames have been captured, in Network Monitor, choose Show Vendor Names from the Options menu. When this option is active, a check mark appears next to it.

Adding a Protocol Parser

Network Monitor uses programs called protocol parsers to separate protocol information into smaller pieces to be able to act on the information. Each parser can parse one protocol or family of protocols. Parser DLLs from Network Monitor 1.2 can be added to Network Monitor 2.0. To add a protocol parser, take the following steps:

  1. While Network Monitor is not running, copy the parser file to the %SystemRoot%\System32\Netmon\Parsers folder. The parser file should have a .DLL extension.
  2. In the %SystemRoot%\System32\Netmon folder, find the Parser.ini file and open it. Enter the information about the parser you are adding in this file.
  3. Start Network Monitor, close any open Frame Viewer windows, and then choose Default Parsers from the Options menu.
  4. A window warning about disabling protocols through this option appears. Click Yes to continue.
  5. The currently enabled protocols are listed under Enabled Protocol Parsers in the Protocol Parsers dialog box (Figure 33-21). All of the parsers present in your %SystemRoot%\System32\Netmon\Parsers subfolder are enabled by default.

    Figure 33-21. The Protocol Parsers dialog box.

  6. The name of the parser you just added to the %SystemRoot%\System32\Netmon\Parsers folder appears under Disabled Protocol Parsers. Select the name, and then click Enable. The name of the protocol should move to the Enabled Protocol Parsers box.
  7. If you want the new parser to be included in the default configuration, select the Save As Default check box.

It is important to verify that the parser is working correctly. If the parser is handling frames properly, the Protocol column of the summary pane in the Frame Viewer window lists the protocol.

Adding a Comment Frame to a Capture

A comment frame is a very useful tool that you can use to add comments or other information to a capture file within the Network Monitor Frame Viewer. For example, you can use comment frames to mark the beginning and ending points for a group of packets. The Trail protocol is contained in the comment frame and includes such information as the bandwidth and the number of frames consumed.

To add a comment frame, choose Insert Comment Frame from the Tools menu, or right-click the Frame column at the point where you want to insert the comment frame and choose Insert Comment from the shortcut menu. The Insert Comment Frame dialog box appears (Figure 33-22). The options in this dialog box are as follows:

  • Frame Number The frame position where Network Monitor places the comment frame within the capture. The default frame number is the current location.
  • Type Of Frame To Insert The Comment or Bookmark protocol parser used to process the comment frame after the Trail protocol runs. The default parser is Comment.
  • No Statistics Disables statistical generation for the comment frame. This check box is selected by default.
  • Apply Current Filter To Statistics Calculates statistics using the current display filter. This check box is selected by default.
  • Enter In A Comment For This New Frame Indicates the comment text that you want to attach to the frame by using the protocol parser chosen in Type Of Frame To Insert.

Figure 33-22. The Insert Comment Frame dialog box.

Printing Captured Frames

To print captured frames, choose Print from the File menu in the Frame Viewer window. Select the desired output options in the Netmon tab in the Print dialog box (Figure 33-23). The Output Detail area enables you to specify the amount of detail you want to print for each of the frames. The choices presented to you include Print Frame Summary Lines, Print Protocol Details, and Print Hex Data. You can also set filters and add page breaks to the output.

Figure 33-23. The Netmon tab of the Print dialog box.

Capturing Network Data

To begin the process of capturing frames, you must open the Capture window of Network Monitor and choose Start from the Capture menu. Network Monitor then begins to capture frames sent from the local machine or sent to the local machine from the network data stream and copies those frames to a temporary capture file. To halt the data capture temporarily, choose Pause from the Capture menu. To stop the capture and display the captured frames, you must choose Stop And View from the Capture menu. This displays the Frame Viewer window so that you can examine the contents of the captured frames. Network Monitor displays the session statistics for only the first 100 unique network sessions. To view information for the next 100 unique network sessions, you must choose Clear Statistics from the Capture menu.

Designing a Capture Filter

A capture filter must be designed when Network Monitor is not running and no frames are being captured. You specify capture criteria to identify frames you want captured on the network. To design a capture filter, choose Filter from the Capture menu of the Capture window. You specify criteria to be used in the design of a capture filter expression through capture filter protocols, address pairs, and data pattern matches.

Specifying Capture Filter Protocols

You use filter protocols when you want to capture frames sent using a specific protocol. To design filter protocols, choose Filter from the Capture menu in the Capture window. Double-click the default line SAP/ETYPE = Any SAP Or Any ETYPE in the decision tree. As you disable protocols, the information in this line changes to reflect those changes. For example, if you disable the AppleTalk Address Resolution Protocol (ARP), the line changes to SAP/ETYPE = Other SAPs Or Other ETYPEs Or NOT AppleTalk ARP. You enable and disable protocols for use in the capture filter in the Capture Filter SAPs And ETYPEs dialog box. The default is to enable all of the protocols.

Specifying Address Pairs

You designate address pairs to capture only traffic sent to and from the specified computers or to exclude traffic between the specified computers. (One of the computers in an address pair must be the computer running Network Monitor.) You can specify up to three address pairs.

To designate address pairs, choose Filter from the Capture menu in the Capture window. Double-click the AND (Address Pairs) line in the decision tree, and specify address pair properties in the Address Expression dialog box. When an address pair is added, it is displayed under the AND (Address Pairs) line in the decision tree. You can edit or delete an address pair at any time by selecting the address pair name and then choosing Edit or Delete from the Capture Filter dialog box. You specify address pair properties in the following manner:

  1. Choose whether to include or exclude capture data that travels between the members of the address pair you want to create.
  2. Choose the first address from the Station 1 list box and the second address from the Station 2 list box. Which address becomes the originating address and which becomes the destination address depends on the arrow you select in the Direction list box.
  3. Choose one of the three arrows from the Direction list box to indicate the direction of the traffic between the two addresses:
    • <-> This arrow specifies capturing frames that travel in either direction between the Station 1 and Station 2 computers. This arrow is the default.
    • -> This arrow captures frames that travel from Station 1 to Station 2.
    • <- This arrow captures frames that travel from Station 2 to Station 1.
  4. You can modify the existing address database by clicking Edit Addresses and then adding, editing, or deleting information.

Broadcast and Multicast are always destination addresses.

Defining Pattern Matches

Pattern matches enable you to capture frames that consist of a specific pattern at a specified offset. You can define up to four pattern matches.

To specify data pattern matches, choose Filter from the Capture menu in the Capture window. Double-click the AND (Pattern Matches) line in the decision tree, and specify data pattern match properties in the Pattern Match dialog box (Figure 33-24). When you add a pattern match, it is displayed under the AND (Pattern Matches) line in the decision tree. You can edit or delete the pattern matches at any time by selecting the data pattern match name and then choosing Edit or Delete from the Capture Filter dialog box.

Figure 33-24. The Pattern Match dialog box.

To define pattern matches, enter the hexadecimal or ASCII data pattern that you want the captured frames to match. Then, in the Offset box, enter the hexadecimal number that specifies the byte where the pattern begins. Network Monitor interprets the number depending on whether you specify the From Start Of Frame option or the From End Of Topology Header option. The topology header is the section of the frame that is added by the network topology to identify the network type. Information such as the source and destination address of the frame is included in the topology header. For example, 14 bytes are added to the frame at the Ethernet layer for an Ethernet network. The number of topology header bytes varies in a token ring environment.
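Added example (not from the book or from Network Monitor): the same pattern and offset evaluated From Start Of Frame and From End Of Topology Header against a constructed Ethernet frame, using the 14-byte Ethernet header described above.

```python
"""Pattern matches with the offset counted From Start Of Frame or From End
Of Topology Header, as in the Pattern Match dialog described above.  Added
example, not Network Monitor code; the frame is constructed and the 14-byte
Ethernet topology header follows the text."""

ETHERNET_HEADER_LEN = 14      # 6 destination + 6 source + 2 EtherType

# Constructed Ethernet II frame carrying a minimal IPv4/TCP header.
FRAME = bytes.fromhex(
    "00a0c9000002"                # destination MAC (sample value)
    "00a0c9000001"                # source MAC (sample value)
    "0800"                        # EtherType 0x0800 = IP
    "450000280001000040060000"    # IPv4: ver/IHL, TOS, len, id, flags, TTL, proto=6 (TCP), checksum
    "c0a80001" "c0a80002"         # IPv4 source 192.168.0.1, destination 192.168.0.2
    "deadbeef"                    # payload bytes
)


def parse_pattern(text, ascii_mode=False):
    """Turn the dialog's pattern text into bytes (hex digits or ASCII)."""
    return text.encode("ascii") if ascii_mode else bytes.fromhex(text)


def pattern_matches(frame, pattern, offset, from_end_of_topology_header=False,
                    topology_header_len=ETHERNET_HEADER_LEN):
    """True if `pattern` occurs at byte `offset`, counted from the start of
    the frame or from the first byte after the topology header.  A pattern
    that would run past the end of the frame never matches."""
    start = offset + (topology_header_len if from_end_of_topology_header else 0)
    end = start + len(pattern)
    return end <= len(frame) and frame[start:end] == pattern


def match_both_ways(frame, pattern, offset):
    """Evaluate the same offset under both reference points."""
    return {
        "from_start_of_frame": pattern_matches(frame, pattern, offset, False),
        "from_end_of_topology_header": pattern_matches(frame, pattern, offset, True),
    }


if __name__ == "__main__":
    # 0x0C from the start of the frame is the EtherType; the same offset after
    # the topology header lands on the IPv4 source address.
    print(match_both_ways(FRAME, parse_pattern("0800"), 0x0C))
    # The IPv4 protocol byte sits at 0x09 past the Ethernet header, so a
    # "TCP only" pattern must use From End Of Topology Header.
    print(match_both_ways(FRAME, parse_pattern("06"), 0x09))
```

On a token ring segment the topology header length differs, so a filter written From End Of Topology Header keeps working there while one written From Start Of Frame does not.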

Setting a Capture Trigger

A capture trigger is used to set conditions that, when met, initiate an action. For example, you can set a trigger to stop data capture and cause a program or command file to execute when certain criteria are met. To set a capture trigger, follow these steps:

  1. Launch Network Monitor from the Administrative Tools folder and choose the area to monitor.
  2. Choose Trigger from the Capture menu to open the Capture Trigger dialog box (Figure 33-25).

    Figure 33-25. The Capture Trigger dialog box.

  3. Choose from the options in the Trigger On area:
    • Pattern Match When a specified hexadecimal or ASCII pattern match occurs, the trigger is engaged.
    • Buffer Space When a capture fills a specified percentage of the capture buffer, the trigger is engaged.
    • Pattern Match Then Buffer Space Causes Network Monitor to monitor the buffer space after the specified data pattern match occurs and then to engage the trigger function when both of the specified conditions exist.
    • Buffer Space Then Pattern Match Causes Network Monitor to detect when a capture has filled the specified percentage of buffer space and then to perform the trigger action when the specified data pattern match is detected.

    If you choose the Pattern Match Then Buffer Space option and set Buffer Space to 100 percent, the frame that has the data pattern match is overwritten by Network Monitor, because Network Monitor doesn't start counting the buffer space until after the pattern match has been found.

  4. In the Trigger Action area, choose the action you want to have occur when the trigger criteria are met:
    • Audible Signal Only When the trigger condition is met, the computer beeps and continues to capture frames. This is the default option.
    • Stop Capture When the trigger condition is met, the capture process ends.
    • Execute Command Line Enabling this check box causes a command line to execute or a file to open when the trigger condition is met. The command can be up to 259 characters.
  5. Click OK when you're finished.
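Added example (not from the book or from Network Monitor): a simulation of the capture buffer with the four Trigger On modes listed above, showing why Pattern Match Then Buffer Space at 100 percent no longer holds the matching frame when the trigger fires.

```python
"""Simulate the capture buffer and the four Trigger On modes listed above.
Added example, not Network Monitor code: the buffer is modelled as a fixed
number of frames (the real one is sized in MB) and the frames are constructed."""
from collections import deque

PATTERN_MATCH = "Pattern Match"
BUFFER_SPACE = "Buffer Space"
PATTERN_THEN_BUFFER = "Pattern Match Then Buffer Space"
BUFFER_THEN_PATTERN = "Buffer Space Then Pattern Match"


def run_capture(frames, pattern, mode, capacity, buffer_percent=100):
    """Feed frames through a circular capture buffer that keeps only the last
    `capacity` frames.  Returns (index of the frame on which the trigger
    fired, or None; the buffer contents at that moment)."""
    buf = deque(maxlen=capacity)        # oldest frame is dropped when full
    fill_target = capacity * buffer_percent / 100
    matched = False                     # pattern seen (Pattern Match Then Buffer Space)
    filled = False                      # target fill reached (Buffer Space Then Pattern Match)
    frames_since_match = 0              # counting starts only after the match
    for i, frame in enumerate(frames):
        buf.append(frame)
        hit = pattern in frame
        if mode == PATTERN_MATCH and hit:
            return i, list(buf)
        if mode == BUFFER_SPACE and len(buf) >= fill_target:
            return i, list(buf)
        if mode == PATTERN_THEN_BUFFER:
            if matched:
                frames_since_match += 1
                if frames_since_match >= fill_target:
                    return i, list(buf)
            elif hit:
                matched = True
        if mode == BUFFER_THEN_PATTERN:
            filled = filled or len(buf) >= fill_target
            if filled and hit:
                return i, list(buf)
    return None, list(buf)


def matching_frame_retained(frames, pattern, capacity, buffer_percent):
    """Is the frame that satisfied the pattern still in the buffer when
    Pattern Match Then Buffer Space fires?"""
    fired_at, contents = run_capture(frames, pattern, PATTERN_THEN_BUFFER,
                                     capacity, buffer_percent)
    return fired_at is not None and any(pattern in f for f in contents)


# Constructed capture: 20 frames, frame 5 carries the pattern.
SAMPLE = [f"frame{i}" for i in range(20)]
SAMPLE[5] = "frame5 MATCH"

if __name__ == "__main__":
    for pct in (50, 100):
        fired_at, contents = run_capture(SAMPLE, "MATCH", PATTERN_THEN_BUFFER, 8, pct)
        print(f"{pct}%: fired at frame {fired_at}, buffer = {contents}")
```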

Designing a Display Filter

A display filter acts on information that has already been captured and behaves in much the same way as a database query because it is used to specify the types of captured data you want to examine. You can indicate how much of the captured data you want displayed in the Frame Viewer window or what types of displayed data you want to save to a file, such as protocols and computer addresses.

The Display Filter dialog box helps you make changes to the display filter decision tree for the Frame Viewer window. The expression option is added to the display filter decision tree when you click OK. There are two default branches on the decision tree: the Protocol branch, which lists the protocols you want to display, and the Computer Address Pairs branch, which lists the computer address pairs you want to display. The sections that follow describe the various options available in the Display Filter dialog box.

Adding an Expression

The Expression option is found in the Add group of the Display Filter dialog box and is used to write or edit an expression to specify the protocols, protocol properties, and computer address pairs you want to display. Only one expression at a time can be added in the Expression dialog box. If you click the Protocol tab or the Property tab before you have saved the specified expression to the decision tree by clicking OK, you lose the expression. You can specify options for three categories, each of which is represented by a tab:

  • Address tab The Address tab, shown in Figure 33-26, is used to specify an address that you want to find or to add or edit an address expression within a display filter decision tree. You can also display this tab by double-clicking the default ANY line in the decision tree. Refer to the section entitled Specifying Address Pairs earlier in this chapter for information on how to design address pairs.

    Broadcast, Functional, and Multicast should be specified only as destination addresses. You filter out all frames if Broadcast or Multicast is used in the construction of an expression because they are always destination addresses.

    Figure 33-26. The Address tab of the Expression dialog box.

  • Protocol tab This tab, shown in Figure 33-27, is used to specify protocols you want to display in Frame Viewer or to specify protocols in the display filter decision tree. The Enabled Protocols and Disabled Protocols list boxes display the protocol names. You choose the protocols you want displayed by clicking the Disable, Enable, Disable All, and Enable All buttons. You can also see this tab by double-clicking the default Protocol line in the decision tree. The default is to enable all protocols.

    Figure 33-27. The Protocol tab of the Expression dialog box.

  • Property tab This tab, shown in Figure 33-28, specifies the protocol properties you want to find or allows you to add or edit a protocol property expression within the display filter decision tree. Follow these steps to design protocol properties:
    1. Choose the desired properties from the Protocol:Property box. If a plus sign appears next to a protocol name, you can expand the protocol to choose a property from its list.
    2. Choose a relational operator from the Relation list box. A relational operator is used to specify the connection between the protocol property and its possible values.
    3. Type the value that you want to use as a comparison to the selected property into the Value (Address) box.

    The Hex Offset box appears for some properties. This box is used to specify the number of hex digits from the beginning of the frame to the point where you want to look for the specified property.

    Figure 33-28. The Property tab of the Expression dialog box.

Inserting Operators

The Insert group box defines logical operators for the decision tree. The operators available to you are And, Or, and Not. Using them, you can specify up to 4000 decision tree operators.

Editing Expressions/Changing Operators

Edit Expression is used to edit an operator expression listed in the decision tree. It is not intended to edit address pairs, protocols, or protocol property expressions that are defined with the Add Expression option. The Edit Expression button changes to read Change Operator if you have an operator selected on the decision tree. This option allows you to toggle through the operator values.

Deleting Criteria

The Delete group box deletes decision criteria from the decision tree. The options available here are to delete a specific line, a specific branch, or the entire decision tree.



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320
