Windows IT Pro
Windows IT Library
Windows NT Network Monitor in Depth
View the book table of contents
Author: James Stewart
Published: April 1999
Copyright: 1999
Publisher: 29th Street Press
 


Abstract
This chapter explores in detail the built-in Windows NT Network Monitor, with instructions on how to use it to observe traffic moving in and out of any station where the Network Monitor Agent is installed. The chapter also covers Network Monitor graphs, statistics, and its use as a troubleshooting tool.

Windows NT Server is a network operating system (NOS) designed to be used in a client/server network. It’s no surprise that Microsoft included with NT a network-oriented monitoring utility, appropriately called Network Monitor. Network Monitor is a network packet capture and analysis tool.

Network Monitor is not a full-featured network sniffer, but it does offer functionality well worth your time. In this chapter, I review Network Monitor’s features, functions, controls, and commands. In addition, I offer suggestions and examples on how to use this tool in a production environment.


NETWORK MONITOR OVERVIEW

Network Monitor is used to observe the traffic on a network. Its primary features include the ability to capture data packets and to inspect the contents of captured packets. Network Monitor is a fairly limited network sniffer. The version of Network Monitor found on the NT Server 4.0 distribution CD is a scaled down version of the Network Monitor that is part of the Systems Management Server (SMS) package. (Later in the chapter, I discuss the differences between these two versions.) The most significant difference between the two is that the NT Server version of Network Monitor is limited to capturing data packets sent to or from its host server; it cannot capture packets communicated between other network members.

Network Monitor is a flexible tool with numerous configuration dialog boxes, functions, features, and capabilities. Because real-world uses of Network Monitor involve several aspects of the tool, let’s first review the functions and capabilities of the utility itself. Later in the chapter, you’ll find examples and solutions.

Network Monitor is not installed as a default component of NT Server, but must be added manually after the initial installation. Installation is simple, but be aware that in the list of services, two items have the name “Network Monitor”: Network Monitor Agent and Network Monitor Tools and Agent. Network Monitor Agent lets administration software read information about the network segment. Agent is required to read network-related statistics for both Performance Monitor and Network Monitor. If Network Monitor Agent is selected for installation, Network Monitor Tools and Agent is not installed. Once Network Monitor Agent is installed, both local and remote instances of Performance Monitor and Network Monitor (SMS version only) can read network segment data remotely.

Selecting Network Monitor Tools and Agent installs both the Agent and the utility itself. If you wish to use Network Monitor locally, install Tools and Agent. If you do not wish to use Network Monitor locally, install only Agent. Both Network Monitor items are installed via the Services tab of the Network applet from the Control Panel.

Warning: Two items have the name “Network Monitor”: Network Monitor Agent and Network Monitor Tools and Agent. Make sure you install the right one for your network monitoring needs.

Network Monitor functions by capturing packets into a memory buffer. Captured data can be saved to disk only after capturing has stopped. Network Monitor uses a memory cache to store captured packets, so the fastest capture routine can be used. If packets were saved to disk, Network Monitor would not be able to intercept every packet received by the network interface, because the disk subsystem can cause performance delays. However, the trade-off for a fast capture routine that doesn’t skip inbound packets is a limited buffer size. Network Monitor can only use a capture buffer up to 8 MB less than the total physical RAM installed on your server. By default, when the memory buffer is full, the oldest packet in the buffer is overwritten by newly captured data. The management defaults of the buffer are configurable to some extent. But in every case, you are limited in the amount of data that can be captured and inspected.

Network Monitor Display
When Network Monitor is launched, it displays a blank four-pane capture window (Figure 3.1).

In the default display area, each pane displays different information about the network traffic that is being monitored and captured. The panes are called graph, session stats, station stats, and total stats.

The graph pane (Figure 3.2) displays five thermometer bars that measure network activity. The top graph is % Network Utilization.

This graph pane indicates how much of the total network capacity is being used currently. For stable bandwidth connections (i.e., typical network connections), this bar has a maximum of 100 percent. However, for variable bandwidth connections, such as modems or devices using compression, this bar can have a maximum value greater than 100 percent.

The next graph is Frames Per Second, which displays the number of frames transmitted per second over your network. The next graph, Bytes Per Second, displays the amount of data transmitted per second over your network. Broadcasts Per Second displays the number of network broadcasts performed on your network every second. A broadcast is a frame transmission that is delivered to all computers on the network. The last graph in the graph pane, Multicasts Per Second, displays the number of multicasts performed on your network every second. (A multicast is a frame transmission that is delivered to a subset of all computers on the network.)

These graphs are updated in real time while capturing data. The number on the far right side of each graph indicates the maximum value achieved during the capture session; the middle number indicates the value of the last second of capture.

The session stats pane (Figure 3.3) tracks the number of sessions that occur during a capture.

A session is a period of time during which two computers transmit data from one to the other. The session stats pane displays statistics about all sessions that include the current host as either the source or the destination. The session statistics are displayed in a column format in which Network Address 1 and Network Address 2 contain the address of either the source or destination device. The Medium Access Control (MAC) address of the device’s network interface card is initially listed in these columns. When a NetBIOS name is encountered for that device, it replaces the MAC address to simplify the display. The 1 -> 2 and 2 <- 1 columns display the number of frames that were transmitted between the two devices. The sessions pane is able to record statistics about only the first 128 unique sessions it encounters. If you need to examine data within a specific session, you should use a capture filter to capture only the packets involved in the suspect session.

The station stats pane (Figure 3.4) displays a summary of device activity over the network.

Each identified unique network interface is listed with its own communications statistics. The station stats pane displays this information in a columnar display. The Network Address column initially lists the MAC address of the network interface until a suitable NetBIOS name is encountered. The Frames Sent and Frames Rcvd columns display the number of data frames sent and received by the network interface, respectively. Likewise, the Bytes Sent and Bytes Rcvd columns indicate the number of bytes transmitted by or accepted by the network interface. The Directed Frames Sent column displays the number of nonbroadcast and nonmulticast frames transmitted by the network interface. Multicasts Sent and Broadcasts Sent indicate the number of specialty transmissions the network interface initiated. Similar to the session stats pane, only the first 128 unique network interface addresses are listed. If data to or from a specific network address is important (i.e., you wish to inspect packet contents), you should use a capture filter.
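As an added example (not code from the book or from Network Monitor itself), the following Python model derives the station stats pane's per-interface counters from a stream of frames, including the 128-station limit. The frame list is constructed sample data, and treating broadcast and multicast destinations as non-stations (no row, no Frames Rcvd) is an assumption of this model.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
MAX_STATIONS = 128  # the pane lists only the first 128 unique addresses it sees

def is_multicast(mac: str) -> bool:
    # Group bit = least-significant bit of the first octet (broadcast sets it too)
    return int(mac.split(":")[0], 16) & 1 == 1

class StationStats:
    """Counters shown on one Network Address row of the station stats pane."""
    def __init__(self):
        self.frames_sent = self.frames_rcvd = self.bytes_sent = self.bytes_rcvd = 0
        self.directed_sent = self.multicasts_sent = self.broadcasts_sent = 0

def station_stats(frames, limit=MAX_STATIONS):
    """frames: iterable of (src_mac, dst_mac, length). Returns {mac: StationStats}.
    Assumption (ours, not stated by the book): broadcast/multicast destinations
    are not stations, so they get no row and no Frames Rcvd."""
    stats = {}

    def row(addr):
        if addr not in stats and len(stats) >= limit:
            return None  # past the 128-station limit: this traffic is not tracked
        return stats.setdefault(addr, StationStats())

    for src, dst, length in frames:
        s = row(src)
        if s is not None:
            s.frames_sent += 1
            s.bytes_sent += length
            if dst == BROADCAST:
                s.broadcasts_sent += 1
            elif is_multicast(dst):
                s.multicasts_sent += 1
            else:
                s.directed_sent += 1
        if dst == BROADCAST or is_multicast(dst):
            continue
        d = row(dst)
        if d is not None:
            d.frames_rcvd += 1
            d.bytes_rcvd += length
    return stats

SAMPLE_FRAMES = [  # constructed sample traffic: (src, dst, length in bytes)
    ("00:a0:c9:11:22:33", "00:60:08:44:55:66", 64),
    ("00:60:08:44:55:66", "00:a0:c9:11:22:33", 1514),
    ("00:a0:c9:11:22:33", BROADCAST, 60),            # NetBIOS-style broadcast
    ("00:a0:c9:11:22:33", "01:00:5e:00:00:fb", 90),  # IP multicast group
]
```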

For both the session stats pane and the station stats pane, you can alter the display properties of the columnar format. Double-clicking on a column head sorts the listed items in alternating ascending and descending order. To change the width of a column, place your mouse cursor over the dividing line between two header cells, click and hold, then drag left or right, and release.

The total stats pane (Figure 3.5) displays a wide range of real-time statistics about network activity during a capture.

At the top of this pane, the Time Elapsed counter indicates the length of time of the current capture session. This pane is divided into five sections: Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics.

The Network Statistics area tracks the total number of frames, broadcasts, multicasts, and bytes transmitted over the network, as well as the number of dropped frames and the network status. For Ethernet networks, the status is always normal, but for Token-Ring networks this item reflects the state of the ring. The Captured Statistics area displays information about the packets in the capture buffer, as opposed to the network as a whole. The buffer information includes the total number of frames captured during the entire capture session and the number of frames that remain in the buffer.

Because the buffer is limited in size (the maximum is 8 MB less than total physical RAM), newly captured packets overwrite older packets by default. You can define triggers that stop capture when the buffer reaches a specified volume level (see the Capture Triggers section later in this chapter).

The area also lists the total size of all captured packets in bytes, the size of the packets currently held in the buffer, and the current percent utilization of the buffer. The final datum in this area is frames dropped. This item records the number of frames dropped that should have been captured; however, it does not list the number of frames overwritten in the buffer (i.e., old packets overwritten by new packets).
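The buffer behaviour described above, modelled as an added Python example (not Network Monitor's own code): a byte-capacity ring buffer that overwrites the oldest frame when full, keeps the Captured Statistics counters separate from the overwritten frames (which the tool does not report), and implements a buffer-fill trigger that stops capture. The trigger percentage and the rule that a frame larger than the whole buffer counts as dropped are assumptions of this model.

```python
from collections import deque

MB = 1024 * 1024

def max_capture_buffer(physical_ram_bytes: int) -> int:
    """NT 4.0 Network Monitor allows a capture buffer of up to 8 MB less than RAM."""
    return max(0, physical_ram_bytes - 8 * MB)

class CaptureBuffer:
    """Ring buffer: when full, the oldest frame is overwritten by the newest.
    Overwritten frames are not counted as dropped, matching the Captured
    Statistics area. stop_at_percent is an assumed buffer-space trigger."""

    def __init__(self, capacity_bytes: int, stop_at_percent=None):
        self.capacity = capacity_bytes
        self.stop_at_percent = stop_at_percent
        self.frames = deque()          # frames currently held in the buffer
        self.bytes_in_buffer = 0
        self.total_frames = 0          # every frame captured this session
        self.total_bytes = 0
        self.frames_overwritten = 0    # tracked here, but not shown by the tool
        self.frames_dropped = 0        # detected but never stored
        self.capturing = True

    def capture(self, frame: bytes) -> bool:
        if not self.capturing:
            return False               # capture was stopped by the trigger
        if len(frame) > self.capacity:
            self.frames_dropped += 1   # can never fit, even in an empty buffer
            return False
        while self.bytes_in_buffer + len(frame) > self.capacity:
            self.bytes_in_buffer -= len(self.frames.popleft())  # overwrite oldest
            self.frames_overwritten += 1
        self.frames.append(frame)
        self.bytes_in_buffer += len(frame)
        self.total_frames += 1
        self.total_bytes += len(frame)
        if self.stop_at_percent is not None and self.percent_utilization() >= self.stop_at_percent:
            self.capturing = False     # trigger fired: buffer reached the set level
        return True

    def percent_utilization(self) -> float:
        return 100.0 * self.bytes_in_buffer / self.capacity

    def captured_statistics(self) -> dict:
        """The counters the Captured Statistics area of the total stats pane shows."""
        return {"total_frames": self.total_frames, "frames_in_buffer": len(self.frames),
                "total_bytes": self.total_bytes, "bytes_in_buffer": self.bytes_in_buffer,
                "percent_utilization": self.percent_utilization(),
                "frames_dropped": self.frames_dropped}
```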

The Per Second Statistics area displays information about the changing activity level of the network per second. The information listed in this area includes percent network utilization, as well as the number of frames, bytes, broadcasts, and multicasts per second. The data recorded here matches the data displayed in the graph area. The Network Card (MAC) Statistics area records the average activity your network interface handled during the capture session. The data recorded here includes the total number of frames, broadcasts, multicasts, and bytes.

Tip: The method of gathering statistics that this area uses is not supported by all network interface cards (NICs). If this is true of your NIC, the numerical values are replaced with “Unsupported”.

The Network Card (MAC) Error Statistics area tracks errors related to your network adapter. The data recorded in this section includes cyclic redundancy check (CRC) errors and frames dropped due to buffer or hardware problems. A CRC error occurs when the CRC value in a packet’s header does not match the received packet’s length. A frame dropped due to the buffer occurs when a packet is detected but no space is available in the buffer to store the packet. A frame dropped due to hardware occurs when a packet is detected but some limitation or constraint on the hardware prevents it from capturing the packet.

Just as with Performance Monitor, Network Monitor offers lots of real-time statistics and graphical displays. But they are little more than entertainment while traffic is being captured. The usefulness of Network Monitor lies in its ability to capture network traffic packets. Captured packets, as discussed later, can be stored to disk and examined in great detail. The useful information from the displayed statistics becomes apparent when the capture session has stopped.






 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing