Capturing Basics
Network Monitor's default configuration directs it to capture every packet of any type received or transmitted by the host's network adapter(s). Initiating a capture is as simple as issuing the Capture|Start command from the menu bar or clicking Start Capture on the toolbar (it looks like a CD player's play button). While a capture is running, the multiple panes of Network Monitor display statistics about the capture and the ongoing network activity in real time.
A capture session can be paused and resumed or stopped entirely. When a capture session is paused, it can be continued without clearing the buffer; Network Monitor simply resumes capturing new packets and adds them to the existing buffer. Stopping a capture session ends the addition of new packets to the current buffer. Once a capture is stopped, the captured packets must be saved to a file or they are lost when a new capture session is started.
Warning: If you stop a capture session, you must save captured packets to a file or lose the data when a new capture session is started.
Most of your use of Network Monitor will center on capturing data. Several parameters fine-tune the amount, source, and type of data captured, all of which are discussed later. Keep in mind that it is the captured data that lets you discover essential information about your network.
MENU AND TOOLBAR COMMANDS
Before delving into using Network Monitor in the real world, let's explore the features, controls, and commands the menu and toolbar offer. Each of the following sections carries the title of the menu bar drop-down menu it discusses. The Help menu is not discussed because it contains only the standard Windows Help and About items. If you are unfamiliar with the Windows Help system, please read the information accessed via the Help|How to Use Help command.
File
The File menu contains three commands: Open, Save As, and Exit.
The Open command is used to open a saved capture session for review. Issuing this command reveals the Open file dialog box (Figure 3.6).
Because saved captures are stored in \Winnt\System32\Netmon\Captures by default, the dialog box automatically selects that directory. Any saved capture files are listed in the left central display area. Network Monitor can open four types of data files: .cap, .enc, .trc, and .fdc, which are the Network Monitor, Network General Ethernet, Network General Token-Ring, and Network General FDDI formats, respectively.
The Save As command is used to save captured packets currently in memory buffer to a file on a storage device. Issuing this command reveals the Save Data as dialog box (Figure 3.7).
The dialog box automatically selects the default directory of \Winnt\System32\Netmon\Captures; you can select an alternate location as in any other Windows Save As dialog box. Captured data can be saved only as a .cap file, which means Network Monitor cannot export data into other storage formats. The dialog box is used to define the file name, provide a comment, and select the range of packets in the buffer to save. By default, the Range area lists the packet numbers of the first and last packets in the buffer; narrowing these values reduces the number of packets saved. Remember that a .cap file holds the raw frames, including any cleartext credentials or data they carried, so protect the file as carefully as you would the traffic itself.
The Exit command terminates a Network Monitor session. If packets currently in the buffer have not been saved to a file, you are prompted to save or discard the data. If a capture session is active, you are asked whether you would like to stop the capture; if you select OK, the capture is stopped and you are then asked whether you would like to save the buffer.
Capture
The Capture menu contains commands that control and manage the capture process. Each of the commands listed in the Capture menu is discussed in the following paragraphs.
The first five commands in the menu are Start, Stop, Stop and View, Pause, and Continue. The Start (F10) command starts a capture session. The Stop (F11) command terminates a capture session. The Stop and View (SHIFT+F11) command stops a capture session and switches Network Monitor into Display mode (see the Display Captured Data command). The Pause (F9) command temporarily interrupts capture, which can be resumed with the Continue (SHIFT+F9) command.
The Display Captured Data (F12) command switches Network Monitor into Display mode. This command is available only when no capture session is active and there is data in the buffer.
The Find All Names command instructs Network Monitor to examine the contents of all captured frames for NetBIOS names. Any names found that were not already discovered during the original capture are added to the address database. Searching the captured frame buffer can take several minutes. Once the search completes, a message states how many names were found in the buffer and how many new (nonduplicate) names were added to the address database. The address database maintains an association list of MAC addresses with NetBIOS-friendly names; it can be viewed with the Capture|Addresses command.
The Clear Statistics command clears the buffer and resets the statistics in all four display panes. Once this command is issued, all unsaved packets in the buffer are lost, and the command gives no confirmation warning.
The Addresses command reveals the Address Database dialog box (Figure 3.8). This dialog box is used to manage the address database used by Network Monitor.
The address database is a file used by Network Monitor to store the associations between a MAC address and a NetBIOS name in addition to a technology or protocol type, vendor name, and a user customizable comment. This file is stored as an .adr file in the \Winnt\System32\Netmon directory. The default address database used by Network Monitor is named Default.adr. The default database contains generic items that are common to all NT networks.
Addresses are added automatically to the in-memory address database each time a capture session encounters a new name and when the Find All Names command is issued. New addresses can also be added manually by clicking Add, which reveals the Address Information dialog box in which you define the name type (Ethernet, FDDI, IP, IPX/XNS, Token-Ring, or Vines IP), the hexadecimal address, the NetBIOS-friendly name, and a comment. The Address Database dialog box also offers Edit and Delete to alter an existing entry or remove it from the database. To keep changes for future Network Monitor sessions, you must save the database manually by clicking Save. Click Load to load an existing .adr file.
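As an added example (not Network Monitor's own code), the Python below does in miniature what Capture|Find All Names and the address database do: it scans a buffer of frames for NetBIOS Name Service traffic, decodes the names, and associates each with the source MAC address. The frames, MAC addresses, and host names are constructed here; the name encoding it reverses is the RFC 1001 first-level encoding that NetBIOS uses on the wire.

```python
"""Added example: extract NetBIOS names from captured frames and associate
them with source MAC addresses, as Capture|Find All Names feeds the address
database. Not Network Monitor code; all frames, MACs and names are constructed."""
import struct

NBNS_PORT = 137  # NetBIOS Name Service, the frames that carry names on the wire


def decode_netbios_name(encoded: bytes) -> tuple:
    """Undo RFC 1001 first-level encoding: each of the 16 name bytes is sent as
    two ASCII letters, 'A' + high nibble and 'A' + low nibble (32 bytes total).
    Byte 16 is the NetBIOS suffix (0x00 workstation, 0x20 file server, ...)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41)
                for hi, lo in zip(encoded[0::2], encoded[1::2]))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """Forward direction, used here only to build the constructed sample frames."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def build_nbns_query_frame(src_mac: bytes, name: str, suffix: int) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame carrying a broadcast NBNS name query."""
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    nbns = struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0) + question \
        + struct.pack("!HH", 0x0020, 0x0001)        # QTYPE NB, QCLASS IN
    udp = struct.pack("!HHHH", NBNS_PORT, NBNS_PORT, 8 + len(nbns), 0) + nbns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 255])) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip   # dst, src, EtherType IPv4


def find_all_names(frames) -> dict:
    """Scan a frame buffer and return {source MAC: {"NAME<suffix>", ...}},
    keeping only IPv4/UDP frames to or from port 137 with a well-formed question."""
    found = {}
    for frame in frames:
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4 (or too short)
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17:
            continue                                # not UDP
        udp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
        if NBNS_PORT not in (sport, dport):
            continue
        qname = udp + 8 + 12                        # past UDP and NBNS headers
        if len(frame) < qname + 33 or frame[qname] != 0x20:
            continue                                # no 32-byte encoded label
        name, suffix = decode_netbios_name(frame[qname + 1:qname + 33])
        mac = frame[6:12].hex(":")
        found.setdefault(mac, set()).add(f"{name}<{suffix:02X}>")
    return found


# Constructed sample buffer: two name queries and one non-IP frame to be skipped.
SAMPLE_BUFFER = [
    build_nbns_query_frame(bytes.fromhex("00a0c9123456"), "FILESRV01", 0x20),
    build_nbns_query_frame(bytes.fromhex("0060b0abcdef"), "WKSTN-07", 0x00),
    b"\x00" * 60,
]

if __name__ == "__main__":
    for mac, names in find_all_names(SAMPLE_BUFFER).items():
        print(mac, sorted(names))
```

Note that the mapping is built from whatever the wire claims: NetBIOS names are announced and queried without authentication, so an address database populated this way records what hosts said, not what they are. Treat a name-to-MAC entry as a hint for reading a capture, not as evidence of identity.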
The Buffer Settings command reveals the Capture Buffer Settings dialog box (Figure 3.9). During a capture session, the buffer stores all captured packets.
Network Monitor's maximum buffer size is 8 MB less than the amount of physical RAM installed in the computer, so a machine with 64 MB of RAM can use a capture buffer of up to 56 MB. The default capture buffer size is 1.0 MB. The Buffer Size pull-down list selects a buffer size from 0.5 MB up to that maximum, in half-megabyte increments. The Frame Size pull-down list sets how much of each packet is actually stored in the buffer. By default, Network Monitor stores the entire packet; you can adjust this value from 64 bytes to 65,472 bytes in 64-byte increments. A small frame size stretches the buffer and keeps less payload on disk, but if it is set too low the stored portion of a frame can end before its headers do.
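The Frame Size setting decides how many bytes of each frame survive into the buffer. As an added example that is not part of the original page or of Network Monitor, the Python below walks the Ethernet, optional 802.1Q, IPv4, and TCP/UDP headers of a frame cut at a given size and reports which headers are complete. The two frames are constructed: a plain TCP frame, and one carrying a VLAN tag, IP options, and TCP options, which together push the transport header past the 64-byte minimum.

```python
"""Added example: what a Frame Size (snaplen) cut keeps of each frame.
Not Network Monitor code; both sample frames below are constructed."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def walk_headers(frame: bytes, frame_size: int) -> dict:
    """Inspect frame[:frame_size] and report each layer as complete, truncated,
    or absent, plus how many payload bytes past the L4 header were kept."""
    data = frame[:frame_size]
    result = {"ethernet": "absent", "vlan": "absent", "ipv4": "absent",
              "l4": "absent", "payload_kept": 0}
    off = 14
    if len(data) < off:
        result["ethernet"] = "truncated"
        return result
    result["ethernet"] = "complete"
    ethertype = struct.unpack("!H", data[12:14])[0]
    if ethertype == ETHERTYPE_VLAN:                 # 4-byte 802.1Q tag follows
        if len(data) < off + 4:
            result["vlan"] = "truncated"
            return result
        ethertype = struct.unpack("!H", data[off + 2:off + 4])[0]
        result["vlan"] = "complete"
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        return result
    if len(data) < off + 20:
        result["ipv4"] = "truncated"
        return result
    ihl = (data[off] & 0x0F) * 4                    # header length incl. options
    proto = data[off + 9]
    if len(data) < off + ihl:
        result["ipv4"] = "truncated"
        return result
    result["ipv4"] = "complete"
    off += ihl
    if proto == 6:                                  # TCP: data offset in byte 12
        if len(data) < off + 20:
            result["l4"] = "truncated"
            return result
        l4_len = (data[off + 12] >> 4) * 4
    elif proto == 17:                               # UDP: fixed 8-byte header
        l4_len = 8
    else:
        return result
    if len(data) < off + l4_len:
        result["l4"] = "truncated"
        return result
    result["l4"] = "complete"
    result["payload_kept"] = len(data) - off - l4_len
    return result


def build_tcp_frame(vlan: bool, ip_opt_words: int, tcp_opt_words: int,
                    payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; options are filled with NOP (0x01)."""
    eth = bytes.fromhex("0060b0112233") + bytes.fromhex("00a0c9445566")
    if vlan:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, 100)   # tag, VLAN ID 100
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ihl, doff = 5 + ip_opt_words, 5 + tcp_opt_words
    tcp = struct.pack("!HHIIBBHHH", 49152, 445, 1, 0, doff << 4, 0x18, 8192, 0, 0) \
        + b"\x01" * (tcp_opt_words * 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp), 1, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) \
        + b"\x01" * (ip_opt_words * 4) + tcp
    return eth + ip


PAYLOAD = b"SMB payload " * 8
PLAIN = build_tcp_frame(False, 0, 0, PAYLOAD)       # 54 header bytes
TAGGED = build_tcp_frame(True, 3, 5, PAYLOAD)       # 18 + 32 + 40 = 90 header bytes

if __name__ == "__main__":
    for size in (64, 128):
        print(size, "plain ", walk_headers(PLAIN, size))
        print(size, "tagged", walk_headers(TAGGED, size))
```

At 64 bytes the plain frame keeps complete headers and 10 bytes of payload, while the tagged frame loses its TCP header, so ports and flags are gone from the capture; at 128 bytes both are intact. Pick the smallest Frame Size that still covers the headers of the traffic you expect, and remember that the cut also limits how much sensitive payload ends up in the .cap file.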
The Filter (F8) command defines capture filters, which inspect each packet as it is received by the network interface. A packet that matches the defined parameters is placed in the capture buffer; one that does not is discarded. For details, see the Capture Filters section later in this chapter.
The Networks command selects the network from which to capture data when the server is multihomed. The Select Capture Network dialog box (Figure 3.10) lists all known networks to which the host server is connected.
The listing includes the following details about each network:
Node name: Either LOCAL or REMOTE. If the SMS version of Network Monitor is used to attach to a remote installation of Network Monitor Agent, the name of the remote computer is displayed.
Connect State: The condition of the network connection, either Connected or Disconnected.
Type: The type of network, such as Ethernet or Token-Ring.
Current Address: The address the network interface is currently using. This is the same as the Permanent Address unless the permanent address has been overridden by a locally administered address.
Card Description: The comment associated with this network as defined through the Network Monitor Agent.
Link Speed: The speed of the network connection in bits per second (bps).
Permanent Address: The MAC address of the interface card as assigned by the manufacturer.
The Connect, Disconnect, and Suspend buttons in the Select Capture Network dialog box are disabled in the NT version of Network Monitor. In the SMS version, these buttons connect to, disconnect from, and suspend communications with a remote installation of Network Monitor Agent.
The Trigger command is used to define a capture session trigger. When the defined conditions are met, Network Monitor can automatically stop the capture or execute a command line. For more details, see the Capture Trigger section later in this chapter.
The Dedicated Capture Mode command switches Network Monitor into a capture-only mode that does not display real-time statistics while it captures packets. This is useful on slower servers or on networks with heavy traffic. When the command is selected, a check mark appears beside the item in the Capture menu, and when a capture session is started, Network Monitor replaces its display with a dialog box containing only a captured-frame counter and a few buttons (Figure 3.11).
Stop, Stop and View, and Pause operate the same way as in normal mode. Normal Mode returns Network Monitor to its real-time statistics layout without interrupting the capture session. Likewise, if a capture session is already running in normal mode, issuing the Dedicated Capture Mode command switches to dedicated mode without interrupting the capture.
Tip: In Dedicated Capture Mode, Network Monitor demands less video processing and fewer CPU cycles, which improves its capture performance and reduces the number of dropped frames.
The Save Configuration command saves the current layout and all settings. The next time Network Monitor is launched, it is returned to the saved configuration state.