Tools
The Tools menu contains just four commands: Identify Network Monitor users, Find Routers, Resolve Addresses from Name, and Launch Performance Monitor. Two of the commands, Find Routers and Resolve Addresses from Name, are disabled in the NT Server version of Network Monitor. The fourth command launches Performance Monitor.
The first command, Identify Network Monitor users, lets you determine what other instances of Network Monitor exist on your network. Why is this important? Anyone with a working copy of Network Monitor can capture packets on your network. The version shipped with NT can capture only packets sent to and from the host system, but the version shipped with SMS can capture any packet on the network. This raises an important security issue: if someone can capture the packets on your network, they can extract the original contents of those packets; that is, they can steal your data! This simple command from the Tools menu lists all the active installations of the Network Monitor utility, including the one you are working from (Figure 3.12).
The listing of an active instance displays the following information:
Machine name: NetBIOS computer name of the Network Monitor host.
User Name: The user name of the operator.
Current State: The current state of the Network Monitor installation, one of:
    Driver installed: Network Monitor is installed but not running.
    Running: Network Monitor is active but not capturing.
    Capturing: Network Monitor is capturing data.
    Transmitting: Network Monitor is transmitting frames to the network.
Adapter Address: The MAC address of the network interface card Network Monitor is using.
Version: The version of Network Monitor in use. The version number for NT 4.0 with SP3 installed is 1.1.
At the top of the Network Monitor Installations dialog box are statistic summaries for the number of Network Monitors found, running, and capturing. The Add Names to Address Database checkbox adds the names discovered from this dialog box to the Default.adr file. Refresh List repolls the network for instances of Network Monitor.
Options
The Options menu contains six commands: Show Toolbar, Show Address Name, Show Vendor Names, Enable Tool Tips, Prompt to Save Data, and Default Parsers. The first four are used to display or hide the toolbar, address names, vendor names, and tool tips. The fifth command enables and disables the Prompt to Save Data when data in the buffer is in danger of being lost. For all of these commands, a checkmark beside their names in the Options menu shows whether they are enabled or displayed.
The sixth command in the Options menu is Default Parsers. The Default Parsers command is used to enable and disable individual protocol parsers installed in Network Monitor. The Protocol Parsers dialog box (Figure 3.13) lists all of the installed parsers Network Monitor uses.
Through this dialog box, individual parsers can be enabled and disabled. A disabled parser prevents Network Monitor from even seeing a packet from that protocol type.
Warning: Disabling a parser is not the correct way to isolate or restrict the data packets captured by Network Monitor; a capture filter should be used for this function. Because parsers determine how packets are read into Network Monitor, changing a parser can result in incorrect inspection of packets.
When a parser type is disabled, all dependent parsers are also disabled. Any changes you make in this dialog box can be saved as the default set of parsers for all future Network Monitor sessions by selecting the Save as Default checkbox. (Otherwise, changes to the list of active parsers apply only to the current session of Network Monitor.) The next time Network Monitor is launched, any parsers stored in the \Winnt\System32\Netmon\Parsers directory are used.
Window
The Window menu contains display property commands. When Network Monitor is launched for the first time, it has only a single data capture window. After data has been captured, the Display Captured Data command (or the Stop and View command) opens a new data window to view the captured data. Multiple display data windows can be opened, but only a single data capture window ever exists. Before data is displayed, the Window menu contains the following commands:
Cascade (Shift + F5) sets all open windows to the same size (approximately one fourth the size of the main application window) and cascades them from the top left corner to the bottom right corner.
Tile Horizontally arranges all open windows so they are displayed simultaneously in such a way that each window stretches from the left side of the application window to the right side.
Tile Vertically (Shift + F4) arranges all open windows so they are displayed simultaneously in such a way that each window stretches from the top of the application window to the bottom.
Arrange Icons arranges all minimized windows within the application into a compact layout starting at the bottom left corner of the main application window.
Close All closes all data display windows. It does not close the data capture window.
Total Stats displays or hides the Total Stats pane. A checkmark appears by this item when display is enabled.
Session Stats displays or hides the Session Stats pane. A checkmark appears by this item when display is enabled.
Station Stats displays or hides the Station Stats pane. A checkmark appears by this item when display is enabled.
Graph displays or hides the Graph pane. A checkmark appears by this item when display is enabled.
Zoom Pane (F4) expands the currently selected pane of the data capture window to its maximum size, which fills the main application window. Issuing this command a second time returns the display to normal.
Once captured data has been opened into a data display window, three changes are made to the Window menu. The Duplicate command, used to create an exact copy of the currently selected display window, is added. The Label command, used to provide a description for a captured data display window, is added. And a numbered list of active windows is added to the bottom of the Window menu. Selecting an item from this list displays that window.
Toolbar Commands
The toolbar is the row of buttons located just below the menu bar and just above the capture data window. The buttons give single-click access to menu bar commands. The buttons that appear on the toolbar while the capture window is displayed are, from left to right, as follows:
File Open displays the Open file dialog box, which is used to load saved captured data.
File Save displays the Save Data as dialog box, which is used to save captured data.
Toggle Graph Pane displays or hides the graph pane.
Toggle Total Statistics Pane displays or hides the total statistics pane.
Toggle Session Statistics Pane displays or hides the session statistics pane.
Toggle Station Statistics Pane displays or hides the station statistics pane.
Zoom Pane toggles between zooming in on the selected pane and normal pane display.
Edit Capture Filter displays the Capture Filter dialog box.
Start Capture starts a capture session.
Pause/Continue Capture pauses and continues a capture session.
Stop Capture stops a capture session.
Stop and View Capture stops a capture session and then displays the captured data.
Display Captured Data displays the captured data.
Help Contents opens the online Help system.
When you view a captured data display window, the toolbar buttons change to the following:
File Open displays the Open file dialog box, which is used to load saved captured data.
File Save displays the Save Data as dialog box, which is used to save captured data.
Cut, which is used to cut data from packets, is not enabled in the NT version.
Copy copies the selected data into the Windows clipboard.
Paste, which is used to paste data into a packet, is not enabled in the NT version.
Print displays the Print dialog box via which all or some of the captured data can be printed.
Toggle Summary Pane toggles between displaying and hiding the Summary pane.
Toggle Detail Pane toggles between displaying and hiding the Detail pane.
Toggle Hex Pane toggles between displaying and hiding the Hex pane.
Zoom Pane toggles between zooming in on the selected pane and the normal display.
Previous Frame selects the previous frame listed in the Summary view.
Next Frame selects the next frame listed in the Summary view.
Edit Display Filter displays the Display Filter dialog box.
Disable/Enable Filter toggles between applying and not applying a Display Filter.
Edit Find Frame opens the Find Frame Expression dialog box.
Find Previous Frame locates the previous frame matching the defined frame expression.
Find Next Frame locates the next frame matching the defined frame expression.
Help Contents opens the online Help system.
CAPTURE FILTERS
A capture filter is a tool Network Monitor uses to reduce the number of packets captured and stored in the limited memory buffer. By default, the capture filter does not restrict any packet from being stored in the buffer. You can define and customize the capture filter to capture or restrict the packets of your choice. The Capture|Filter (F8) command brings up the Capture Filter dialog box (Figure 3.14). This dialog box displays the logical decision tree structure used to define capture filters.
A capture filter is similar to a database query: you provide the parameters for the item you want, and the search utility searches the database for items that match those parameters. A capture filter is a defined set of parameters that limits the packets stored in the memory buffer.
Capture Filters perform two functions simultaneously. First, they reduce the amount of data captured in the memory buffer. This provides several benefits, including reducing the amount of data to be inspected manually and reducing the speed at which the buffer is filled. Second, capture filters improve the performance of Network Monitor by discarding nonmatching packets rather than placing them in the buffer.
The capture filter's decision tree has three main branches, offering three types of filters or restrictions you can use to limit or focus your capture sessions. You can filter by protocol, address, or data pattern matching. Each of these filter types can be used individually or in any combination of inclusion or exclusion.
Tip: Once a capture filter decision tree has been created, it can be saved for future use by clicking Save. Existing capture filters can be loaded by clicking Load.
New decision tree lines can be added to a capture filter by selecting the (Address Pairs) item or the (Pattern Matches) item and then clicking Address or Pattern, respectively, under the Add heading. Existing lines can be altered by selecting them in the decision tree and clicking Line under the Edit heading. Also, existing lines can be removed from the decision tree by selecting the line and clicking Line under the Delete heading.
A capture filter is a data reduction tool. By fine-tuning the capture filter to your current needs based on suspected problems or activities, protocols, sources, applications, and even data content, you can reduce your inspection time. A capture filter lets you capture only those packets that are most likely to contain useful information based on your filter definitions. Without a capture filter, your buffer would fill up too quickly to guarantee adequate data and you would have to examine many, many more packets.
Filtering by Protocol
Every capture filter has a filter-by-protocol decision line. By default, the capture filter's protocol line enables all known protocol types.
By selecting the protocol line and clicking Line under the Edit heading, you display the Capture Filter SAPs and ETYPEs dialog box (Figure 3.15). This dialog box is used to define which protocols known by Network Monitor are to be allowed into the buffer and which are to be restricted.
As you see in Figure 3.15, all of the protocols are listed in the Enabled Protocols list by default. Selecting one or more protocols from the enabled list and clicking Disable disables those protocols. Likewise, selecting one or more protocols from the disabled list and clicking Enable enables those protocols. All protocols can be either enabled or disabled at once by clicking Enable All or Disable All, respectively. Once your protocol filter is defined, clicking OK returns you to the Capture Filter dialog box in which your new protocol filter is displayed. To discard all changes to the protocol filter, click Cancel to return to the Capture Filter dialog box.
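To make the three branches of the decision tree concrete, the following Python script is an added example (not Network Monitor's own code, and not its capture-filter file format) that models a capture filter as the page describes it: a protocol line keyed on Ethernet ETYPE values, INCLUDE/EXCLUDE address-pair lines, and pattern-match lines tested at a frame offset. It runs the filter over six constructed Ethernet frames and reports how many reach the buffer and how many are discarded. The MAC addresses, frame contents and the rule that EXCLUDE pairs take precedence over INCLUDE pairs are assumptions of this model.

```python
# Added example: a small model of the Network Monitor capture-filter decision
# tree (protocol line, address pairs, pattern matches) run over constructed
# Ethernet frames. Not Network Monitor's code or its .cf file format.
import struct
from dataclasses import dataclass, field
from typing import Optional

ETYPE_IP, ETYPE_ARP, ETYPE_IPX = 0x0800, 0x0806, 0x8137
ANY = None  # wildcard address, standing in for "*ANY" on an address-pair line

# Constructed MAC addresses for the sample frames (assumed, not real hosts)
HOST = bytes.fromhex("00aa00000001")
SERVER = bytes.fromhex("00aa00000002")
ROGUE = bytes.fromhex("00aa00000003")
BCAST = b"\xff" * 6


def _addr_eq(pattern: Optional[bytes], addr: bytes) -> bool:
    return pattern is ANY or pattern == addr


@dataclass
class AddressPair:
    """One line under (Address Pairs): INCLUDE/EXCLUDE a <-> b or a -> b."""
    a: Optional[bytes]
    b: Optional[bytes]
    include: bool = True
    bidirectional: bool = True

    def matches(self, src: bytes, dst: bytes) -> bool:
        forward = _addr_eq(self.a, src) and _addr_eq(self.b, dst)
        if self.bidirectional:
            return forward or (_addr_eq(self.b, src) and _addr_eq(self.a, dst))
        return forward


@dataclass
class PatternMatch:
    """One line under (Pattern Matches): bytes expected at a frame offset."""
    offset: int
    value: bytes
    negate: bool = False  # a NOT line

    def matches(self, frame: bytes) -> bool:
        hit = frame[self.offset:self.offset + len(self.value)] == self.value
        return (not hit) if self.negate else hit


@dataclass
class CaptureFilter:
    enabled_etypes: set  # what the SAPs and ETYPEs dialog leaves enabled
    address_pairs: list = field(default_factory=list)
    patterns: list = field(default_factory=list)

    def accepts(self, frame: bytes) -> bool:
        dst, src = frame[0:6], frame[6:12]
        etype = struct.unpack("!H", frame[12:14])[0]
        # Branch 1: protocol line. A disabled ETYPE never reaches the buffer.
        if etype not in self.enabled_etypes:
            return False
        # Branch 2: address pairs. Assumption of this model: EXCLUDE lines win
        # over INCLUDE lines, and if any INCLUDE line exists the frame must
        # match at least one of them.
        if any(p.matches(src, dst) for p in self.address_pairs if not p.include):
            return False
        includes = [p for p in self.address_pairs if p.include]
        if includes and not any(p.matches(src, dst) for p in includes):
            return False
        # Branch 3: pattern matches, combined with AND.
        return all(pm.matches(frame) for pm in self.patterns)


def run_capture(frames, filt: CaptureFilter):
    """Return (frames stored in the buffer, number discarded by the filter)."""
    stored = [f for f in frames if filt.accepts(f)]
    return stored, len(frames) - len(stored)


# --- constructed sample traffic --------------------------------------------
def ethernet(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", etype) + payload


def ipv4(proto: int) -> bytes:
    """Minimal 20-byte IPv4 header; the protocol field is header byte 9,
    i.e. frame offset 14 + 9 = 23 (6 = TCP, 17 = UDP)."""
    hdr = bytearray(20)
    hdr[0], hdr[9] = 0x45, proto
    return bytes(hdr) + b"payload"


SAMPLE_FRAMES = [
    ethernet(SERVER, HOST, ETYPE_IP, ipv4(6)),     # host -> server, TCP
    ethernet(HOST, SERVER, ETYPE_IP, ipv4(6)),     # server -> host, TCP
    ethernet(SERVER, HOST, ETYPE_IP, ipv4(17)),    # host -> server, UDP
    ethernet(HOST, ROGUE, ETYPE_IP, ipv4(6)),      # rogue -> host, TCP
    ethernet(BCAST, HOST, ETYPE_ARP, bytes(28)),   # ARP broadcast from host
    ethernet(SERVER, HOST, ETYPE_IPX, bytes(30)),  # IPX, protocol disabled
]

# Filter: IP and ARP enabled (IPX disabled), only HOST <-> SERVER traffic,
# nothing involving ROGUE, and only TCP (IP protocol byte 6 at offset 23).
EXAMPLE_FILTER = CaptureFilter(
    enabled_etypes={ETYPE_IP, ETYPE_ARP},
    address_pairs=[
        AddressPair(HOST, SERVER, include=True),
        AddressPair(ROGUE, ANY, include=False),
    ],
    patterns=[PatternMatch(offset=23, value=b"\x06")],
)

if __name__ == "__main__":
    kept, dropped = run_capture(SAMPLE_FRAMES, EXAMPLE_FILTER)
    print(f"stored {len(kept)} frames, discarded {dropped}")
```

Running the script stores only the two TCP frames between HOST and SERVER and discards the other four before they reach the buffer, which is the data-reduction effect described above: the UDP frame fails the pattern line, the ROGUE frame is removed by the EXCLUDE pair, the ARP broadcast matches no INCLUDE pair, and the IPX frame is dropped at the protocol line.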