Windows NT Network Monitor in Depth
View the book table of contents
Author: James Stewart
Published: April 1999
Copyright: 1999
Publisher: 29th Street Press
 


Filtering by Address
The default capture filter included with Network Monitor does include a single address-related filter. This filter lets all types of transmissions aimed toward the host computer be accepted into the buffer. This and any other address filter can be edited by selecting it and clicking Line under the Edit heading. You can add a new address filter by selecting the (Address Pairs) item or any item within its context and clicking Address below the Add heading. This reveals the Address Expression dialog box (Figure 3.16).

The Address Expression dialog box is used to define an address pair. An address pair is the syntax the capture filter uses to include or exclude address-specific packets. An address pair comprises
  • The addresses of the source and destination computers (the MAC address is used unless a NetBIOS name is known; broadcasts and multicasts are also valid address selections)
  • The direction of communication traffic (<-->, <--, or -->)
  • Whether to include or exclude the defined traffic type
Once you have defined an address pair using the Address Expression dialog box, clicking OK adds it to the list of Address Pairs in the Capture Filter dialog box. You can define only three address pairs.

Regardless of the order in which the address pairs are listed in the Capture Filter dialog box, all Exclude pairs are processed first, then all Include pairs are processed. This means that if a frame matches the exclude parameter it is discarded before it is tested against the include pairs. With this in mind, define your address pairs carefully.

Warning: No matter what order the Capture Filter dialog box lists the address pairs in, all Exclude pairs are processed before Include pairs. A frame may match the exclude parameter and be discarded before it is tested against the Include pairs.
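The exclude-before-include rule is easy to get wrong when pairs are read top to bottom in the dialog. The following added example (not code from the book or from Network Monitor, which has no scripting interface for its filter) models the Address Pairs list in Python: each pair carries two stations, a direction and an Include/Exclude flag, the three-pair limit is enforced, and Exclude pairs are always evaluated first. The `*ANY` wildcard station and the rule that a frame matching no Include pair is dropped only when at least one Include pair exists are assumptions of the example; the MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List

ANY = "*ANY"            # wildcard station (assumption: mirrors the dialog's *ANY entry)
MAX_ADDRESS_PAIRS = 3   # the Capture Filter dialog allows only three address pairs


@dataclass(frozen=True)
class AddressPair:
    """One line from the Address Pairs list of a capture filter."""
    station1: str
    station2: str
    direction: str   # "<-->" either way, "-->" station1 to station2, "<--" station2 to station1
    include: bool    # True = Include pair, False = Exclude pair

    def _is(self, station: str, addr: str) -> bool:
        return station == ANY or station.upper() == addr.upper()

    def matches(self, src: str, dst: str) -> bool:
        forward = self._is(self.station1, src) and self._is(self.station2, dst)
        reverse = self._is(self.station2, src) and self._is(self.station1, dst)
        if self.direction == "-->":
            return forward
        if self.direction == "<--":
            return reverse
        if self.direction == "<-->":
            return forward or reverse
        raise ValueError(f"unknown direction {self.direction!r}")


@dataclass(frozen=True)
class Frame:
    number: int
    src: str
    dst: str


def apply_address_filter(frames: Iterable[Frame], pairs: List[AddressPair]) -> List[Frame]:
    """Return the frames the capture filter would admit to the buffer.

    Exclude pairs are evaluated first regardless of their position in the list;
    a frame hitting any of them is discarded before the Include pairs are consulted.
    Assumption: with no Include pairs defined, everything not excluded is kept.
    """
    if len(pairs) > MAX_ADDRESS_PAIRS:
        raise ValueError("Network Monitor accepts at most three address pairs")
    excludes = [p for p in pairs if not p.include]
    includes = [p for p in pairs if p.include]
    kept = []
    for f in frames:
        if any(p.matches(f.src, f.dst) for p in excludes):
            continue
        if includes and not any(p.matches(f.src, f.dst) for p in includes):
            continue
        kept.append(f)
    return kept


# Constructed sample stations: HOST runs Network Monitor, NOISY is a chatty neighbour.
HOST = "00-AA-00-11-22-33"
NOISY = "00-BB-00-44-55-66"
OTHER = "00-CC-00-77-88-99"
BROADCAST = "FF-FF-FF-FF-FF-FF"

SAMPLE_FRAMES = [
    Frame(1, OTHER, HOST),       # to HOST: kept
    Frame(2, HOST, OTHER),       # from HOST: kept
    Frame(3, NOISY, HOST),       # matches the Include pair, but the Exclude pair wins
    Frame(4, OTHER, BROADCAST),  # not aimed at HOST: no Include pair matches
    Frame(5, NOISY, OTHER),      # not excluded, but no Include pair matches either
]


def demo_filter() -> List[int]:
    """Frame numbers admitted by 'everything to or from HOST, except NOISY'."""
    pairs = [
        AddressPair(ANY, HOST, "<-->", include=True),     # listed first, evaluated last
        AddressPair(NOISY, HOST, "<-->", include=False),  # listed second, evaluated first
    ]
    return [f.number for f in apply_address_filter(SAMPLE_FRAMES, pairs)]


if __name__ == "__main__":
    print(demo_filter())  # [1, 2]
```

Frame 3 is the case the warning is about: it satisfies the Include pair, yet it never reaches that test because the Exclude pair discards it first.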

Filtering by Data Pattern Matching
The default capture filter does not include a data matching filter. You can add your own pattern matching filter by selecting the (Pattern Matches) item and clicking Pattern under the Add heading. This reveals the Pattern Match dialog box (Figure 3.17).

This dialog box is used to define
  • the pattern to match within the packet. The pattern can be entered as hex or ASCII.
  • where the pattern should be found. An offset, expressed in hex, can be defined so that the pattern is looked for that many bytes from the start of the frame (i.e., counting the header and the body) or from the end of the header (i.e., only in the body).
Only packets matching the defined pattern are allowed into the buffer. Up to four pattern-matching filters can be defined. By default, all pattern matches are used in an AND function. Thus, if four patterns (A, B, C, D) are matched, only those packets that meet the A and B and C and D conditions are allowed into the buffer. When two or more pattern matches are defined, you can set individual pattern matches to be conditioned as OR or NOT functions. Thus, you can define a pattern of A and B or C not D.

Tip: Once a pattern filter is set to OR, it can only be deleted or set to NOT. Once a pattern filter is set to NOT, it can only be deleted. To return a pattern filter to AND, it must be redefined.
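To make the offset and operator rules concrete, here is an added Python model of the pattern-match filter; it is example code, not anything shipped with Network Monitor or printed in the book. A pattern is a byte string tested at a byte offset counted either from the start of the frame or from the end of the header, at most four patterns are allowed, and they combine as the text describes (AND by default, with individual entries switched to OR or NOT). Two things are assumptions of the example: the frames use a fixed 14-byte Ethernet header, and the operators are applied left to right, so "A and B or C not D" reads as ((A and B) or C) and not D. The HTTP text is placed directly after the Ethernet header to keep the constructed frames short; real traffic would have IP and TCP headers in between.

```python
from dataclasses import dataclass
from typing import Dict, List

HEADER_LEN = 14    # assumption: 14-byte Ethernet II header on the constructed frames
MAX_PATTERNS = 4   # the Capture Filter dialog allows up to four pattern matches


@dataclass(frozen=True)
class PatternMatch:
    """One entry under (Pattern Matches) in the capture filter."""
    pattern: bytes     # hex or ASCII in the dialog; both are raw bytes here
    offset: int        # byte offset at which the pattern must appear
    from_start: bool   # True: offset from the start of the frame; False: from the end of the header
    op: str = "AND"    # AND (default), OR or NOT

    def matches(self, frame: bytes) -> bool:
        pos = self.offset + (0 if self.from_start else HEADER_LEN)
        return frame[pos:pos + len(self.pattern)] == self.pattern


def pattern_filter_accepts(frame: bytes, patterns: List[PatternMatch]) -> bool:
    """Return True if the frame is admitted to the buffer by the pattern filter."""
    if len(patterns) > MAX_PATTERNS:
        raise ValueError("Network Monitor accepts at most four pattern matches")
    result = None
    for p in patterns:
        if p.op not in ("AND", "OR", "NOT"):
            raise ValueError(f"unknown operator {p.op!r}")
        term = not p.matches(frame) if p.op == "NOT" else p.matches(frame)
        if result is None:          # first pattern seeds the result
            result = term
        elif p.op == "OR":          # OR widens the set of accepted frames
            result = result or term
        else:                       # AND and NOT both narrow it
            result = result and term
    return True if result is None else result


def make_frame(ethertype: bytes, body: bytes) -> bytes:
    """Constructed frame: dummy destination and source MACs, EtherType at bytes 12-13, then the body."""
    return bytes.fromhex("00aa00112233" "00bb00445566") + ethertype + body


SAMPLE_FRAMES: Dict[str, bytes] = {
    "GET": make_frame(b"\x08\x00", b"GET /index.html HTTP/1.0\r\n"),
    "POST": make_frame(b"\x08\x00", b"POST /login HTTP/1.0\r\n"),
    "HEAD": make_frame(b"\x08\x00", b"HEAD /index.html HTTP/1.0\r\n"),
    "ARP": make_frame(b"\x08\x06", b"\x00\x01\x08\x00\x06\x04\x00\x01"),
}

# The text's "A and B or C not D": IPv4 EtherType and a GET, or a POST, but never a HEAD.
FILTER = [
    PatternMatch(b"\x08\x00", 12, from_start=True),         # A: EtherType 0x0800 at frame byte 12
    PatternMatch(b"GET ", 0, from_start=False),             # B: ASCII "GET " right after the header
    PatternMatch(b"POST ", 0, from_start=False, op="OR"),   # C
    PatternMatch(b"HEAD ", 0, from_start=False, op="NOT"),  # D
]


def demo_pattern_filter() -> List[str]:
    """Names of the sample frames the filter lets into the buffer."""
    return [name for name, frame in SAMPLE_FRAMES.items() if pattern_filter_accepts(frame, FILTER)]


if __name__ == "__main__":
    print(demo_pattern_filter())  # ['GET', 'POST']
```

The ARP frame fails pattern A at byte 12 and the HEAD frame is removed by the NOT entry, while the POST frame is rescued by the OR entry even though it fails B; that is the behaviour to keep in mind when reading a filter whose entries have been switched away from the default AND.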


CAPTURE TRIGGERS

A capture trigger is a defined threshold or pattern matching event that fires when the defined conditions are met. Capture triggers are the part of Network Monitor that enables automated capture termination or batch file launches when a defined event occurs. This lets administrators initiate captures and then let the system operate without ongoing human management. The Capture Trigger dialog box (Figure 3.18) is accessed through the Capture|Trigger command.

A trigger is defined using one of the following five selections:
  • None — The default selection indicating that no trigger exists.
  • Pattern match — Similar to the pattern matching filter. This setting triggers the action event when a packet contains a match with the defined hex or ASCII value (with an offset from the start or after the header).
  • Buffer space — This setting triggers the action event when the buffer reaches 25 percent, 50 percent, 75 percent, or 100 percent capacity.
  • Pattern match then buffer space — This setting triggers the action when the pattern match is first made, then the buffer reaches a defined capacity.
  • Buffer space then pattern match — This setting triggers the action when the buffer first reaches a defined capacity, then the pattern match is made.
The trigger event that is initiated when the trigger conditions are met can be defined in the area under the heading Trigger Action, which has two settings. The first is a radio button that has a default setting of No Action and an alternate setting of Stop Capture. The second is a checkbox that can execute a command line when the trigger event occurs. This command line can be an application with parameters or a batch file. Clicking Browse lets you quickly locate the path and file name of the desired file.

A capture trigger helps to automate the capture process and reduce the amount of time you must spend directly managing the capture. With the properly defined trigger, you can continue capturing until the exact packet you are looking for is intercepted or until the desired amount of buffer space is used. In either case, once the trigger event is reached, you can choose to stop the capture or to launch a command line. The command line can be used to launch batch files to perform any activity from launching applications to sending out e-mail notifications.
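The difference between the two combined trigger kinds is the order in which the conditions must be satisfied, which is clearest when the same capture is run against both. The Python below is an added example, not code from the book or from Network Monitor: it models the five trigger selections, the 25/50/75/100 percent buffer steps and the two Trigger Action settings, then replays a constructed capture (ten 20-byte frames into a 100-byte buffer, with a marker in frames 2 and 5) through three triggers. Assumptions of the example: for the two-stage kinds, "then" means the second condition may be met on the same frame as the first; the buffer does not wrap when full; the command line is returned as data rather than executed, and its path is a placeholder.

```python
from typing import Dict, List, Optional, Tuple

TRIGGER_KINDS = ("none", "pattern", "buffer", "pattern_then_buffer", "buffer_then_pattern")
BUFFER_STEPS = (25, 50, 75, 100)   # the only buffer space settings the dialog offers


class CaptureTrigger:
    """Models the Capture|Trigger dialog: one of five trigger kinds plus a Trigger Action."""

    def __init__(self, kind: str, pattern: bytes = b"", pattern_offset: int = 0,
                 buffer_percent: int = 100, stop_capture: bool = False,
                 command_line: Optional[str] = None) -> None:
        if kind not in TRIGGER_KINDS:
            raise ValueError(f"unknown trigger kind {kind!r}")
        if buffer_percent not in BUFFER_STEPS:
            raise ValueError("buffer space must be 25, 50, 75 or 100 percent")
        self.kind = kind
        self.pattern = pattern
        self.pattern_offset = pattern_offset
        self.buffer_percent = buffer_percent
        self.stop_capture = stop_capture   # radio button: No Action (False) or Stop Capture (True)
        self.command_line = command_line   # checkbox: command line to run when the trigger fires
        self.fired = False
        self._pattern_seen = False
        self._buffer_seen = False

    def _pattern_hit(self, frame: bytes) -> bool:
        end = self.pattern_offset + len(self.pattern)
        return bool(self.pattern) and frame[self.pattern_offset:end] == self.pattern

    def observe(self, frame: bytes, buffer_used: int, buffer_size: int) -> Optional[Dict[str, object]]:
        """Feed one stored frame and the buffer fill after storing it.

        Returns the Trigger Action the first time the conditions are met, else None.
        """
        if self.fired or self.kind == "none":
            return None
        pattern_now = self._pattern_hit(frame)
        buffer_now = buffer_used * 100 >= self.buffer_percent * buffer_size
        if self.kind == "pattern":
            fire = pattern_now
        elif self.kind == "buffer":
            fire = buffer_now
        elif self.kind == "pattern_then_buffer":
            self._pattern_seen = self._pattern_seen or pattern_now
            fire = self._pattern_seen and buffer_now
        else:  # buffer_then_pattern
            self._buffer_seen = self._buffer_seen or buffer_now
            fire = self._buffer_seen and pattern_now
        if not fire:
            return None
        self.fired = True
        return {"stop_capture": self.stop_capture, "command_line": self.command_line}


def run_capture(frames: List[bytes], trigger: CaptureTrigger,
                buffer_size: int) -> Tuple[Optional[int], Optional[Dict[str, object]]]:
    """Store frames until the buffer is full or the trigger fires; returns (frame number, action)."""
    used = 0
    for number, frame in enumerate(frames, start=1):
        if used + len(frame) > buffer_size:
            break  # simplification: a full buffer ends the capture instead of wrapping
        used += len(frame)
        action = trigger.observe(frame, used, buffer_size)
        if action is not None:
            return number, action
    return None, None


def make_frames() -> List[bytes]:
    """Constructed sample: ten 20-byte frames; frames 2 and 5 carry the marker 'ERR'."""
    return [(b"ERR " if n in (2, 5) else b"OK  ") + bytes(16) for n in range(1, 11)]


def demo_triggers() -> Dict[str, Optional[int]]:
    """Frame number at which each trigger fires for the same capture."""
    frames = make_frames()
    size = 100  # bytes, so every frame adds 20 percent to the buffer
    first = CaptureTrigger("pattern_then_buffer", pattern=b"ERR", buffer_percent=50, stop_capture=True)
    second = CaptureTrigger("buffer_then_pattern", pattern=b"ERR", buffer_percent=50, stop_capture=True)
    full = CaptureTrigger("buffer", buffer_percent=100, command_line=r"C:\PLACEHOLDER\notify.bat")
    return {
        "pattern_then_buffer": run_capture(frames, first, size)[0],   # marker in frame 2, 50% at frame 3
        "buffer_then_pattern": run_capture(frames, second, size)[0],  # 50% at frame 3, next marker at frame 5
        "buffer_full": run_capture(frames, full, size)[0],            # 100% at frame 5
    }


if __name__ == "__main__":
    print(demo_triggers())  # {'pattern_then_buffer': 3, 'buffer_then_pattern': 5, 'buffer_full': 5}
```

The marker in frame 2 counts for "pattern match then buffer space" because it arrives before the buffer reaches 50 percent, but it is ignored by "buffer space then pattern match", which has to wait for the next marker in frame 5; the wrong choice between the two can mean stopping on a stale event or missing the one you wanted.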


DISPLAYING CAPTURED DATA

Once data has been captured in the buffer and the capture session has stopped, the captured data can be viewed. You can open a data display window for the captured data by selecting the Stop and View command while a capture session is active or by selecting Display Captured Data after a capture session has been terminated. In either case, all of the packets in memory are listed in the order in which they exist in the buffer (i.e., chronological order from the oldest to the newest).

Viewing captured data is the whole point of using Network Monitor in the first place. Once you have used a capture filter to reduce the seized data, the display capabilities of Network Monitor let you look into every aspect (in fact, every bit) of the data in the buffer. If what you need or want to look at is in the buffer, you can view it.

The Data Display Window
The initial data display window contains a single pane that lists only the summary information for the packets. By double-clicking on any packet, you divide the display window into three panes (see Figure 3.19). The top pane is the Summary pane, the middle is the Detail pane, and the bottom is the Hex pane.

The Summary pane lists the following details about each captured packet:
  • Frame — This is the number assigned to the frame/packet in the order it was stored in the buffer (chronologically).
  • Time — This is the time at which the frame was captured. This column displays the time as an absolute time of day, as milliseconds from the start of the capture session, or as milliseconds from the capture of the previous packet.
  • Src MAC Addr — This is the network address of the source computer.
  • Dst MAC Addr — This is the network address of the destination computer.
  • Protocol — This is the protocol type used by the frame.
  • Description — This is a brief description of the frame’s contents.
  • Src Other Addr — This is the IP or IPX/XNS address associated with the Src MAC Addr.
  • Dst Other Addr — This is the IP or IPX/XNS address associated with the Dst MAC Addr.
  • Type Other Addr — This defines the type of addresses defined in the Other Addr columns.
The Detail pane displays the contents and related protocol information for the frame/packet selected in the Summary pane. Each of the protocol items within the frame is displayed on a separate line within the Detail pane. Selecting one of these lines in the Detail pane causes the hexadecimal bytes associated with that item to be highlighted in the Hex pane. Beside each detail line is typically a plus sign. This indicates sub-contents or protocol-specific details. Clicking on the plus sign or double-clicking on the detail line expands the item.

The Hex pane displays the raw data that comprises the frame. It is displayed in both hexadecimal and ASCII formats. Double-clicking on any data item in the Hex pane automatically selects the associated protocol or expanded protocol property line in the Detail pane.

The Data Display Menu
When you view captured data, the menu bar items change. Each of the following sections has the same title as the menu bar drop-down menu it discusses. I discuss only the items that have changed or are new. For other items, see the menu list earlier in this chapter or consult the tool’s own Help system or the Microsoft Windows NT Resource Kit.

File
The items added to the File menu for displaying captured data are Close and Print (Figure 3.20).

The Close command closes the currently active data display window and the Print command opens the Print dialog box. Through this interface you can instruct Network Monitor to print the captured packets to a printer (any printer, local or networked) or to a file. The Print Range can also be defined by selecting All or a Frame range.

Clicking Advanced reveals several Output Detail selections. These include printing of summary lines, protocol details, and hex data. You can also create a display filter to apply to this printing only or to use the currently active display filter.

Edit
The Edit menu is a new menu altogether. It contains four commands. The Cut, Paste, and Read Only commands are available only in the SMS version of Network Monitor. The Copy (CTRL + C) command copies the contents of the currently selected frame to the Windows clipboard. This data can be pasted into nearly any Windows application, such as Notepad or Microsoft Word.


