Display
The Display menu is a new menu that replaces the Capture menu. The commands in this menu are grouped by general function.
The first three commands are used to change frames. Next Frame (Ctrl + Down) and Previous Frame (Ctrl + Down) select the next or previous frame listed in the Summary pane. The Goto Frame (F5) command lets you jump to a frame by providing its frame number.
The next three commands are used to find frames. The Find Next Frame (Alt + F3) command reveals the Find Frame Expression dialog box, which operates exactly like the Display Filter dialog box (for details, see the Display Filters section later in this chapter). When a frame expression is defined, clicking OK takes you to the next frame in the capture buffer matching the criteria. Once a Find expression is defined, the next two commands, Repeat Find Next Frame (F3) and Repeat Find Previous Frame (Shift + F3), use the same Find expression to locate the next or previous matching frame.
The next two commands in the Display menu are Filter (F8) and Disable Filter (F7). These commands are used to access and define a display filter and disable the currently active display filter. For more details on display filters, please see the Display Filters section later in this chapter.
Next in the Display menu are Addresses and Find All Names. These two commands perform the same functions that they performed in the Capture menu.
The next three commands are Font, Colors, and Options. The Fonts command opens the Fonts dialog box where the font used to display the packet contents can be selected. The Colors command opens the Protocol Colors dialog box in which a unique foreground and background display color can be defined for each known protocol type. The Options command opens the Display Options dialog box. This dialog box offers two configuration options as radio buttons.
The first radio button defines the style used in the Summary pane to display the time. The options are time of day, milliseconds from the start of the capture session, or milliseconds from the capture of the previous packet. The second radio button defines what the Description column of the Summary pane displays. The options are to display information about the last protocol in the frame or about the protocol deemed most important by the display filter.
The final command in the Display menu is Save Configuration. The Save Configuration command saves the current layout and all settings for displayed data. The next time Network Monitor is launched, it uses the saved configuration state for displayed data.
Tools
The Tools menu contains several items that are accessible only with the SMS version of Network Monitor. These include the packet transmission commands: Find Top Users, Find Routers, Resolve Address From Name, and Protocol Distribution. The Performance Monitor command in this menu launches the Performance Monitor.
The Insert Comment Frame command in the Tools menu creates a new packet. This new packet is known as a comment frame. The Insert Comment Frame dialog box (Figure 3.21) is used to define the contents of this new frame.
The new frame can be inserted anywhere in the buffer by defining the frame number it is to assume. The numbers of the existing frame and all subsequent frames are incremented to make room for the added frame. A comment field is provided in which the contents of this new packet are defined. The frame can be set to be a Comment or a Bookmark frame. If statistics are not desired for this frame, the No Statistics checkbox should be checked. The Apply Current Filter to Statistics checkbox should remain checked so the current display filter is used to calculate statistics.
Options and Window
The Options and Window menus do not contain any new items. The only change is that the display or hide controls for Total Stats, Session Stats, Station Stats, and Graph have been switched with the new panes of Summary, Detail, and Hex.
DISPLAY FILTERS
A display filter is little more than a capture filter, but instead of limiting which packets are allowed into the buffer, it limits which packets are displayed in the Summary pane. Display filters can greatly simplify the process of locating specific items within a large bank of captured data. The Display Filter dialog box (Figure 3.22) is accessed via the Filter command in the Display menu.
Display filters comprise the second level of data reduction Network Monitor supports. With the right display filter, you can encourage the packets you need to reveal themselves to you simply by matching the filter and showing up in a very short list of packets.
A display filter is constructed using an interface very similar to the one used by the Capture Filter. A decision tree is used to define the display filter. A display filter is built from three kinds of expression: protocol, address, and property. You add new expressions to a display filter via the Expression dialog box (Figure 3.23). It is accessed by clicking Expression on the Display Filter dialog box.
Unlike capture filters, the display filter is not limited to four expressions. But like the capture filters, the defined expressions can be combined in the decision tree using AND, OR, and NOT logic.
The Expression dialog box has three tabs: Address, Protocol, and Property. The Address and Protocol tabs operate in exactly the same way as the capture filter's Address Expression and SAPs and ETYPEs dialog boxes. The Property tab operates in a significantly different way from the capture filter's pattern-matching equivalent.
The Property tab lists all known protocols and their properties in alphabetical order by protocol. Double-clicking on a protocol expands its properties. Selecting a property turns the right side of the Property tab into an interface matching the qualities and values possible with the selected property. Typically, a property is associated with a value. The association is called a Relation and can be one of ==, <>, <, >, >=, <=, contains, or exists. The value can be a predefined exact value from a selection list, a known address type, or a freely defined pattern in hex or decimal format. Once an expression is defined, clicking OK adds that expression to the list on the Display Filter dialog box.
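To make the decision-tree semantics concrete, here is an added Python model of a display filter (not Network Monitor's code, and not from the original text): protocol, address and property expressions, the Property tab's relations including exists and contains, and AND/OR/NOT combinations, run over a constructed capture buffer whose addresses, ports and property names are made up.

```python
import operator

# Relations offered by the Property tab; "exists" is handled separately because it takes no value.
RELATIONS = {"==": operator.eq, "<>": operator.ne, "<": operator.lt, ">": operator.gt,
             ">=": operator.ge, "<=": operator.le, "contains": lambda have, want: want in have}

def protocol(name):            # Protocol tab: the frame carries this protocol in some layer
    return lambda f: name in f["protocols"]

def address(addr):             # Address tab: the address appears as source or destination
    return lambda f: addr in (f["src"], f["dst"])

def prop(proto, name, relation="exists", value=None):   # Property tab
    def test(f):
        key = (proto, name)
        if relation == "exists":
            return key in f["props"]
        return key in f["props"] and RELATIONS[relation](f["props"][key], value)
    return test

def AND(*exprs): return lambda f: all(e(f) for e in exprs)
def OR(*exprs):  return lambda f: any(e(f) for e in exprs)
def NOT(expr):   return lambda f: not expr(f)

def apply_display_filter(frames, expr):
    """Frame numbers the Summary pane would still show under this filter."""
    return [f["num"] for f in frames if expr(f)]

# Constructed sample capture buffer (addresses, ports and property values are made up).
FRAMES = [
    {"num": 1, "src": "10.1.1.20", "dst": "10.1.1.10", "protocols": ["IP", "TCP", "HTTP"],
     "props": {("TCP", "Destination Port"): 80, ("HTTP", "Request"): b"GET /index.html"}},
    {"num": 2, "src": "10.1.1.10", "dst": "10.1.1.20", "protocols": ["IP", "TCP", "HTTP"],
     "props": {("TCP", "Source Port"): 80, ("HTTP", "Response"): b"HTTP/1.0 200 OK"}},
    {"num": 3, "src": "10.1.1.21", "dst": "10.1.1.10", "protocols": ["IP", "TCP", "SMB"],
     "props": {("TCP", "Destination Port"): 139, ("SMB", "Account Name"): "alice"}},
    {"num": 4, "src": "10.1.1.22", "dst": "10.1.1.10", "protocols": ["IP", "UDP", "DNS"],
     "props": {("UDP", "Destination Port"): 53}},
]

# Requests to the web server: a protocol expression AND a property expression.
WEB_REQUESTS = AND(protocol("TCP"), prop("TCP", "Destination Port", "==", 80))
# Everything involving the server except frames to or from 10.1.1.20: address expressions with NOT.
SERVER_NOT_WS20 = AND(address("10.1.1.10"), NOT(address("10.1.1.20")))
# A property that merely has to exist, and a pattern match with "contains".
SMB_LOGONS = prop("SMB", "Account Name")
INDEX_PAGE = prop("HTTP", "Request", "contains", b"index")

if __name__ == "__main__":
    for label, expr in [("web", WEB_REQUESTS), ("server-not-ws20", SERVER_NOT_WS20),
                        ("smb-logons", SMB_LOGONS), ("index", INDEX_PAGE)]:
        print(label, apply_display_filter(FRAMES, expr))
```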
NETWORK MONITOR: NT vs. SMS
The version of Network Monitor that is included as part of Microsoft SMS is a full-featured network sniffer. The SMS capabilities not present in the NT version comprise the ability to:
capture frames between any two computers on a network
edit and retransmit frames
capture remote frames over RAS connections
monitor systems remotely
interact with routers
perform name resolution
The SMS version of Network Monitor is able to pull network communications information from any computer running the Network Monitor Agent. This includes NT Server, NT Workstation, and Windows 95/98. The Network Monitor Agent is the same in both the free version included with NT and the version available from SMS. The difference is in the capture tool itself, namely Network Monitor.
MONITORING AGENT
When the Network Monitor Agent is installed, a new applet, Monitoring Agent, is added to the Control Panel. This tool is used to define network monitoring security, define comments, and reset defaults. Double-clicking on the Monitoring Agent applet opens the Configure Network Monitoring Agent dialog box. This dialog box comprises three buttons: Change Password, Describe Net Cards, and Reset Defaults.
Change Password opens the Network Monitoring Password Change dialog box. By default, any installation of Performance Monitor and the SMS version of Network Monitor can access the data gathered by the Network Monitor Agent (i.e., no passwords are defined). The data collected by Network Monitor Agent can be protected by defining a display and/or capture password. A display password lets users view only those captures saved before the password was enabled. The display password does not grant users the ability to record new capture sessions. A capture password grants a user the ability to create new capture sessions and display the captured files. If both the Agent and the Tools (i.e., the Network Monitor utility itself) are present on the same system, the passwords apply to both the Agent and the Tools. Passwords can be eliminated by clicking No Passwords at the bottom of the dialog box.
Describe Net Cards displays a list of installed network interfaces. By selecting an interface and clicking Edit Description, you can provide a description or comment. The text you supply is displayed in the interface's comment field in Network Monitor.
Reset Defaults returns the Network Monitor user interface layout to its default settings, such as enabled protocols.
REAL-WORLD USE OF NETWORK MONITOR
The benefits of using Network Monitor depend upon your knowledge of the network technologies and protocols in use. Network Monitor doesn't do much more than capture the traffic occurring on your network and grant you sight into the packets. It is an elegant tool, but one that is useless if you don't know what to look for. Unfortunately, the range and scope of network technologies and protocols that can be deployed on an NT network are vast. You should consult vendor references and Internet standards documents for details about identifying and troubleshooting protocol-level problems.
Every protocol, especially those proprietary to a device, application, or service, has its own unique and specific operational eccentricities. Network Monitor can be used to examine the contents of any packet captured in its buffer. Detailing the errors, problems, differences, and even normal operation of every protocol NT, and consequently Network Monitor, supports is not only beyond the scope of this book, but it would fill thousands of pages of text. Here are several specific references you can use to start your protocol investigations:
TCP/IP: Teresa Bisaillon and Brad Werner. TCP/IP with Windows NT Illustrated. McGraw-Hill, 1998, ISBN: 0-07-913648-6.
IPX/SPX: Laura Chappell. Novell's Guide to LAN/WAN Analysis: IPX/SPX. IDG Books Worldwide, 1998, ISBN: 0-7645-4508-6.
AppleTalk: Mark Dickie. Routing in Today's Internetworks: The Routing Protocols of IP, Decnet, Netware, and Appletalk. John Wiley & Sons, 1997, ISBN: 0-471-28620-6.
Tip: Network Monitor is used primarily to capture and analyze network traffic. You can trace problems, such as session initialization failures, broadcast storms, and corrupt packets. Because data is captured into the buffer before it is sent on to applications on the host server, you can often trace the cause of protocol-based application failures.
Tip: Network Monitor can be used to determine whether your current hardware is sufficient to handle the traffic load. If the # Frames Dropped in the Total Stats pane increases steadily over time, this is evidence that your network adapter cards are unable to manage the traffic load.
Tip: You can also use Network Monitor to locate network cards locked into broadcast mode. This typically results in slower network performance and a network utilization greater than 60. Simply watch the Broadcasts and Multicasts columns in the Station Stats pane. A machine with a steadily increasing number of broadcasts may be in error. Typically, a rate of broadcasts over 100 per second indicates a problem.
Tip: If you need a list of all active IP addresses on the network, you can use Network Monitor to capture all TCP packets and retain only the header. Then, you can view each packet and create a list of all IP addresses from which packets were sent. The IP addresses of the source and destination systems are listed under the IP subset in the capture detail pane. You can also use this method to locate IP addresses which should not exist within your network (i.e., are not within your subnet or are addresses which have yet to be officially assigned to a system).
Warning: The presence of IP addresses which are unauthorized can indicate an intruder or an employee hacker.
Tip: If you need to track which TCP-supported application/service-specific protocols, such as HTTP, FTP, POP, and SMTP, are being used, you can examine the TCP section of TCP packets in the capture detail pane. The Source Port field displays the application/service protocol encapsulated by TCP.
Network Monitor can help you determine the activity level of servers or clients for a specific protocol, application, or service. First, capture packets on a protocol basis for the protocol or service in question. You only need to retain the headers. Then, use a display filter to sort each machine so that only the specific packet types from one machine are shown. Count the number of packets. Make a comparison chart for each machine for each protocol type. This information can help you distribute application loads across servers or locate active clients.
Tip: If you suspect traffic is bypassing your firewall or proxy server, you can capture traffic and examine the source and destination addresses. The firewall/proxy appears as the destination address for outbound packets, and the source for inbound packets. If any other address appears, you can use the protocol/service information to figure out what port is being used. Once you know the path used to subvert the control mechanism, you can close it.
Tip: Network Monitor can tell you which workstation a user is currently using on the network. Use Network Monitor on a PDC or BDC (or use the SMS version to capture traffic to and from a PDC or BDC). Use a capture filter that includes the SMB protocol only. Set a large buffer. Periodically, stop the capture and apply a display filter (protocol: SMB; property: Account Name; Relation: exists). This displays only the packets used to set up communication sessions. Viewing the Summary pane, you can quickly see which users are logged onto which workstations.
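The three address-based checks from the tips above (listing active addresses and flagging ones outside your subnet, spotting traffic that bypasses the firewall/proxy, and mapping SMB Account Names to workstations) as an added Python example, not part of the original text: it works over a constructed list of frames in which the subnet, proxy address, hosts and account names are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed frames: (frame number, source, destination, protocol, destination port, properties).
SUBNET, PROXY = "10.1.1.0/24", "10.1.1.1"          # made-up subnet and proxy address
FRAMES = [
    (1, "10.1.1.20", "10.1.1.1", "TCP", 8080, {}),         # workstation -> proxy: expected path
    (2, "10.1.1.1", "10.1.1.20", "TCP", 1033, {}),         # proxy -> workstation: expected path
    (3, "10.1.1.21", "203.0.113.9", "TCP", 25, {}),        # straight to the Internet on port 25
    (4, "192.168.7.5", "10.1.1.10", "TCP", 139, {}),       # source address outside the subnet
    (5, "10.1.1.20", "10.1.1.10", "SMB", 139, {"Account Name": "alice"}),
    (6, "10.1.1.21", "10.1.1.10", "SMB", 139, {"Account Name": "bob"}),
    (7, "10.1.1.22", "10.1.1.10", "SMB", 139, {}),         # no Account Name: not a session setup
]

def _inside(ip, subnet):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet)

def active_addresses(frames, subnet):
    """Every source address seen, plus the subset that does not belong to our subnet."""
    seen = sorted({src for _, src, *_ in frames})
    return seen, [ip for ip in seen if not _inside(ip, subnet)]

def proxy_bypass(frames, subnet, proxy):
    """Outbound frames not addressed to the proxy and inbound frames not sent by it.
    Each hit keeps the destination port so the service in use can be identified."""
    hits = []
    for num, src, dst, _, port, _ in frames:
        outbound = _inside(src, subnet) and not _inside(dst, subnet)
        inbound = not _inside(src, subnet) and _inside(dst, subnet)
        if (outbound and dst != proxy) or (inbound and src != proxy):
            hits.append((num, src, dst, port))
    return hits

def logged_on_users(frames):
    """Map each Account Name carried in an SMB session-setup frame to the sending workstation(s)."""
    users = defaultdict(set)
    for _, src, _, proto, _, props in frames:
        if proto == "SMB" and "Account Name" in props:
            users[props["Account Name"]].add(src)
    return {user: sorted(stations) for user, stations in users.items()}

if __name__ == "__main__":
    print("addresses, foreign:", active_addresses(FRAMES, SUBNET))
    print("bypassing the proxy:", proxy_bypass(FRAMES, SUBNET, PROXY))
    print("logged-on users:", logged_on_users(FRAMES))
```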
OPTIMIZING NETWORK MONITOR
The following techniques should help you get the most out of Network Monitor:
Run Network Monitor on a system that is not running any other applications or production services.
Instead of using the default maximum limit of 8 MB less than physical RAM, limit the maximum buffer size to 16 MB less than physical RAM.
Always use a capture filter to slim down the collection of packets.
Use a display filter to quickly search and locate packets of interest.
Avoid performing any other tasks on the Network Monitor host while capturing data.
Use the dedicated capture mode whenever the real-time statistics are not required.
Always save your capture sessions.
Always save your capture filters and display filters for future use.
Don't alter the protocol parsers. Use a capture filter.
When just the information in the header is necessary, set the frame size capture level so the least amount of frame body is saved in the buffer.
Network Monitor is a powerful tool, even with its limitations. Familiarity with the utility and your network can provide you with a wealth of insight and information that no other native NT tool can provide.