Abstract
This chapter will help you gain a deep understanding of the Network Monitoring tool included with Windows NT Server 4.0. You will learn about ongoing network monitoring, frame capture patterns, network analysis timing, and Network Monitor's artificial intelligence features.
In This Chapter
Initial network monitoring
Network Monitor basics
Ongoing network monitoring
Frame capture patterns
Network analysis timing
Network Monitor's artificial intelligence features
Network analysis resources for continued learning
Windows NT Server Network Monitor versus System Management Server (SMS) Network Monitor
Some areas of the technology industry are still immature. Viewed in the context of Windows NT Server, that statement clearly applies to Network Monitor's role in helping you manage your Windows NT Server network. Few network testing standards exist, and even fewer technical texts explain the finer points of packet analysis. Unfortunately, it is still the Wild West when it comes to implementing a sniffer and analyzing frame captures.
This chapter will help you gain a deep understanding of the Network Monitoring tool included with Windows NT Server 4.0. By the end of this chapter, you will be more than adequately equipped to seize the day with your Network Monitor tool. Likewise, I hope your interests will have been piqued to discover more about frame trapping and packet analysis. But you are not left hanging. Several advanced resources, beyond the scope of this book, are listed for you to further study the mysterious world of network analysis via frame trapping and packet analysis.
INITIAL NETWORK MONITORING
The lesson learned from the Watergate era is that power is corrupting and absolute power is absolutely corrupting. So you want to be very careful with Network Monitor in Windows NT Server. This application is a reasonably powerful sniffer, warts and all, and a sniffer is another way of spelling trouble on your network when it is used by unclean hands. Sniffers let you analyze network traffic at the packet level, which also means that anyone who can run one can trap packets and read unencrypted passwords off the wire. Let's just say that, in the wrong hands, Network Monitor is absolutely corrupting.
But on a positive note, Network Monitor is an advanced tool that, while too often used as a last resort in problem solving, can save your bacon big time! Network Monitor is used to provide statistics regarding network utilization and packet traffic as well as capture frames for analysis. The version of Network Monitor included with Windows NT Server is a crippled cousin to the full-featured version included with Microsoft System Management Server (SMS).
Note: For comprehensive network analysis and monitoring, be sure to upgrade to SMS so that you can employ the full version of Network Monitor. In part, the reason for shipping a crippled edition of Network Monitor with Windows NT Server is to prevent unsavory users from trapping packets on a network-wide (actually segment-wide) basis. The crippled version of Network Monitor only allows you to capture frames sent to or from your computer (along with broadcast and multicast frames). At the end of this chapter, you will find a complete comparison between the Windows NT Server 4.0 version of Network Monitor and the SMS version of Network Monitor.
Network Monitor basics
Network Monitor is installed either during the setup of Windows NT Server 4.0 or afterwards from the Network applet in Control Panel, on the Services tab sheet. Previously, in Windows NT Server 3.51, Network Monitor was installed as a service under the Protocols tab sheet of the Network Properties dialog box. Known officially in Windows NT Server 3.51 as the Microsoft Network Monitor Tool, this application consumes 4.1MB of hard disk space. In Windows NT Server 3.51, you are only presented with the option to install the Network Monitor Tool (in Windows NT Server 4.0 it now includes the Network Monitoring Agent). To start the Network Monitor application in Windows NT Server 4.0 (after you have installed it, of course), select Network Monitor from the Administrative Tools (Common) program group. You will be presented with Network Monitor's default Capture window (see Figure 23-1).
In Windows NT Server 4.0, you have the option to install just the Network Monitoring Agent or both the Network Monitor Tool and Agent. The new approach makes more sense and eliminates confusion about what each component accomplishes. For the record, the Network Monitor Agent allows for remote monitoring of a distant client's network communications. The Network Monitor Tool is Network Monitor itself (pictured in Figure 23-1). Figure 23-2 shows you the configuration property sheet that is the interface to the Network Monitor Agent. Note that the Network Monitor Agent Driver can be observed on the Protocols tab sheet of the Network Properties sheet.
Capture window components
Network Monitor provides several types of information in the Capture window (the default window at startup). The Capture window is divided into four parts (see Figure 23-3): Graph pane, Total Statistics pane, Session Statistics pane, and Station Statistics pane. Each of these four panes is discussed in the text that follows.
Graph
The upper-left pane is the Graph pane; it depicts current activity occurring on the network in a thermometer bar fashion.
Total statistics
The far upper-right pane is the Total Statistics pane, which displays total network activity detected since the capture process began. In the full-featured Network Monitor included with SMS, the frames depicted in the Total Statistics pane are the frames that are actually trapped, assuming no filtering is occurring (filtering will be discussed in a few pages). In the crippled Network Monitor included with Windows NT Server, the Total Statistics pane presents network statistics for the entire network but only traps the frames shown in the Captured Statistics area of the Total Statistics pane (again, assuming no filtering is occurring).
Session statistics
This pane displays information about individual sessions occurring between two nodes. It is interesting to note that sessions means literal sessions wherein Network Address 1 and Network Address 2 (nodes) have negotiated and established a session.
Station statistics
This shows generic statistics about frames sent and received on a per node basis. This pane is useful for determining, at a glance, who your worst offenders are on your network segment in terms of flooding the network with packets.
Capturing frames
Capturing frames is the art and science of trapping packets that will be meaningful to us. Typically this is commenced by clicking the Start Capture button on the Network Monitor tool bar in the Capture window. This button looks very much like the Play button on a typical audio cassette recorder. You may also press the F10 key to commence a frame capture.
Network Monitor captures frames into a memory buffer whose size you can set from the Capture menu; in practice you stop long before it fills, because you typically only need enough frames to show the condition you are trying to analyze. For example, suppose a workstation cannot successfully log onto the Windows NT Server network. After troubleshooting the obvious causes, such as an unconnected workstation, you decide to trap frames for more analysis. The steps are basically to have the workstation try to log onto the domain while Network Monitor is running on the PDC.
Secret: Start the frame capture on the PDC's Network Monitor from the moment you power on the workstation you intend to use for logon testing. This workstation generates client initialization traffic from its startup (just after the power-on self test, or POST, phase). For example, client initialization traffic might include renewing the leased IP address from the DHCP server (in many small to medium-sized networks, the PDC is also the DHCP server). Do not wait until the workstation in question is at the logon validation stage (that is, showing the logon dialog box) to start capturing frames, or you will have missed some very important frame traffic that might help solve your problem.
The logon validation stage follows the acquisition of an IP address (assuming we are using the TCP/IP protocol suite) and the registration of the NetBIOS names with a WINS server (see Figure 23-4). At this point the user can log on. The frame capturing session we undertake doesn't need to be especially lengthy in this logon validation exercise. The minimum amount of packet traffic generated during logon validation is 24 frames, but traffic can be as high as 44 frames.
Required hardware
To utilize Network Monitor, you must be physically attached to the network. This states only the obvious, but if you are not attached to a network, you will not capture network traffic. To attach to a network, you must have some type of network adapter. This, of course, is typically a network adapter card placed in the computer and connected to the network media or cabling. If you have more than one network adapter card, you may select which network adapter card will be used with your current session of Network Monitor (see Figure 23-5).
Secret: Something that isn't well known is that you may also run multiple instances of Network Monitor simultaneously to monitor multiple network adapter cards. If you run multiple instances of Network Monitor to accommodate multiple network adapter cards, be sure to tile the Network Monitor windows for easy viewing. To tile, right-click the taskbar and select either Tile Horizontally or Tile Vertically.
Secret: Use an NDIS 4.0 driver on your network adapter card. If you have an NDIS 4.0 (or greater) driver installed on your network adapter card, Network Monitor captures in local mode. This means only frames addressed to the capturing computer (plus broadcasts and multicasts) are accepted. Previously, the capturing computer's adapter was placed in promiscuous mode, meaning every frame on the segment was evaluated whether it was destined for the capturing computer or not. Promiscuous mode increased processor utilization by up to 30 percent. A true bottleneck! This discussion applies to the crippled edition of Network Monitor included in Windows NT Server 4.0. The full version of Network Monitor contained in SMS supports captures of network-wide (segment-wide) traffic. Note that the Hardware Compatibility List contains a list of network adapter cards successfully tested with Network Monitor.
As we approach the sunset of Windows NT Server 4.0 and the dawn of Windows 2000 Server, most network adapter card manufacturers now provide NDIS 4.0 drivers without any questions asked. This statement is especially true if you purchase leading network adapter cards from such companies as 3COM and Intel.
Secret: If you have multiple network adapter cards, be sure to use the Network Monitoring Agent option in Control Panel to describe each card. Providing a friendly name facilitates easier identification.
Analysis
Network Monitor presents the information in the Frame Viewer window in such a way that some of the analysis has already been completed for you (see Figure 23-6). Assuming you are in the Capture window of Network Monitor, the Frame Viewer window is created by selecting the Stop and View Capture button on the Network Monitor toolbar (the eyeglasses button) or by selecting the Display Captured Data option from the Capture menu (or simply pressing F12).
The window is divided into three sections: Summary pane, Detail pane, and Hex pane.
Summary pane
The Summary pane lists the captured frames in order, the elapsed time since time period zero, source and destination MAC addresses (the hardware addresses of the MAC sublayer of layer two, the data-link layer, in the OSI model), the protocol being used, and a very useful text description. Double-clicking one of the frames creates the other two panes for this window.
Detail pane
Here is where Network Monitor really shines. The highlighted frame is presented in greater detail, showing the content of the frame and what protocols sent it, in English to assist your analysis. Even relative novices can educate themselves on the basics of packet analysis, based on the layout in the Detail pane. While its safe to say the devil is in the details, the Detail pane layout truly enables you to understand the basic structure of a packet and apply the conceptual knowledge you have of the OSI Model to the real world of network optimization via packet analysis.
Hex pane
This portion of the Frame Viewer window, on the bottom in Network Monitor, lets you see the raw bytes of the selected frame, shown in hexadecimal with the ASCII rendering of each byte alongside, so any printable text carried in the frame reads straight off the screen.
Secret: Where this gets exciting is when clear text passwords are sent over the network and you trap the packets. For instance, you can see for yourself if you are using Windows NT Server on a network that has Macintosh clients that use the Eudora e-mail application, which retrieves mail with POP3 and, unless configured for APOP, sends its USER and PASS commands in clear text. Start the frame capture session using Network Monitor. Walk over to a Macintosh client and force the Eudora e-mail application to check for new mail. Walk back to the Windows NT Server and halt the Network Monitor frame capture session. Press F12 to launch the Frame Viewer window and look at each frame individually. Soon enough, you will see the clear text password displayed as ASCII text in the Hex pane. Remember that the Windows NT Server edition only captures frames sent to or from the capturing computer, so the server must itself be the mail host for this exchange to appear (the SMS edition, capturing segment-wide, has no such restriction), and that the fix is not to hide the sniffer but to stop sending the password in the clear.
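To make the Summary, Station Statistics and Hex panes concrete, here is an added example (not part of this chapter and not Microsoft's code) that does by hand what Network Monitor does on screen: it decodes Ethernet II/IPv4/TCP/UDP headers, tallies frames per station, renders a payload the way the Hex pane does, and pairs up POP3 USER/PASS commands to show how a clear text password surfaces from a capture. The six frames it works on are constructed inline (the MAC addresses, IP addresses and the password are invented for the illustration), so it runs offline with no capture file.

```python
"""Decode constructed Ethernet/IPv4 frames the way Network Monitor's panes present them."""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
POP3_PORT = 110


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, proto=IPPROTO_TCP):
    """Assemble Ethernet II + IPv4 + TCP/UDP for the sample capture. Checksums are left 0;
    the decoder below does not verify them, so the frames are only for illustration."""
    if proto == IPPROTO_TCP:   # 20-byte TCP header: PSH|ACK, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:                      # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def parse_frame(raw):
    """Return one Summary-pane style record: MAC pair, protocol, ports and the layer-4 payload."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    info = {"src_mac": mac_str(raw[6:12]), "dst_mac": mac_str(raw[:6]),
            "protocol": f"ETYPE 0x{ethertype:04X}", "payload": b""}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    info["src_ip"] = ".".join(map(str, ip[12:16]))
    info["dst_ip"] = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total_len]      # honour the IP total length so Ethernet padding is ignored
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        info.update(protocol="TCP", src_port=sport, dst_port=dport, payload=l4[data_off:])
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        info.update(protocol="UDP", src_port=sport, dst_port=dport, payload=l4[8:ulen])
    else:
        info["protocol"] = f"IP proto {proto}"
    return info


def station_statistics(frames):
    """Frames sent and received per MAC address, as in the Station Statistics pane."""
    sent, received = Counter(), Counter()
    for f in frames:
        sent[f["src_mac"]] += 1
        received[f["dst_mac"]] += 1
    return sent, received


def hex_pane(data, width=16):
    """Offset, hex bytes and ASCII column, the layout of the Hex pane."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart}  {ascii_part}")
    return "\n".join(lines)


def find_cleartext_pop3(frames):
    """Pair a POP3 USER command with the PASS that follows it on the same client/server pair.
    Works per segment, with no TCP stream reassembly: a command split across segments is missed."""
    pending_user, found = {}, []
    for f in frames:
        if f.get("protocol") != "TCP" or f.get("dst_port") != POP3_PORT:
            continue
        key = (f["src_ip"], f["dst_ip"])
        for line in f["payload"].decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending_user[key] = arg
            elif cmd.upper() == "PASS" and key in pending_user:
                found.append((f["src_ip"], pending_user.pop(key), arg))
    return found


# Constructed sample capture: a client booting (DHCP broadcast) and then checking POP3 mail
# on the capturing server. Addresses and credentials are invented for the illustration.
CLIENT_MAC, SERVER_MAC, BCAST_MAC = "00:05:02:AA:BB:CC", "00:A0:C9:11:22:33", "FF:FF:FF:FF:FF:FF"
SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, BCAST_MAC, "0.0.0.0", "255.255.255.255", 68, 67, b"\x01\x01\x06\x00" + b"\x00" * 12, IPPROTO_UDP),
    build_frame(SERVER_MAC, CLIENT_MAC, "192.168.1.10", "192.168.1.50", 110, 1025, b"+OK POP3 server ready\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, "192.168.1.50", "192.168.1.10", 1025, 110, b"USER alice\r\n"),
    build_frame(SERVER_MAC, CLIENT_MAC, "192.168.1.10", "192.168.1.50", 110, 1025, b"+OK\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, "192.168.1.50", "192.168.1.10", 1025, 110, b"PASS s3cret\r\n"),
    build_frame(SERVER_MAC, CLIENT_MAC, "192.168.1.10", "192.168.1.50", 110, 1025, b"+OK Mailbox open\r\n"),
]
DECODED = [parse_frame(f) for f in SAMPLE_FRAMES]

if __name__ == "__main__":
    for n, f in enumerate(DECODED, 1):
        print(f"{n:4} {f['src_mac']} -> {f['dst_mac']} {f['protocol']:5} {f['payload'][:24]!r}")
    sent, received = station_statistics(DECODED)
    print("sent:", dict(sent), "received:", dict(received))
    for src, user, password in find_cleartext_pop3(DECODED):
        print(f"clear text POP3 logon from {src}: user={user} pass={password}")
    print(hex_pane(DECODED[4]["payload"]))
```

The decoder keys on the IP total length rather than the frame length so that the padding Ethernet adds to short frames never leaks into the payload column, and the POP3 matcher deliberately works per segment, which is exactly what you get by stepping through frames one at a time in the Frame Viewer; if the password shows up at all in the Hex pane, the only real remedy is to move the client to an authentication method or transport that does not put it on the wire in the clear.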