Microsoft’s Network Monitor packs enough punch to satisfy most network administrators and designers. Use it to capture, filter, and analyze your network traffic.

Capturing the Essence of Network Communications

Last month, I discussed frames and how they help operating systems deliver information that provides a wide variety of services for network nodes. Knowing how these frames are transmitted and received is useful if you want to be able to troubleshoot higher-level services and network communications. As I mentioned in that column, the main tool to view frames on a Windows NT network is NETMON.EXE, otherwise known as Network Monitor or simply NetMon.

NetMon is a packet analyzer that captures, filters, and automates the analysis of network traffic through parsers. Although there are as many packet analyzers on the market as there are word processors, NetMon has the advantage. It’s essentially free (as a component of Windows NT) yet provides a level of functionality that will meet most communication analysis needs of network administrators or designers.

NT or SMS?

Two significantly different versions of this program have the same executable name. One version of NETMON.EXE comes with every copy of Windows NT, while the other comes with Systems Management Server (SMS). The Windows NT version is limited to capturing frames that are only being transmitted or received to and from the machine that has NETMON.EXE running. The SMS or full version can collect frames from any device on the subnet. The full version also has other features that I’ll discuss shortly.

If NetMon is already installed on your system, you can tell which version you’re running by looking at the Help | About menu. This displays, “SMS Retail,” in the full version and “Retail” in the limited version. In older releases, the limited Windows NT version displays V4.xx.xx; the full SMS version shows V1.x.

Up and Running

If NetMon isn’t already installed, you must choose which version to install. The installation process for the scaled-down Windows NT version is the same as for any other Network Service. Open Control Panel | Network and select the Services tab. Find NetMon Tools and Agent on the list, select it, and click OK. The service and the agent will be installed and you’ll be able to monitor traffic to and from that machine. The NetMon agent is necessary on any machine that’s used to capture network traffic. This is because, as I mentioned last month, when a node discovers that a frame’s address doesn’t match its own address, it discards the frame. On the machine running the agent, the NIC is put into a “local only” mode that allows the NDIS 4.x driver to collect all the frames that are on the wire. In previous versions of NDIS, the NIC had to support “promiscuous” mode, which also meant that the CPU had to examine every frame, hurting performance.

Premium Packet Sniffing
The Mercedes of packet analyzers is the Network General (now Network Associates) Sniffer. This tool, and others like it that cost thousands of dollars, looks much deeper on the wire than simpler tools like NetMon. NetMon only captures healthy frames. Runts, fragments, and other frame abnormalities are discarded and therefore invisible to the administrator, although you can guess many of these anomalies by observing frequent retransmissions from the collisions they create. I’d argue that, unless you’re a low-level software or hardware developer in such areas as drivers or HALs, or unless you simply have the budget for the Mercedes, use NetMon instead. Learn more about Sniffer at www.networkassociates.com.
—Michael Chacon

Performance Monitor also uses the NetMon agent to collect general network segment utilization information. The agent can also collect and buffer traffic on one subnet and then be retrieved by NetMon running on another subnet for analysis across routers. This is conceptually similar to WINS Proxies and DHCP relay agents. As with all things NT, check the HCL to make sure that your adapter is on the list.

Although the NT version works, you should work with the real thing. If you have access to a copy of SMS, run Setup from the NETMON directory. It’ll create an \NM directory and install the full version of NETMON.EXE. During the installation, you’ll be asked to provide passwords to control who can capture frames and who has the ability to view captured files (see Figure 1). This provides a level of security to address NetMon’s potential exposure when looking inside data packets on the wire. If you value security on your network, only permit administrators to use these programs.

Figure 1. Because NetMon lets you look inside data packets, it's important to set security so that only the proper administrators can use the tool.

Finally, at the end of the installation you’ll be prompted for your name. This will allow other people running NetMon to identify you while you’re capturing frames.

An SMS 2.0 Pitfall
One pitfall of installation involves the SMS beta CD. SMS beta 2.0 contains an updated version of NetMon as well as version 2 of the Network Monitor Agent. This new Agent isn’t compatible with the old NetMon utility, nor is the updated NetMon compatible with the old Agent.
—Paul Cernick

Capturing Frames

Once you’ve installed NetMon, you’re ready to start using the tool to capture frames. When you start the program, you’ll get a capture window screen (see Figure 2). In this case, the tool is already actively capturing frames. A capture is started by choosing Capture | Start from the menu or by clicking the play button on the VCR-like control.

Figure 2. The capture window is the main display screen you'll see while NetMon is capturing frames.

A quick glance at the capture screen gives you quite a bit of information. The initial display is divided into four sections. The first section at the top left displays general network utilization per second in real time. The top right pane displays similar information as cumulative totals. If you slide the bar down on that pane, you’ll see the same information that’s displayed on the top left but in numeric format. The two lower panes break the general information down further and map the traffic to each node. The middle pane adds the important piece of information about which nodes are communicating with one another. You can also control the size of the screen by closing panes you don’t need to view.

Notice the # Bytes in Buffer and % Buffer Utilized counters in the top right pane. You can see that this buffer is 53 percent utilized and that, after only a few minutes of collection, I’ve obtained more than 500K of data. Make sure that you have lots of memory on the machine running NetMon, and configure the buffer to use as much memory as you have available. This is easily done in the Capture | Buffer menu. If you overflow the buffer, you’ll lose frames—and chances are they’ll be the ones you wanted to find.

Filtering Your Data

The next configuration to consider is a more strategic one: filtering your capture data. You can filter the actual collection of frames based upon protocol, addresses, and patterns inside the frames themselves (see Figure 3). This greatly reduces the number of frames that need to be stored in the buffer.

Figure 3. You can filter the collection of frames based upon protocol, addresses, and patterns inside the frames themselves. In this example, the MAC address of Jim's workstation has been added.

After adding another address that matches Sally’s workstation, I can enable a filter that will collect only the traffic sent between their two stations. To make the capture even more granular, I’ve added a Pattern Match that looks for a certain word inside each frame (see Figure 4).

Figure 4. The capture filter lets you capture a specific communication or type of communication.

With a filter set, NetMon will only collect frames that meet these criteria and discard the rest. The downside to this method is that I might miss something interesting I wasn’t looking for initially.

The general rule: If you’re looking for a specific communication or type of communication and you want to capture only that traffic, create a capture filter. If you aren’t sure what you’re looking for, leave the capture filter wide open. After the capture is completed, you can create a display filter to sift through all the traffic and find interesting communications. The display filter is configured in a similar manner to the capture filter (see Figure 5).

Figure 5. Display filters allow you to sift through traffic and find interesting patterns.

In this case, we’re searching for a particular pattern inside any SNMP packet sent between Jim’s Machine and the Sales Hub. The filtering possibilities are almost endless, with nearly 100 protocol parsers included. These can be applied toward any address that you either capture on the wire and add to your database or add manually as you see fit.

Another useful capture feature in NetMon is a trigger. Triggers let you set up a filter used during the capture while still allowing you to collect every frame. This type of filter is used mainly either to stop the capture when the event you’re looking for happens or to execute another program or command when the event occurs (see Figure 6).

Figure 6. Triggers let you set up a filter during the capture while still collecting every frame.

Once you’ve determined whether you want to filter during or after the capture process, you can begin collecting frames. When you’ve collected enough frames, or when a trigger set to stop the capture fires, NetMon will open the summary capture window (see Figure 7).

Figure 7. Once you've collected enough frames or if your trigger is set to stop, the summary capture window appears. This shows all the frames you've received from your segment, identifying them by both MAC and IP source and destination addresses, as well as the frame protocol.

The summary capture window shows all the frames I received from my segment. Each frame is displayed and identified by both the MAC and IP source and destination addresses along with the protocol responsible for the frame. Because I left the capture filter wide open and listened to a streaming audio radio program with RealPlayer, I captured much more than I really need. A simple display filter will let me focus on the frames that are of immediate interest.

Let’s say that I want to use this data to demonstrate why people should never send email across the Internet that they aren’t prepared to make public. I create a simple filter that will let me spy on email by viewing SMTP traffic (see Figure 8).

Figure 8. To help sift through information in the summary capture window, you can create a filter. In this case, I'm creating a simple filter to display SMTP traffic.

Applying this filter will narrow the number of frames displayed. Because only SMTP is going to be displayed and I don’t really care about the MAC addresses at this point, I can rearrange the display columns to suit myself.

What I have now are all the frames that are involved with a particular SMTP session between my workstation and my ISP—and it could be any SMTP mail server in your organization. I also could have set a trigger to wait for a message that had “mechacon” with the proper offset using the pattern matching within a trigger. Pretty cool tool!

Now that I’ve identified the session I want, I can drill down with the detail summary window by clicking on the frame to view (see Figure 9). The top frame is the summary pane, which I’ve rearranged to show the description field. The next pane down is the detail pane, which parses out all of the protocols within each frame and displays the contents. The lower pane is the same information, not parsed, in hexadecimal format on the left and ASCII on the right.

Figure 9. The detail summary window lets you drill down deeper into your session frames.

As you can see, my secret message really isn’t very secret. Not only does this demonstrate how deep NetMon lets you look into your network, but it also is a good lead-in to a future column on the benefits of public/private key encryption.
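As an added illustration (not part of the original column and not NetMon's own code), here is a small Python model of the two filter kinds described above, run over constructed frames: the address-pair plus pattern-match capture filter of Figure 4, and the post-capture SMTP display filter of Figure 8 that exposes the cleartext mail body. All MAC and IP addresses, ports, and message text are constructed sample values.

```python
import struct

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II / IPv4 / TCP frame (sample data, not a real capture)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp

def parse_frame(frame):
    """Decode what NetMon's summary pane shows: MAC/IP addresses, TCP ports, payload."""
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    tcp_off = 14 + ihl
    data_off = tcp_off + (frame[tcp_off + 12] >> 4) * 4   # TCP data offset field
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
        "src_ip": ".".join(map(str, frame[26:30])), "dst_ip": ".".join(map(str, frame[30:34])),
        "sport": struct.unpack("!H", frame[tcp_off:tcp_off + 2])[0],
        "dport": struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])[0],
        "payload": frame[data_off:],
    }

def capture_filter(frame, addr_pair, pattern, offset):
    """Address-pair plus pattern-match capture filter (Figure 4): keep the frame only if it
    travels between the two MACs AND carries `pattern` at byte `offset` of the frame."""
    f = parse_frame(frame)
    return ({f["src_mac"], f["dst_mac"]} == set(addr_pair)
            and frame[offset:offset + len(pattern)] == pattern)

def display_filter_smtp(frames):
    """Post-capture display filter (Figure 8): SMTP = TCP port 25, returning cleartext payloads."""
    hits = []
    for fr in frames:
        f = parse_frame(fr)
        if 25 in (f["sport"], f["dport"]) and f["payload"]:
            hits.append(f["payload"].decode("ascii", "replace"))
    return hits

# Constructed sample "capture": Jim's and Sally's workstations and an ISP mail server.
JIM, SALLY, ISP = "00:10:4b:aa:bb:01", "00:10:4b:aa:bb:02", "00:10:4b:cc:dd:03"
FRAMES = [
    build_frame(JIM, ISP, "10.0.0.5", "192.0.2.25", 1234, 25, b"MAIL FROM:<mechacon@example.com>\r\n"),
    build_frame(JIM, ISP, "10.0.0.5", "192.0.2.25", 1234, 25, b"DATA\r\nMeeting moved to 3pm, keep it quiet.\r\n.\r\n"),
    build_frame(JIM, SALLY, "10.0.0.5", "10.0.0.6", 1035, 139, b"\xffSMB secret plan"),
    build_frame(SALLY, JIM, "10.0.0.6", "10.0.0.5", 139, 1035, b"ok"),
]
# Payload starts at byte 54 (14 Ethernet + 20 IP + 20 TCP), so "secret" sits at offset 59.
print(display_filter_smtp(FRAMES))   # the "secret" mail body, readable in the clear
```

Running `capture_filter(f, (JIM, SALLY), b"secret", 59)` over FRAMES keeps only the third frame, which is the same narrowing the Jim/Sally pattern-match capture filter performs.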
