Microsoft’s Network Monitor packs enough punch to satisfy most network administrators and designers. Use it to capture, filter, and analyze your network traffic.
Capturing the Essence of Network Communications
Microsoft’s Network Monitor packs enough punch to satisfy most network administrators and designers. Use it to capture, filter, and analyze your network traffic.
- By Michael Chacon
- June 01, 1999
Last month,
I discussed frames and how they help operating systems
deliver information that provides a wide variety of services
for network nodes. Knowing how these frames are transmitted
and received is useful if you want to be able to troubleshoot
higher-level services and network communications. As I
mentioned in that column, the main tool to view frames
on a Windows NT network is NETMON.EXE, otherwise known
as Network Monitor or simply NetMon.
NetMon is a packet analyzer that captures, filters, and
automates the analysis of network traffic through parsers.
Although there are as many packet analyzers on the market
as there are word processors, NetMon has the advantage.
It’s essentially free (as a component of Windows
NT) yet provides a level of functionality that will meet
most communication analysis needs of network administrators
or designers.
NT or SMS?
Two significantly different versions of this program
have the same executable name. One version of NETMON.EXE
comes with every copy of Windows NT, while the other comes
with Systems Management Server (SMS). The Windows NT version
is limited to capturing frames that are only being transmitted
or received to and from the machine that has NETMON.EXE
running. The SMS or full version can collect frames from
any device on the subnet. The full version also has other
features that I’ll discuss shortly.
If NetMon is already installed on your system, you can
tell which version you’re running by looking at the
Help | About menu. This displays, “SMS Retail,”
in the full version and “Retail” in the limited
version. In older releases, the limited Windows NT version
displays V4.xx.xx; the full SMS version shows V1.x.
Up and Running
If NetMon isn’t already installed, you must choose
which version to install. The installation process for
the scaled-down Windows NT version is similar to any Network
Service. Open Control Panel | Network and select the Services
tab. Find NetMon Tools and Agent on the list, select it,
and click OK. The service and the agent will be installed
and you’ll be able to monitor traffic to and from
that machine. The NetMon agent is necessary for any machine
that’s used to capture network traffic. This is because,
as I mentioned last month, when a node discovers that
a frame’s address doesn’t match its own address,
it discards the frame. On the machine running the agent,
the NIC is put into a “local only” mode that
allows the NDIS 4.x driver to collect all the frames that
are on the wire. In previous versions of NDIS, the NIC
had to support “promiscuous” mode, which also
meant that the CPU had to look at every frame affecting
performance.
Premium
Packet Sniffing |
The Mercedes of packet analyzers
is the Network General (now Network Associates)
Sniffer. This tool, and others like it
that cost thousands of dollars, looks
much deeper on the wire than simpler tools
like NetMon. NetMon only captures healthy
frames. Runts, fragments, and other frame
abnormalities are discarded and therefore
invisible to the administrator, although
you can guess many of these anomalies
by observing frequent retransmissions
from the collisions they create. I’d
argue that, unless you’re a low-level
software or hardware developer in such
areas as drivers or HALs, or unless you
simply have the budget for the Mercedes,
use NetMon instead. Learn more about Sniffer
at www.networkassociates.com.
—Michael Chacon |
|
|
Performance Monitor also uses the NetMon agent to collect
general network segment utilization information. The agent
can also collect and buffer traffic on one subnet and
then be retrieved by NetMon running on another subnet
for analysis across routers. This is conceptually similar
to WINS Proxies and DHCP relay agents. As with all things
NT, check the HCL to make sure that your adapter is on
the list.
Although the NT version works, you should work with the
real thing. If you have access to a copy of SMS, run Setup
from the NETMON directory. It’ll create an \NM directory
and install the full version of NETMON.EXE. During the
installation, you’ll be asked to provide passwords
to control who can capture frames and who has the ability
to view captured files (see Figure 1). This provides a
level of security to address NetMon’s potential exposure
when looking inside data packets on the wire. If you value
security on your network, only permit administrators to
use these programs.
|
Figure 1. Because NetMon
lets you look inside data packets, it's important
to set security so that only the proper administrators
can use the tool. |
Finally, at the end of the installation you’ll be
prompted for your name. This will allow other people running
NetMon to identify you while you’re capturing frames.
An
SMS 2.0 Pitfall |
One pitfall of installation
involves the SMS beta CD. SMS beta 2.0
contains an updated version of NetMon
as well as version 2 of the Network Monitor
Agent. This new Agent isn’t compatible
with the old NetMon utility, nor is the
updated NetMon compatible with the old
Agent.
—Paul Cernick |
|
|
Capturing Frames
Once you’ve installed NetMon, you’re ready
to start using the tool to capture frames. When you start
the program, you’ll get a capture window screen (see
Figure 2). In this case, the tool is already actively
capturing frames. It can be activated by pressing the
Capture | Start menu option or by clicking in the VCR-like
control for play.
|
Figure 2. The capture
window is the main display screen you'll see while
NetMon is capturing frames. |
A quick glance at the capture screen gives you quite
a bit of information. The initial display is divided into
four sections. The first section at the top left displays
general network utilization per second in real time. The
top right pane displays similar information in accumulative
numeric terms. If you slide the bar down on that pane,
you’ll see the same information that’s displayed
on the top left but in numeric format. The two lower panes
break the general information down further and map the
traffic to each node. The middle pane adds the important
piece of information about which nodes are communicating
with one another. You can also control the size of the
screen by closing panes you don’t need to view.
Notice the # Bytes in Buffer and % Buffer Utilized counters
in the top right pane. You can see that this buffer is
53 percent utilized and that, after only a few minutes
of collection, I’ve obtained more than 500K of data.
Make sure that you have lots of memory on the machine
running NetMon, and configure the buffer to use as much
memory as you have available. This is easily done in the
Capture | Buffer menu. If you overflow the buffer, you’ll
lose frames—and chances are they’ll be the ones
you wanted to find.
Filtering Your Data
The next configuration to consider is a more strategic
one: filtering your capture data. You can filter the actual
collection of frames based upon protocol, addresses, and
patterns inside the frames themselves (see Figure 3).
This greatly reduces the number of frames that need to
be stored in the buffer.
|
Figure 3. You can filter
the collecton of frames based upon protocol, addresses,
and patterns inside the frames themselves. In this
example, the MAC address of Jim's workstation has
been added. |
After adding another address that matches Sally’s
workstation, I can enable a filter that will collect only
the traffic sent between their two stations. To make the
capture even more granular, I’ve added a Pattern
Match that looks for a certain word inside each frame
(see Figure 4).
|
Figure 4. The capture
filter lets you capture a specific communication or
type of communication. |
With a filter set, NetMon will only collect frames that
meet this criteria and discard the rest. The downside
to this method is that I might miss something interesting
I wasn’t looking for initially.
The general rule: If you’re looking for a specific
communication or type of communication and you want to
capture only that traffic, create a capture filter. If
you aren’t sure what you’re looking for, leave
the capture filter wide open. After the capture is completed,
you can create a display filter to sift through all the
traffic and find interesting communications. The display
filter is configured in a similar manner to the capture
filter (see Figure 5).
|
Figure 5. Display filters
allow you to sift through traffic and find interesting
patterns. |
In this case, we’re searching for a particular pattern
inside any SNMP packet sent between Jim’s Machine
and the Sales Hub. The filtering possibilities are almost
endless, with nearly 100 protocol parsers included. These
can be applied toward any address that you either capture
on the wire and add to your database or add manually as
you see fit.
Another useful capture feature in NetMon is a trigger.
Triggers let you set up a filter used during the capture
while still allowing you to collect every frame. This
type of filter is used mainly either to stop the capture
when the event you’re looking for happens or to execute
another program or command when the event occurs (see
Figure 6).
|
Figure 6. Triggers let
you set up a filter during the capture while still
collecting every frame. |
Once you’ve determined if you want to filter during
or after the capture process, you can begin collecting
frames. When you’ve collected enough frames or if
your trigger is set to stop, the capture NetMon will open
the summary capture window (see Figure 7).
|
Figure 7. Once you've
collected enough frames or if your trigger is set
to stop, the summary capture window appears. This
shows all the frames you've received from your segment,
indentifying them by both MAC and IP source and destination
adresses, as well as the frame protocol. |
The summary capture window shows all the frames I received
from my segment. Each frame is displayed and identified
by both the MAC and IP source and destination addresses
along with the protocol responsible for the frame. Because
I left the capture filter wide open and listened to a
streaming audio radio program with RealPlayer, I captured
much more than I really need. A simple display filter
will let me focus on the frames that are of immediate
interest.
Let’s say that I want to use this data to demonstrate
why people should never send email across the Internet
that they aren’t prepared to make public. I create
a simple filter that will let me spy on email by viewing
SMTP traffic (see Figure 8).
|
Figure 8. To help sift
through information in the summary capture window,
you can create a filter. In this case, I'm creating
a simple filter to display SMTP traffic. |
Applying this filter will narrow the number of frames
displayed. Because only SMTP is going to be displayed
and I don’t really care about the MAC addresses at
this point, I can rearrange the display columns to suit
myself.
What I have now are all the frames that are involved
with a particular SMTP session between my workstation
and my ISP—and it could be any SMTP mail server in
your organization. I also could have set a trigger to
wait for a message that had “mechacon” with
the proper offset using the pattern matching within a
trigger. Pretty cool tool!
Now that I’ve identified the session I want, I can
drill down with the detail summary window by clicking
on the frame to view (see Figure 9). The top frame is
the summary pane, which I’ve rearranged to show the
description field. The next pane down is the detail pane,
which parses out all of the protocols within each frame
and displays the contents. The lower pane is the same
information, not parsed, in hexadecimal format on the
left and ASCII on the right.
|
Figure 9. The detail summary
window lets you drill down deeper into your session
frames. |
As you can see, my secret message really isn’t very
secret. Not only does this demonstrate how deep NetMon
lets you look into your network, but it also is a good
lead-in to a future column on the benefits of public/private
key encryption.