Network Monitor to the Rescue

Get help troubleshooting and fine-tuning performance on your Win2K systems with this handy tool.

By Harry Brelsford
December 01, 2000
Just when you were starting to wonder what all those days spent in that Windows NT Server 4.0 in the Enterprise certification course were good for, you stumble across Network Monitor in Windows 2000 Server. Back in the day, you might remember deconstructing a network frame in the Network Essentials and TCP/IP courses, and you might remember delving into packet analysis and how important it is for troubleshooting problems. NT 4.0's Network Monitor was readily available, but in Windows 2000, it's not even installed by default. This month, let's look at Network Monitor, a tool that you might easily dismiss but that can be effective in pinpointing problems on the wire.

(For the purposes of this column, I use the terms packets and frames interchangeably. At a deeper level than I'll venture into here, packets and frames are different, so no flame e-mail from the gurus, eh?)
      Network Monitor Basics 
So, what is Network Monitor other than two nouns put together? It's a software-based tool for monitoring network traffic and activity levels. Network Monitor has two basic faces, the Capture window and the Frame Viewer window.

The Capture window in Network Monitor is the default view (see Figure 1). It's divided into several screen panes.
      
         
            | 
        
         
          | Figure 1. Network Monitor's Capture 
            window displays real-time network traffic. (Click 
            on image to view larger version.)  | 
        
      
The upper left part is the Graph pane. Current, real-time activity such as % Network Utilization is displayed in a horizontal histogram. The Total statistics pane in the upper right part of the Capture window reveals total network activity since the current capture session commenced. In the center, on the left, you have session statistics that show you the activity between two nodes. The bottom half of the screen reveals station session activity on a per-node basis. Each network node, identified by its media access control (MAC) address in the Network Address column, reports its individual sent and received counts for frames and bytes.

The Frame Viewer window (see Figure 2) is not as mysterious as the Capture window. In its default view, the Frame Viewer lists frames in rows and provides specific information in columns. I'll explain it in detail later.
      
         
            | 
        
         
          | Figure 2. The Frame window allows 
            you to analyze traffic at — you guessed it — 
            the frame level. (Click on image to view larger version.) | 
        
      
Install Network Monitor 
Network Monitor isn't installed by default, which is too bad, because more admins might use it otherwise. So, follow these steps to install Network Monitor on your Windows 2000 Server:

- Click Start, Settings, Control Panel.
- Double-click the Add/Remove Programs applet.
- Click Add/Remove Windows Components. Select Management and Monitoring Tools on the Windows Components screen and click Details.
- Select Network Monitor Tools (see Figure 3) and click OK.
- Click Next. Network Monitor and associated tools will be installed. You may be asked to insert the Windows 2000 Server disk.
- Click Finish and close the Add/Remove Programs applet.
      
      
         
            | 
        
         
          | Figure 3. Installing Network 
            Monitor. (Click on image to view larger version.) | 
        
      
To use Network Monitor, select Network Monitor from the Administrative Tools program group. When Network Monitor launches, it displays the Capture window. This is your starting point to the wonderful world of network monitoring, also known as "sniffing." When you sniff, you capture and view network packets or frames.

Starting a network packet capture is easy. Simply click the Start Capture button on the toolbar or select Start from the Capture menu. The capture activity will appear in the Capture window, allowing you to observe host-to-host communications, network utilization rate, and so on. Click the Stop Capture button to terminate the capture activity, and don't forget to save your capture session (select Save from the File menu) in case you need to look at it later or send it to Microsoft technical support for troubleshooting.
      
      Using Network Monitor 
There are many reasons to use Network Monitor, but the vast majority of Windows 2000 MCSEs will wait until trouble lurks. Few of us have the time to learn Network Monitor for giggles. Actually, waiting until you need Network Monitor to solve a problem is an entirely acceptable method of learning. And, as I'll explain in the next section, some MCSEs get so excited about Network Monitor that they make being an expert in it part of their technical niche!

Packet analysis

I'll assume you understand the basics of networking or that you can quickly refer to your old Network Essentials text. The reason I make that assumption is that you should already know that network activity is reflected by packet activity. When you capture a session with Network Monitor, you can observe the packet activity as seen in Figure 4 in the Frame Viewer window, which has been modified to display the Summary pane (top), Detail pane (center) and Hex pane (bottom).
      
         
            | 
        
         
          | Figure 4. Detailed session information 
            presented frame by frame. (Click on image to view 
            larger version.) | 
        
      
Frames 31 to 33 show the infamous TCP/IP three-way handshake of session establishment. Huh? In networking, two hosts have to agree to communicate. In packet 31, one computer (LOCAL) attempts to establish a session with the other (RED…). The session establishment attempt is shown by the send (S) entry in the Description column. In frame 32, the second computer (RED…) replies with an acknowledgement (A) and then a send (S). The first computer completes the three-way handshake and establishes a session in frame 33 with a final acknowledgement (A).

The three-way handshake is the most common type of packet analysis you're likely to encounter as an MCSE when troubleshooting: session establishment. That is, it's likely Microsoft technical support will initially work with you to make sure that two hosts are even communicating with each other and trying to establish a session.
Advanced settings

There are many advanced settings in Network Monitor, making this a huge area of MCSE study (but after you complete that Windows 2000 MCSE, eh?). I cover many of the advanced Network Monitor features in my Windows 2000 Server Secrets book (IDG Books Worldwide) in Chapter 19: Network Monitor Secrets, but I'll address one advanced feature now — the display filter.

When using Network Monitor, you're often on a journey that you have no map for; you don't know where you're going and you don't know when you'll arrive. The point is that you really need to capture all frames in a capture session and then filter which frames are displayed as you troubleshoot a problem. The Display Filter (see Figure 5) lets you select specific protocols to display from the capture. The result of using the display filter is shown in Figure 6, where only HTTP packets are displayed.
Figure 5. Displaying HTTP frames via Display Filter.

Figure 6. In the filtered results, only HTTP frames are displayed.
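To make concrete what the Detail pane, the handshake in frames 31 to 33 and the HTTP display filter are doing, here is an added example (not code from the column or from Network Monitor) that decodes raw Ethernet/IPv4/TCP frames, prints the S and A flag letters the column refers to, spots a SYN, SYN+ACK, ACK triple between two hosts, and applies a port-based display filter. The frames, the host names LOCAL and RED, and the port numbers are constructed sample data.

```python
"""Decode constructed Ethernet II / IPv4 / TCP frames, find the three-way
handshake and apply a display filter, as a stand-in for Network Monitor's
Detail pane, Summary pane and Display Filter. Sample data is constructed."""
import struct

def build_frame(src_ip, sport, dst_ip, dport, flags):
    """Constructed sample: minimal Ethernet II + IPv4 + TCP header, no payload."""
    eth = bytes(range(6)) + bytes(range(6, 12)) + b"\x08\x00"   # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 100, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def parse_frame(raw):
    """Return (src, sport, dst, dport, flag_letters) or None for non-TCP frames."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800 or raw[23] != 6:
        return None                                   # not IPv4, or not TCP
    ihl = (raw[14] & 0x0F) * 4                        # IP header length in bytes
    src = ".".join(map(str, raw[26:30]))
    dst = ".".join(map(str, raw[30:34]))
    tcp = raw[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    # S = SYN, A = ACK, as the column reads them from the Description column
    letters = [("S", 0x02), ("A", 0x10), ("F", 0x01), ("R", 0x04), ("P", 0x08)]
    return (src, sport, dst, dport, "".join(n for n, bit in letters if flags & bit))

def find_handshakes(frames):
    """Frame numbers (1-based) of each SYN -> SYN+ACK -> ACK between two hosts."""
    tcp = [(i, p) for i, f in enumerate(frames, 1) if (p := parse_frame(f))]
    found = []
    for (i, a), (j, b), (k, c) in zip(tcp, tcp[1:], tcp[2:]):
        if (a[4], b[4], c[4]) == ("S", "SA", "A") \
           and b[0] == a[2] and b[2] == a[0] and c[0] == a[0]:
            found.append((i, j, k))
    return found

def display_filter(frames, port):
    """Frame numbers whose TCP source or destination port matches, e.g. 80 for HTTP."""
    return [i for i, f in enumerate(frames, 1)
            if (p := parse_frame(f)) and port in (p[1], p[3])]

LOCAL, RED = "10.0.0.1", "10.0.0.2"                   # constructed host addresses
SAMPLE_FRAMES = [
    bytes(12) + b"\x08\x06" + bytes(28),              # frame 1: ARP, skipped by filter
    build_frame(LOCAL, 1025, RED, 80, 0x02),          # frame 2: SYN  (S)
    build_frame(RED, 80, LOCAL, 1025, 0x12),          # frame 3: SYN+ACK (A then S)
    build_frame(LOCAL, 1025, RED, 80, 0x10),          # frame 4: ACK  (A)
    build_frame(LOCAL, 1026, RED, 445, 0x02),         # frame 5: SYN to 445, never answered
]

if __name__ == "__main__":
    for n, f in enumerate(SAMPLE_FRAMES, 1):
        print(n, parse_frame(f))
    print("handshakes:", find_handshakes(SAMPLE_FRAMES))
    print("HTTP only:", display_filter(SAMPLE_FRAMES, 80))
```

A lone SYN with no SYN+ACK behind it (frame 5 above) is exactly the "are the two hosts even talking?" case the column says support will check first.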
      
Making Your Fortune With Network Monitor

I'll never forget my blunt introduction to packet analysis nearly a decade ago. I was speaking with the IT director of a large printing company and he described a need for a network engineer with packet analysis experience. Why? Because the firm had an immense wide area network (WAN) that was experiencing network problems. Up to that point, I had always considered myself to be a network engineer (small "e"), but this telephone call introduced me to network Engineering (large "E"). In fact, if you're among the small minority that feels the MCSE, with its operating system focus, doesn't have enough true network engineering, then may I encourage you to pursue your technology niche in packet analysis with Network Monitor.

More importantly, the topic of money is near and dear to the hearts of many MCSEs. One bona fide path to riches is the packet analysis path. You'll charge top dollar to troubleshoot intense network problems. Some words of advice, though: As you get deeper into packet analysis, you'll find yourself living more in the router community and less in the network operating system community. If such is the case, check out MCP Magazine's sibling online magazine, TCPmag.com, which is oriented to the router community. You can access that magazine at www.tcpmag.com and the other magazines at www.certcities.com.
      
I'll use Network Monitor when I need it, but my professional interests are broader than the narrow world of packet analysis.