Get help troubleshooting and fine-tuning performance on your Win2K systems with this handy tool.

Network Monitor to the Rescue

Get help troubleshooting and fine-tuning performance on your Win2K systems with this handy tool.

Just when you were starting to wonder what all those days spent in that Windows NT Server 4.0 in the Enterprise certification course were good for, you stumble across Network Monitor in Windows 2000 Server. Back in the day, you might remember deconstructing a network frame in the Network Essentials and TCP/IP courses, and you might remember delving into packet analysis and how important it is for troubleshooting problems. NT 4.0's Network Monitor was readily available, but in Windows 2000, it's not even installed by default. This month, let's look at Network Monitor, a tool that you might so easily dismiss but can be effective in pinpointing problems on the wire.

(For the purposes of this column, I use the terms packets and frames interchangeably. At a deeper level than I'll venture into here, packets and frames are different-so, no flame e-mail from the gurus, eh?)

Network Monitor Basics

So, what is Network Monitor other than two nouns put together? It's a software-based tool for monitoring network traffic and activity levels. Network Monitor has two basic faces, the Capture window and the Frame Viewer window.

The Capture window in Network Monitor is the default view (see Figure 1). It's divided into several screen panes.

Figure 1. Network Monitor's Capture window displays real-time network traffic. (Click on image to view larger version.)

The upper left part is the Graph pane. Current, real-time activity such as % Network Utilization is displayed in a horizontal histogram. The Total statistics pane in the upper right part of the Capture window reveals total network activity since the current capture session commenced. In the center, on the left, you have session statistics to show you the activity between two nodes. The bottom half of the screen reveals station session activity on a per node basis. Essentially the network node, which is identified by the media access control (MAC) address in the Network Address column, reports individual sent and received activity for frames, and bytes.

The Frame Viewer window (see Figure 2) is not as mysterious as the Capture Window. In its default view, the Frame Viewer lists frames in rows and provides specific information in columns. I'll explain it in detail later.

Figure 2. The Frame window allows you to analyze traffic at — you guessed it — the frame level. (Click on image to view larger version.)

Install Network Monitor

Network Monitor isn't installed by default, which is too bad - more admins might use it. So, follow these steps to install Network Monitor on your Windows 2000 Server:

  1. Click Start, Settings, Control Panel.
  2. Double-click the Add/Remove Programs applet.
  3. Click Add/Remove Windows Components Select Management and Monitoring Tools on the Windows Components screen and click Details.
  4. Select Network Monitor Tools (see Figure 3) and click OK.
  5. Click Next. Network Monitor and associated tools will be installed. You may be asked to insert the Windows 2000 Server disk.
  6. Click Finish and close the Add/Remove Programs applet.
Figure 3. Installing Network Monitor. (Click on image to view larger version.)

To use Network Monitor, select Network Monitor from the Administrative Tools program group. When Network Monitor launches, it displays the Capture window. This is your starting point to the wonderful world of network monitoring, also known as "sniffing." When you sniff, you capture and view network packets or frames.

Starting a network packet capture is easy. Simply click the Start Capture button on the toolbar or select Start from the Capture menu. The capture activity will appear in the Capture window, allowing you to observe host-to-host communications, network utilization rate, and so on. Click the Stop Capture button to terminate the capture activity, and don't forget to save (select Save from the File menu) your capture session in case your need to look at it later or send it to Microsoft technical support for troubleshooting.

Using Network Monitor

There are many reasons to use Network Monitor, but the vast majority of Windows 2000 MCSEs will wait until trouble lurks. Few of us have the time to learn Network Monitor for giggles. Actually waiting until you need Network Monitor to solve a problem is an entirely acceptable method of learning. And, as I'll explain in the next section, some MCSEs get so excited about Network Monitor, they make being an expert in it part of their technical niche!

Packet analysis
I'll assume you understand the basics of networking or that you can quickly refer to your old Network Essentials text. The reason that I make that assumption is that you should already know that network activity is reflected by packet activity. When you capture a session with Network Monitor, you can observe the packet activity as seen in Figure 4 in the Frame Viewer window, which has been modified to display the Summary pane (top), Detail pane (center) and Hex pane (bottom).

Figure 4. Detailed session information presented frame by frame. (Click on image to view larger version.)

Frames 31 to 33 show the infamous TCP/IP three-way handshake of session establishment. Huh? In networking, two hosts have to agree to communicate. In packet 31, one computer (LOCAL) attempts to establish a session with the other (RED…). The session establishment attempt is shown by the send (S) entry in the Description column. In frame 32, the second computer (RED…) replies with an acknowledgement (A) and then a send (S). The first computer completes the three-way handshake and establishes a session in frame 33 with a final acknowledgement (A).

The three-way handshake is the most common type of packet analysis you're likely to encounter as an MCSE when troubleshooting: session establishment. That is, it's likely Microsoft technical support will initially work with you to make sure that two hosts are even communicating with each other and trying to establish a session.

Advanced settings
There are many advanced settings in Network Monitor, making this a huge area of MCSE study (but after you complete that Windows 2000 MCSE, eh?). I cover many of the advanced Network Monitor features in my Windows 2000 Server Secrets book (IDG Books Worldwide) in Chapter 19: Network Monitor Secrets, but I'll address one advanced feature now — the display filter.

When using Network Monitor, you're often on a journey that you have no map for, you don't know where you're going and you don't know when you'll arrive. The point is that you really need to capture all frames in capture session and then filter which frames are displayed as you troubleshoot a problem. The Display Filter (see Figure 5) lets you select specific protocols to display from the capture. The result of using the display filter is shown in Figure 6, where only HTTP packets are displayed.

Figure 5. Displaying HTTP frames via Display Filter. (Click on image to view larger version.)

Figure 6. In the filtered results, only HTTP frames are displayed. (Click on image to view larger version.)

Making Your Fortune With Network Monitor

I'll never forget my blunt introduction to packet analysis nearly a decade ago. I was speaking with the IT director of a large printing company and he described a need for a network engineer with packet analysis experience. Why? Because the firm had an immense wide area network (WAN) that was experiencing network problems. Up to that point, I had always considered myself to be a network engineer (small "e"), but this telephone call introduced me to network Engineering (large "E"). In fact, if you're a small minority that feels the MCSE, with its operating system focus, doesn't have enough true network engineering, then may I encourage you to pursue your technology niche in packet analysis with Network Monitor.

More importantly, the topic of money is near and dear to the hearts of many MCSEs. One bona fide path to riches is the packet analysis path. You'll charge top dollar to troubleshoot intense network problems. Some words of advice, though: As you get deeper into packet analysis, you'll find yourself living more in the router community and less in the network operating system community. If such is the case, check out MCP Magazine's sibling online magazine, TCPmag.com, which is oriented to the router community. You can access that magazine at www.tcpmag.com and the other magazines at www.certcities.com.

I'll use network monitor when I need it, but my professional interests are broader than the narrow world of packet analysis.

Featured