Network Monitor
Unlike System Monitor, which is used to monitor anything from hardware to software, Network Monitor focuses exclusively on network activity. To understand the traffic and behavior of your network components, install and use Network Monitor.
Network Monitor Features
Network administrators use Microsoft Windows 2000 Network Monitor to view and detect problems on local area networks (LANs). For example, as a network administrator, you can use Network Monitor to diagnose hardware and software problems when two or more computers cannot communicate. You can also copy a log of network activity into a file and then send the file to a professional network analyst or support organization.
Network application developers can use Network Monitor to monitor and debug network applications as they are developed.
Network Monitor monitors the network data stream which consists of all information transferred over a network at any given time. Prior to transmission, this information is divided by the network software into smaller pieces, called frames or packets. Each frame contains:
- The source address of the computer that sent the message.
- The destination address of the computer that received the frame.
- Headers from each protocol used to send the frame.
- The data or a portion of the information being sent.
The process by which Network Monitor copies frames is referred to as capturing. You can use Network Monitor to capture all local network traffic or you can single out a subset of frames to be captured. You can also make a capture respond to events on your network. For example, you can make the network start an executable file when Network Monitor detects a particular set of conditions on the network.
After you have captured data, you can view it in the Network Monitor user interface. Network Monitor does much of the data analysis for you by translating the raw capture data into its logical frame structure.
For security reasons, Windows 2000 Network Monitor captures only those frames, including broadcast and multicast frames, sent to or from the local computer. Network Monitor also displays overall network segment statistics for broadcast frames, multicast frames, network utilization, total bytes received per second, and total frames received per second.
In addition, to help protect your network from unauthorized use of Network Monitor installations, Network Monitor can detect other installations of Network Monitor that are running on the local segment of your network. Network Monitor also detects all instances of the Network Monitor driver being used remotely (by either Network Monitor from Systems Management Server or the Network Segment object in System Monitor) to capture data on your network.
When Network Monitor detects other Network Monitor installations running on the network, it displays the following information:
- The name of the computer
- The name of the user logged on at the computer
- The state of Network Monitor on the remote computer (running, capturing, or transmitting)
- The adapter address of the remote computer
- The version number of Network Monitor on the remote computer
In some instances, your network architecture might prevent one installation of Network Monitor from detecting another. For example, if an installation is separated from yours by a router that does not forward multicasts, your installation cannot detect that installation.
Network Monitor uses a network driver interface specification (NDIS) feature to copy all frames it detects to its capture buffer, a resizable storage area in memory. The default size is 1 MB; you can adjust the size manually as needed. The buffer is a memory-mapped file and occupies disk space.
Note
Because Network Monitor uses the local only mode of NDIS instead of promiscuous mode (in which the network adapter passes on all frames sent on the network), you can use Network Monitor even if your network adapter does not support promiscuous mode. Networking performance is not affected when you use an NDIS driver to capture frames. (Putting the network adapter in promiscuous mode can add 30 percent or more to the load on the CPU.)
Installing Network Monitor
To set up Network Monitor, perform two steps:
- Install the Network Monitor driver on any computer from which you want to capture data for analysis with Network Monitor.
- Install the Network Monitor utilities on a computer running Windows 2000 Server on which data will be captured.
You can install the driver on a computer running either Windows 2000 Professional or Windows 2000 Server. Installing the driver also installs the Network Segment object for use in System Monitor.
Installing the driver does not install Network Monitor itself. Instead, install the Network Monitor Tools on a computer running Windows 2000 Server to install Network Monitor.
To install the Network Monitor driver
- Click Start , point to Settings , click Control Panel , and then double-click Network and Dial-up Connections .
- In Network and Dial-up Connections , right-click Local Area Connection , and then click Properties .
- In the Local Area Connection Properties dialog box, click Install .
- In the Select Network Component Type dialog box, click Protocol , and then click Add .
- In the Select Network Protocol dialog box, click Network Monitor Driver , and then click OK .
If prompted for additional files, insert your Windows 2000 CD, or type a path to the location of the files on a network.
To display and analyze captured data, use the following procedure to install Network Monitor Tools on a computer running Windows 2000 Server. Network Monitor Tools installs Network Monitor along with the Network Monitor driver. If you are running Windows 2000 Server and are installing Network Monitor Tools, you can bypass the preceding procedure; you do not need to install the Network Monitor driver separately.
To install Network Monitor Tools
- Click Start , point to Settings , click Control Panel , and then double-click Add/Remove Programs .
- In the Add/Remove Programs dialog box, double-click Add/Remove Windows Components .
- In the Windows Component Wizard dialog box, click Next .
- Under Components , click Management and Monitoring Tools , and then click the Details button.
- Under Subcomponents of Management and Monitoring Tools , select the Network Monitor Tools check box, and then click OK .
- Click Next to proceed with installation, and then click Finish and Close to exit.
To start Network Monitor on a computer running Windows 2000 Server
- Click Start , point to Programs , and point to Administrative Tools .
- Under Administrative Tools , click Network Monitor .
For information about how to work with the Network Monitor user interface, see Windows 2000 Server Help.
Capturing Frame Data
When you've installed the Network Monitor driver on the computer from which to capture data (hereafter called the source computer) and installed Network Monitor Tools on the computer that will perform the capture (hereafter called destination computer), you can begin to capture data.
To capture data
- Open Network Monitor.
- On the Capture menu, click Start .
Or, click the Capture button on the toolbar.
As frames are captured from the network, statistics about the frames are displayed in the Network Monitor Capture window, as shown in Figure 9.2.
Figure 9.2 Network Monitor Capture Window
Network Monitor displays session statistics from the first 100 unique network sessions it detects. The Network Monitor Capture window includes the panes listed in Table 9.7.
Table 9.7 Description of Display Options for the Capture Pane
Pane
|
Displays
|
---|---|
Graph
|
A graphical representation of the activity currently taking place on the network.
|
Session Stats
|
Statistics about individual sessions currently taking place on the network.
|
Station Stats
|
Statistics about the sessions participated in by the computer running Network Monitor.
|
Total Stats
|
Summary statistics about the network activity detected since the capture process began.
|
To reset statistics and see information on the next 100 network sessions detected, on the Capture menu, click Clear Statistics . To capture only those frames that originate with specific computers, determine the addresses of the computers on your network and associate the address with its DNS or NetBIOS name. After these associations are made, you can save the names to an address database (.adr) file that can be used to design capture filters and display filters. The capture filter allows you to specify criteria for inclusion in or exclusion from the capture. If the address is not available in the address database, try to capture all traffic and, after stopping and viewing the capture, use the Find All Names command on the Display menu to locate the address.
Note
Capture filters can significantly increase the processor's workload because each packet must be processed through the filter and either saved or discarded. In some cases, using complex filters might result in missed frames.
An example of such a filter is an address pair, used to capture frames from specific computers on the network. An address pair consists of:
- The addresses of the computers between which you want to monitor traffic. Note that you can capture to a computer or to a router; however, you cannot select multiple address pairs with the OR operation. You must run multiple instances of Network Monitor to capture to either a computer or a router simultaneously. (An address is a hexadecimal number that identifies a computer uniquely on the network.)
- Arrows that specify the traffic direction you want to monitor.
- The INCLUDE or EXCLUDE keyword, indicating how Network Monitor should respond to a frame that meets a filter's specifications.
Regardless of the sequence in which statements appear in the Capture Filter dialog box, EXCLUDE statements are evaluated first. Therefore, if a frame meets the criteria specified in an EXCLUDE statement in a filter containing both an EXCLUDE and INCLUDE statement, that frame is discarded. Network Monitor does not test that frame by INCLUDE statements to see if it meets that criterion also.
For example, to capture all the traffic from Joe's computer except the traffic from Joe to Anne, use the following capture filter in the address section:
include Joe <----> Any
exclude Joe <----> Anne
If there are no include lines, the default address your_computer_name – – – – Any is used by default.
Figure 9.3 shows the Capture Filter dialog box, accessed from the Capture menu or by pressing F8 in the Capture window.
Figure 9.3 Capture Filter Dialog Box
To design a capture filter, specify decision statements in the Capture Filter dialog box. For information about display filters, see "Displaying Captured Data" later in this chapter.
By specifying a pattern match in a capture filter, you can:
- Limit a capture to only those frames containing a specific pattern of ASCII or hexadecimal data.
- Specify how many bytes into the frame the pattern must occur. This number of bytes is known as an offset.
When you filter based on a pattern match, you must specify where the pattern occurs in the frame (how many bytes from the beginning or end). If your network medium has a variable size in the media access control protocol, such as Ethernet or Token Ring, specify to count from the end of the topology header. - To capture frames sent using a specific protocol, specify the protocol on the capture filter SAP/ETYPE= line. Available protocols appear in the dialog box when you double-click the SAP/ETYPE= line. For example, to capture only IP frames, disable all protocols and then enable IP ETYPE 0x800 and IP SAP 0x6. By default, all of the protocols that Network Monitor supports are enabled.
- Use a capture trigger to automate actions to follow the capture. A trigger is a set of conditions that, when met, initiate an action. For example, before using Network Monitor to capture data from the network, you can set a trigger to stop the capture or to run a program or command file. You can also specify the conditions under which these actions will occur. One example of a trigger is a pattern match. You can save a trigger to the local computer if you save a capture filter. The default file path for saving filters is the \System32\Netmon\Captures directory in the root directory.
Table 9.8 describes the trigger types you can use to specify the condition that starts the trigger.
Table 9.8 Trigger Types for Network Monitor Captures
Trigger type
|
Description
|
---|---|
Nothing
|
No trigger is initiated. This is the default.
|
Pattern Match
|
Initiates the trigger when the specified pattern occurs in a captured frame.
|
Buffer Space
|
Initiates the trigger when a specified amount of the capture buffer is filled.
|
Pattern Match Then Buffer Space
|
Initiates the trigger when the pattern occurs and is followed by a specified percentage of the capture buffer being filled.
|
Buffer Space Then Pattern Match
|
Initiates the trigger when the specified percentage of the capture buffer fills and is followed by the occurrence of the pattern in a captured frame.
|
No Action
|
No action is taken when a trigger condition is met. This is the default. Even though you select No Action , the computer beeps when the trigger condition is met.
|
Stop Capture
|
Stops the capture process when the trigger condition is met.
|
Execute Command Line
|
Runs a program or batch file when a trigger condition is met. If you select this option, provide a command or the path to a program or batch file.
|
If your computer uses multiple network adapters, use Network Monitor to collect data from multiple network adapters, and then either switch between the two adapters or run multiple instances of Network Monitor.
To switch between adapters
- On the Capture menu, click Networks , and then select a different adapter.
Modem adapters appear as ETHERNET with a dial-up connection flag set to TRUE.
After capturing data, you might want to save it. For example, it is useful to save captures before starting another capture (to prevent loss of the captured data) if you think you might need to analyze the data later, or if you need to document network use or problems. When you save captured data, the data in the capture buffer is written to a capture (.cap) file.
Displaying Captured Data
To simplify data analysis, Network Monitor interprets raw data collected during the capture and displays it in the Frame Viewer window.
To display captured information in the Frame Viewer window, from the Capture menu, click Stop and View while the capture is running. You can also display captures by opening a file with the .cap extension.
Figure 9.4 shows the key elements in the Frame Viewer window.
No comments:
Post a Comment