Network Protocol Analysis

The Network Monitor component of Systems Management Server is a diagnostic tool that allows administrators to look at the details of network packets, perform remote captures on a packet anywhere on the network, and gather network statistics about a group of personal computers. It enables network administrators to capture and analyze network traffic and detect problems or potential network bottlenecks.

Network Monitor provides a graphical display of network statistics that you can use to perform routine troubleshooting tasks, such as locating client-to-server connection problems, or finding a computer making a disproportionate number of work requests.

With Network Monitor, you can:

• Capture frames (also called packets) directly from the local network
• Capture frames from a remote computer
• Display and filter captured frames
• Edit and transmit captured frames onto the network to test network resources or to reproduce network problems
• Display statistics on frames captured locally or on a remote computer

Network Monitor monitors the network data stream, which consists of all of the information transferred over a network at any given time. Prior to transmission, this information is divided by the networking software into smaller segments, called frames or packets. Each frame contains the following information:

• The source address of the computer that sent the message, which is a unique hexadecimal number that identifies the computer on the network
• The destination address of the computer that received the frame
• Headers from each protocol used to send the frame
• The data or a portion of the information being sent

Except in a token-ring or a subnetworked environment, every computer on the network is exposed to all network activity, but the network adapter in each computer typically passes on to the computer only the frames addressed to it. Network Monitor requires that the network adapter be in promiscuous mode, which forces it to examine all frames on the network, rather than just those addressed to it. Network Monitor then filters, counts, and copies all the frames it detects to its capture buffer, which is a reserved storage area in memory. This process is referred to as capturing.

Important To use Network Monitor, you need a network adapter that supports promiscuous mode. Read the documentation that accompanies your adapter to determine if it supports promiscuous mode.

Although the amount of information Network Monitor can capture is limited only by the amount of memory available on your computer, you usually need to capture only a small subset of the frames traveling on the network. To single out a subset of frames, you can design a capture filter, which functions in the same manner as a database query. You can filter on the basis of source and destination addresses, protocols and protocol properties, or by specifying a data pattern.

If you want a running capture to respond to events on your network as soon as they are detected, you can design a capture trigger. A capture trigger performs a specified action, such as starting an executable file, when Network Monitor detects a particular set of conditions on the network.

For more information about using Network Monitor, see the Systems Management Server Administrator's Guide.