Using the Microsoft Network Monitor
Microsoft Network Monitor is a tool developed by Microsoft to make the task of troubleshooting complex network problems much easier and more economical. It is packaged as part of the Microsoft Systems Management Server product but can be used as a stand-alone network monitor.
In addition, Windows NT Server, Windows NT Workstation, and Windows 95 distribution media include the Network Monitor Agent software. Stations running Network Monitor can attach to stations running the agent software over the network or using dial-up (RAS) to perform monitoring or tracing of remote network segments. This can be a very useful troubleshooting tool.
Network Monitor works by configuring the NIC so that traffic to and from the local computer can be captured. Capture filters can be defined so that only specific frames are saved for analysis; they can be based on source and destination NIC addresses, source and destination protocol addresses, and pattern matches. Once a capture has been obtained, display filtering can be used to narrow the problem down further, including selecting specific protocols for display.
Once a capture has been obtained and filtered, Network Monitor protocol parsing interprets the binary trace data into readable terms using parsing DLLs. The following sample Server Message Block (SMB) frame is shown fully parsed:
************************************************************************
Frame Time Src Other Addr Dst Other Addr Protocol Description
7 0.020 172.16.48.36 172.16.48.10 SMB C get attributes, File = \temp
FRAME: Base frame properties
FRAME: Time of capture = Jun 27, 1995 8:11:11.636
FRAME: Time delta from previous physical frame: 3 milliseconds
FRAME: Frame number: 7
FRAME: Total frame length: 106 bytes
FRAME: Capture frame length: 106 bytes
FRAME: Frame data: Number of data bytes remaining = 106 (0x006A)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00608C0E6C6A
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 0020AF1D2B91
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 106 (0x006A)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 92 (0x005C)
IP: ID = 0x4072; Proto = TCP; Len: 92
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 92 (0x5C)
IP: Identification = 16498 (0x4072)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 32 (0x20)
IP: Protocol = TCP - Transmission Control
IP: CheckSum = 0xC895
IP: Source Address = 09.48.16.172
IP: Destination Address = 172.16.48.10
IP: Data: Number of data bytes remaining = 72 (0x0048)
TCP: .AP..., len: 52, seq: 344830227, ack: 2524988, win: 8166, src: 1677 dst: (NBT Session)
TCP: Source Port = 0x068D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 344830227 (0x148DB113)
TCP: Acknowledgment Number = 2524988 (0x26873C)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8166 (0x1FE6)
TCP: CheckSum = 0xC072
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 52 (0x0034)
NBT: SS: Session Message, Len: 48
NBT: Packet Type = Session Message
NBT: Packet Flags = 0 (0x0)
NBT: .......0 = Add 0 to Length
NBT: Packet Length = 48 (0x30)
NBT: SS Data: Number of data bytes remaining = 48 (0x0030)
SMB: C get attributes, File = \temp
SMB: SMB Status = Error Success
SMB: Error class = No Error
SMB: Error code = No Error
SMB: Header: PID = 0xCAFE TID = 0x0800 MID = 0x43C0 UID = 0x0800
SMB: Tree ID (TID) = 2048 (0x800)
SMB: Process ID (PID) = 51966 (0xCAFE)
SMB: User ID (UID) = 2048 (0x800)
SMB: Multiplex ID (MID) = 17344 (0x43C0)
SMB: Flags Summary = 24 (0x18)
SMB: .......0 = Lock & Read and Write & Unlock not supported
SMB: ......0. = Send No Ack not supported
SMB: ....1... = Using caseless pathnames
SMB: ...1.... = Canonicalized pathnames
SMB: ..0..... = No Opportunistic lock
SMB: .0...... = No Change Notify
SMB: 0....... = Client command
SMB: flags2 Summary = 32771 (0x8003)
SMB: ...............1 = Understands long filenames
SMB: ..............1. = Understands extended attributes
SMB: ..0............. = No paging of IO
SMB: .0.............. = Using SMB status codes
SMB: 1............... = Using UNICODE strings
SMB: Command = C get attributes
SMB: Word count = 0
SMB: Byte count = 13
SMB: Byte parameters
SMB: Path name = \temp
00000: 00 60 8C 0E 6C 6A 00 20 AF 1D 2B 91 08 00 45 00 .`..lj. ..+...E.
00010: 00 5C 40 72 40 00 20 06 C8 95 9D 39 09 8A 9D 39 .\@r@. ....9...9
00020: 0D 98 06 8D 00 8B 14 8D B1 13 00 26 87 3C 50 18 ...........&.<P.
00030: 1F E6 C0 72 00 00 00 00 00 30 FF 53 4D 42 08 00 ...r.....0.SMB..
00040: 00 00 00 18 03 80 00 00 00 00 00 00 00 00 00 00 ................
00050: 00 00 00 08 FE CA 00 08 C0 43 00 0D 00 04 5C 00 .........C....\.
00060: 74 00 65 00 6D 00 70 00 00 00 t.e.m.p...
The preceding parsed output example consists of three sections:
- summary window
- detailed description window
- hex output
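As an added example (not code from the Resource Kit or from Network Monitor itself), the following Python script decodes the hex dump above by hand, walking Ethernet, IP, TCP, NBT and SMB the way the parsing DLLs do, and recomputes the IP header checksum to confirm the bytes match the 0xC895 the parser shows. Note that the address bytes in the hex dump (9D 39 09 8A and 9D 39 0D 98) do not agree with the 172.16.48.x addresses in the parsed lines; the script reports what the bytes actually contain.

```python
import struct
# Bytes of the 106-byte frame copied from the Network Monitor hex dump above (offset/ASCII columns removed).
FRAME_HEX = """
00 60 8C 0E 6C 6A 00 20 AF 1D 2B 91 08 00 45 00
00 5C 40 72 40 00 20 06 C8 95 9D 39 09 8A 9D 39
0D 98 06 8D 00 8B 14 8D B1 13 00 26 87 3C 50 18
1F E6 C0 72 00 00 00 00 00 30 FF 53 4D 42 08 00
00 00 00 18 03 80 00 00 00 00 00 00 00 00 00 00
00 00 00 08 FE CA 00 08 C0 43 00 0D 00 04 5C 00
74 00 65 00 6D 00 70 00 00 00
"""
FRAME = bytes.fromhex("".join(FRAME_HEX.split()))

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of the IP header with its checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IP -> TCP -> NBT -> SMB and return the fields Network Monitor displays."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    f = {"eth_dst": dst.hex().upper(), "eth_src": src.hex().upper(), "etype": etype}
    ip = frame[14:]
    ver_ihl, _, total_len, ident, _, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    f.update(ip_id=ident, ip_len=total_len, ip_ttl=ttl, ip_proto=proto,
             ip_csum_ok=ip_checksum(ip[:ihl]) == csum,
             ip_src=".".join(map(str, ip[12:16])), ip_dst=".".join(map(str, ip[16:20])))
    tcp = ip[ihl:total_len]  # the IP total length, not the Ethernet frame, bounds the TCP segment
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    flag_str = "".join(c if off_flags & (1 << (5 - i)) else "." for i, c in enumerate("UAPRSF"))
    f.update(tcp_src=sport, tcp_dst=dport, tcp_seq=seq, tcp_ack=ack, tcp_win=win, tcp_flags=flag_str)
    nbt = tcp[(off_flags >> 12) * 4:]  # NetBIOS session header: type, flags, 16-bit length
    nbt_len = ((nbt[1] & 0x01) << 16) | struct.unpack("!H", nbt[2:4])[0]  # flag bit 0 extends length
    smb = nbt[4:4 + nbt_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("NBT session message does not carry SMB")
    # SMB header is little-endian: cmd @4, status @5, flags @9, flags2 @10, TID/PID/UID/MID @24
    f.update(nbt_type=nbt[0], nbt_len=nbt_len, smb_cmd=smb[4], smb_flags=smb[9],
             smb_flags2=struct.unpack("<H", smb[10:12])[0])
    f["smb_tid"], f["smb_pid"], f["smb_uid"], f["smb_mid"] = struct.unpack("<HHHH", smb[24:32])
    wct = smb[32]  # word count; wct*2 parameter bytes precede the 16-bit byte count
    bcc = struct.unpack("<H", smb[33 + 2 * wct:35 + 2 * wct])[0]
    data = smb[35 + 2 * wct:35 + 2 * wct + bcc]  # buffer-format byte (0x04) then the path
    encoding = "utf-16-le" if f["smb_flags2"] & 0x8000 else "latin-1"  # flags2 bit 15: UNICODE strings
    f["smb_path"] = data[1:].decode(encoding).rstrip("\x00")
    return f
```

Running `parse_frame(FRAME)` reproduces the summary line's fields (command 0x08 "get attributes", PID 0xCAFE, path \temp) and confirms the IP checksum, which is a quick way to tell a pristine hex dump from one that was edited after capture.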
If you are sending traces to support personnel at Microsoft, they are most useful in electronic form rather than printed form, because they can be manipulated and scanned electronically. Large printed traces are time-consuming to read.