Using the Microsoft Network Monitor

Microsoft Network Monitor is a tool developed by Microsoft to make the task of troubleshooting complex network problems much easier and more economical. It is packaged as part of the Microsoft Systems Management Server product but can be used as a stand-alone network monitor.

In addition, Windows NT Server, Windows NT Workstation, and Windows 95 distribution media include the Network Monitor Agent software. Stations running Network Monitor can attach to stations running the agent software over the network or using dial-up (RAS) to perform monitoring or tracing of remote network segments. This can be a very useful troubleshooting tool.

Network Monitor works by configuring the network interface card (NIC) so that traffic to and from the local computer can be captured. Capture filters can be defined so that only specific frames are saved for analysis: filters can be based on source and destination NIC (hardware) addresses, source and destination protocol addresses, and pattern matches in the frame data. Once a capture has been obtained, display filters can be used to narrow the problem down further; display filtering also allows specific protocols to be selected.

Once a capture has been obtained and filtered, Network Monitor protocol parsing interprets the binary trace data into readable terms using parsing DLLs. The following sample Server Message Block (SMB) frame is shown fully parsed:

************************************************************************
Frame  Time   Src Other Addr  Dst Other Addr  Protocol  Description
7      0.020  172.16.48.36    172.16.48.10    SMB       C get attributes, File = \temp

FRAME: Base frame properties
FRAME: Time of capture = Jun 27, 1995 8:11:11.636
FRAME: Time delta from previous physical frame: 3 milliseconds
FRAME: Frame number: 7
FRAME: Total frame length: 106 bytes
FRAME: Capture frame length: 106 bytes
FRAME: Frame data: Number of data bytes remaining = 106 (0x006A)

ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00608C0E6C6A
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 0020AF1D2B91
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 106 (0x006A)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 92 (0x005C)

IP: ID = 0x4072; Proto = TCP; Len: 92
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 92 (0x5C)
IP: Identification = 16498 (0x4072)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 32 (0x20)
IP: Protocol = TCP - Transmission Control
IP: CheckSum = 0xC895
IP: Source Address = 09.48.16.172
IP: Destination Address = 172.16.48.10
IP: Data: Number of data bytes remaining = 72 (0x0048)

TCP: .AP..., len: 52, seq: 344830227, ack: 2524988, win: 8166, src: 1677 dst: (NBT Session)
TCP: Source Port = 0x068D
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 344830227 (0x148DB113)
TCP: Acknowledgment Number = 2524988 (0x26873C)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8166 (0x1FE6)
TCP: CheckSum = 0xC072
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 52 (0x0034)

NBT: SS: Session Message, Len: 48
NBT: Packet Type = Session Message
NBT: Packet Flags = 0 (0x0)
NBT: .......0 = Add 0 to Length
NBT: Packet Length = 48 (0x30)
NBT: SS Data: Number of data bytes remaining = 48 (0x0030)

SMB: C get attributes, File = \temp
SMB: SMB Status = Error Success
SMB: Error class = No Error
SMB: Error code = No Error
SMB: Header: PID = 0xCAFE TID = 0x0800 MID = 0x43C0 UID = 0x0800
SMB: Tree ID (TID) = 2048 (0x800)
SMB: Process ID (PID) = 51966 (0xCAFE)
SMB: User ID (UID) = 2048 (0x800)
SMB: Multiplex ID (MID) = 17344 (0x43C0)
SMB: Flags Summary = 24 (0x18)
SMB: .......0 = Lock & Read and Write & Unlock not supported
SMB: ......0. = Send No Ack not supported
SMB: ....1... = Using caseless pathnames
SMB: ...1.... = Canonicalized pathnames
SMB: ..0..... = No Opportunistic lock
SMB: .0...... = No Change Notify
SMB: 0....... = Client command
SMB: flags2 Summary = 32771 (0x8003)
SMB: ...............1 = Understands long filenames
SMB: ..............1. = Understands extended attributes
SMB: ..0............. = No paging of IO
SMB: .0.............. = Using SMB status codes
SMB: 1............... = Using UNICODE strings
SMB: Command = C get attributes
SMB: Word count = 0
SMB: Byte count = 13
SMB: Byte parameters
SMB: Path name = \temp

00000:  00 60 8C 0E 6C 6A 00 20 AF 1D 2B 91 08 00 45 00  .`..lj. ..+...E.
00010:  00 5C 40 72 40 00 20 06 C8 95 9D 39 09 8A 9D 39  .\@r@. ....9...9
00020:  0D 98 06 8D 00 8B 14 8D B1 13 00 26 87 3C 50 18  ...........&.<P.
00030:  1F E6 C0 72 00 00 00 00 00 30 FF 53 4D 42 08 00  ...r.....0.SMB..
00040:  00 00 00 18 03 80 00 00 00 00 00 00 00 00 00 00  ................
00050:  00 00 00 08 FE CA 00 08 C0 43 00 0D 00 04 5C 00  .........C....\.
00060:  74 00 65 00 6D 00 70 00 00 00                    t.e.m.p...

The preceding parsed output example consists of three sections:

If you are sending traces to support personnel at Microsoft, they are most useful in electronic form rather than printed form, because they can be manipulated and scanned electronically. Large printed traces are time-consuming to read.
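As an added example (not part of the original document and not Network Monitor's own code), the following Python walks the hex dump of the SMB frame shown above layer by layer, the way the parser DLLs do: Ethernet type, IP identification/TTL/flags with a check of the stored header checksum, TCP ports and flags, the NBT session length, and the SMB header fields including the UTF-16LE path name. The byte values are copied from the hex dump on this page; the dictionary keys and function names are this example's own.

```python
import struct
# Hex dump copied from the parsed SMB frame shown above (106 bytes, row offsets removed).
FRAME_HEX = """
00 60 8C 0E 6C 6A 00 20 AF 1D 2B 91 08 00 45 00  00 5C 40 72 40 00 20 06 C8 95 9D 39 09 8A 9D 39
0D 98 06 8D 00 8B 14 8D B1 13 00 26 87 3C 50 18  1F E6 C0 72 00 00 00 00 00 30 FF 53 4D 42 08 00
00 00 00 18 03 80 00 00 00 00 00 00 00 00 00 00  00 00 00 08 FE CA 00 08 C0 43 00 0D 00 04 5C 00
74 00 65 00 6D 00 70 00 00 00"""

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; a stored checksum verifies when the result is 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frame(raw: bytes) -> dict:
    """Walk Ethernet -> IP -> TCP -> NBT -> SMB; stop at the first layer that is not understood."""
    f = {"eth_type": struct.unpack("!H", raw[12:14])[0]}
    if f["eth_type"] != 0x0800:            # only IP is handled in this example
        return f
    ihl = (raw[14] & 0x0F) * 4
    ip = raw[14:14 + ihl]
    f["ip"] = {"id": struct.unpack("!H", ip[4:6])[0], "dont_fragment": bool(ip[6] & 0x40),
               "ttl": ip[8], "proto": ip[9], "checksum_ok": ip_checksum(ip) == 0}
    if ip[9] != 6:                         # not TCP
        return f
    tcp = raw[14 + ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    f["tcp"] = {"src": sport, "dst": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x3F}
    payload = tcp[(off_flags >> 12) * 4:]
    if dport != 139:                       # NetBIOS Session Service carries SMB here
        return f
    nbt_len = struct.unpack("!H", payload[2:4])[0] | ((payload[1] & 1) << 16)  # flag bit adds 0x10000
    smb = payload[4:4 + nbt_len]
    if smb[:4] != b"\xffSMB":
        return f
    # SMB header fields are little-endian; the UNICODE bit in Flags2 selects UTF-16LE path strings.
    cmd, status, flags, flags2 = struct.unpack("<BIBH", smb[4:12])   # 0x08 is shown as "C get attributes"
    tid, pid, uid, mid = struct.unpack("<4H", smb[24:32])
    wct = smb[32]; bcc = struct.unpack("<H", smb[33 + wct * 2:35 + wct * 2])[0]
    data = smb[35 + wct * 2:35 + wct * 2 + bcc]
    enc = "utf-16-le" if flags2 & 0x8000 else "ascii"
    path = data[1:].decode(enc).split("\0")[0] if data[:1] == b"\x04" else None
    f["smb"] = {"command": cmd, "status": status, "flags": flags, "flags2": flags2,
                "tid": tid, "pid": pid, "uid": uid, "mid": mid, "path": path}
    return f

if __name__ == "__main__":
    print(parse_frame(bytes.fromhex(FRAME_HEX)))
```

Every value the parser recovers can be compared against the corresponding line of the parsed output above, which is the quickest way to confirm that a hand-written decoder agrees with the tool.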