Monitoring Network Performance

System Monitor

The built-in Performance console provides the ability to monitor network activity along with the other performance data on the system. Treat network components as another set of hardware resources to observe as part of your normal performance-monitoring routine.

Network activity can influence the performance not only of your network components but also of your system as a whole. You should monitor other resources along with network activity, such as disk, memory, and processor activity. System Monitor enables you to track network and system activity using a single tool. Use the following counters as part of your normal monitoring configuration:

Monitoring network activity with System Monitor involves examining performance data at each network layer, as defined in the Open Systems Interconnect (OSI) model; for information about this model, see Appendix A, "OSI Model," in the Windows 2000 Server Resource Kit TCP/IP Core Networking Guide. System Monitor provides performance objects for collection of data that reflect transmission rates, packet queue lengths, and other network performance data.


Note

Because of the overhead of the protocol headers, actual transmission rates might differ from the rates specified for the wire or line in use.

Table 9.1 illustrates the network layers and their associated performance objects.

Table 9.1 Network Layers and Related Performance Objects

OSI layer | Performance objects
Application, Presentation | Browser, Server, Redirector, and Server Work Queues
Session | NBT Connection (NBT is an abbreviation for NetBT, which means NetBIOS over TCP/IP; NetBIOS stands for network basic input/output system)
Transport | Protocol objects: TCP for the Transmission Control Protocol; UDP for the User Datagram Protocol, NetBEUI for NetBIOS, AppleTalk (installed by protocol)
Network | Network Segment (installed when you install the Network Monitor driver), IP for the Internet Protocol, NWLink IPX/SPX for the Microsoft implementation of Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX). NWLink performance objects display only zeros for counters that report on frame activity. On systems running Windows NT version 4.0, installing the Network Monitor Agent installed the Network Segment counters.
Data Link, Physical | Network Interface. These counters are maintained by the driver and can report inaccurate or zero values because of problems with implementation of counters by the driver.


Begin with the lowest-level components and work your way up as you monitor performance data for your network. Monitor the objects described in this chapter over periods of time ranging from days to weeks, to a month. Using this data, determine a performance baseline, the typical level of performance you expect under typical workloads and usage. A performance baseline gives you a point from which to compare performance over time to identify growth trends, changing demands, or the emergence of a bottleneck. If performance within the baseline range becomes unsatisfactory, tune the network as described in "Resolving Network Bottlenecks" later in this chapter.

As with other resources, establish a baseline for network performance. When performance data is incompatible with your baseline values, investigate the cause. Abnormal network counter values on a server often indicate problems with its memory, processor, or disks. For that reason, the best approach to monitoring a server is to watch network counters in conjunction with Processor\% Processor Time, PhysicalDisk\% Disk Time, and Memory\Pages/sec.

For example, if a dramatic increase in Pages/sec is accompanied by a decrease in Bytes Total/sec handled by a server, the computer is probably running short of physical memory for network operations. Most network resources, including network adapters and protocol software, use nonpaged memory. If a computer is paging excessively, it could be because most of its physical memory has been allocated to network activities, leaving a small amount of memory for processes that use paged memory. To verify this situation, check the computer's system event log for entries indicating that it has run out of paged or nonpaged memory. Also monitor the nonpaged pool memory and overall memory counters. For more information about monitoring memory and performance, see "Evaluating Memory and Cache Usage" in this book.
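The baseline comparison and the paging example above can be expressed as a short script. This is an added example, not part of the Resource Kit text; the sample values are constructed, and the threshold k (how many standard deviations from the baseline count as abnormal) is an assumption.

```python
from statistics import mean, pstdev

# Constructed baseline samples (made-up values) for Memory\Pages/sec and
# Server\Bytes Total/sec, collected under a typical workload.
BASELINE_PAGES = [20, 25, 22, 18, 24, 21, 23, 19]
BASELINE_BYTES = [5000000, 5200000, 4900000, 5100000,
                  5300000, 4800000, 5000000, 5100000]

# Constructed later observations: (Pages/sec, Bytes Total/sec) per interval.
OBSERVED = [
    (22, 5100000),    # ordinary interval
    (140, 3000000),   # paging jumps while throughput falls
    (180, 2200000),
    (23, 2000000),    # throughput falls with no change in paging
]


def make_baseline(samples):
    """Summarize baseline samples as (mean, population standard deviation)."""
    return mean(samples), pstdev(samples)


def z_score(value, baseline):
    """Distance of a sample from the baseline mean, in standard deviations."""
    avg, sd = baseline
    if sd == 0:
        if value == avg:
            return 0.0
        return float("inf") if value > avg else float("-inf")
    return (value - avg) / sd


def classify(pages, bytes_total, pages_base, bytes_base, k=3.0):
    """Label one interval; k is an assumed threshold, tune it to your site."""
    paging_up = z_score(pages, pages_base) > k
    bytes_down = z_score(bytes_total, bytes_base) < -k
    if paging_up and bytes_down:
        # The case described in the text: check the system event log and the
        # nonpaged pool counters for signs of a physical memory shortage.
        return "memory-shortage-suspected"
    if bytes_down:
        return "throughput-drop"
    if paging_up:
        return "paging-increase"
    return "within-baseline"


def review(observed, pages_samples, bytes_samples, k=3.0):
    """Classify every observed interval against the two baselines."""
    pages_base = make_baseline(pages_samples)
    bytes_base = make_baseline(bytes_samples)
    return [classify(p, b, pages_base, bytes_base, k) for p, b in observed]


if __name__ == "__main__":
    for sample, label in zip(OBSERVED, review(OBSERVED, BASELINE_PAGES, BASELINE_BYTES)):
        print(sample, label)
```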

Network Counters

Starting from the physical layer and working up to the application layer of the OSI model, you will monitor the performance objects and their counters described in the following sections.

Network Interface Object

Use the Network Interface object to monitor transmissions starting at the physical layer. The Network Interface object is installed by Transmission Control Protocol/Internet Protocol (TCP/IP) and monitors activity of the IP protocol. The object reports transmissions over the network adapter. There are no separate objects to monitor the adapters over other networking protocols.

When you use the Network Interface object counters, note that the instances include the loopback address, the network adapter, the dial-out wide area network (WAN) wrapper for each device bound under the Routing and Remote Access service, and the dial-up WAN wrapper for each device. The wrapper is code that surrounds network driver interface specification (NDIS) device drivers, providing a uniform interface between protocol drivers and NDIS device drivers and support routines that make the development of an NDIS driver easier.

The instances typically list the loopback address 127.0.0.1 first, and the remaining instances should match the binding order of the TCP/IP protocol. (If Routing and Remote Access does not use IP for a device, its traffic is not counted.) To view the binding order for TCP/IP, in the Network and Dial-up Connections dialog box, on the Connections menu, click Advanced.

Monitor the following Network Interface object counters:

Network Interface\Output Queue Length

Use this counter to indicate the length of the output packet queue. The value should be low. Queues that are one or two items long constitute satisfactory performance; longer queues mean that the adapter is waiting for the network and cannot keep pace with server requests.

Network Interface\Packets Outbound Discarded

Use this counter to determine if the network is saturated. If this counter continuously increases, it might indicate that a network is so busy that the network buffers cannot keep up with the outbound flow of packets.

Network Interface\Bytes Total/sec

Use this counter to determine how the network adapter is performing. The Bytes Total/sec counter should report high values, to indicate a large number of successful transmissions. Compare this value with the value reported by the Network Interface\Current Bandwidth counter, reflecting each adapter's bandwidth. If you see the Bytes Total/sec rate approaching the maximum transfer rate, the probability of collisions on the network increases. This in turn impacts performance by increasing the latency of packet transfer on the network. In this case, you might want to consider increasing the bandwidth or segmenting the network. For example, if using 100 megabit/sec fast Ethernet, and the total rate of bytes transferred per second approaches 65 percent of the maximum network bandwidth, you can improve performance by using a gigabit or faster Ethernet switch to segment the network into smaller networks.
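The three Network Interface checks above can be applied to a saved counter log. The following is an added example, not part of the Resource Kit text: the log is constructed, its layout (a timestamp column followed by one column per counter path) is an assumption, and min_run is an assumed reading of "continuously increases". It relies on Current Bandwidth being reported in bits per second while Bytes Total/sec is in bytes.

```python
import csv
import io
import re

# Constructed sample log: server name, adapter name and every value are made up.
# Assumed layout: a timestamp column followed by one column per counter path.
SAMPLE_LOG = r"""Time,\\SRV1\Network Interface(NIC1)\Output Queue Length,\\SRV1\Network Interface(NIC1)\Packets Outbound Discarded,\\SRV1\Network Interface(NIC1)\Bytes Total/sec,\\SRV1\Network Interface(NIC1)\Current Bandwidth
10:00:00,0,12,2100000,100000000
10:00:15,1,12,4300000,100000000
10:00:30,3,15,8400000,100000000
10:00:45,4,19,8900000,100000000
10:01:00,5,26,9100000,100000000
"""

# \\computer\Object(instance)\Counter; the instance may itself contain parentheses.
COUNTER_PATH = re.compile(
    r"^\\\\[^\\]+\\(?P<obj>[^(\\]+)(?:\((?P<inst>.*)\))?\\(?P<ctr>[^\\]+)$"
)


def load_adapters(text):
    """Group Network Interface columns as {instance: {counter: [values]}}."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header, data = rows[0], rows[1:]
    adapters = {}
    for col, path in enumerate(header):
        m = COUNTER_PATH.match(path)
        if not m or m["obj"] != "Network Interface":
            continue  # timestamp column or a different performance object
        adapters.setdefault(m["inst"], {})[m["ctr"]] = [float(r[col]) for r in data]
    return adapters


def longest_rising_run(values):
    """Longest streak of consecutive sample-to-sample increases."""
    best = run = 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur > prev else 0
        best = max(best, run)
    return best


def assess_adapter(counters, queue_ok=2, busy_ratio=0.65, min_run=3):
    """Apply the Output Queue Length, discard and bandwidth checks.

    queue_ok (queues of one or two items) and busy_ratio (65 percent of
    bandwidth) come from the text; min_run is an assumption.
    """
    queue = counters["Output Queue Length"]
    discards = counters["Packets Outbound Discarded"]
    # Convert bytes/sec to bits/sec before dividing by Current Bandwidth.
    util = [
        b * 8 / bw
        for b, bw in zip(counters["Bytes Total/sec"], counters["Current Bandwidth"])
        if bw > 0
    ]
    return {
        "long_queue_samples": sum(1 for q in queue if q > queue_ok),
        "discards_rising": longest_rising_run(discards) >= min_run,
        "peak_utilization": round(max(util), 3) if util else 0.0,
        "busy_samples": sum(1 for u in util if u >= busy_ratio),
    }


def assess_log(text):
    """Return the findings for every adapter instance found in the log."""
    return {name: assess_adapter(c) for name, c in load_adapters(text).items()}


if __name__ == "__main__":
    for adapter, findings in assess_log(SAMPLE_LOG).items():
        print(adapter, findings)
```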

Network Segment Objects

Use this object to report statistics for the local network segment. To use this object, you must have already installed the Network Monitor driver on the computer where you will run System Monitor and on the computer from which you will collect data. For more information about installing Network Monitor, see "Installing Network Monitor" later in this chapter.

Monitor the following Network Segment object counters:

Network Segment\Broadcast Frames Received/sec

Use this counter to establish a baseline when monitored over time. To determine the cause of a problem, investigate large variations from the baseline. Because each computer processes every broadcast, frequent broadcasts mean lower performance. Determine what level of broadcasts is excessive based on past performance and your expectations for the local site.

Network Segment\% Network Utilization

Use this counter to reflect the percentage of network bandwidth used for the local network segment. Use it to monitor the effect of different network operations (such as logon validation or account synchronization). A low value is preferred. This counter should not report values that exceed the maximum recommended for the type of configuration. For example, 30 percent utilization is the maximum recommended for an unswitched Ethernet network. This means that a 10-megabyte (MB) Ethernet network becomes bottlenecked when its throughput exceeds 3 MB per second. If the value of the counter is above 40 percent, collisions can cause problems. You need to determine the appropriate maximum value for this counter based on your network design and topology, and ensure that % Network Utilization does not exceed this limit.

Network Segment\Total Frames Received/sec

Use this counter to indicate when bridges and routers might be saturated. If network traffic exceeds recommended local area network (LAN) capacity, performance typically suffers across the network. To prevent this situation, it is important to monitor network-wide traffic levels, particularly on larger networks with bridges and routers.

Network Protocol Objects

When monitoring protocol counters, you are likely to be most concerned with transmission rates. Monitor these rates using counters such as Bytes Total/sec, Datagrams Received/sec and Datagrams Sent/sec, or Frames Received/sec and Frames Sent/sec. When looking at transfer counters, consider the capacity of your network. The value of Bytes Total/sec should not be close to or matching the network capacity, or the network might already be saturated.

Following is a list of typical protocol objects. Monitor the ones that pertain to the network protocol in use.

For information about these counters, see the Performance Counter Reference on the Windows 2000 Resource Kit companion CD.

Improving performance over a slow WAN link under Windows 2000 Server

In general, Windows 2000 is self-tuning, and registry entries related to TCP/IP require no adjustment. If you are using a slow WAN link, adjusting registry entries for TCP/IP can improve performance; however, these changes can adversely affect computers that are short of memory. The following procedure describes how to edit the entries in the registry.

To edit TCP/IP entries in the registry

  1. On the Start menu, click Run.
  2. In the Run dialog box, type Regedt32, and then click OK.

The following is a list of entries in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters that have an effect on performance when connecting by means of a slow WAN link. For information about these and other related registry settings, see "Technical Reference to the Windows 2000 Registry" on the Windows 2000 Resource Kit companion CD.


Caution

Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. To configure or customize Windows 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

NBT Connection Object

Use this object to track session-layer transmissions between computers. NBT stands for NetBT, an abbreviation for NetBIOS over TCP/IP. This feature provides the NetBIOS programming interface over the TCP/IP protocol. It is used for monitoring routed servers that use NetBIOS name resolution.

Application-Layer Objects

Finally, monitor services or applications at the presentation or application layers. By default, Setup installs the Browser, Redirector, Server, and Server Work Queues objects on computers running Windows 2000. These objects describe performance of file and print services using the Server Message Block (SMB) Protocol.


Note

For detailed information about performance objects and counters, see the Performance Counter Reference on the Windows 2000 Resource Kit companion CD.

Browser Object

The primary function of the Browser service is to provide a list of computers sharing resources in a domain along with a list of other domain and workgroup names across the wide area network (WAN). This list is provided to clients that view network resources with My Network Places or the net view command. Active Directory replaces the computer browser service used in earlier versions of Windows to provide the Network Basic Input/Output System (NetBIOS) name resolution. The browser service in Windows 2000 provides backward compatibility with client computers that are running earlier versions of Windows.

The Browser performance object consists of counters that measure the rates of announcements, enumerations, and other browser transmissions. If your organization is maintaining domains under Windows NT Server version 4.0, use the counters in Table 9.2 for monitoring the Browser service.

Table 9.2 Browser Object Counters

Counter | Description
Browser\Mailslot Allocations Failed | The number of times the datagram receiver has failed to allocate a buffer to hold a user mailslot write.
Browser\Mailslot Opens Failed/sec | Indicates the rate of mailslot messages received by this workstation that were to be delivered to mailslots that are not present on this workstation.
Browser\Mailslot Receives Failed | Indicates the number of mailslot messages that could not be received due to transport failures.
Browser\Mailslot Writes Failed | The total number of mailslot messages that have been successfully received, but that were unable to be written to the mailslot.
Browser\Missed Mailslot Datagrams | The number of mailslot datagrams that have been discarded due to configuration or allocation limits.
Browser\Missed Server Announcements | The number of server announcements that have been missed due to configuration or allocation limits.
Browser\Missed Server List Requests | The number of requests to retrieve a list of browser servers that were received by this workstation, but could not be processed.
Browser\Server Announce Allocations Failed/sec | The rate of server (or domain) announcements that have failed due to lack of memory.

For information about the NTDS performance object that reports performance data for Active Directory, or about counters that report lightweight directory access protocol (LDAP) activity, see the Performance Counter Reference on the Windows 2000 Resource Kit companion CD.

Troubleshooting Performance Problems with the Browser Service

Improving the performance of computers running the Browser service relies primarily on reducing traffic. You can do this in several ways:


Caution

Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows. To configure or customize Windows, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

In addition, two registry entries can be configured to control the amount of network traffic generated by the browser. Add the following entries to the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters.

Redirector Object

Use the Redirector object counters for the Workstation service, and the Server and Server Work Queues objects for the Server service. The counters for these objects describe activity at the presentation layer of the networking architecture, as described in Table 9.3.

Table 9.3 Redirector Object Counters

Counter | Comments
Redirector\Bytes Total/sec | The rate at which the Redirector is processing data bytes. This includes all application and file data in addition to protocol information such as packet headers.
Redirector\Current Commands | The number of requests to the Redirector that are currently queued for service. If this number is much larger than the number of network adapters installed in the computer, you might want to increase the maximum allowance for pending net commands in the MaxCmds registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters. The default value is 5.
Redirector\Network Errors/sec | Serious unexpected errors that generally indicate the Redirector and one or more servers are having serious communication difficulties. For example, a Server Message Block (SMB) Protocol error generates a network error. Look in the system event log for results. You might need to increase the value of the SessTimeout registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters. The default is 45 seconds; values can range from 10 to 65535.
Redirector\Reads Denied/sec | The rate at which the server is unable to accommodate requests for raw reads. When a read is more than twice the negotiated buffer size of the server, the Redirector requests a raw read, which, if granted, would permit the transfer of the data without a lot of protocol overhead on each packet. To accomplish this, the server must lock out other requests, so the request is denied if the server is very busy.
Redirector\Server Sessions Hung | The number of active sessions that are timed out and unable to proceed due to a lack of response from the remote server.
Redirector\Writes Denied/sec | The rate at which the server is unable to accommodate requests for raw writes. When a write is much larger than the negotiated buffer size of the server, the Redirector requests a raw write, which, if granted, would permit the transfer of the data without a lot of protocol overhead on each packet. To accomplish this, the server must lock out other requests, so the request is denied if the server is very busy.

Server Object

The Server service supports file and print sharing and is important for communication between local and remote processes. Its companion, the Workstation service, provides network connections and communication. A computer uses the Workstation service to send requests to a server; the Server service responds to those requests. A server computer can run both services.

In general, memory and disk space are considerations on computers running the Server service, and overall server monitoring should include counters for these resources. Because many services might run on top of the Server service, you should also consider the requirements of those services when assessing server requirements. For more information about performance of the Server and Workstation services, monitor the computer using the counters in Table 9.4.

Table 9.4 Server Object Counters

Object\counter | Description
Server\Blocking Requests Rejected | The number of times the server has rejected blocking SMBs due to insufficient count of free work items. Indicates whether the MaxWorkItem or MinFreeWorkItems server entries might need tuning.
Server\Bytes Total/sec | The number of bytes the server has sent to and received from the network. Provides an overall indication of how busy the server is.
Server\Context Blocks Queued/sec | The rate at which work context blocks had to be placed on the server file system process queue to await server action. If this counter consistently averages higher than 50 milliseconds, the Server service is a bottleneck for all tasks on remote computers that are issuing remote I/O requests to the server.
Server\Errors System | The number of times an internal server error was detected. Unexpected errors usually indicate a problem with the server.
Server\Pool Nonpaged Failures | The number of times allocations from the nonpaged pool have failed. Indicates that the computer's physical memory is too small. If this number consistently increases, the server is running out of the paged or nonpaged pool it originally allocated. If this occurs, you might want to consider increasing the resource.
Server\Pool Nonpaged Peak | The maximum number of bytes of nonpaged pool that the server has had in use at any one point. Indicates how much physical memory the computer should have.
Server\Pool Paged Failures | The number of times allocations from the paged pool have failed. Indicates that the computer's physical memory or page file are too small. If this number consistently increases, the server is running out of the paged or nonpaged pool it originally allocated. If this occurs, you might want to consider increasing the resource.
Server\Pool Paged Peak | The maximum number of bytes of nonpaged pool that the server has had in use at any one point. Indicates how much physical memory the computer should have.
Server\Sessions Errored Out | Reports auto-disconnects along with errored-out sessions. To get a more accurate value for errored-out sessions, obtain the value for Server\Sessions Timed Out and reduce the Server\Sessions Errored Out value by that amount.
Server\Work Item Shortages | The number of times that no work item was available or could be allocated to service the incoming request. A work item is the location where the server stores an SMB. The amount available fluctuates between a minimum and maximum value that is configured based on how the server is configured and the amount of memory on the computer. If work item shortages are occurring, it might be caused by an overloaded server. If the Work Item Shortages counter value increases, consider changing the Maxworkitems registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. The value can range from 1 to 512. If the actual number of work items consistently matches the maximum set in the registry, the system consistently initiates flow control, which degrades performance.

Some additional counters, although not performance related, provide useful information about server security. These include:

Server Work Queues Object

The Server Work Queues performance object consists of counters that monitor the length of queues and objects in the queues. See Table 9.5.

Table 9.5 Server Work Queues Object Counters

Counter | Description
Bytes Transferred/sec | The rate at which the server is sending and receiving bytes with the network clients on this CPU. Use to determine how busy the server is.
Queue Length | The current length of the server work queue for this CPU. A sustained queue length greater than four can indicate microprocessor congestion. This is an instantaneous count, not an average over time.
Total Bytes/sec | The rate at which the server is reading and writing data to and from the files for the clients on this CPU. Use this counter to determine how busy the server is.
Total Operations/sec | The rate at which the server is performing file read and file write operations for the clients on this CPU. This value will always be zero (0) in the Blocking Queue instance. Use this counter to determine how busy the server is.
Work Item Shortages | The number of times that an inadequate number of work items was available. A work item is a request to the server from a client; the server maintains a pool of available work items per CPU to speed processing. A sustained value greater than zero indicates the need to increase MaxWorkItems for the Server service. This value will always be zero (0) in the Blocking Queue instance.

Troubleshooting Problems Involving the Server Service

In some cases, the Server service can be associated with performance problems, as described in this section.

Event log reports an event ID 2009.

An event ID 2009 might appear listed in the event log if the server could not expand an internal table because the table had reached the maximum size. These internal tables track active sessions, resource connections, open files, and open searches, so this error message can be generated by problems involving these activities.

Table 9.6 lists counters you can use to investigate these activities and possible related problems.

Table 9.6 Server Object Counters Used to Troubleshoot Event ID 2009 Events

Type of activity | Possible cause of event | Counters to monitor
Active sessions | No more user IDs (UIDs) exist to satisfy this SMB. This may be the result of maintaining unneeded user sessions on the server. This might include mapped drives in logon scripts or applications that automatically map drives to particular servers. | Redirector\Server Sessions; Redirector\Server Sessions Hung
Resource connections | No more free tree IDs (TIDs) exist to satisfy a TreeConnect SMB. | Redirector\Connects Core; Redirector\Connects Lan Manager 2.0; Redirector\Connects Lan Manager 2.1; Redirector\Connects Windows NT
Open files | No more file IDs (FIDs) could be allocated to process the various open file SMBs because of a shortage of available FIDs. | Server\Files Open; Server\Files Opened Total
Open searches | Memory is allocated for search, find, and other SMB calls to store the current search state, but no additional memory could be allocated for storing search buffers. Because the Server service tends to allocate paged pool memory for storing search buffers, shortages of paged pool memory can cause this event. | Server\File Directory Searches; Memory\Pool Paged Bytes; Server Work Queues\Available Work Items

MS-DOS applications or older applications that do not make Win32 calls do not have a method for closing searches after they complete. In order to handle this situation, the Server service uses several search time parameters to clear the search handle and reclaim the memory allocated to the search buffers. If you want to adjust the search time parameters to avoid events, change the values for the following entries in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters in the Windows 2000 registry:

Subkey | Comments
MaxGlobalOpenSearch | The value of the MaxGlobalOpenSearch entry determines the maximum number of open searches allowed by the LanmanServer service. The default value is 4096 with a maximum value of 65536. To allocate more search handles, increase the value of MaxGlobalOpenSearch to 16,000 (decimal).
MaxKeepSearch | The value of the MaxKeepSearch entry determines the maximum amount of time in seconds that a search will remain open. The default value is 1800 seconds (30 minutes). Decrease the value of MaxKeepSearch to 900 seconds (15 minutes).
MinKeepSearch | The value of the MinKeepSearch entry determines the minimum amount of time in seconds that a search will remain open. The default value is 480 seconds (8 minutes). Decrease the value of MinKeepSearch to 240 seconds (4 minutes).


Caution

Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows. To configure or customize Windows, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

© 1985-2000 Microsoft Corporation. All rights reserved.