Monitoring Network Performance |
Unlike System Monitor, which is used to monitor anything from hardware to software, Network Monitor focuses exclusively on network activity. To understand the traffic and behavior of your network components, install and use Network Monitor.
Network administrators use Microsoft Windows 2000 Network Monitor to view and detect problems on local area networks (LANs). For example, as a network administrator, you can use Network Monitor to diagnose hardware and software problems when two or more computers cannot communicate. You can also copy a log of network activity into a file and then send the file to a professional network analyst or support organization.
Network application developers can use Network Monitor to monitor and debug network applications as they are developed.
Network Monitor monitors the network data stream, which consists of all information transferred over a network at any given time. Prior to transmission, this information is divided by the network software into smaller pieces, called frames or packets. Each frame contains:
The process by which Network Monitor copies frames is referred to as capturing. You can use Network Monitor to capture all local network traffic or you can single out a subset of frames to be captured. You can also make a capture respond to events on your network. For example, you can make the network start an executable file when Network Monitor detects a particular set of conditions on the network.
After you have captured data, you can view it in the Network Monitor user interface. Network Monitor does much of the data analysis for you by translating the raw capture data into its logical frame structure.
For security reasons, Windows 2000 Network Monitor captures only those frames, including broadcast and multicast frames, sent to or from the local computer. Network Monitor also displays overall network segment statistics for broadcast frames, multicast frames, network utilization, total bytes received per second, and total frames received per second.
In addition, to help protect your network from unauthorized use of Network Monitor installations, Network Monitor can detect other installations of Network Monitor that are running on the local segment of your network. Network Monitor also detects all instances of the Network Monitor driver being used remotely (by either Network Monitor from Systems Management Server or the Network Segment object in System Monitor) to capture data on your network.
When Network Monitor detects other Network Monitor installations running on the network, it displays the following information:
In some instances, your network architecture might prevent one installation of Network Monitor from detecting another. For example, if an installation is separated from yours by a router that does not forward multicasts, your installation cannot detect that installation.
Network Monitor uses a network driver interface specification (NDIS) feature to copy all frames it detects to its capture buffer, a resizable storage area in memory. The default size is 1 MB; you can adjust the size manually as needed. The buffer is a memory-mapped file and occupies disk space.
Note
Because Network Monitor uses the local only mode of NDIS instead of promiscuous mode (in which the network adapter passes on all frames sent on the network), you can use Network Monitor even if your network adapter does not support promiscuous mode. Networking performance is not affected when you use an NDIS driver to capture frames. (Putting the network adapter in promiscuous mode can add 30 percent or more to the load on the CPU.)
To set up Network Monitor, perform two steps:
You can install the driver on a computer running either Windows 2000 Professional or Windows 2000 Server. Installing the driver also installs the Network Segment object for use in System Monitor.
Installing the driver does not install Network Monitor itself. Instead, install the Network Monitor Tools on a computer running Windows 2000 Server to install Network Monitor.
To install the Network Monitor driver
If prompted for additional files, insert your Windows 2000 CD, or type a path to the location of the files on a network.
To display and analyze captured data, use the following procedure to install Network Monitor Tools on a computer running Windows 2000 Server. Network Monitor Tools installs Network Monitor along with the Network Monitor driver. If you are running Windows 2000 Server and are installing Network Monitor Tools, you can bypass the preceding procedure; you do not need to install the Network Monitor driver separately.
To install Network Monitor Tools
To start Network Monitor on a computer running Windows 2000 Server
For information about how to work with the Network Monitor user interface, see Windows 2000 Server Help.
When you've installed the Network Monitor driver on the computer from which to capture data (hereafter called the source computer) and installed Network Monitor Tools on the computer that will perform the capture (hereafter called destination computer), you can begin to capture data.
To capture data
Or, click the Capture button on the toolbar.
As frames are captured from the network, statistics about the frames are displayed in the Network Monitor Capture window, as shown in Figure 9.2.
Figure 9.2 Network Monitor Capture Window
Network Monitor displays session statistics from the first 100 unique network sessions it detects. The Network Monitor Capture window includes the panes listed in Table 9.7.
Table 9.7 Description of Display Options for the Capture Pane
Pane | Displays |
---|---|
Graph | A graphical representation of the activity currently taking place on the network. |
Session Stats | Statistics about individual sessions currently taking place on the network. |
Station Stats | Statistics about the sessions participated in by the computer running Network Monitor. |
Total Stats | Summary statistics about the network activity detected since the capture process began. |
To reset statistics and see information on the next 100 network sessions detected, on the Capture menu, click Clear Statistics. To capture only those frames that originate with specific computers, determine the addresses of the computers on your network and associate the address with its DNS or NetBIOS name. After these associations are made, you can save the names to an address database (.adr) file that can be used to design capture filters and display filters. The capture filter allows you to specify criteria for inclusion in or exclusion from the capture. If the address is not available in the address database, try to capture all traffic and, after stopping and viewing the capture, use the Find All Names command on the Display menu to locate the address.
Note
Capture filters can significantly increase the processor's workload because each packet must be processed through the filter and either saved or discarded. In some cases, using complex filters might result in missed frames.
An example of such a filter is an address pair, used to capture frames from specific computers on the network. An address pair consists of:
Regardless of the sequence in which statements appear in the Capture Filter dialog box, EXCLUDE statements are evaluated first. Therefore, if a frame meets the criteria specified in an EXCLUDE statement in a filter containing both an EXCLUDE and INCLUDE statement, that frame is discarded. Network Monitor does not test that frame by INCLUDE statements to see if it meets that criterion also.
For example, to capture all the traffic from Joe's computer except the traffic from Joe to Anne, use the following capture filter in the address section:
include Joe <----> Any
exclude Joe <----> Anne
If there are no include lines, the default address
your_computer_name – – – – Any
is used by default.
Figure 9.3 shows the Capture Filter dialog box, accessed from the Capture menu or by pressing F8 in the Capture window.
Figure 9.3 Capture Filter Dialog Box
To design a capture filter, specify decision statements in the Capture Filter dialog box. For information about display filters, see "Displaying Captured Data" later in this chapter.
By specifying a pattern match in a capture filter, you can:
When you filter based on a pattern match, you must specify where the pattern occurs in the frame (how many bytes from the beginning or end). If your network medium has a variable size in the media access control protocol, such as Ethernet or Token Ring, specify to count from the end of the topology header.
Table 9.8 describes the trigger types you can use to specify the condition that starts the trigger.
Table 9.8 Trigger Types for Network Monitor Captures
Trigger type | Description |
---|---|
Nothing | No trigger is initiated. This is the default. |
Pattern Match | Initiates the trigger when the specified pattern occurs in a captured frame. |
Buffer Space | Initiates the trigger when a specified amount of the capture buffer is filled. |
Pattern Match Then Buffer Space | Initiates the trigger when the pattern occurs and is followed by a specified percentage of the capture buffer being filled. |
Buffer Space Then Pattern Match | Initiates the trigger when the specified percentage of the capture buffer fills and is followed by the occurrence of the pattern in a captured frame. |
No Action | No action is taken when a trigger condition is met. This is the default. Even though you select No Action, the computer beeps when the trigger condition is met. |
Stop Capture | Stops the capture process when the trigger condition is met. |
Execute Command Line | Runs a program or batch file when a trigger condition is met. If you select this option, provide a command or the path to a program or batch file. |
If your computer uses multiple network adapters, use Network Monitor to collect data from multiple network adapters, and then either switch between the two adapters or run multiple instances of Network Monitor.
To switch between adapters
Modem adapters appear as ETHERNET with a dial-up connection flag set to TRUE.
After capturing data, you might want to save it. For example, it is useful to save captures before starting another capture (to prevent loss of the captured data) if you think you might need to analyze the data later, or if you need to document network use or problems. When you save captured data, the data in the capture buffer is written to a capture (.cap) file.
To simplify data analysis, Network Monitor interprets raw data collected during the capture and displays it in the Frame Viewer window.
To display captured information in the Frame Viewer window, from the Capture menu, click Stop and View while the capture is running. You can also display captures by opening a file with the .cap extension.
Figure 9.4 shows the key elements in the Frame Viewer window.
Figure 9.4 Frame Viewer Window
Table 9.9 lists Frame Viewer's panes.
Table 9.9 Frame Viewer Panes
Pane | Displays |
---|---|
Summary | General information about captured frames in the order in which they were captured. |
Detail | The parsed contents of the frame's data. |
Hexadecimal | A hexadecimal and ASCII representation of the captured data. |
You can use a display filter to determine which frames to display. Like a capture filter, a display filter functions like a database query, allowing you to single out specific types of information. Because a display filter operates on data that has already been captured, it does not affect the contents of the Network Monitor capture buffer. You can filter a frame by:
Figure 9.5 shows the Display Filter dialog box, accessed from the Display menu or by pressing F8 in the Frame Viewer window.
Figure 9.5 Display Filter Dialog Box
To design a display filter, specify decision statements in the Display Filter dialog box. Information in the Display Filter dialog box is in the form of a decision tree, which is a graphical representation of a filter's logic. When you modify display filter specifications, the decision tree reflects these modifications. Table 9.10 lists various types of filter items you can use.
Table 9.10 Filter Item Options
Filter item | Description |
---|---|
Protocol | Specifies the protocols or protocol properties. |
Address Filter (default is ANY <– –> ANY) |
Specifies the computer addresses on which you want to capture data. |
Property | Specifies property instances that match your display criterion. |
You must click OK to save the specified decision statement and add it to the decision tree before adding another decision statement.
Although capture filters are limited to four address filter expressions, display filters are not. With display filters, you can also use AND, OR, and NOT logic.
When you display captured data, all available information about the captured frames appears in the Frame Viewer window. To display only those frames sent by a specific protocol, edit the Protocol line in the Display Filter dialog box.
Protocol properties are information that defines a protocol's purpose. Because the purpose of protocols varies, properties differ from one protocol to another.
Suppose, for example, that you have captured a large number of frames using the SMB protocol but want to examine only those frames in which the SMB protocol was used to create a directory on your computer. In this instance, you can single out frames where the SMB command property is equal to make directory.
When you display captured data, all addresses from which information was captured appear in the Frame Viewer window. To display only those frames originating from a specific computer, edit the ANY <– –> ANY line in the Display Filter dialog box.
Perform the steps in the following list as part of your routine for reviewing and analyzing captured data:
If so, note the number of retries and the time elapsed. The default number of retries for TCP/IP is 5. This value might be different for other protocols.
A reset can be caused by time-outs at the TCP layer or by time-outs of higher-layer protocols. Resets originating at the TCP layer should be easy to read from the trace. It might be more difficult to determine the cause of resets originating from higher-layer protocols such as the server message block (SMB).
For example, an SMB read might time out in 45 seconds and cause a reset of the session even though communications are slow but working at the TCP layer. The trace might only narrow down what component is at fault. From there you might need to use other troubleshooting methods to determine the cause.
To see TCP sequencing when higher-level protocols are present, start Network Monitor and edit the Expression dialog box, using the following steps. Figure 9.6 shows the Expression dialog box.
Figure 9.6 Expression Dialog Box
To see TCP sequencing
Network Monitor creates a memory-mapped file for its capture buffer. For best results, make sure to create a capture buffer large enough to accommodate the traffic you need.
In addition, although you cannot adjust the frame size, you can store only part of the frame, thus reducing the amount of wasted capture buffer space. For example, if you are interested only in the data in the frame header, set the frame size (in bytes) to the size of the header frame. Network Monitor discards the frame data as it stores frames in the capture buffer, thereby using less capture buffer space.
Tip
Windows Event Viewer shows start, stop, and connection events for Network Monitor. To verify Network Monitor operation, or as a first step in tracking down Network Monitor problems, examine the event log.