Analyzing Network Data with Network Monitor
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Network Monitor is a component of Microsoft Systems Management Server (SMS) that you can use to detect and troubleshoot problems on LANs and on WANs that connect to the Microsoft Remote Access Service (RAS). With Network Monitor, you can identify network traffic patterns and network problems. For example, you can locate client-to-server connection problems, find a computer that makes a disproportionate number of work requests, and identify unauthorized users on your network.
With Network Monitor, you can:
Capture frames (packets) directly from the network.
Display and filter the captured frames.
Capture frames from a remote computer and display the capture statistics on the local computer at intervals that you specify.
Edit captured frames and transmit them onto the network to test network resources or to reproduce network problems.
Use experts to perform post-capture analyses of frames to identify network trends and issues.
You can also use the Monitor Control Tool to configure monitors that watch for specific frames that identify certain network problems.
Related Topics
How Network Monitor Works
About the Capture Window
About the Frame Viewer Window
About the Monitor Control Tool
About the Event Viewer Window
Network Monitor Guide to Books on Networking
Before you use Network Monitor to capture network data, you must know the hardware and software requirements and understand the security issues. You can customize display settings and the size of the buffer used to store captured frames.
Related Topics
Start Network Monitor from the SMS Administrator Console
Set the Default Capture Directory
Modify Capture Buffer or Capture Bytes per Frame
Display Address Names in Network Monitor
Display Adapter Card Vendor Names in Network Monitor
Requirements for Using Network Monitor
About Network Monitor Security
About Network Monitor Agent
About Network Monitor and Performance Monitor
About Network Monitor Agent Topologies
About Network Monitor and Token Ring Networks
Analyzing Network Data with Network Monitor
To set the default temporary capture directory for Network Monitor, you must open either the Network Monitor Capture window or Frame Viewer window.
On the Options menu, click Change Temporary Capture Directory.
Click Yes when prompted to confirm that you want to change the default directory for temporary capture files.
In the Network Monitor Temporary Capture Directory dialog box, select the directory that you want to use to store temporary capture files.
Related Topics
Configuring Network Monitor Overview
To perform these modifications, you must open the Network Monitor Capture window.
On the Capture menu, click Buffer Settings.
In the Capture Buffer Settings dialog box, adjust the size of the data that you want to capture.
If your system becomes low on resources while you capture data, reduce the size of the capture buffer or the number of bytes per frame that Network Monitor captures.
Caution: If your buffer setting exceeds the amount of physical memory available on your system, memory swapping might cause frames to be dropped.
Click OK.
Related Topics
Configuring Network Monitor Overview
To display user-designated computer names, on the Options menu, click Show Address Names.
When Show Address Names is active, a check mark appears next to the command name. Network Monitor replaces hexadecimal network addresses with the user-designated (friendly) names of the computers from which frames have been captured.
Related Topics
Configuring Network Monitor Overview
To display vendor names, on the Options menu, click Show Vendor Names.
When Show Vendor Names is active, a check mark appears next to the command name, and Network Monitor replaces hexadecimal computer addresses with the names of the vendors that produce the network adapter cards on the remote computer.
Related Topics
Configuring Network Monitor Overview
On the Capture (or Display) menu, click Save Configuration.
Network Monitor saves the following data:
Size and position of panes in the Capture window and the Frame Viewer window.
Foreground and background colors assigned to protocols.
Font settings.
Settings in the Display Options dialog box.
Default parsers.
Default capture network.
State of the toolbar (hidden or visible).
Whether vendor names are substituted for addresses.
Related Topics
Configuring Network Monitor Overview
You can use Network Monitor to capture frames from your network data stream and copy those frames to a temporary capture file. Network Monitor displays statistics for the captured frames dynamically in the Capture window, and you can use it to design a capture filter, which copies only the frames that match your specific criteria.
You can also use monitors to run in the background and watch for specific network problems. (To configure and run monitors, use the Monitor Control Tool rather than Network Monitor.)
Related Topics
Run Monitors
Capture and Display Network Data
Connect to Network Monitor Agent on Another Computer
Set a Capture Trigger
Create an Address Database
Save Captured Frames to a File
Designing a Capture Filter
About Monitors
About Capture Filters
About Capture Triggers
About Address Databases
About Network Monitor Agent
Analyzing Network Data with Network Monitor
By default, if the Monitor Control Service runs locally, the Monitor Control Tool displays the current state of monitors installed on the local computer.
To run monitors, the Monitor Control Tool must be open.
To configure monitors on the local server, on the File menu, click Local Computer.
- or -
To configure monitors on a remote server, connect to a remote computer.
Click the monitor name, and then click Configure.
If the monitor you want to configure is not currently enabled, in the "Monitor is not configured" message box, click Yes.
Configure monitor properties.
In the Enabled Monitors list, click the monitor name, and then click Start.
As soon as an event occurs, the Monitor Event Viewer window appears.
Related Topics
Save Current Monitor States
View User Connections to the Monitor Control Service
Install a Monitor
About Monitors
Monitor Control Tool Overview
To capture and display data from the network, you must open the Network Monitor Capture window.
On the Capture menu, click Start.
Network Monitor copies the frames to a temporary file. Information about these frames appears in the Network Monitor Capture window. This information is updated dynamically.
To halt the data capture temporarily, on the Capture menu, click Pause.
To stop the data capture, on the Capture menu, click Stop.
To display the frames that you capture, on the Capture menu, click Display Captured Data.
The Frame Viewer window appears. Now you can examine the contents of the captured frames.
Note: You can save a step by clicking Stop and View on the Capture menu, which stops the capture and displays the captured frames.
Network Monitor displays session statistics for the first 100 unique network sessions that it detects. To reset statistics and view information about the next 100 detected network sessions, on the Capture menu, click Clear Statistics.
Related Topics
Capture Data in Dedicated Capture Mode
Capturing Network Data Overview
To connect to Network Monitor Agent on another computer, you must open the Network Monitor Capture window.
On the Capture menu, click Networks.
In the Select a Network dialog box, expand the Remote node.
Double-click the Double click for remote NPPs line.
In the Remote NPP Connection dialog box, type the remote computer name or its IP address and then click OK.
From the list in the Select a Network dialog box, select a network adapter card and then click OK.
When you capture data with a remote computer, Network Monitor Agent stores the captured frames on the remote computer until you save them to a local computer file.
Related Topics
Disconnect from Network Monitor Agent on Another Computer
About Network Monitor Agent
Capturing Network Data Overview
You specify capture criteria to identify the frames that you want to capture on the network. You build a complete capture filter expression by specifying the protocols, address pairs, and data patterns of the frames that you want to include in, or exclude from, the capture.
To design a capture filter, you must be in the Network Monitor Capture window, so that you can open the Capture Filter dialog box. To open this dialog box, on the Capture menu, click Filter. Then, complete the following tasks:
Specify capture filter protocols.
Specify address pairs in a capture filter.
Specify frame data patterns to capture.
Related Topics
Save a Filter
Load a Capture Filter
About Capture Filters
Capturing Network Data Overview
To set a capture trigger, you must open the Network Monitor Capture window.
On the Capture menu, click Trigger.
Complete the settings in the Capture Trigger dialog box.
If you select the Execute Command Line option, you can use a command that represents an executable file (any of the NET commands, for example). To use a command that requires the command processor (COPY, for example), type CMD /K, and then type the command.
Note: If you select the Pattern match then buffer space option and set Buffer Space to 100%, Network Monitor overwrites the frame that contains the pattern match.
Click OK.
Related Topics
Capture and Display Network Data
About Capture Triggers
Capturing Network Data Overview
To create an address database, you must have captured network data, and you must open the Network Monitor Frame Viewer window.
On the Display menu, click Find All Names to associate the captured computer addresses with the friendly names of the computers that the frames are captured from.
After the frames are processed, a message appears notifying you how many non-duplicate names have been added to the address database. Click OK.
On the Display menu, click Addresses.
The Address Database dialog box displays the names that have been added to the database.
To save the database to a file so that you can use these addresses to design a filter in the future, click Save.
Related Topics
About Address Databases
Capturing Network Data Overview
Network Monitor supports capture files as large as 1,024 MB.
On the File menu, click Save As.
Specify the directory and drive that you want to store the file on.
Type the file name.
If you want Network Monitor to load the file at a later time, you must use the .cap file extension. By default, Network Monitor uses this file extension if you do not specify one.
To save a range of frames, in From and To, type the beginning and ending frame numbers, respectively.
To save only the frames that meet current display filter specifications, click Filtered.
Click Save.
Note: When you save a range of frames or apply a display filter and then save the filtered frames, Network Monitor renumbers the saved frames, starting with 1. However, clicking File under Output to in the Print dialog box (that is, printing to a file) preserves the frame numbers associated with the original frames.
Related Topics
Capture and Display Network Data
Capturing Network Data Overview
After you capture frames with Network Monitor, you can view them in detail (in the Frame Viewer window), filter them based on criteria you specify, search for data within frames, and use experts to search for trends.
Related Topics
Open an Existing Capture File
Expand and Collapse Frame Details
View a Specific Frame
Search for a Frame by Its Properties
Identify the Largest Broadcaster on the Network
Find Network Routers
Resolve Network Addresses
Run Experts on Captured Data
Designing a Display Filter
About Captured Data
About Display Filters
About Experts
Analyzing Network Data with Network Monitor
To open a capture file in Network Monitor, you must open either the Capture window or Frame Viewer window.
On the File menu, click Open.
Select the capture file that you want to open, and then click Open.
Note: You can open several capture files at one time; Network Monitor opens a separate Frame Viewer window for each capture file.
Related Topics
Save Captured Frames to a File
Interpreting Captured Data Results Overview
To expand and collapse branches of frame details, you must open the frame data in the Network Monitor Frame Viewer window.
To expand a list of frame data, in the Detail pane, click the PLUS SIGN (+). All other lines that use the expanded protocol automatically expand as they appear.
To collapse a list of frame data, in the Detail pane, click the MINUS SIGN (–).
Note: By default, frame data in the Frame Viewer window Detail pane are collapsed.
Related Topics
Frame Viewer Window: Detail Pane
About the Frame Viewer Window
Interpreting Captured Data Results Overview
To view a specific frame, you must open the Network Monitor Frame Viewer window.
On the Display menu, click Go To Frame.
In the Go To dialog box, type the number of the frame that you want to view.
(The frame number appears in the Frame column.)
Click OK.
Network Monitor highlights the frame that you specify.
Note: Frames are numbered in the order that Network Monitor captures them.
Related Topics
Search for a Frame by Its Properties
About the Frame Viewer Window
Interpreting Captured Data Results Overview
To search for a frame by its properties, you must open the Network Monitor Frame Viewer window.
On the Display menu, click Find Next Frame.
In the Find Frame Expression dialog box, do one of the following:
To search for a frame on the basis of its source or destination address, click the Address tab and then complete the settings.
To search for a frame on the basis of the protocols that were used to send it, click the Protocol tab and then complete the settings.
To search for a frame on the basis of protocol properties, click the Property tab and then complete the settings.
To begin searching for the expression displayed near the top of the dialog box, click OK.
If the property is found, the frame automatically expands to display the property that you specified in your search.
To find the next frame with the specified properties, on the Display menu, click Repeat Find Next Frame.
To find the previous frame with the specified properties, on the Display menu, click Repeat Find Previous Frame.
The search remains active until you close the active window or begin a new search.
Related Topics
View a Specific Frame
Interpreting Captured Data Results Overview
A Network Monitor display filter functions in the same way as a database query. You can use it to specify the types of captured data you want to examine. You also can use display filters to specify the types of displayed data, such as protocols and computer addresses, that you want to save to a file.
Note: You can add only one expression at a time. If you specify an expression and then click another tab in the Expression dialog box, that expression is lost. To save the specified expression and add it to the decision tree, you must click OK.
To design a display filter, you must open the Network Monitor Frame Viewer window, so that you can access the Display Filter dialog box. To open this dialog box, on the Display menu, click Filter. Then, you can complete the following tasks:
Specify display filter protocols.
Specify display filter protocol properties.
Specify address pairs in a display filter.
Modify the display filter decision tree structure.
Save a display filter.
Load a display filter.
Related Topics
About Display Filters
Interpreting Captured Data Results Overview
If the Graph pane indicates a high percentage of network use and if network operations are unusually slow, an abrupt increase in broadcasts might be the source of the problem.
To identify the largest broadcaster on the network, you must open the Network Monitor Capture window.
On the Capture menu, click Start.
When you are finished capturing data, on the Capture menu, click Stop (or Pause).
In the Station Statistics pane (the lowest pane on the screen), double-click the Broadcasts Sent column heading.
- or -
Right-click in the Broadcasts Sent column, and then click Sort Column.
The row containing the highest number of broadcasts that were sent appears at the top of the list. The network address in this row represents the largest broadcaster on your network.
You also can use the Top Users expert to find the largest broadcasters in an existing capture file.
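The ranking that the Station Statistics pane produces when sorted on Broadcasts Sent can be reproduced from raw Ethernet frames. The following is an added example, not part of the original documentation or of Network Monitor; the station addresses, sample frames, and function names are constructed for illustration.

```python
from collections import defaultdict

BROADCAST = b"\xff" * 6   # Ethernet broadcast destination address
ETH_HEADER_LEN = 14       # destination (6) + source (6) + EtherType (2)


def build_frame(dst, src, ethertype=0x0806, payload=b""):
    """Build a constructed Ethernet II frame for the sample capture below."""
    return bytes.fromhex(dst) + bytes.fromhex(src) + ethertype.to_bytes(2, "big") + payload


def station_statistics(frames):
    """Tally frames, bytes and broadcasts sent per source address.

    Returns (rows, skipped). Rows are sorted with the highest Broadcasts Sent
    first, as after sorting that column; skipped counts frames too short to
    contain an Ethernet header.
    """
    stats = defaultdict(lambda: {"frames_sent": 0, "bytes_sent": 0, "broadcasts_sent": 0})
    skipped = 0
    for raw in frames:
        if len(raw) < ETH_HEADER_LEN:
            skipped += 1          # runt or damaged frame: no usable addresses
            continue
        dst, src = raw[0:6], raw[6:12]
        row = stats[src.hex().upper()]
        row["frames_sent"] += 1
        row["bytes_sent"] += len(raw)
        if dst == BROADCAST:
            row["broadcasts_sent"] += 1

    total_broadcasts = sum(r["broadcasts_sent"] for r in stats.values())
    rows = []
    for address, r in stats.items():
        share = r["broadcasts_sent"] / total_broadcasts if total_broadcasts else 0.0
        rows.append({"address": address, **r, "broadcast_share": share})
    rows.sort(key=lambda r: (-r["broadcasts_sent"], r["address"]))
    return rows, skipped


def largest_broadcaster(frames):
    """Return the address in the top row, or None if no broadcasts were seen."""
    rows, _ = station_statistics(frames)
    if not rows or rows[0]["broadcasts_sent"] == 0:
        return None
    return rows[0]["address"]


# Constructed sample capture: three stations using locally administered addresses.
STATION_A, STATION_B, STATION_C = "020000000001", "020000000002", "020000000003"
BROADCAST_SAMPLE = (
    [build_frame("FFFFFFFFFFFF", STATION_A)] * 5                     # A broadcasts heavily
    + [build_frame(STATION_B, STATION_A, 0x0800, bytes(20))]
    + [build_frame("FFFFFFFFFFFF", STATION_B)]
    + [build_frame(STATION_A, STATION_B, 0x0800, bytes(20))] * 3
    + [build_frame(STATION_A, STATION_C, 0x0800, bytes(20))] * 2
    + [b"\xff\xff\xff"]                                              # runt frame, skipped
)

if __name__ == "__main__":
    rows, skipped = station_statistics(BROADCAST_SAMPLE)
    for r in rows:
        print(f'{r["address"]}  frames={r["frames_sent"]:3d}  '
              f'broadcasts={r["broadcasts_sent"]:3d}  share={r["broadcast_share"]:.0%}')
    print("skipped frames:", skipped)
    print("largest broadcaster:", largest_broadcaster(BROADCAST_SAMPLE))
```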
Related Topics
Interpreting Captured Data Results Overview
To use Network Monitor to find network routers, you must open either the Network Monitor Capture window or Frame Viewer window.
On the Tools menu, click Find Routers.
Complete the settings in the Find Network Routers dialog box, and then click OK.
The Capturing Router Data dialog box opens. Progress indicators appear on top of this dialog box.
If the Network Monitor Capture window is empty, a new capture begins. When the buffer is full or when you click Proceed to Search Capture, the capture stops.
When the search is completed, the Network Routers Found dialog box opens.
To add the displayed routers to the global address database, click OK.
Related Topics
How Network Monitor Identifies Routers
Interpreting Captured Data Results Overview
Network Monitor can find IP, IPX, Ethernet, Token Ring, or FDDI network addresses for a specific computer name. You can also specify an address to resolve its registered friendly name to its IP and MAC addresses.
To use Network Monitor to resolve network addresses, you must open either the Network Monitor Capture window or Frame Viewer window.
On the Tools menu, click Resolve Addresses From Name.
In the Resolve Addresses from Name dialog box, in the Name box, type the name of the computer whose network address you want to find, or type an IP/IPX address to find its computer name.
To modify how Network Monitor searches for network addresses or a computer name, click Options and then complete the settings in the Options dialog box.
Click Search.
- or -
To obtain this data for the local computer, click Local Machine Information.
Network Monitor retrieves the network address of the selected computer.
To add the retrieved address to the local address database or to update an existing address with the new address information, click Keep Names.
To modify the display name (before saving, for example), click in the Addresses table, click Edit Address, and then complete the settings in the Address Information dialog box.
Related Topics
Interpreting Captured Data Results Overview
The Top Users expert helps you determine who is using the network, or which computers might be causing a problem such as a broadcast storm.
To find top consumers on the network, the Network Monitor Frame Viewer window must be open.
On the Tools menu, click Experts.
In the Network Monitor Experts dialog box, select Top Users in the Groups list.
To configure the Top Users expert, click Configure Expert, complete the settings in the Top Users Configuration dialog box, and then click OK.
Click Add to Run List.
Click Run Experts.
The top consumers detected in the current capture appear in the Event Viewer window.
Related Topics
Viewing Events in the Event Viewer Window
About Experts
Interpreting Captured Data Results Overview
To display protocol distribution, the Network Monitor Frame Viewer window must be open.
On the Tools menu, click Experts.
In the Network Monitor Experts dialog box, select Protocol Distribution in the Groups list.
To configure the Protocol Distribution expert, click Configure Expert, complete the settings in the Protocol Distribution Configuration dialog box, and then click OK.
Click Add to Run List.
Click Run Experts.
The distribution of protocols in the current capture, including frames and bytes claimed, appears in the Event Viewer window.
Related Topics
Viewing Events in the Event Viewer Window
About Experts
Interpreting Captured Data Results Overview
To run the Average Server Response Time expert, the Network Monitor Frame Viewer window must be open.
On the Tools menu, click Experts.
In the Network Monitor Experts dialog box, select Average Server Response Time in the Groups list.
To configure the Average Server Response Time expert, click Configure Expert, complete the settings in the Average Server Response Time Configuration dialog box, and then click OK.
Click Add to Run List.
Click Run Experts.
The average response times of servers measured in the current capture appear in the Event Viewer window.
Related Topics
Viewing Events in the Event Viewer Window
About Average Server Response Times
Interpreting Captured Data Results Overview
To coalesce protocol data for the entire capture file, the Network Monitor Frame Viewer window must be open.
On the Tools menu, click Experts.
In the Network Monitor Experts dialog box, select Protocol Coalesce Tool in the Groups list.
To configure the Protocol Coalesce Tool, click Configure Expert, complete the settings in the Protocol Coalesce Configuration dialog box, and then click OK.
Click Add to Run List.
Click Run Experts.
The coalesced protocol data from the current capture appears in a new Frame Viewer window. Note that the new file has the same name, followed by "(Coalesced)".
The Protocol Coalesce Tool creates the first frame in the coalesced capture file. The frame includes the following settings:
Frame number is 1.
Time is the time of the first frame in the original capture file.
Source MAC Address is 000000000000.
Destination MAC Address is 000000000000.
Description contains the name and location of the original capture file.
Comment contains the name and location of the coalesced capture file.
Note: You can also have the Protocol Coalesce Tool coalesce a single frame by right-clicking that frame in the Detail pane and launching the expert from the pop-up menu. When accessed this way, the expert is configured automatically, and it inserts the coalesced frame in the current capture file.
Related Topics
About Coalesced Frames
Interpreting Captured Data Results Overview
To display property information, the Network Monitor Frame Viewer window must be open.
On the Tools menu, click Experts.
In the Network Monitor Experts dialog box, select Property Distribution in the Groups list.
To configure the Property Distribution expert, click Configure Expert, complete the settings in the Property Distribution Configuration dialog box, and then click OK.
Click Add to Run List.
Click Run Experts.
The statistics for the selected protocol property in the current capture, including the number and percentage of frames, appear in the Event Viewer window.
Note: You also can right-click a property in the Detail pane and launch the expert from the pop-up menu. When accessed this way, the expert is configured automatically for the selected property.
Related Topics
Viewing Events in the Event Viewer Window
About Experts
Interpreting Captured Data Results Overview
The TCP Retransmit expert finds all the Transmission Control Protocol (TCP) frames in the capture that have been retransmitted to the same computer more than once, and displays the data in the Event Viewer window. Use this data to find computers that are having connection problems with the network.
To find retransmitted TCP frames, the Network Monitor Frame Viewer window must be open.
On the Tools menu, click Experts.
In the Network Monitor Experts dialog box, select TCP Retransmit in the Groups list.
Note: The TCP Retransmit expert has no configurable options.
Click Add to Run List.
Click Run Experts.
The retransmitted TCP frames detected in the current capture appear in the Event Viewer window.
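The kind of check the TCP Retransmit expert performs can be sketched over raw frames. This is an added example, not the expert's own code or part of the original documentation: the matching rule (a sequence-consuming segment whose connection and sequence number were already seen) is an assumption, and the addresses, ports, and frames are constructed.

```python
import struct
from collections import Counter

ETH_LEN = 14


def build_tcp_frame(src, dst, sport, dport, seq, payload=b"", flags=0x18):
    """Constructed Ethernet II / IPv4 / TCP frame; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + tcp


def parse_tcp(raw):
    """Return TCP segment fields, or None when the frame is not usable IPv4/TCP."""
    if len(raw) < ETH_LEN + 40 or raw[12:14] != b"\x08\x00":
        return None
    ip = raw[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    total_len, _ident, frag = struct.unpack("!HHH", ip[2:8])
    if frag & 0x3FFF:                     # fragmented datagram: skip it
        return None
    tcp = ip[ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    # Use the IP total length, not the captured length, so frames cut short by a
    # small "bytes per frame" capture setting still yield the true payload size.
    payload_len = total_len - ihl - data_off
    if data_off < 20 or payload_len < 0:
        return None
    # SYN (0x02) and FIN (0x01) each consume one sequence number.
    seq_len = payload_len + bool(flags & 0x02) + bool(flags & 0x01)
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "seq_len": seq_len}


def find_retransmits(frames):
    """Report frames that repeat a (connection, sequence number) already seen.

    Pure ACKs (seq_len == 0) are ignored because they legitimately reuse a
    sequence number. Frame numbers start at 1, in capture order.
    """
    first_seen, events = {}, []
    for number, raw in enumerate(frames, start=1):
        seg = parse_tcp(raw)
        if seg is None or seg["seq_len"] == 0:
            continue
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"], seg["seq"])
        if key in first_seen:
            events.append({"frame": number, "original_frame": first_seen[key],
                           "src": seg["src"], "dst": seg["dst"], "seq": seg["seq"]})
        else:
            first_seen[key] = number
    return events


def retransmits_by_destination(events):
    """Count retransmitted frames per receiving computer."""
    return Counter(e["dst"] for e in events)


# Constructed sample capture between two documentation-range addresses.
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"
DATA = b"x" * 100
TCP_SAMPLE = [
    build_tcp_frame(CLIENT, SERVER, 1025, 80, 1000, b"GET /"),
    build_tcp_frame(SERVER, CLIENT, 80, 1025, 5000, flags=0x10),       # pure ACK
    build_tcp_frame(CLIENT, SERVER, 1025, 80, 1005, DATA),
    build_tcp_frame(SERVER, CLIENT, 80, 1025, 5000, flags=0x10),       # repeated pure ACK
    build_tcp_frame(CLIENT, SERVER, 1025, 80, 1005, DATA)[:54],        # retransmit, truncated
    build_tcp_frame(CLIENT, SERVER, 1025, 80, 1005, DATA),             # retransmit again
    bytes.fromhex("ffffffffffff020000000001") + b"\x08\x06" + bytes(28),  # ARP, ignored
    build_tcp_frame(SERVER, CLIENT, 80, 1025, 5000, b"OK"),
]

if __name__ == "__main__":
    found = find_retransmits(TCP_SAMPLE)
    for e in found:
        print(f'frame {e["frame"]} repeats frame {e["original_frame"]}: '
              f'{e["src"]} -> {e["dst"]} seq={e["seq"]}')
    print(dict(retransmits_by_destination(found)))
```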
Related Topics
Viewing Events in the Event Viewer Window
About Experts
Interpreting Captured Data Results Overview
When you work with a capture file, you can:
Add comment frames anywhere in the file.
Edit and transmit frames on the network.
Choose the time format you want to associate with a captured frame.
Specify which of the protocols used to send a frame you want to display.
Customize how frames appear in the Frame Viewer window.
Print frame data.
Related Topics
Transmit a Frame onto the Network
Transmit a Range of Frames or a Capture File onto the Network
Specify the Protocol Header to Display
Specify the Frame Time Stamp
Select a Protocol Color Scheme
Set the Frame Data Display Font
Print Captured Frames
Add a Comment Frame to a Capture
About Transmitting Frames onto the Network
Analyzing Network Data with Network Monitor
To transmit a frame onto the network, you must open the Network Monitor Frame Viewer window.
Caution: Transmitting a captured frame on the network can cause problems. To reduce the probability that the transmission will cause network problems, make sure that you carefully select and edit the frame before transmission. To help you avoid accidental transmission, the frame edit and transmit features are disabled by default.
In the Summary pane, select the frame that you want to transmit.
On the Tools menu, click Allow Transmit.
In the Select a Network dialog box, select the network that you want to transmit the frame onto and then click OK.
On the Tools menu, click Transmit Frame.
Related Topics
Prepare Frames for Transmission
Transmit a Range of Frames or a Capture File onto the Network
About Transmitting Frames onto the Network
Customizing Captured Data Overview
To transmit frames, you must open the Network Monitor Frame Viewer window.
Caution: Transmitting captured frames can cause problems on the network. To minimize the probability that the transmission will cause network problems, make sure that you carefully select and edit the frames before transmission. To help you avoid accidental transmission, the frame edit and transmit features are disabled by default.
If you want to transmit a subset of frames, prepare them for transmission.
On the Tools menu, click Allow Transmit.
In the Select a Network dialog box, select the network that you want to transmit the data on and then click OK.
On the Tools menu, click Transmit Capture.
In the Transmit Capture dialog box, select the send options and then click OK.
Related Topics
Transmit a Frame onto the Network
About Transmitting Frames onto the Network
Customizing Captured Data Overview
You can configure Network Monitor to display the filtered protocol as the summary protocol in the Frame Viewer window.
To specify the protocol header to display, you must open the Network Monitor Frame Viewer window.
On the Display menu, click Options.
In the Display Options dialog box, click Auto.
Click OK.
Related Topics
Specify the Frame Time Stamp
Customizing Captured Data Overview
To specify the frame time stamp, you must open the Network Monitor Frame Viewer window.
On the Display menu, click Options.
In the Display Options dialog box, specify one of the available time options.
The time setting appears under Time in the Frame Viewer window Summary pane.
Click OK.
Related Topics
Specify the Protocol Header to Display
Customizing Captured Data Overview
To select a protocol color scheme, you must open the Network Monitor Frame Viewer window.
On the Display menu, click Colors.
In the Protocol Colors dialog box, click the protocol names and the color combination you want.
Click OK.
To specify more than one color combination, repeat this procedure for each protocol color scheme that you want.
Related Topics
Customizing Captured Data Overview
To set the frame data display font, you must open the Network Monitor Frame Viewer window.
On the Display menu, click Font.
In the Font dialog box, specify the font settings and then click OK.
Related Topics
Customizing Captured Data Overview
To print frames, you must open the Network Monitor Frame Viewer window.
Display captured data or a capture file.
On the File menu, click Print.
In the Print dialog box, set printing options and then click OK.
Note: When you print frames, columns that do not fit on the page horizontally are truncated. To avoid losing important information, resize the columns before printing so that they display only essential information. To do so, in the Print Setup dialog box, click Landscape. If you resize a column to its smallest possible size, it does not print at all.
Related Topics
Set the Print Filter
Print All Data in a Capture File
Customizing Captured Data Overview
To add a comment frame to a capture, you must open the Network Monitor Frame Viewer window.
On the Tools menu, click Insert Comment Frame.
- or -
Right-click the Frame column where you want to insert a comment frame, and then click Insert Comment.
Complete the settings in the Insert Comment Frame dialog box, and then click OK to add the frame to the capture.
The comment frame contains the Trail protocol, which includes statistics such as the number of frames and bandwidth consumed. These statistics are based on a block of frames bounded by the current comment frame and the next comment frame of the same type (or the end of the capture).
Related Topics
Customizing Captured Data Overview