Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
How the Network Monitor Driver Works
Network Monitor tracks the network data stream, which consists of all of the information transferred over a network at any given time. Before transmission, the networking software divides this information into smaller segments, called frames. Each frame contains the following information:
The source address of the computer that sent the message.
The destination address of the computer that receives the frame.
Header information of each protocol used to send the frame.
The data (or a portion of it) being sent to the destination computer.
All frames on a network segment pass through every computer connected to that segment. However, the network card typically passes only the frames addressed to it as the destination computer, to the networking software. The Windows XP Professional version of Network Monitor can copy frames originating from or sent to the local computer to a temporary capture file. The process by which Network Monitor copies frames is referred to as data capture.
The amount of information that the Network Monitor Driver can capture is limited only by disk space availability, up to one gigabyte. However, you usually need to capture only a small subset of the frames traveling on your network. To isolate a subset of frames, you can design a capture filter, which functions like a database query to isolate the information that you specify. You can filter frames on the basis of source and destination addresses, protocols, protocol properties, and pattern offset.
If you want a running capture to respond to specific conditions as soon as the Network Monitor detects them, you can design a capture trigger. When the Network Monitor detects a particular set of conditions on the network, this capture trigger performs a specified action, such as starting an executable file.
When used with a network adapter that supports promiscuous mode, the full version of Network Monitor (available with Microsoft Systems Management Server version 2.0) can capture all the frames it detects.
The Network Data Stream
Network Monitor monitors the network data stream, which consists of all information transferred over a network at any given time. Prior to transmission, this information is divided by the network software into smaller pieces, called frames or packets.
Frames, whether broadcast, multicast, or directed, are made up of several different pieces that can be analyzed separately. Some of these pieces contain data that Network Monitor can use to troubleshoot networking problems. For example, by examining the destination address, it can be determined whether the frame was a broadcast frame, indicating all hosts had to receive and process this frame, or a directed frame sent to a specific host. By analyzing frames, you can determine the exact cause of the frame, which helps determine whether the service generating these types of frames can be optimized.