Network Management and Monitoring

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
By Steven B. Thomas

Chapter 5 from Windows NT, Heterogeneous Networking, published by MacMillan Technical Publishing

  • Network Manager Tools

    Utilities that give you the option of managing and monitoring Windows NT computers locally and/or remotely.

  • Network Monitor Utility

    Learn about built-in utilities such as the Network Monitor and how the Network Monitor analyzes protocols and network traffic.

  • Performance Monitor

    Learn how to use performance monitoring and metering utilities such as the Windows NT Performance Monitor.

  • Use SNMP to Manage Remote Computers

    We will discuss in detail the SNMP manageable agent included with Windows NT.

On This Page

The Tools of a Network Manager
The Performance Monitor
PerfLog: Performance Data Log Service
PERFMTR.EXE: Performance Meter
The Network Monitor
Monitoring Disk Usage
Simple Network Management Protocol
PERF2MIB.EXE: Performance Monitor MIB Builder Tool
Command-Line Network Monitoring Utilities
Using the Resource Kit Management Tools

The Tools of a Network Manager

From start to finish, many tools can assist a network manager. A network manager needs the following items to develop an internetwork design, manage the network, and troubleshoot:

  • A plan (well laid out)

  • Hardware (usually a private nonproduction workstation, a management console, a printer, and/or plotter)

  • Software (used for documentation, network management data, and for establishing network blueprints)

  • Spreadsheet or database program

  • Graphics or drawing application

  • Word processing application

The network administrator also needs tools and utilities that can enable him or her to monitor and manage network performance. This chapter focuses on performance management.

The Performance Monitor

The Performance Monitor is installed by default with Windows NT. To start the Performance Monitor, double-click its icon in the Administrative Tools program group.

The Performance Monitor has four view modes:

  • Chart

  • Log

  • Alert

  • Report

By default, Performance Monitor opens up in the Chart view.

Each of the views can be displayed in the Performance Monitor window using the icons in the toolbar or from the View menu.

Chart View

The Chart view, one of four main views, is brought up in an initialized state, as shown in Figure 5.1.

Several choices can be made when adding information to the Chart view. The first choice is the system to be monitored. It defaults to the local system.

You can then begin to add performance counters to the chart list for active monitoring, either by clicking the plus icon on the toolbar or by navigating to the Edit menu and selecting Add to Chart. Figure 5.2 displays the Add to Chart dialog box.

Any of the interconnected systems known to this system can be entered in the Computer text box. Objects for monitoring within the Chart view are chosen from the Object drop-down list box. The default object is Processor, which has the default counter of %Processor Time.


Figure 5.1: The Chart view.


Figure 5.2: The Add to Chart dialog box.

The resulting chart can display separate lines for each counter for an object. Objects have varying numbers of counters that can be displayed. The following list shows the counters for the object Processor:

  • Percentage DPC Time

  • Percentage Interrupt Time

  • Percentage Privileged Time

  • Percentage Processor Time

  • Percentage User Time

  • APC Bypasses/sec

  • DPC Bypasses/sec

  • DPC Rate

  • DPCs Queued/sec

  • Interrupts/sec

As this list shows, the Processor object has many counters just for the processor and the instances of each process.

Tip A large number of counters are available; the Explain button can be used to display an explanation of the selected counter, if necessary.

Commonly Used Counters

The objects commonly used for tracking can be chosen from the Chart view and include the following:

  • Cache. File system cache.

  • Logical Disk. Partitions and space usage.

  • Memory. System memory.

  • Network Protocol Resources.

  • Objects. Certain parts of system software.

  • Physical Disk. Counters relating to the physical disk systems.

  • Process. Running programs.

  • Processor. The CPU.

  • Redirector. The file system redirector used to redirect file system requests to other systems.

  • Server. Incoming network traffic due to share access.

  • System. Common counters to all hardware and software.

  • Thread. Running threads.

After selecting the object counter, click the Add button to add the counter line to the display. After all object counters are selected, click the Done button to display the chart, as illustrated in Figure 5.3.

Tip You can use the Ctrl+H keystroke to highlight your selected object counter so that you can more easily view its activity.

The Edit Chart Line dialog box enables the color, scale, width, and style of a line to be changed in the resulting display. The legend at the bottom of the window, above the status bar, shows what each color or line style represents, as illustrated in Figure 5.3.

The scale percent, a multiplier, allows an object counter display to fit within the boundaries of the current chart along with other object counters when they have widely varying values. The Instance specifies which of the object counters of the identical type is displayed.

Adjusting Chart Options

Click the Chart Options icon on the toolbar or choose Chart from the Options menu to change the characteristics of the chart. This brings up the Chart Options dialog box, as shown in Figure 5.4.


Figure 5.3: Tracking real-time counters using the Performance Monitor.

Figure 5.4: The Chart Options dialog box.

In the Chart Options dialog box, you can adjust the display properties and attributes of the Performance Monitor. Options in this dialog box enable you to make the following adjustments to the chart:

  • The legend and counter values can be removed from the display.

  • A vertical and horizontal grid can be added to the chart.

  • The vertical maximum can be increased or decreased from a default of 100.

  • The time or sample interval can be changed.

  • The display or gallery can be changed from a default histogram to a bar graph.

The check box option Always on Top allows the Performance Monitor display to appear on top of any window you select, as illustrated in Figure 5.5.


Figure 5.5: Viewing histograms and other chart option changes in the Performance Monitor.

Saving Settings

You can always save your settings to a .PMC file. This file can be used in conjunction with a Program Group icon to invoke a Performance Monitor session with the object counters automatically added to the chart.

Data Source

The data source indicates where the Performance Monitor is getting its information. The default source is the current activity of this system, shown on the status bar as Data: Current Activity at the lower-left corner of the window (refer again to Figure 5.5). The alternative source is any log file in which previous activity has been recorded.

To change the source of data, choose Data From from the Options menu. This brings up the Data From dialog box, enabling you to change the source of the data. The default log file is perfmon.log. Figure 5.6 displays the Data From dialog box.

Figure 5.6: The Data From dialog box.

If the button to the right of the name of the log file is clicked, the Open Input Log File dialog box opens, allowing a log file to be selected from any path.

The Log View

The Log view enables you to select objects and their counters to be logged for subsequent display and analysis. Clicking its icon on the toolbar or choosing Log from the View menu brings up the Log view. Like the other views, it starts out initialized; in other words, no object counters are defined for it. Figure 5.7 displays the Log view in the Performance Monitor.


Figure 5.7: The Log view.

If Add to Log is selected from the Edit menu or clicked on the toolbar, the Add to Log dialog box displays, as shown in Figure 5.8. From this dialog box, you can select the object counters.

If you click the Done button (this button toggles with Cancel), the Performance Monitor window with the Log view is brought up, as illustrated in Figure 5.9.

The selected objects appear in the view with all counters collected for each object.


Figure 5.8: The Add To Log dialog box.


Figure 5.9: Viewing the log status in the Performance Monitor.

Log Options

Choosing Log from the Options menu or clicking the Options icon brings up the Log Options dialog box. Here, you can specify the name to be given to the log file and its location. The interval at which counters are written to the log file can also be specified. Figure 5.10 shows this.


Figure 5.10: The Log Options dialog box.

The log can be paused with Pause or stopped with Stop.

Counters for the objects included in the log file are available for subsequent viewing. If the previously created log file is opened, for example, counters are only available for the Cache, Physical Disk, and Processor, as shown in Figure 5.11.


Figure 5.11: Selecting the available counters from the input log file.

After OK is clicked, the Performance Monitor window appears with the default Chart view. The status line at the bottom of the Performance Monitor window shows that the source of the data is from the log file. The graph time displays the duration for the log.

The Report View

The information collected by the Performance Monitor for object counters can be displayed in the form of a report rather than in a graphic representation.

The easiest way to begin a report is to click its icon on the toolbar. Alternatively, you can choose Report from the View menu. A new report is blank because no object counter information has been selected. Object counter information for a report is selected much like a chart.

Click the Add to Report icon to select object counters to be included within the report, as shown in Figure 5.12.


Figure 5.12: The Add to Report dialog box.

Because only object counter values are displayed in the report, only the object counter and instance can be selected. After the object counters have been chosen, click OK to display the report.

The report is organized by object: all counters belonging to the same object are grouped together under a column header for that object.

The Alert View

An alert is a line of information returned to the Alert view of the Performance Monitor when the value of an object counter is above or below a user-defined value. The entry in the log includes a date and timestamp, the actual object counter value, the criteria for returning it, the object counter, and the system. Clicking its icon on the toolbar or selecting Alert from the View menu brings up the Alert log. The Alert view, brought up in the Performance Monitor window, starts out initialized. Figure 5.13 displays the Alert view in the Performance Monitor.


Figure 5.13: The Alert view.

Select Add to Alert from the Edit menu or click its icon on the toolbar to bring up the Add to Alert dialog box, as shown in Figure 5.14.

The computer, object counter, color, and instance, if appropriate, can be selected in a fashion similar to the way charts are selected. Alerts are different in that they result in the display of information only if the object counter value is greater than or less than a user-defined value. Optionally, a program can be specified to execute either the first time or each time an alert is recorded.

After you have finished adding object counters to the Alert log, click Done to display the Alert view as shown in Figure 5.15.


Figure 5.14: The Add to Alert dialog box.


Figure 5.15: The Alert view shown after adding object counters to the Alert log.

In the example Alert log, the legend shows that alerts are logged under the following conditions:

  • The processor uses more than 3% of its time executing Kernel Mode code.

  • The number of available or free pages of memory drops below 1,000 pages.

  • The average number of bytes written to the disk is less than 300.

The Alert options, brought up by choosing the Alert options icon, enable the automatic monitoring interval to be changed. Figure 5.16 shows the Alert Options dialog box.

Just as for the Chart and Report views, the source of data for alerts can be changed using the Data From option: the source can be either the current activity of the system or any log file that contains previously recorded activity.

Figure 5.16: The Alert Options dialog box.

Isolating Bottlenecks

A processor bottleneck occurs when utilization is sustained at 80% on a consistent basis. If the processor reaches 100% utilization, this usually indicates that the processor is inadequate; a second or faster processor would solve the problem. It is important to understand that acceptable processor usage can depend on computer activity.

Exporting Data

You can export data from charts and logs into other formats as well, as shown in Figure 5.17. This data can be read into charting programs such as Microsoft Excel or Lotus 1-2-3, as shown in Figure 5.18.


Figure 5.17: Exporting data into a comma- or tab-delimited format.


Figure 5.18: Viewing imported data using Microsoft Excel.

PerfLog: Performance Data Log Service

This service is found in the Windows NT Resource Kit. This tool logs data from performance counters to tab- or comma-separated value files. It enables you to choose which performance counters you want to log, and it starts new log files automatically at selected intervals.

The text files to which PerfLog logs data can be used as input to spreadsheets, databases, and other applications, as well as to Performance Monitor. Unlike Performance Monitor logs, which store data in a compact, multidimensional C-language data format, PerfLog logs can be used as direct input without reformatting.

PerfLog uses the same objects and counters as Performance Monitor (included with the Windows NT operating system), but it enables you to select which counters you want to log for each instance of an object. You also can select the level of detail you need on an instance and let PerfLog select a set of counters for you. You can also view this data in the form of a report, which will give an average counter over the timespan of the log file. This is an excellent tool for collecting historical trends when you have to use the Performance Monitor in Interactive Mode.

Installing PerfLog

To install the Performance Data Logging service, follow these steps:

  1. Navigate to the Administrative Tools group and select Performance Monitor.

  2. From the Performance View menu, choose Log. From the Edit menu, choose Add to Log.

  3. Add the objects you want to track to the log.

  4. Navigate to the File menu and choose Save Settings As.

  5. Save the settings file as a .PML file and save the file to the %SYSTEMROOT%\SYSTEM32 directory.

  6. Navigate to the Options menu and choose Log.

  7. In the Log File field, specify a log filename (*.LOG) and the logging interval, but do not start logging.

  8. Save the settings file as a .PMW into your %SYSTEMROOT%\SYSTEM32 folder by using the Save Workspace command on the File menu.

  9. Copy the file DATALOG.EXE from the Resource Kit directory into your %SYSTEMROOT%\SYSTEM32 folder.

To install the Data Logging service, type the following in a command prompt window in the %SYSTEMROOT%\SYSTEM32 directory:

monitor setup

This command registers the service with the Service Manager. You only need to run this command once. To use your settings file, type the following:

monitor filename.PMW

Type the following to start logging events and alerts immediately:

monitor start

To stop logging, type the following:

monitor stop

You can then view the log file in Performance Monitor. (You must stop the Monitor service before you can use the log file in Performance Monitor.)

You can also use this command to set the service to start automatically when Windows NT starts by typing the following:

monitor automatic

Viewing the Historical Data

To view historical data, follow these steps:

  1. Navigate to the Administrative Tools group and select Performance Monitor.

  2. From the Performance View menu, choose Chart. From the Options menu, choose Data From.

  3. Change the option from Current Activity to the log file's complete path.

  4. Your chart is now blank. You need to add the individual counters. You can do this by going to the Edit menu and choosing Add to Chart and selecting the counters you would like to view.

Author's Note You can go back and forth, adjusting which counters are displayed, because the input is from a data file rather than current activity. You are not adding to the system load while doing this.

PERFMTR.EXE: Performance Meter

Performance Meter displays text-based information on the performance of a computer running Windows NT. You can think of this as a kind of command-line version of performance metering.

To use Performance Meter, follow these steps:

  1. At the command prompt, type perfmtr.

  2. Type a command (without pressing Enter) for any of the following:

    c CPU usage

    f File cache usage

    h Header

    i I/O usage

    p POOL usage

    r Cache Manager reads and writes

    s Server statistics

    v Virtual memory usage

    x x86 VDM (Virtual DOS Machine) usage

At any point while you are running this utility, you can change the option by typing the letter option. It keeps updating until you type the q key.

The Network Monitor

Windows NT 4.0 now includes a scaled-down version of the Network Monitor (see Figure 5.19). The Network Monitor tool enables a network manager to "sniff" the network for protocol analysis. This allows low-level network traffic analysis so that the various packet information can be filtered. This utility has limited parsing, restricted primarily to header information. The descriptions of the headers are excellent, however. I have always been a strong advocate of protocol analyzers because they make the best education tool for networking and data communications.


Figure 5.19: A scaled version of the Network Monitor.

A variety of options can be implemented with this utility. Available options include the following:

  • Capturing data

  • Filtering captures

  • Registering network address information in databases

  • Printing information

  • Vendor adjustments

Captures can be saved for reference points in tracking historical performance.

Frame Types

Traffic captured by a network traffic analysis tool is displayed in segments called frames. A frame represents the addressing and protocol information, as well as the data transferred from one host to another on the network. The frame is merely a message. Any formatted message is a protocol data unit (PDU). The frame is a PDU similar to a packet or a datagram. The PDU differs depending on the protocol. The term frame is used to describe data-link level PDUs, such as Ethernet and Token Ring.

There are three different types of frames:

  • Broadcast

  • Multicast

  • Directed (unicast)

Broadcast Frames

Broadcast frames are delivered to all hosts on the network. They may actually be destined for one specific host; because of protocol or addressing reasons, however, they are sent to all hosts.

Broadcasts are sent with the unique destination address of FFFFFFFFFFFF. No host can be configured with this address. Every host on the network accepts this frame and processes it up through its protocol stack until it determines whether to complete processing of the frame or to discard it (because it is not meant for the local computer).

Multicast Frames

Multicast frames are delivered to a portion of the hosts on the network. Similar to broadcast frames, they are not delivered to a specific destination media access control (MAC) address, but to a selected subset of the hosts on the network. Each host has to register the multicast address to become a member of that multicast subset. NetBIOS Extended User Interface (NetBEUI) and some TCP/IP applications make use of multicasts.

Directed Frames

Directed frames, or unicasts, are the most common type of frame. These frames carry the destination address of a specific host on the network. All other hosts that receive such a frame discard it because its destination address is not their own hardware address.

Each of the different protocols that ship with Windows NT 4.0 may differ in their implementation of broadcasts. TCP/IP and NWLink initiate broadcasts, for example, but NetBEUI sends multicasts rather than broadcasts.

Frame Encapsulation

The Network Monitor can capture information and store it in a buffer for analysis. The protocol analyzer then parses each frame. All the header information can be translated given that a corresponding DLL is available. The Network Monitor has header translation information for all the following protocols:

  • AppleTalk

  • TCP/IP

  • Special Network Monitor

  • Microsoft Services

  • Novell Services

  • Remote Access

  • Banyan VINES

  • Routing

Even on a hybrid network, you can use this utility to analyze information. Figure 5.20 displays this information as it is shown in the Network Monitor.


Figure 5.20: The Capture window within the Network Monitor.

The Capture window displays the following information in the upper pane:

  • Frame number (for referencing within the capture)

  • The time elapsed (offsets from the start of the capture)

  • The source media access control address

  • The target media access control address

  • The highest layer protocol parsed

  • The description of this protocol header

  • Source other address (if used, a logical address—IP, IPX, and so on)

  • Target other address (if used, a logical address—IP, IPX, and so on)

  • Type other address (a Network Layer protocol, if found)

The following is an example of this using a NetBIOS over TCP/IP frame:

52 174.567 STEVE WORKGROUP NBT NS: Query req. for *<00...(15)> IP

Double-clicking a frame invokes the multi-pane view dialog box. This is where two additional panes pop up below the frame list. The first new pane displays the parsed headers, which can be expanded to reveal every protocol field option. Each frame and all of its expanded fields can be copied to the Clipboard, if needed.

The following is a NetBIOS over TCP/IP frame in this format:

FRAME: Base frame properties
ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
IP: ID = 0x1A39; Proto = UDP; Len: 78
UDP: Src Port: NETBIOS Name Service, (137); Dst Port: NETBIOS Name Service (137); Length = 58 (0x3A)
NBT: NS: Query req. for *<00...(15)>

Finally, the bottom pane displays this information in raw hex or byte format. When a header is selected from the preceding pane, the corresponding bytes are selected in this pane as well. The following is that same information shown in byte format:

00000:  72 D9 E8 00 01 01 00 01 50 87 63 80 08 00 45 00   
00010:  00 4E 1A 39 00 00 80 11 8C CC D0 8E 52 20 D0 83   
00020:  A0 67 00 89 00 89 00 3A 97 F6 94 8E 00 10 00 01   
00030:  00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41   
00040:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   
00050:  41 41 41 41 41 41 41 00 00 21 00 01 
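As an added example (not code from the book or from Network Monitor), the following Python decodes the byte-format dump above back into the fields that the parsed pane lists and verifies the IP and UDP checksums; it assumes the dump is a complete Ethernet II frame and applies the RFC 1001 first-level decoding to the 32-character NetBIOS name label.

```python
"""Decode the NetBIOS-over-TCP/IP name query shown in the Network Monitor hex
pane above, layer by layer (Ethernet II -> IPv4 -> UDP -> NBT name service),
and verify the IP and UDP checksums.  Added example; not code from the book."""
import struct

# The frame exactly as printed in the chapter's byte-format pane.
FRAME_HEX = """
00000:  72 D9 E8 00 01 01 00 01 50 87 63 80 08 00 45 00
00010:  00 4E 1A 39 00 00 80 11 8C CC D0 8E 52 20 D0 83
00020:  A0 67 00 89 00 89 00 3A 97 F6 94 8E 00 10 00 01
00030:  00 00 00 00 00 00 20 43 4B 41 41 41 41 41 41 41
00040:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
00050:  41 41 41 41 41 41 41 00 00 21 00 01
"""

def hexdump_to_bytes(dump):
    """Turn 'offset:  xx xx ...' lines back into the raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, data = line.partition(":")
        out.extend(int(tok, 16) for tok in data.split())
    return bytes(out)

def inet_checksum(data):
    """RFC 1071 one's-complement sum; 0 means the stored checksum in 'data' verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_netbios_name(encoded):
    """Undo NetBIOS first-level encoding (RFC 1001 section 14.1): each name byte
    travels as two letters 'A'..'P'.  Returns 15 name bytes plus the suffix byte."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def display_name(raw16):
    """Render a 16-byte NetBIOS name the way the parsed pane above prints it:
    printable characters as-is, other bytes as <XX>, runs as <XX...(n)>."""
    out, i = [], 0
    while i < len(raw16):
        b, j = raw16[i], i
        while j < len(raw16) and raw16[j] == b:
            j += 1
        run = j - i
        if 0x21 <= b < 0x7F:
            out.append(chr(b) * run)
        else:
            out.append("<%02X>" % b if run == 1 else "<%02X...(%d)>" % (b, run))
        i = j
    return "".join(out)

def parse_nbt_query(frame):
    """Parse one Ethernet/IP/UDP/NBT name-service query frame into a dict."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IP frame (ETYPE 0x%04X)" % ethertype)
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]   # IP total length
    ihl = (ip[0] & 0x0F) * 4
    ip_hdr = ip[:ihl]
    ip_id, proto = struct.unpack("!H", ip_hdr[4:6])[0], ip_hdr[9]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    if proto != 17:
        raise ValueError("not UDP (protocol %d)" % proto)
    udp = ip[ihl:]
    sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
    # The UDP checksum also covers this pseudo-header built from the IP layer.
    pseudo = src + dst + b"\x00" + bytes([proto]) + struct.pack("!H", udp_len)
    nbt = udp[8:udp_len]
    tid, flags, qdcount = struct.unpack("!HHH", nbt[:6])
    if dport != 137 or nbt[12] != 32:   # one 32-character encoded label follows
        raise ValueError("not an NBT name-service query")
    raw_name = decode_netbios_name(nbt[13:45])
    qtype, qclass = struct.unpack("!HH", nbt[46:50])   # after the 0x00 terminator
    return {
        "eth_src": ":".join("%02X" % b for b in eth_src),
        "ip_id": ip_id, "ip_len": len(ip),
        "ip_checksum_ok": inet_checksum(ip_hdr) == 0,
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "udp_ports": (sport, dport), "udp_len": udp_len,
        "udp_checksum_ok": inet_checksum(pseudo + udp[:udp_len]) == 0,
        "nbt_tid": tid, "nbt_flags": flags, "nbt_qdcount": qdcount,
        "name": display_name(raw_name), "suffix": raw_name[15],
        "qtype": qtype, "qclass": qclass,
    }

if __name__ == "__main__":
    for key, value in parse_nbt_query(hexdump_to_bytes(FRAME_HEX)).items():
        print("%-16s %s" % (key, value))
```

A checksum that fails to verify, or a name label that is not 32 letters A through P, is how a parser like this catches a truncated or malformed capture before trusting its fields.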

Capture and Display Filters

Filters can be invoked at any time when capturing data or working with a previous capture. When you implement a capture filter, you can tell the Network Monitor to include or exclude specific MAC addresses or logical addresses as well as protocols. You can use these same criteria to filter a display, which applies to previously saved captures or to an active capture that you have stopped. You can then save these criteria into a file with a .CF or .DF extension for use at a later time. The Network Monitor comes with two display and two capture filters: each type has a default filter and a NOBROAD filter (which filters out broadcasts).

The addresses can come from the address database for the capture filter. In the case of the display filter, they come from the current capture. For the protocols, which also are referred to as ETYPE and SAP (Service Access Point), you can filter based on all the available protocols:

The Address Database

The next time you design a capture filter that involves address pairs, you can use this database. If you assign the database the DEFAULT.ADR filename, it becomes your default address database. You can use the Address Database dialog box to add, delete, or edit addresses in an address database. You also can use this dialog box to save the current address database or load a different one.

Warning: I would not advise saving this information to the DEFAULT.ADR if you plan to run this monitor on a machine moving from network to network, because the addresses may get confused.

The Address List on this dialog box displays the following information about each computer:

  • A friendly name

  • The 12-digit hexadecimal network address

  • The address type (for example, MAC or IP)

  • The name of the vendor who created the network card

  • A comment or additional information

With the address database, a capture display can show source and target addresses resolved to friendly names rather than cryptic MAC addresses. This feature is a must for convenience on a regularly monitored LAN.

Additional Options

You can use the Network Monitor's advanced options to change between network devices, load a remote Network Monitor agent, find routers, and query for other Network Monitor agents, utilities, and their current status. It is important to note that when you use these utilities, they use special protocols, which also show up in a capture. These special protocols include the following:

  • BONE. This is the Bloodhound Oriented Network Entity protocol. Each Network Monitor agent uses this protocol to perform station-to-station queries.

  • BOOKMARK. This is used as a mark point method between Network Monitor agents. It also is used in the adjustment and retransmission of packets.

  • GENERIC. This is an unused protocol designed for future versions of the Network Monitor utility.

Capture Triggers

Capture triggers let you hold off automatic capturing until a certain condition is met. You can use one of the following trigger types to define the criteria:

The default where no trigger is initiated.

Pattern Match

This initiates the trigger when the specified pattern occurs in a captured frame.

Buffer Space

This initiates the trigger when a specified amount of the capture buffer is filled. This is often used for a stop trigger.

Pattern Match Then Buffer Space

This initiates the trigger when the pattern occurs and is followed by a specified percentage of the capture buffer being filled. This is a popular choice: people use the pattern match as a start trigger and the buffer space as a stop trigger.

Buffer Space Then Pattern Match

This initiates the trigger when the specified percentage of the capture buffer fills and is followed by the occurrence of the pattern in a captured frame.

When the trigger condition has been met, you can tell the Network Monitor to perform a specific action:

No Action

This specifies that no action is taken when a trigger condition is met. This is the default. Even though you select No Action, the computer beeps when the trigger condition is met.

Stop Capture

This stops the capture process when the trigger condition is met.

Execute Command Line

This runs a program or batch file when a trigger condition is met. If you select this option, provide a command or the path to a program or batch file.

Different Network Monitor Versions

A Network Monitor version is included with Windows NT Server 4.0. This is the simple version and is not to be confused with the Microsoft Systems Management Server (SMS) Network Monitor extensions (full version). Both versions can assist with network traffic analysis, although the full version of the product, included with SMS, offers more features and functions than does the version included with Windows NT Server 4.0.

Table 5.1 lists the product differences.

Table 5.1 Differences in the Network Monitor Simple and Full Versions.

Feature | Network Monitor (Simple) | Network Monitor (Full)
Local capturing | To and from the local computer's Network Monitor agent | All devices on the entire subnet
Remote capturing | Not available |
Determining top user of network bandwidth | Not available |
Determining which protocol consumed the most bandwidth | Not available |
Determining which devices are routers | Not available |
Resolving a user-friendly name to a MAC address | Not available |
Editing and retransmitting network traffic | Not available |

Installing the SMS Network Monitor

To install the SMS Network Monitor, follow these steps:

  1. Right-click the Network Neighborhood icon, and select Map Network Drive.

  2. In the path field, type the path to the Network Monitor Extensions for SMS. This can be found on the SMS 1.x CD.

  3. From an Explorer window or using a command prompt, open Setup.exe.

  4. Accept the default network path and click Continue.

  5. If you are prompted to create the directory, click OK.

  6. When prompted for passwords, you can submit a password for control or not enter any. Proceed by clicking No Password.

  7. When prompted for your username, type administrator.

  8. Click OK again to confirm.

  9. Click OK to continue. Then click OK again. The utility invokes the Network Control Panel application.

  10. Click on the Services tab. Note that you will not see this option if the Network Monitor is already installed.

  11. Click Add and select Network Monitor Agent, not Network Monitor Tools and Agent.

  12. Click Close to exit out of the Network Control Panel.

  13. When prompted to restart your computer, click Yes.

Network Monitor Command-Line Options

The Network Monitor has many command-line options that can be used for noninteractive use and/or for scheduling purposes.

The command-line version switches include the following:

  • /autostart Start the Network Monitor in Capture Mode immediately.

  • /autostop Stop capturing the moment the capture buffer is used up.

  • /buffersize:size Start the Network Monitor with a predetermined capture buffer size.

  • /remote:name Connect to the remote computer's Network Monitor agent.

  • /net:number Capture data from the network specified by the network number.

  • /quickfilter:path Start capturing immediately using the filter specified by the path.

  • /displayfilter:path Start the Network Monitor using the specified filter.

Monitoring Disk Usage

Disk performance is a big factor in overall network performance management. If the disk controller or the hard drive is encountering a bottleneck, file transfers can be significantly degraded. There are certain items to keep under consideration when monitoring disk usage on a computer, as described in the following sections.

Turning On the Windows NT Disk Performance Counters

To use utilities such as the Performance Monitor to keep track of physical disk usage, you must enable the Windows NT disk performance counters. By default, Windows NT does not enable physical disk performance counters. To enable disk performance counters, you need to use the DISKPERF.EXE command.

The syntax for DISKPERF is as follows:

Diskperf  option

Available options include the following:

  • Enable counters

  • Disable counters

  • Enable counters for stripe sets, mirror sets, or stripe sets with parity

When you enable or disable counters, you must reboot Windows NT to actually complete the operation.

Test Your Server Hard Drive Performance

The hard drives and disk controllers are the most important part of a server's configuration and another critical part of performance management. Windows NT's advanced file system option, NTFS, is a lazy-write file system. If you decide to use NTFS, you will have additional overhead due to the file system's advanced structure, which includes extended attributes and transaction-tracking information. Unlike the FAT file system, NTFS also does not automatically commit transactions to the disk.

This matters because it means your hard drives must be reliable and as fast as possible. One way to achieve this is to use additional utilities that can test and even enhance the performance of your disk drives.


DISKMAX is found in the Windows NT Resource Kit. It is a Response Probe test that helps you determine the maximum throughput of a disk drive, and it is an excellent way to test the speed of your hardware. DISKMAX does sequential, unbuffered reads of 64KB records from a 20MB file. After you have performed the test using this utility, you can use Performance Monitor to help you analyze the result.

To run DISKMAX, you first need to install the required files from the Resource Kit on the drive you want to test. The CD SETUP utility installs all files except for Workfile.dat as part of the Performance Tools group.

The following is the list of the files required from the Resource Kit:







As noted previously, Workfile.dat is not installed by the SETUP utility, but you can copy it manually from the CD. Workfile.dat is a 20MB file filled with zeros that Response Probe uses to simulate a workload file. You can use Workfile.dat or you can create a zero-filled file of any size by using the CREATEFILE (Creatfil.exe) utility in the \Probe subdirectory. The CREATEFILE syntax follows:

     creatfil <filename> [<filesize>]

filesize is optional; the default is 1,024KB.

If you haven't done so already, you need to enable the Performance Monitor disk counters using the DISKPERF utility discussed in the previous section.

Start a Performance Monitor log. If possible, write the log to a different physical drive. This helps ensure a realistic baseline. Log the Logical Disk object at a one-second update interval.

At the command prompt of the drive you want to test, change to the subdirectory where the .sc* files are stored (the default is Examples) and type the following:

     <Path>Probe diskmax.scr 900

When the command prompt returns, stop the Performance Monitor log. Analyze the data from the test using the Response Probe output file, which is Diskmax.out, and your Performance Monitor log. Use the following Performance Monitor counters:

Logical disk: Avg. Disk Bytes/Read
Logical disk: Avg. Disk sec/Read
Logical disk: Disk Read Bytes/sec
Logical disk: Disk Reads/sec

Simple Network Management Protocol

You may want to look for a solution that enables you not only to monitor the important server and network resources, but also to modify them. A system or network management solution is viable for this.

For larger heterogeneous networks, Windows NT supports SNMP (Simple Network Management Protocol). This is the Internet standard protocol for managing nodes on networks. The original implementation of SNMP provided a widely adopted network-management protocol that is simple and inexpensive to implement. However, it could not communicate from manager to manager, did not support IPX, OSI, and AppleTalk, and above all did not address security. The protocol later evolved to support IPX, OSI, and AppleTalk networks as well as a small degree of security. Figure 5.21 displays a typical SNMP environment.


Figure 5.21: Managing all major network entities with SNMP.

SNMP 2, a new implementation, builds on features of SNMP, addresses more security and manager-to-manager communication, and provides for error return. It remains backward-compatible with the command set of SNMP version 1, but doubles the available command sets from four to eight.

SNMP uses databases known as MIBs (Management Information Bases). A MIB is the set of parameters an SNMP management station can query or set in the SNMP agent of a network device. The Windows NT SNMP service includes the following:

  • MIB II (based on RFC 1213)

  • LAN Manager MIB II

  • MIBs for DHCP and WINS servers

The SNMP service allows SNMP-based managers to perform standard SNMP commands, such as reading the counters in the standard MIBs included with the service. Windows NT SNMP has an extensible architecture, so it can be used to create custom functionality on a Windows NT Workstation or Server, such as starting and stopping specific services or shutting down the system. Later, we will discuss a utility that helps facilitate this.

The SNMP Model

The SNMP model is based on the manager-agent model. The SNMP Manager uses a network management application to submit the commands to the SNMP agents on the network entities. Lately, the applications have been developed primarily to provide a user-friendly interface for managers to seamlessly process these commands. Windows NT implements the SNMP agent as a service, but does not provide an SNMP Manager by default.

Object Identifiers

The network management platform is used by SNMP for object identification. It uses the available MODs as a dictionary of sorts. MOD (manageable objects database) refers to compiled MIBs. The MIB hierarchy is defined by using certain guidelines.

The main entities that comprise the MIB guidelines are the OIDs (object identifiers), shown in Figure 5.22. They represent each manageable object with a unique sequence of numbers and names. SNMP uses the number as an abbreviated form of the name to make requests for data values and to identify the response that carries the values.

You can think of this as a directory service of manageable objects. Beneath the root of the hierarchy are three major areas:

  • ITU-T (0). This is the starting point for entities standardized by the International Telecommunication Union—Telecommunications.

  • ISO (1). This is where most of the major SNMP entities are found (Internet, and so on) under the International Standardization Organization.

  • Joint-ISO-ITU-T (2). This is an experimental area for joint entities.

Three basic types of MIBs are governed by their place in the MIB tree:

  • Public—MIB 2 (Starts

  • Experimental (

  • Private Enterprise (


Figure 5.22: The MIB OID hierarchy.

For the three MIBs we are focusing on, these OIDs are organized in a tree-like structure. The sequence of numbers identifies the various branches of the subtree that a given object comes from. The root of the tree is the ISO (International Standards Organization) trunk. Its value is 1. Each branch above the root (or below, depending on your perspective) further identifies the source of the given object.

All SNMP objects are members of the subtree identified by or 1.3.6.1. Each additional component in this dotted notation further defines the exact location of an object. The numbers for each subtree are assigned by the IETF to ensure that all branches are unique.

The Enterprise numbers (beneath follow:

  • NCR 191

  • SGI 59

  • Banyan 1303

  • 3Com 43

  • NEC 119

  • Sun 42

  • LAN Manager 77

  • DEC 36

  • McAfee 110

  • Oracle 111

  • Microsoft 311

  • Intel 343

  • HP 11

  • Apple 63

  • Novell 23

Installing SNMP

When you install SNMP on a Windows NT computer, you are only installing the SNMP agent. Table 5.2 describes the files installed on a Windows NT computer with the SNMP service installed.

Table 5.2 Files installed with SNMP when running Windows NT.




DHCP MIB extension-agent DLL, available only when the DHCP Server is installed on a computer running Windows NT Server.


Internet Information Server DLL, available only if IIS is installed on a computer running Windows NT Server.


MIB-II extension-agent DLL.


LAN Manager extension-agent DLL.


A Windows NT-based SNMP manager API that listens for manager requests. It sends the requests to and receives responses from SNMP agents.


Installed with the SNMP service and used by the management API, Mgmtapi.dll, to map text-based object names to numeric OIDs.


SNMP agent service, a master (proxy) agent that accepts manager program requests and forwards the requests to the appropriate subagent-extension DLL for processing.


Receives SNMP traps from the SNMP agent and forwards them to the SNMP Manager API on the management console. Snmptrap.exe is a background process started only when the SNMP Manager API receives a manager request for traps.


WINS MIB extension-agent DLL, available only when the WINS Server is installed on a computer running Windows NT Server.

Microsoft MIBs fall into the private enterprises category. Table 5.3 lists the base object names and their respective OID locations, along with the standard MIBs included with Windows NT.

Table 5.3 Standard MIBs Included with Windows NT.

  • Internet MIB-II. Defines objects essential for either configuration or fault analysis. Internet MIB-II is defined in RFC 1213.

  • LAN Manager MIB-II. Defines objects that include such items as statistical, share, session, user, and logon information.

  • Microsoft DHCP Server MIB (private). Contains statistics for the DHCP Server, and DHCP scope information.

  • Microsoft Internet Information Server MIB. The FTP, Gopher, and HTTP server MIBs are derived from the Internet Information Server base object.

  • Microsoft WINS Server MIB (private). Contains information about the WINS Server, including statistics, database information, and push and pull data.

With these MIBs running along with the SNMP service, a network administrator can do the following:

  • View and change parameters in the LAN Manager and MIB-II MIBs by using SNMP Manager programs.

  • Monitor and configure parameters for any WINS servers on the network by using SNMP Manager programs.

  • Monitor DHCP servers by using SNMP Manager programs.

  • Use Performance Monitor to monitor TCP/IP-related performance counters, which are ICMP, IP, Network Interface, TCP, UDP, DHCP, FTP, WINS, and IIS performance counters.

  • Use the Windows NT Server Resource Kit utilities to perform simple SNMP Manager functions.

Table 5.4 describes SNMP-related utilities and files provided on the Resource Kit compact disc. If you ever plan to use SNMP to monitor and manage Windows NT computers from another non-Windows NT operating system, your management application needs to have access to these precompiled MIB definition files.

You probably won't ever need these files if you are using a utility such as the Performance Monitor to monitor other Windows NT computers. If you are tracking other Windows NT computers strictly through SNMP, however, you have to import these MIBs into the manager, and if that manager runs on a non-Windows NT computer you also need to copy the files to it.

Table 5.4 SNMP-related utilities and files.




DHCP server-managed objects. *


Microsoft WINS server-managed objects. *


IIS-managed objects. *


FTP server-managed objects. *


Gopher server-managed objects. *

Http.mib: HTTP server-managed objects. *


LAN Manager MIB-II. *




Structure of Management Information MIB, as specified in RFC 1155. This file contains the global definitions used to define the objects in the other MIBs.

Configuring SNMP

The SNMP service is installed when you check the related option in the Microsoft TCP/IP Installation Options dialog box. After the SNMP service software is installed on your computer, you must configure it with valid information for SNMP to operate (see Figure 5.23). The SNMP configuration information identifies communities and trap destinations (see Figure 5.24).

Tip You must be logged on as a member of the Administrators group for the local computer to configure SNMP.


Figure 5.23: Configuring SNMP network properties.


Figure 5.24: Microsoft SNMP Properties dialog box.

A community is an ASCII name that represents a group of hosts to which a Windows NT computer running the SNMP service belongs. You can specify one or more communities to which the Windows NT computer using SNMP sends traps. The community name is placed in the SNMP packet when the trap is sent.

When the SNMP service receives a request for information that does not contain the correct community name and does not match an accepted hostname for the service, the SNMP service can send a trap to the trap destination(s), indicating that the request failed authentication. Trap destinations are the names or IP addresses of hosts to which you want the SNMP service to send traps with the selected community name.

You can also implement security at a higher degree by configuring the service to accept only certain community names. Then, you can configure the service to accept SNMP packets only from certain hosts within that community.

To configure the SNMP service, follow these steps:

  1. Start the Network option in the Control Panel to display the Network Settings dialog box. On the Services tab, select SNMP Service, and choose the Configure button. The SNMP Service Configuration dialog box appears (refer again to Figure 5.23).

  2. To identify each community to which you want this computer to send traps, type the name in the Community Names box. After typing each name, choose the Add button to move the name to the Send Traps With Community Names list on the left.

    Typically, all hosts belong to public, which is the standard name for the common community of all hosts. To delete an entry in the list, select it and choose the Remove button.

    Tip Community names are case-sensitive.

  3. To specify hosts for each community you send traps to, after you have added the community and while it is still highlighted, type the hosts in the IP Host/Address or IPX Address box. Then, choose the Add button to move the hostname or IP address to the Trap Destination for the selected community list on the left.

    You can enter a hostname, its IP address, or its IPX address. To delete an entry in the list, select it and choose the Remove button.

  4. To enable additional security for the SNMP service, choose the Security button. Continue with the configuration procedure.

  5. To specify agent information (comments about the user, location, and services), choose the Agent button. Continue with the configuration procedure.

  6. After you have completed all procedures, choose the OK button. When the Network Settings dialog box reappears, choose the OK button.


SNMP Browser is a utility that enables you to get SNMP information from an SNMP host on your network. This is a pretty raw utility and uses the following syntax:

     Snmputil command host community-name OID

Look at the following example:

     snmputil getnext ip_address public .

SNMP Command Set

SNMP uses a simple set of commands to set and retrieve values of objects in MIBs. There are three basic request types in SNMP: Set, Get, and GetNext. The basic SNMP protocol entity is referred to as a PDU (protocol data unit).

Get and Set operations are only allowed on object instances. Multiple objects may be retrieved or modified in a single PDU. SNMP specifies that, when modifying objects, if one Set fails in a PDU, none of the Set operations should be applied.

A GetNext request is slightly different from Get and Set operations. GetNext requests can specify any OID, whether or not the agent instruments it. The SNMP protocol specifies that when a GetNext request is issued to a particular agent, it returns the value of the first object instrumented by the receiving agent that lexicographically follows the specified OID.
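As an added example (not code from the book or from Microsoft), the following Python models an agent's MIB view to show the points made here and in the Object Identifiers section above: OIDs compare arc by arc, GetNext returns the first instrumented instance after any OID you name, and a Set-PDU either applies every binding or none. The object instances, the read-only marks and the private OID suffix under enterprise 311 are constructed for the demo; the MIB-2, experimental and enterprises prefixes are the standard ones from RFC 1155 and RFC 1213.

```python
"""Added example (not from the book): an in-memory model of an SNMP agent's MIB
view showing arc-by-arc OID ordering, the GetNext walk, and the all-or-nothing
rule for Set. Object instances and values are constructed for the demo."""
from typing import Dict, List, Optional, Tuple

# Standard prefixes from RFC 1155/1213 and the enterprise numbers the chapter lists
# (the name table is deliberately partial).
MIB2 = (1, 3, 6, 1, 2, 1)
EXPERIMENTAL = (1, 3, 6, 1, 3)
ENTERPRISES = (1, 3, 6, 1, 4, 1)
ENTERPRISE_NAMES = {311: "Microsoft", 77: "LAN Manager", 11: "HP", 42: "Sun",
                    63: "Apple", 23: "Novell", 43: "3Com", 36: "DEC", 59: "SGI"}

def parse_oid(dotted: str) -> Tuple[int, ...]:
    """'.1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0). Tuples of ints compare arc
    by arc, so ...1.10 sorts after ...1.9 (plain string order would put it first)."""
    arcs = tuple(int(a) for a in dotted.strip(".").split("."))
    if any(a < 0 for a in arcs):
        raise ValueError(f"bad OID {dotted!r}")
    return arcs

def classify(dotted: str) -> str:
    """Name the MIB area an OID belongs to: public MIB-2, experimental, or private enterprise."""
    arcs = parse_oid(dotted)
    if arcs[:len(MIB2)] == MIB2:
        return "public MIB-2"
    if arcs[:len(EXPERIMENTAL)] == EXPERIMENTAL:
        return "experimental"
    if arcs[:len(ENTERPRISES)] == ENTERPRISES and len(arcs) > len(ENTERPRISES):
        num = arcs[len(ENTERPRISES)]
        return "private enterprise: " + ENTERPRISE_NAMES.get(num, f"#{num}")
    return "other"

class Agent:
    """Object instances keyed by OID arcs; read_only lists instances a Set must refuse."""

    def __init__(self, objects: Dict[str, object], read_only: List[str]):
        self.objects = {parse_oid(k): v for k, v in objects.items()}
        self.read_only = {parse_oid(k) for k in read_only}

    def get(self, dotted: str) -> Optional[object]:
        # Get works only on an exact instance; an object OID without its instance suffix finds nothing.
        return self.objects.get(parse_oid(dotted))

    def get_next(self, dotted: str) -> Optional[Tuple[str, object]]:
        """First instrumented instance lexicographically after `dotted`, which need not exist."""
        start = parse_oid(dotted)
        following = sorted(o for o in self.objects if o > start)
        if not following:
            return None                      # walked off the end of the agent's MIB view
        return ".".join(map(str, following[0])), self.objects[following[0]]

    def walk(self, subtree: str) -> List[Tuple[str, object]]:
        """Issue GetNext repeatedly until the returned OID leaves the subtree."""
        prefix, out, cur = parse_oid(subtree), [], subtree
        while True:
            nxt = self.get_next(cur)
            if nxt is None or parse_oid(nxt[0])[:len(prefix)] != prefix:
                return out
            out.append(nxt)
            cur = nxt[0]

    def set(self, varbinds: List[Tuple[str, object]]) -> bool:
        """Apply a Set-PDU atomically: check every binding first; if any names an unknown
        instance or a read-only object, nothing is changed and the PDU fails as a whole."""
        parsed = [(parse_oid(o), v) for o, v in varbinds]
        if any(o not in self.objects or o in self.read_only for o, _ in parsed):
            return False
        for oid, value in parsed:
            self.objects[oid] = value
        return True

# Constructed sample view: a few MIB-II system and interfaces instances plus one
# made-up instance under the Microsoft enterprise arc (311).
SAMPLE = Agent(
    {"1.3.6.1.2.1.1.1.0": "Windows NT 4.0 demo host",   # sysDescr
     "1.3.6.1.2.1.1.5.0": "NTSERVER1",                   # sysName
     "1.3.6.1.2.1.1.6.0": "Lab rack 2",                  # sysLocation
     "1.3.6.1.2.1.2.1.0": 2,                             # ifNumber
     "1.3.6.1.2.1.2.2.1.10.1": 12345,                    # ifInOctets.1
     "1.3.6.1.2.1.2.2.1.10.2": 67890,                    # ifInOctets.2
     "1.3.6.1.4.1.311.99.1.0": "private-demo"},          # constructed private object
    read_only=["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.2.1.0",
               "1.3.6.1.2.1.2.2.1.10.1", "1.3.6.1.2.1.2.2.1.10.2"])

if __name__ == "__main__":
    print(classify("1.3.6.1.4.1.311.99.1.0"))
    for oid, value in SAMPLE.walk("1.3.6.1.2.1.1"):
        print(oid, value)
```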

SNMP Traps

Traps are SNMP messages that originate from the agent to a preconfigured management station. They are used to notify management consoles of significant events.

The GENERICTRAP field identifies what kind of trap this is. It can be any one of the following:

  • SNMP_GENERICTRAP_COLDSTART. This trap indicates cold start.

  • SNMP_GENERICTRAP_WARMSTART. This trap indicates warm start.

  • SNMP_GENERICTRAP_LINKDOWN. This trap indicates link down.

  • SNMP_GENERICTRAP_LINKUP. This trap indicates link up.

  • SNMP_GENERICTRAP_AUTHFAILURE. This trap indicates authentication failure.

  • SNMP_GENERICTRAP_EGPNEIGHLOSS. This trap indicates EGP (Exterior Gateway Protocol) neighbor loss.

  • SNMP_GENERICTRAP_ENTERSPECIFIC. This indicates an enterprise-specific trap.
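Added example, not from the book or the SNMP service itself: a minimal BER encoder and decoder for an SNMPv1 Trap-PDU in Python, which maps the generic-trap field to the names listed above and flags the authentication-failure trap the service raises for a rejected community name. The community, agent address, enterprise suffix and varbind are constructed sample values; the tag numbers and generic-trap codes are those defined in RFC 1155 and RFC 1157.

```python
"""Added example (not from the book): build and parse an SNMPv1 Trap-PDU with plain
BER (RFC 1155/1157) and name its generic-trap field with the chapter's
SNMP_GENERICTRAP_* names. The trap contents are constructed for the demo."""

INTEGER, OCTET_STRING, OID, SEQUENCE = 0x02, 0x04, 0x06, 0x30   # universal tags
IPADDRESS, TIMETICKS, TRAP_PDU = 0x40, 0x43, 0xA4                # application 0/3, context 4
GENERIC_TRAP = {n: "SNMP_GENERICTRAP_" + s for n, s in enumerate(
    ["COLDSTART", "WARMSTART", "LINKDOWN", "LINKUP", "AUTHFAILURE",
     "EGPNEIGHLOSS", "ENTERSPECIFIC"])}

def tlv(tag, body):
    """Tag-length-value; lengths of 128 or more use the long definite form."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def enc_int(v, tag=INTEGER):
    """Minimal two's-complement encoding; TimeTicks reuse it with its own tag."""
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >= 0x80:                         # base-128, high bit means "more follows"
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

def build_v1_trap(community, enterprise, agent_ip, generic, specific, uptime, varbinds=()):
    """Message ::= SEQUENCE { version 0, community, Trap-PDU }; varbind values are strings."""
    vbl = b"".join(tlv(SEQUENCE, enc_oid(o) + tlv(OCTET_STRING, v.encode()))
                   for o, v in varbinds)
    pdu = (enc_oid(enterprise)
           + tlv(IPADDRESS, bytes(int(x) for x in agent_ip.split(".")))
           + enc_int(generic) + enc_int(specific) + enc_int(uptime, TIMETICKS)
           + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode())
               + tlv(TRAP_PDU, pdu))

def read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long form: low bits count the length bytes
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def dec_int(body):
    return int.from_bytes(body, "big", signed=True)

def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_v1_trap(msg):
    """Decode a v1 trap into a dict; rejects other versions and non-trap PDUs."""
    tag, body, _ = read_tlv(msg, 0)
    _, ver, pos = read_tlv(body, 0)
    if tag != SEQUENCE or dec_int(ver) != 0:
        raise ValueError("not an SNMPv1 message")
    _, comm, pos = read_tlv(body, pos)
    tag, pdu, _ = read_tlv(body, pos)
    if tag != TRAP_PDU:
        raise ValueError("not a Trap-PDU")
    fields, pos = [], 0
    while pos < len(pdu):          # enterprise, agent-addr, generic, specific, ticks, varbinds
        _, item, pos = read_tlv(pdu, pos)
        fields.append(item)
    ent, addr, gen, spec, ticks, vbl = fields
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, o, p = read_tlv(vb, 0)
        _, v, _ = read_tlv(vb, p)
        varbinds.append((dec_oid(o), v.decode("latin-1")))
    return {"community": comm.decode("latin-1"), "enterprise": dec_oid(ent),
            "agent": ".".join(map(str, addr)),
            "generic": GENERIC_TRAP.get(dec_int(gen), "UNKNOWN"),
            "specific": dec_int(spec), "uptime": dec_int(ticks), "varbinds": varbinds}

def is_auth_failure(msg):
    """Flags the trap the SNMP service raises for a request whose community name it rejects."""
    return parse_v1_trap(msg)["generic"] == "SNMP_GENERICTRAP_AUTHFAILURE"

# Constructed sample: agent 192.0.2.10 (documentation address) under enterprise
# 1.3.6.1.4.1.311 (Microsoft, from the chapter's list) reports an authentication
# failure and carries sysName (1.3.6.1.2.1.1.5.0) as its varbind.
SAMPLE_TRAP = build_v1_trap("public", "1.3.6.1.4.1.311", "192.0.2.10", generic=4,
                            specific=0, uptime=123456,
                            varbinds=[("1.3.6.1.2.1.1.5.0", "NTSERVER1")])
```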

Each SNMP command event is assigned a unique PDU number. In SNMP version 1, there are five PDUs (see Table 5.5).

Table 5.5 SNMP version 1 command PDUs.













SNMP version 2 changed the command set: new PDUs were added, but they do not conflict with the earlier ones. Table 5.6 shows the changes in the PDUs that are available with SNMP version 2. The SNMP version 1 Get, GetNext, and Set requests stay the same. The only change to the GetResponse is its name; with SNMP version 2, it is simply called a Response. The SNMP version 1 Trap becomes obsolete, and the SNMP v2 Trap is its replacement.

Table 5.6 SNMP version 2 requests.

















SNMP v2 Trap


Selected List of Object Identifiers

SNMP uses the data pointing structure of the Abstract Syntax Notation version 1 (ASN.1). This uses a tree structure to point at the item of data or object that we want. When we build OIDs out of this tree, we separate each branch with a period. These are often referred to as dotted paths. The next few pages list the most common branches beneath the MIB tree located at

Common MIB Paths

The first branches deal with the categories including the Systems Group, the Interfaces Group, the IP Group, the TCP Group, the UDP Group, the EGP Group, the Transmission Group, and the SNMP Group. They are in the following list:


MIB II Objects

These objects are listed in order of their name, OID path, and a brief description (see Table 5.7).

Table 5.7 MIB II objects.


OID Path



A text description of the system supported by this agent.


The vendor's OID of the agent in the system.


The time in milliseconds since the agent was started.


The contact for this agent and how to contact it.


An administrator-assigned name.


The physical location of this node.


A value that indicates the set of services supported.


The number of network interfaces.


A list of interface entries.


A row of the ifTable, containing objects for a logical interface.


A unique value for each interface.


A text description of the interface.


The type of physical or link Interface protocol.


The maximum transmission unit (MTU).


An estimate of the interface's current bandwidth.


The interface's address at the Protocol Layer.


The desired state of the interface.


The current operational state of the interface.


The value of sysUpTime at the time the interface became operational.


The total number of octets received on the interface.


The number of subnet unicast packets delivered on the interface.


The number of non-unicast packets delivered on the interface.


The number of non-error packets that were discarded.


The number of inbound packets containing errors at a higher layer.


Packets discarded due to an unsupported protocol.


The total of octets transmitted out of the interface.


The total number of packets sent to a subnet unicast address.


The total number of packets sent to a non-unicast address.


The number of outbound packets that were discarded but did not have errors.


The number of outbound packets that could not be sent because of errors.


The length of the output packet queue in packets.


A reference to MIB definitions.


The network address-to-physical address table.


Each entry contains one network address to physical address.


The interface on which this entry's equivalence is effective.


The media-dependent physical address.


The network address corresponding to the media-dependent physical address.


The indicator that this system can forward datagrams received but not addressed to it.


The time-to-live field of the IP datagrams originated at this system.


The total number of input datagrams received from interfaces.


The number of input datagrams discarded due to errors.


The number of datagrams discarded because their destination address was not valid for this system.


The number of datagrams received but not discarded because of an unknown protocol.


The number of datagrams discarded because of an unknown or unsupported protocol.


The number of IP datagrams received with no problems but still discarded by the system.


The total number of input datagrams successfully delivered to IP user-protocol.


The total number of IP datagrams that local protocols passed to IP.


The number of outbound IP datagrams that were discarded but had no errors.


The number of IP datagrams discarded because the system could not find a route.


The maximum number of seconds IP holds received fragments awaiting reassembly.


The number of IP fragments needing reassembly.


The number of IP datagrams successfully reassembled.


The number of failed reassembled IP datagrams.


The number of IP fragments that have been reassembled.


The number of IP packets that have been discarded because they could not be fragmented.


The number of IP datagram fragments that IP has generated.


The table of IP addressing information.


Information for one of the system's IP addresses.


The IP address to which this entry's addressing information pertains.


The index value that uniquely identifies the interface to which this entry is applicable.


The subnet mask associated with the IP address of this entry.


The value of the least-significant bit in the IP broadcast address.


The size of the largest IP datagram that this system can reassemble from IP fragments.


The IP routing table.


An entry in the route table.


A route to a particular destination.


The value that identifies the local interface through which the datagram should reach the next hop.


The primary routing metric for this route.


An alternative route metric for this interface.


An alternative route metric for this interface.


An alternative route metric for this interface.


The IP address of the next hop of this interface.


The type of route.


The way the system learned the route.


The number of seconds since IP last updated this route.


The mask to be logically ANDed with the destination.


The IP address translation table for mapping IP to physical addresses.


Each entry contains one address to physical equivalence.


The interface on which this entry's equivalence is effective.


The media-dependent physical address.


The IP address corresponding to the media-dependent physical address.


The type of mapping.


The number of routing entries that IP discarded even though they were valid.


The total number of ICMP messages that the system received.


The number of ICMP Destination Unreachable messages received.


The number of ICMP Time Exceeded messages received.


The number of ICMP Parameter Problem messages received.


The number of ICMP Source Quench messages received.


The number of ICMP Redirect messages received.


The number of ICMP Echo requests received.


The number of ICMP Echo Reply messages received.


The number of ICMP Timestamp (request) messages received.


The number of ICMP Timestamp Reply messages received.


The number of ICMP Address Mask request messages received.

icmpInAddrMaskReps: The number of ICMP Address Mask Reply messages received.


The total number of ICMP messages that the system attempted to send.


The number of ICMP messages that this system did not send due to ICMP problems.


The number of ICMP Destination Unreachable messages sent.


The number of ICMP Time Exceeded messages sent.


The number of ICMP Parameter Problem messages sent.


The number of ICMP Source Quench messages sent.


The number of ICMP Redirect messages sent.


The number of ICMP Echo requests sent.


The number of ICMP Echo replies sent.


The number of ICMP Timestamp messages sent.


The number of ICMP Timestamp Reply messages sent.


The number of ICMP Address Mask Request messages sent.


The number of ICMP Address Mask Reply messages sent.


The algorithm used to determine the timeout value.


The minimum, in milliseconds, for the retransmission timeout.


The maximum, in milliseconds, for the retransmission timeout.


The maximum number of TCP connections the system can support.


How many TCP connections transitioned to the SYN-SENT state from the CLOSED state.


How many TCP connections transitioned to the SYN-RCVD state from the listen state.


How many TCP connections have not completed the SYN handshake procedure.


How many times TCP has gone to the CLOSED state from ESTABLISHED or CLOSE-WAIT state.


How many TCP connections are currently in the ESTABLISHED or CLOSE-WAIT state.


The total number of segments received, including those received in error.


The total number of segments sent, excluding those containing only retransmitted octets.


The total number of segments retransmitted.


A table containing TCP connection-specific information.


Information about a particular current TCP connection.


The state of this TCP connection.


The local IP address for this TCP connection.


The local port number for this TCP connection.


The remote IP address for this TCP connection.


The remote port number for this TCP connection.


The total number of segments received in error.


The number of TCP segments sent containing the RST flags.


The total number of incoming UDP datagrams.


The total number of UDP datagrams received where there were no ports on the receiving end.


The number of received UDP datagrams that are undeliverable, but not because of the UDP port.


The total number of UDP datagrams sent from this system.


A table containing UDP listening information.


Information about a current UDP listener.


The local IP address for this UDP listener.


The local port number for this UDP listener.


Total SNMP packets received.


Total SNMP messages the agent sent to the transport service.


Total SNMP messages delivered with an unsupported SNMP version.


Total SNMP messages delivered with an unknown community name.

snmpInBadCommunityUses: Total SNMP messages with an operation not allowed by the community.


Total ASN.1 errors found when decoding SNMP packets.


Not used.


Total SNMP PDUs delivered with an error status of Too Big.


Total SNMP PDUs delivered with an error status of No Such Name.


Total SNMP PDUs delivered with a status of Bad Value.


Total SNMP PDUs delivered with an error status of Read-Only.


Total SNMP PDUs delivered with an error status field value of Generr (general error).


Total MIB objects the agent retrieved successfully.


Total MIB objects the agent altered successfully.


Total SNMP Get-Request PDUs accepted and processed.


Total SNMP Get-Next PDUs accepted and processed.


Total SNMP Set-Requests PDUs accepted and processed.


Total SNMP Get-Response PDUs accepted and processed.


Total SNMP Trap PDUs accepted and processed.


Total SNMP PDUs sent with an error status field of Too Big.


Total SNMP PDUs sent with an error status of No Such Name.


Total SNMP sent with a status of Bad Value.


Total SNMP sent with an error status of Read-Only.


Total SNMP sent with an error status field value of Generr (general error).


Total SNMP Get requests sent.


Total SNMP GetNext requests sent.


Total SNMP Set requests sent.


Total SNMP GetResponses sent.


Total SNMP Trap PDUs sent.


Indicates whether the agent can generate Authentication-Failure traps.

LAN Manager MIB

Although many of the following are obsolete, they still can be used for the purpose of some basic service management:


Microsoft MIB Objects

The following MIBs are found under the Microsoft Enterprise object. There are more specific definitions found in the Microsoft Windows NT Resource Kit.


SNMP Monitor

The SNMP Monitor, found in the BackOffice and Windows NT Resource Kits, is a utility that can monitor any SNMP MIB variables across any number of SNMP nodes. It can then optionally log query results to a repository, which can be any ODBC data source (such as SQL Server), automatically creating any necessary tables. Logging can be enabled for all queries or limited to particular thresholds, and thresholds can be either edge- or level-triggered.

Rudimentary conditionals are also possible. SNMP Monitor can execute arbitrary command lines based on whether the node responded to the query, whether the node supported the requested variable, and whether the value was greater than, less than, or equal to a specified constant.

SNMP Monitor is a standalone executable that accepts a configuration file as input. By default, if no configuration file is specified, the SNMP Monitor does not successfully monitor anything. The configuration file is a text file that consists of one or more monitored node definitions separated by at least one blank line or C++-style comment line. A definition consists of the scope declaration followed by one or more conditional statements.

The syntax for the scope declaration is as follows:

<Node ID> <OID> <Poll interval> <Default log setting> [<ODBC data source> <ODBC table name> <ODBC user ID> [<ODBC password>]]

Available options include the following:

  • <Node ID> This can be a computer name without backslashes (for example, STEVE), a dotted IP address (for example,, or a colon followed by the path to a text file containing a list of computer names or IP addresses. There must be one entry per line, and blank lines are ignored (for example, :c:\snmpmon\config\nodes.snmp).

  • <OID> This is the dotted object identifier within the MIB namespace (for example,

  • <Poll interval> This is the number of seconds between each poll of this monitored node.

  • <Default log setting> This can be one of the following values:

    0 Do not log any data unless specified by one of the conditionals.

    1 Log all query results, ignoring the log settings in the conditionals.

  • <ODBC data source> Refers to the name of the ODBC data source to which to direct logged data.

  • <ODBC table name> Refers to the name of the table within the data source to which to direct logged data. If this table does not exist, it is created.

  • <ODBC user ID> Refers to the user ID used to connect to the ODBC data source.

  • <ODBC password> Refers to the password used to connect to the ODBC data source. If this parameter is omitted, no password is used.

The scope declaration is followed immediately by any number of conditional statements. Each conditional has the following format:

<Condition> <Log trigger> [<Command-line trigger> <Command-line timeout> <Command line>]
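An added example (not the Resource Kit's own code) that parses a configuration file with the scope-declaration layout above into Python objects: it separates definitions on blank or C++-style comment lines, validates the four required fields and the optional ODBC block, and recognizes the three Node ID forms. Conditional lines are kept as raw tokens because only their field positions are given here, and the sample file text is constructed.

```python
"""Added example (not the Resource Kit's code): parse an SNMP Monitor configuration
file into scope declarations and raw conditional lines, following only the field
layout given in the chapter. The sample file text is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Scope:
    node: str                 # computer name, dotted IP address, or ':' + path of a node list file
    oid: str                  # dotted object identifier to poll
    poll_interval: int        # seconds between polls
    default_log: int          # 0 = log only what a conditional asks for, 1 = log every result
    odbc: Optional[dict] = None
    conditionals: List[List[str]] = field(default_factory=list)

def node_kind(node: str) -> str:
    """Which of the three Node ID forms this is."""
    if node.startswith(":"):
        return "node-list-file"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", node):
        return "ip-address"
    return "computer-name"

def parse_scope(line: str) -> Scope:
    tok = line.split()
    if len(tok) < 4:
        raise ValueError(f"scope declaration needs node, OID, poll interval and log setting: {line!r}")
    node, oid, poll, log = tok[:4]
    if node_kind(node) == "computer-name" and "\\" in node:
        raise ValueError("give the computer name without backslashes")
    if not re.fullmatch(r"\.?\d+(\.\d+)+", oid):
        raise ValueError(f"not a dotted OID: {oid}")
    if log not in ("0", "1"):
        raise ValueError(f"default log setting must be 0 or 1: {log}")
    odbc = None
    if len(tok) > 4:                       # optional ODBC block: data source, table, user ID, [password]
        if len(tok) not in (7, 8):
            raise ValueError("ODBC block needs data source, table name, user ID and optional password")
        odbc = dict(zip(("source", "table", "user", "password"), tok[4:]))
        odbc.setdefault("password", "")    # an omitted password means no password is used
    return Scope(node, oid, int(poll), int(log), odbc)

def parse_config(text: str) -> List[Scope]:
    """Definitions are separated by blank lines or C++-style comment lines; the first line
    of each is its scope declaration and every following line is a conditional."""
    scopes: List[Scope] = []
    current: Optional[Scope] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            current = None                 # separator: the next non-blank line starts a new definition
            continue
        if current is None:
            current = parse_scope(line)
            scopes.append(current)
        else:
            current.conditionals.append(line.split())   # <Condition> <Log trigger> [...] kept as tokens
    return scopes

SAMPLE_CONFIG = """\
// constructed sample: poll sysUpTime on one host every 60 s and log every result to ODBC
NTSERVER1 .1.3.6.1.2.1.1.3.0 60 1 PerfDB snmplog monitor

// hosts from a node list file, logged only when a conditional asks for it
:c:\\snmpmon\\config\\nodes.snmp .1.3.6.1.2.1.2.2.1.10.1 30 0
"""
```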

PERF2MIB.EXE: Performance Monitor MIB Builder Tool

Using PERF2MIB.EXE, Performance Monitor MIB Builder Tool, developers can create new ASN.1 syntax MIBs for their applications, services, or devices that use Performance Monitor counters. Administrators can then track performance of these components by using any system-management program that supports SNMP.

This tool also creates a .MIB file that can be used by an SNMP-based management console to perform SNMP requests for the performance data in question, and thus monitor performance remotely. This allows all performance data available through the HKEY_PERFORMANCE_DATA Registry key to be exposed through SNMP.

To use this utility, follow these steps:

  1. From a command prompt, navigate to the Resource Kit directory.

  2. Type the following command:

    perf2mib perfmib.mib perfmib.ini memory 1 mem processor 2 cpu "Network Segment" 3 net PhysicalDisk 4 disk

    This translates the Performance Monitor counters, which are specific to Windows NT (here the Memory, Processor, Network Segment, and PhysicalDisk objects), into an SNMP-compatible MIB, perfmib.mib, with its companion perfmib.ini.

  3. Type the following command to compile the MIB:

    mibcc -oc:\reskit\mib.bin -n -t -w2 c:\reskit\smi.mib c:\reskit\LMMIB2.MIB c:\reskit\mib_II.mib perfmib.mib

  4. Stop the SNMP agent by typing the following command:

    net stop snmp

  5. Rename %SystemRoot%\system32\mib.bin to mib.old using the following command (REN takes a bare file name, not a path, as the new name):

    ren %SystemRoot%\system32\mib.bin mib.old

  6. Transfer the new files from the Resource Kit directory to the System directory by typing the following:

    XCOPY C:\RESKIT\perfmib.* %SystemRoot%\system32\
    XCOPY C:\RESKIT\mib.bin %SystemRoot%\system32\

  7. Register perfmib.reg using the following command:

    regedit /s perfmib.reg

  8. Restart the SNMP agent by typing the following command:

    net start snmp

Now you can use the Resource Kit utility SNMPUTIL.EXE to issue SNMP requests (get, getnext, or walk) against the new objects and confirm that the agent answers.

Unicenter TNG Framework

This product, from Computer Associates (CAI), allows full-scale enterprise management for IP and IPX environments. The Unicenter TNG base product offers an extremely rich set of management functions for network and systems management:

  • Security

  • Scheduling and workload

  • Network management

  • Storage

  • Performance

  • Output

  • Resource accounting and chargeback

  • Problem management

  • Complete event management

All these functions are integrated on top of the framework and deliver, in one package, the core set of management functions needed for network and systems management.

The following is a selected list of features in Unicenter TNG:

  • 2D and 3D user interface

  • Object repository

  • Autodiscovery of nodes

  • Calendar management

  • Virus detection

  • Reporting

  • Business-process views

  • Event management

Command-Line Network Monitoring Utilities

There are two primary command-line utilities—NETSTAT and NBTSTAT—that are discussed in the following sections.


NETSTAT

NETSTAT displays TCP/IP protocol session information (see Figure 5.25).


Figure 5.25: NETSTAT.

The syntax for NETSTAT is as follows:

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

The following are switches:

-a

Displays all connections and listening ports. (Server-side connections are normally not shown.)

-e

Displays Ethernet statistics. This may be combined with the -s option.

-n

Displays addresses and port numbers in numeric form.

-p proto

Shows connections for the protocol specified by proto; proto may be tcp or udp. If used with the -s option to display per-protocol statistics, proto may be tcp, udp, or ip.

-r

Displays the contents of the routing table.

-s

Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.

interval

Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics. If omitted, NETSTAT prints the current configuration information one time.
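As an added example (not from the chapter), the following Python script reads the output of netstat -an, the form an administrator captures from a server for review, and turns it into the two checks that matter in practice: which ports are actually accepting input, compared against an allowlist of the services that should be there, and which established sessions have a peer outside the trusted networks. The sample output, the allowlist, and the trusted network range are constructed for the example and are not from the book; to use it on a real host, replace SAMPLE_NETSTAT with captured output.

```python
"""Parse Windows 'netstat -an' output and check it against a listener allowlist."""
import ipaddress
import re
from collections import namedtuple

# Constructed sample of "netstat -an" output in the Windows NT format
# (not captured from a real host). The TCP 12345 listener is the planted
# surprise the allowlist check should catch.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.55:1034      ESTABLISHED
  TCP    192.168.1.10:1027      10.9.8.7:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

# Hypothetical allowlist for a file server that also runs the SNMP agent:
# RPC endpoint mapper, NetBIOS session and name services, and SNMP.
ALLOWED_LISTENERS = {("TCP", 135), ("TCP", 139), ("UDP", 137), ("UDP", 161)}

Conn = namedtuple("Conn", "proto local_addr local_port foreign_addr foreign_port state")

# One socket line: protocol, local addr:port, foreign addr:port, optional state.
# UDP lines show the foreign side as "*:*" and carry no state column.
_SOCKET_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s*$")


def _port(text):
    return None if text == "*" else int(text)


def parse_netstat(text):
    """Return a Conn for every socket line; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _SOCKET_LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        conns.append(Conn(proto, laddr, _port(lport), faddr, _port(fport), state or ""))
    return conns


def listeners(conns):
    """Sockets that accept input: TCP sockets in LISTENING state and every UDP socket."""
    return sorted({(c.proto, c.local_port) for c in conns
                   if c.proto == "UDP" or c.state == "LISTENING"})


def unexpected_listeners(conns, allowed):
    """Listeners absent from the allowlist; each one is a finding to explain or remove."""
    return [entry for entry in listeners(conns) if entry not in allowed]


def foreign_sessions(conns, trusted_networks):
    """Established TCP sessions whose peer lies outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        peer = ipaddress.ip_address(c.foreign_addr)
        if not any(peer in net for net in nets):
            hits.append(c)
    return hits


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for proto, port in unexpected_listeners(conns, ALLOWED_LISTENERS):
        print("unexpected listener: %s %d" % (proto, port))
    for c in foreign_sessions(conns, ["192.168.1.0/24"]):
        print("session to untrusted peer: %s:%d -> %s:%d"
              % (c.local_addr, c.local_port, c.foreign_addr, c.foreign_port))
```

Every UDP socket counts as a listener because netstat shows no state for UDP; a stray UDP port is as much a finding as a stray TCP one. The allowlist is deliberately per-role: the same script with a different ALLOWED_LISTENERS set serves a domain controller or a workstation.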


NBTSTAT

NBTSTAT reports statistics and connections for NetBIOS over TCP/IP. The most common switch for NBTSTAT is -r, which reports complete name-resolution statistics for Windows networking. Note that the -a and -A switches read the remote machine's name table over UDP port 137 without any authentication, so any host that can reach that port learns the computer name, domain, running services, and the logged-on user's name; this is one reason NetBIOS over TCP/IP should not be reachable from untrusted networks.

The syntax for NBTSTAT is as follows:

NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]

The following are switches:

-a RemoteName

(adapter status) Lists the remote machine's name table given its name.

-A IP address

(Adapter status) Lists the remote machine's name table given its IP address.

-c

Lists the remote name cache including the IP addresses.

-n

Lists local NetBIOS names.

-r

Lists names resolved by broadcast and via WINS.

-R

Purges and reloads the remote cache name table.

-S

Lists sessions table with the destination IP addresses.

-s

Lists sessions table converting destination IP addresses to host names via the HOSTS file.

RemoteName

Remote host machine name.

IP address

Dotted decimal representation of the IP address.

interval

Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics.


Service Pack 4 of Windows NT added an enhancement to the NBTSTAT utility: the new -RR switch sends name-release requests to the WINS server for the local computer's registered NetBIOS names and then re-registers them, without a system reboot. This is the quick fix when the WINS database holds a stale or conflicting registration for the computer.
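The value of nbtstat -A to an attacker is what can be read off the name table without credentials. As an added example (not from the chapter), the following Python script parses nbtstat -A output, decodes the NetBIOS name suffixes, and reports the computer name, the domain, whether the Server service is offering shares, whether the machine is a master browser or domain controller, and the logged-on user name taken from the Messenger service <03> registration. The sample output and the names in it are constructed for the example and are not from the book; the suffix table covers the common Windows NT registrations.

```python
"""Parse 'nbtstat -A <ip>' output and profile the host from its NetBIOS name table."""
import re

# Constructed sample of "nbtstat -A" output in the Windows NT format
# (not captured from a real host).
SAMPLE_NBTSTAT = """
       NetBIOS Remote Machine Name Table

   Name               Type         Status
------------------------------------------------------
STEVE          <00>  UNIQUE      Registered
GATECITY       <00>  GROUP       Registered
STEVE          <20>  UNIQUE      Registered
GATECITY       <1E>  GROUP       Registered
GATECITY       <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
STEVE          <03>  UNIQUE      Registered
SBTHOMAS       <03>  UNIQUE      Registered

MAC Address = 00-A0-C9-12-34-56
"""

# Meaning of the 16th-byte suffix for the common registrations.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service (computer name or logged-on user)",
    ("20", "UNIQUE"): "Server Service (file and print shares)",
    ("1B", "UNIQUE"): "Domain Master Browser (PDC)",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser for the subnet",
    ("1E", "GROUP"): "browser service elections",
    ("01", "GROUP"): "__MSBROWSE__ (master browser announcement)",
}

# A table row: name, <suffix>, UNIQUE|GROUP, status. The name may butt against "<".
_NAME_LINE = re.compile(r"^(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")
_MAC_LINE = re.compile(r"MAC Address\s*=\s*(\S+)")


def parse_nbtstat(text):
    """Return ([(name, suffix, type, status), ...], mac_address_or_None)."""
    entries, mac = [], None
    for line in text.splitlines():
        m = _NAME_LINE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            entries.append((name, suffix.upper(), kind, status))
            continue
        m = _MAC_LINE.search(line)
        if m:
            mac = m.group(1)
    return entries, mac


def profile(entries):
    """Derive what an attacker or auditor reads off the table."""
    def names(suffix, kind):
        return [n for n, s, k, _ in entries if s == suffix and k == kind]

    computer = (names("00", "UNIQUE") or [None])[0]
    domain = (names("00", "GROUP") or [None])[0]
    return {
        "computer": computer,
        "domain": domain,
        "file_server": computer in names("20", "UNIQUE"),
        # Messenger registers the computer name and each logged-on user name as <03>.
        "logged_on_users": sorted(n for n in names("03", "UNIQUE") if n != computer),
        "master_browser": bool(names("1D", "UNIQUE")),
        "domain_master_browser": bool(names("1B", "UNIQUE")),
        "domain_controller": bool(names("1C", "GROUP")),
    }


def describe(entries):
    """One human-readable line per registration, using the suffix table."""
    return ["%-15s <%s> %-6s %s" % (n, s, k, SUFFIX_MEANING.get((s, k), "unknown suffix"))
            for n, s, k, _ in entries]


if __name__ == "__main__":
    entries, mac = parse_nbtstat(SAMPLE_NBTSTAT)
    print("\n".join(describe(entries)))
    print("MAC:", mac)
    for key, value in profile(entries).items():
        print("%-22s %s" % (key + ":", value))
```

Run against a whole subnet's worth of captured nbtstat -A output, the profile() dictionaries give a fast inventory of which hosts offer shares, which one won the browser election, and which user accounts are exposed on which machines, which is exactly why the name service should be filtered at the perimeter.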

Using the Resource Kit Management Tools

So far, we have mentioned built-in utilities that Windows NT provides for network management along with a few third-party utilities relating to disk and network management. The Resource Kit also has some graphical management utilities that enable you to further manage specific services in a much more detailed manner.

Domain Monitor

Domain Monitor is a Resource Kit utility that monitors the status of the servers in a specified domain, including each server's secure channel to the domain controller (PDCLinkStatus) and to the domain controllers of trusted domains (TDCLinkStatus). If any status shows errors, Domain Monitor displays a status icon along with the domain controller name and the list of trusted domains. You can find the cause of an error by looking up the reported error number in the Windows NT Messages database.

Domain Monitor connects to servers to retrieve status information using the current user's username and password. Therefore, if the current user account doesn't exist in a domain or in the database of a trusted domain, the status query may fail. Any user who is logged on can query the status information, but only administrators can use the Disconnect button to disconnect and restore connections.

The status of a domain is shown in one of following states:

  • Success Indicates that all servers in the domain are running, and PDCLinkStatus and TDCLinkStatus show only successful connections (no errors).

  • Problem Indicates a problem that may require attention. This icon appears when any server in the domain has an error under PDCLinkStatus or TDCLinkStatus, or when any server in the domain is down.

  • Warning Indicates a severe problem that requires attention. This icon appears when the status for any server or domain controller shows an error, or when the domain's domain controller is down.

  • Domain Down Displayed when all servers in the domain are down.

  • Unknown Displayed while Domain Monitor is checking connections.

The NET WATCH Utility

This Resource Kit utility shows which users are connected to shared directories. It also enables you to disconnect users and un-share directories. It can simultaneously monitor multiple computers. If a user or set of users reports being unable to access a server, you can check to see who can connect to it. To use NET WATCH, the Server Service must be started and you must be logged on as a member of the Administrators group for any computer you are trying to watch.

Look at the following syntax:

     netwatch \\computername1 [\\computername2 ... \\computernameN]

computername1 to N are the names of the computers whose users you want to monitor.

To indicate the network connections you want to watch on the Options menu, click Show Open Files, Show Hidden Shares, or Show In Use Shares Only.

NET WATCH updates the list of connected users every 30 seconds or whenever you press F5. You can view more details on a resource by double-clicking it or by selecting it and pressing Alt+Enter. The Manage Shared Folders dialog box (Ctrl+S) lists and shows the paths of the shared folders of the computer.


Remote Shutdown

REMOTE SHUTDOWN, a Resource Kit utility, is a batch file that runs SHUTCMD.EXE when it is given parameters and SHUTGUI.EXE when it is run without them.

SHUTCMD.EXE and SHUTGUI.EXE are, respectively, a command-line utility and a GUI utility; both enable you to shut down or reboot a local or remote Windows NT Server or Windows NT Workstation. Shutting down a remote computer requires the Force shutdown from a remote system user right on that computer, which Administrators hold by default; the utility runs under the credentials of the logged-on user, so it is only as trustworthy as that account.

Look at the following syntax:

shutcmd [/?] [\\computername] [/L] [/A] [/R] [/T:xx] [msg] [/Y] [/C]

/? (or shutdown without parameters) -

Shows all command-line options.

\\computername -

Specifies a remote computer to shut down. If no name is given but the utility is started with any of the other options, the local computer name is used.

/L -

Specifies a local shutdown.

/A -

Aborts a system shutdown. This is only possible during the timeout period. If this switch is used, all others are ignored.

/R -

Specifies that the computer should reboot after shutdown.

/T:xx -

Sets the timer for system shutdown to xx seconds. The default is 20 seconds.

msg -

Specifies an additional message, with a maximum of 127 characters.

/Y -

Answers all following questions with yes.

/C -

Forces running applications to close.

Browser Monitor

The Browser Monitor Resource Kit utility monitors the status of browsers on selected domains. Browsers are shown on a per-domain and per-transport basis. In the main window, Browser Monitor displays various status icons and identifies the domain, transport, and Master Browser. Browser Monitor connects to servers to retrieve status information using the current user's username and password. Therefore, if the current user account doesn't exist in a domain, the status query may fail. Any user who is logged on can query the status information.

About the Author

Steven B. Thomas has been involved in teaching various areas of Windows NT for the past several years. As president of Gate City Consulting, Steven created a firm dedicated to providing consulting, training, and course-development services to clients for the purpose of establishing real-world implementations of business solutions.

Steve is also a Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT). Owing to his UNIX and Novell background, Steve is also a Certified NetWare Administrator (CNA).

Copyright © 1999 MacMillan Technical Publishing

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice. International rights = English only.
