
Chapter 10 - Monitoring Your Network

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Network administrators can use Microsoft Windows NT Network Monitor to capture and display frames (also called packets) to detect and troubleshoot problems on local area networks (LANs). For example, you can use Network Monitor to diagnose hardware and software problems when two or more computers cannot communicate. You can also capture network activity and then send the capture file to professional network analysts or support organizations.

Network application developers can use Network Monitor to monitor and debug network applications as they are developed.

Note To use Network Monitor effectively, you must understand network protocol formats, protocol procedures, and network operating systems. Although that information is beyond the scope of this chapter, it is available from other publishers. For additional resources, see "Network Monitor Guide to Books on Networking" and the "Network Monitor Guide to Reports on Networking" in Network Monitor Help.

Install Network Monitor and the Network Monitor Agent using the Services tab of the Network option in Control Panel by choosing Network Monitor Tools and Agent. After you install Network Monitor, you can start it from the Programs, Administrative Tools (Common) menu on the Start button, or from the command line.

Editing and Transmitting Frames 

Microsoft Systems Management Server (SMS) also includes a version of Network Monitor. In addition to the functionality described in this chapter, the SMS version can also capture frames sent to or from any computer on the network, edit and transmit frames on the network, and remotely capture frames (for example, over a dial-up network connection) from other computers on the network running Network Monitor Agent (including computers running Windows NT Workstation and Windows 95).

Network Monitor Overview

Network Monitor monitors the network data stream, which consists of all information transferred over a network at any given time. Prior to transmission, this information is divided by the network software into smaller pieces, called frames or packets. Each frame contains the following information:

  • The source address of the computer that sent the message

  • The destination address of the computer that received the frame

  • Headers from each protocol used to send the frame

  • The data or a portion of the information being sent

To ensure that security is maintained on your Windows NT network, Windows NT Network Monitor displays only those frames sent to or from your computer, broadcast frames, and multicast frames. For more information, see "Network Monitor Security" later in this chapter.

Network Monitor can capture only as much information as fits in available system memory. Fortunately, you usually need to capture only a small subset of the frames traveling on your network. To single out a subset of frames, design a capture filter, which functions like a database query. You can filter on the basis of source and destination addresses, protocols, protocol properties, or by specifying a pattern offset. For more information on filters, see "Capture Filters" later in this chapter.

To have a running capture respond to events on your network as soon as they are detected, design a capture trigger. A capture trigger performs a specified action, (such as starting an executable file) when Network Monitor detects a particular set of conditions on the network. For more information on triggers, see "Capture Triggers" later in this chapter.

Network Monitor supports dozens of popular protocols, including NetBIOS (NetBEUI), IPX, SPX, and many TCP/IP-related protocols. For a complete list, see "Supported Protocol Parsers" later in this chapter.

After you have captured data (and have optionally saved the data to a capture file), you can view it. Network Monitor does much of the data analysis for you by translating the raw capture data into its logical frame structure. For more information, see "Capturing and Displaying Frames" later in this chapter.

The core functionality of Network Monitor, as described in this chapter, is supported by Microsoft Product Support Services. Network-dependent tasks, such as interpreting data that you capture from your network, are not supported.

For more information on capturing frames, see "Capturing Network Data" later in this chapter.

For more information on displaying previously captured data that has been saved in a capture file, see "Displaying Captured Data" later in this chapter.

Network Monitor Security

For security reasons, Windows NT Network Monitor captures only those frames, including broadcast and multicast frames, sent to or from the local computer. Network Monitor also displays overall network segment statistics for broadcast frames, multicast frames, network utilization, total bytes received per second, and total frames received per second.

Windows NT Network Monitor uses a new network driver interface specification (NDIS) version 4.0 feature to copy all frames it detects to its capture buffer (a resizable storage area in memory). The process by which Network Monitor copies frames is referred to as capturing.

Note Because Network Monitor uses NDIS 4.0 instead of promiscuous mode (where the network adapter card passes on all frames sent on the network), you can use Network Monitor even if your network adapter card does not support promiscuous mode. Networking performance is not affected when you use an NDIS 4.0 driver to capture frames. (Putting the network adapter card in promiscuous mode can put an additional 30 percent or more load on the CPU.)

In addition, to help protect your network from unauthorized use of Network Monitor installations, Network Monitor provides:

  • Password protection

  • The capability to detect other installations of Network Monitor on the local segment of your network

Setting Capture and Display Passwords

Use the Monitoring Agent icon in the Windows NT Control Panel to change the capture and display passwords for Network Monitor or for the Network Monitor Agent:

  • A capture password allows the user to capture statistics from the network and to display captured data.

  • A display password allows the user to open only previously saved capture (.cap) files.

If you installed both Network Monitor and the Network Monitor Agent, the capture and display passwords apply both to Network Monitor and to the installation of the Network Monitor Agent on that computer.

Caution If the Network Monitor Agent is installed on your computer, the service is running, and no password is set, anyone using Network Monitor from a Systems Management Server computer can connect to your computer and use it to capture from your network.

Detecting Other Installations of Network Monitor

To protect your network from unauthorized monitoring, Network Monitor can detect other installations of Network Monitor on the local segment of your network. Network Monitor also detects all instances of the Network Monitor Agent being used remotely (by either Network Monitor from SMS or Windows NT Performance Monitor) to capture data on your network.

When Network Monitor detects other Network Monitor installations on the network, it displays the following information about them:

  • Name of the computer

  • Name of the user logged on at the computer

  • State of Network Monitor on the remote computer (Driver Installed, Running, Capturing, or Transmitting)

  • Adapter address of the remote computer

  • Version number of Network Monitor on the remote computer

Note In some instances, your network architecture might prevent one installation of Network Monitor from detecting another. For example, if an installation is separated from yours by a router that does not forward multicasts, your installation cannot detect that installation.

Network Monitor Help

Network Monitor Help contains procedures to guide you through the tasks relating to the information covered in this chapter. In addition, two types of additional Help are available: Property and Protocol.

Property Help is available from the Detail window when you view a capture. Property Help gives you a quick way to view a protocol command reference when focused on a specific command. Currently, Property Help is available only for the Server Message Block (SMB) protocol.

Protocol Help includes an introduction to and the contents of the SMB protocol specification.

For more information about the Detail window and viewing captures, see "Displaying Captured Data" later in this chapter.

Configuring Network Monitor and the Network Monitor Agent

Use the Network Monitoring Agent option in Control Panel to describe each network card in your computer and to reset the Network Monitor defaults. Resetting Network Monitor defaults resets all Network Monitor settings.

Describing each network card is particularly useful if your computer has multiple network cards, or when other people using SMS Network Monitor are using the Network Monitor Agent on your computer. Describing each network card in your computer makes it easier to identify which card you are using to capture and, if someone is using the SMS Network Monitor to capture frames from your computer, which computer they are using to capture.

For more information, open the Control Panel folder, double-click Monitoring Agent, and click Help.

Supported Protocol Parsers

A protocol parser is a dynamic-link library (.DLL) that identifies the protocols used to send a frame onto the network. Information about these protocols appears when you display captured frames in the Frame Viewer window. For each protocol that Network Monitor supports, there is a corresponding parser.

The following is a list of the protocols that Network Monitor supports. The SMS Network Monitor supports additional parsers.

If you want to capture data sent in a protocol that Network Monitor does not support, use the SMS Network Monitor or add your own parser.

Capturing Network Frames

As mentioned earlier, capturing occurs when a network card passes a subset of the frames traveling on the network to Network Monitor. Network Monitor stores these frames in the capture buffer, a resizable region of memory. If the capture buffer overflows, the newest frame added to the buffer replaces the oldest frame. To prevent the capture buffer from overflowing and to make frame analysis easier, use a capture filter to capture only those frames that meet criteria you define. To have a running capture respond to events on your network as soon as they are detected, design a capture trigger.

This section describes how to:

  • Use the Network Monitor Capture window.

  • Capture data from the network.

  • Design a capture filter.

  • Design a capture trigger.

Network Monitor Capture Window

As frames are captured from the network, statistics about the frames are displayed in the Network Monitor Capture window.


The Network Monitor Capture window includes the following panes:

  • A graphical representation of the activity currently taking place on the network

  • Session Stats: Statistics about individual sessions currently taking place on the network

  • Station Stats: Statistics about the sessions participated in by the computer running Network Monitor

  • Total Stats: Summary statistics about the network activity detected since the capture process began

Capturing and Displaying Frames

Frames captured from the network are copied to the capture buffer, a reserved storage area in memory. Information about these frames appears as they are captured in the Network Monitor Capture window. To control capture status, choose Start, Stop, Stop and View, Pause, or Continue from the Capture menu.

Note Network Monitor displays session statistics from the first 100 unique network sessions that it detects. To reset statistics and see information on the next 100 network sessions detected, click Clear Statistics on the Capture menu.

Customizing Capture Buffer Settings

Captured frames are stored in the capture buffer. When the capture buffer overflows, each new frame replaces the oldest frame in the buffer.

Four elements affect how quickly the capture buffer will be filled:

  • Capture buffer size

  • Frame size

  • Capture filter

  • Volume of network traffic

The first three of these elements can be customized.

Capture Buffer Size

The capture buffer is stored in memory, not on disk. Although Network Monitor can use virtual memory to store a capture buffer, it is better to use a buffer large enough to ensure that critical frames are not dropped. However, it should be small enough to prevent Windows NT from swapping part of the capture buffer to disk. (The default maximum capture buffer size is 8 MB less than the amount of RAM installed on your computer.)

Frame Size

Although you cannot adjust the frame size, you can store only part of the frame, thus reducing the amount of wasted capture buffer space. For example, if you are interested in only the data in the frame header, set the Frame Size (in bytes) to the size of the frame header. Network Monitor discards the remaining frame data as it stores frames in the capture buffer, thereby using less capture buffer space.

Capture Filter

For more information on creating a capture filter, see "Capture Filters" later in this chapter.

Building an Address Database

Sometimes you'll need to capture only those frames that originate with specific computers. To do this, you must know the addresses of the computers on your network.

Network Monitor can associate a computer's hexadecimal address with its more familiar name. After these associations are made, you can save the names to an address database (.adr) file that can be used to design capture filters and display filters. For more information on how to do this, see "Capture Filters" and "Designing a Display Filter" later in this chapter.

Avoiding Dropped Frames

In addition to setting a sufficient buffer size and capture filter, you can put Network Monitor into dedicated Capture mode, in which the Network Monitor Capture window statistics are replaced by the following dialog box:


By not displaying and updating Capture window statistics, Network Monitor reduces the load on the CPU, thereby reducing the chance that packets will be dropped. Use this option if you are running Network Monitor on a busy computer.

For more information on creating a Capture Filter, see "Capture Filters" later in this chapter.

Working With Multiple Network Adapters

If your computer uses multiple network adapters, use Network Monitor to collect data from each of them, either by switching between the adapters or by running multiple instances of Network Monitor.

To switch between adapters, click Networks on the Capture menu and then select a different adapter.

Capture Filters

A capture filter functions like a database query. Use it to specify the types of network information you want to monitor. For example, to see only a specific subset of computers or protocols, you can create an address database, use the database to add addresses to your filter, and then save the filter to a file. By filtering frames, you save both buffer resources and time. Later, if necessary, you can load the capture filter file and use the filter again.

Designing a Capture Filter

To design a capture filter, specify decision statements in the Capture Filter dialog box. The Capture Filter dialog box displays the filter's decision tree, which is a graphical representation of a filter's logic. When you include or exclude information from your capture specifications, the decision tree reflects these specifications.


Filtering by Protocol

To capture frames sent using a specific protocol, specify the protocol on the capture filter SAP/ETYPE= line. For example, to capture only IP frames, disable all protocols and then enable IP ETYPE 0x800 and IP SAP 0x6. By default, all of the protocols that Network Monitor supports are enabled.

Filtering by Address

To capture frames from specific computers on your network, specify one or more address pairs in a capture filter. You can monitor up to four specific address pairs simultaneously.

An address pair consists of:

  • The addresses of the two computers between which you want to monitor traffic. (An address is a hexadecimal number that identifies a computer uniquely on the network.)

  • Arrows that specify the traffic direction you want to monitor.

  • The INCLUDE or EXCLUDE keyword, indicating how Network Monitor should respond to a frame that meets a filter's specifications.

    Note Regardless of the sequence in which statements appear in the Capture Filter dialog box, EXCLUDE statements are evaluated first. Therefore, if a frame meets the criteria specified in an EXCLUDE statement in a filter containing both an EXCLUDE and an INCLUDE statement, that frame is discarded. Network Monitor does not test that frame against INCLUDE statements to see if it meets those criteria as well.

For example, to capture all the traffic from Joe's computer — except the traffic from Joe to Anne — use the following capture filter address section:


include Joe <--> Any

exclude Joe <--> Anne

Note If there are no include lines, <your computer> <--> Any is used by default.

Filtering by Data Pattern

By specifying a pattern match in a capture filter, you can:

  • Limit a capture to only those frames containing a specific pattern of ASCII or hexadecimal data.

  • Specify how many bytes into the frame the pattern must occur. This number of bytes is known as an offset.

When you filter based on a pattern match, you must specify where the pattern occurs in the frame (how many bytes from the beginning or end). If your network media has a variable size in the media access control (MAC) protocol, such as Ethernet or Token Ring, specify to count from the end of the topology header.
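The filter rules described in the preceding sections (up to four address pairs, the EXCLUDE-before-INCLUDE evaluation order, the default `<your computer> <--> Any` line, and a pattern match at an offset counted from the start of the frame or from the end of the topology header) are modelled in the following Python. This is an added example, not code from Network Monitor or from this chapter; the adapter addresses, the 14-byte placeholder MAC header and the sample frames are constructed for illustration.

```python
"""Model of Network Monitor's capture-filter rules as described in this
chapter: up to four address pairs with INCLUDE/EXCLUDE and a direction,
EXCLUDE evaluated before INCLUDE, a default of <your computer> <--> Any when
no INCLUDE line exists, and an optional pattern match at a byte offset.
Added example, not Network Monitor code; the addresses, frames and the
14-byte MAC header below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Sequence

ANY = "ANY"
MAC_HEADER_LEN = 14  # assumed fixed-length topology header for the constructed frames


@dataclass(frozen=True)
class AddressPair:
    a: str
    b: str
    direction: str   # "<->" either way, "->" a to b only, "<-" b to a only
    include: bool    # True for an INCLUDE line, False for an EXCLUDE line

    def matches(self, src: str, dst: str) -> bool:
        def eq(want: str, got: str) -> bool:
            return want == ANY or want == got
        a_to_b = eq(self.a, src) and eq(self.b, dst)
        b_to_a = eq(self.b, src) and eq(self.a, dst)
        if self.direction == "<->":
            return a_to_b or b_to_a
        return a_to_b if self.direction == "->" else b_to_a


@dataclass(frozen=True)
class PatternMatch:
    pattern: bytes
    offset: int                       # bytes from the start of the frame ...
    from_end_of_header: bool = False  # ... or from the end of the topology header

    def matches(self, data: bytes) -> bool:
        start = self.offset + (MAC_HEADER_LEN if self.from_end_of_header else 0)
        return data[start:start + len(self.pattern)] == self.pattern


class CaptureFilter:
    MAX_PAIRS = 4  # the chapter's limit on address pairs in a capture filter

    def __init__(self, local_addr: str, pairs: Sequence[AddressPair] = (),
                 pattern: Optional[PatternMatch] = None):
        if len(pairs) > self.MAX_PAIRS:
            raise ValueError("a capture filter allows at most four address pairs")
        self.pairs = list(pairs)
        if not any(p.include for p in self.pairs):
            # No include lines: <your computer> <--> Any is used by default
            self.pairs.append(AddressPair(local_addr, ANY, "<->", True))
        self.pattern = pattern

    def accepts(self, frame: dict) -> bool:
        src, dst, data = frame["src"], frame["dst"], frame["data"]
        # EXCLUDE statements are evaluated first, whatever their order in the dialog
        if any(not p.include and p.matches(src, dst) for p in self.pairs):
            return False
        if not any(p.include and p.matches(src, dst) for p in self.pairs):
            return False
        return self.pattern is None or self.pattern.matches(data)


# Constructed adapter addresses (not real hardware)
LOCAL, JOE, ANNE, BOB = "00A0C9AABBCC", "00A0C9112233", "00A0C9445566", "00A0C9778899"


def make_frame(fid: int, src: str, dst: str, payload: bytes) -> dict:
    return {"id": fid, "src": src, "dst": dst, "data": bytes(MAC_HEADER_LEN) + payload}


FRAMES = [  # constructed sample traffic; 0x45 marks an IPv4 header, 0x60 an IPv6 one
    make_frame(1, JOE, BOB, b"\x45\x00hello"),
    make_frame(2, JOE, ANNE, b"\x45\x00secret"),
    make_frame(3, ANNE, JOE, b"\x45\x00reply"),
    make_frame(4, BOB, ANNE, b"\x45\x00other"),
    make_frame(5, LOCAL, BOB, b"\x45\x00ping"),
    make_frame(6, BOB, LOCAL, b"\x60\x00v6"),
]


def joe_except_anne() -> list:
    """The chapter's example: include Joe <--> Any, exclude Joe <--> Anne."""
    f = CaptureFilter(LOCAL, [AddressPair(JOE, ANY, "<->", include=True),
                              AddressPair(JOE, ANNE, "<->", include=False)])
    return [fr["id"] for fr in FRAMES if f.accepts(fr)]


def local_ipv4_only() -> list:
    """No include line (so <your computer> <--> Any applies) plus a pattern
    match for 0x45 at offset 0 from the end of the topology header."""
    f = CaptureFilter(LOCAL, pattern=PatternMatch(b"\x45", 0, from_end_of_header=True))
    return [fr["id"] for fr in FRAMES if f.accepts(fr)]


if __name__ == "__main__":
    print("Joe except Anne:", joe_except_anne())   # [1]
    print("Local IPv4 only:", local_ipv4_only())   # [5]
```

Frame 3 (Anne to Joe) is the instructive case: the INCLUDE line matches it, but the EXCLUDE line is tested first, so the frame is discarded without the INCLUDE ever being consulted.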

Capture Triggers

A trigger is a set of conditions that, when met, initiate an action. For example, before using Network Monitor to capture data from the network, you can set a trigger to stop the capture or to execute a program or command file. You can also specify the conditions under which these actions will occur.

Use one of the following trigger types to specify the condition that starts the trigger:

Nothing Click this option to specify that no trigger is initiated. This is the default.

Pattern Match Click this option to initiate the trigger when the specified pattern occurs in a captured frame.

Buffer Space Click this option to initiate the trigger when a specified amount of the capture buffer is filled.

Pattern Match Then Buffer Space Click this option to initiate the trigger when the pattern occurs and is followed by a specified percentage of the capture buffer being filled.

Buffer Space Then Pattern Match Click this option to initiate the trigger when the specified percentage of the capture buffer fills and is followed by the occurrence of the pattern in a captured frame.

You can specify to have one of the following actions occur when a trigger condition is met:

No Action Click this option to specify that no action is taken when a trigger condition is met. This is the default.

Note Even though you select No Action, the computer beeps when the trigger condition is met.

Stop Capture Click this option to stop the capture process when the trigger condition is met.

Execute Command Line Select this check box to run a program or batch file when a trigger condition is met. If you select this option, provide a command or the path to a program or batch file.
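The capture buffer behaviour from "Customizing Capture Buffer Settings" (oldest frame replaced on overflow, frames truncated to the chosen Frame Size) and the five trigger types listed above, with Stop Capture as the action, are modelled together in the following Python. This is an added example, not code from Network Monitor or from this chapter; the 500-byte buffer, the ten 100-byte frames and the "ERR" marker are constructed, and the interpretation that a two-stage trigger examines its second condition only on frames arriving after the first condition was met is an assumption drawn from the wording "followed by".

```python
"""Model of the capture buffer and trigger behaviour described in this
chapter: a fixed-size buffer in which each new frame replaces the oldest
once the buffer is full, optional truncation of stored frames to a chosen
Frame Size, and the five trigger types with Stop Capture as the action.
Added example, not Network Monitor code; frame contents, the 500-byte
buffer and the "ERR" marker are constructed for illustration."""
from collections import deque
from typing import List, Optional


class CaptureBuffer:
    def __init__(self, capacity: int, frame_size: Optional[int] = None):
        self.capacity = capacity      # bytes of memory reserved for the buffer
        self.frame_size = frame_size  # store only the first N bytes of each frame
        self.frames: deque = deque()
        self.used = 0
        self.dropped = 0

    def store(self, frame: bytes) -> None:
        if self.frame_size is not None:
            frame = frame[:self.frame_size]  # keep the header, discard the rest
        if len(frame) > self.capacity:
            raise ValueError("frame is larger than the whole capture buffer")
        while self.used + len(frame) > self.capacity:
            self.used -= len(self.frames.popleft())  # overflow: the oldest frame goes
            self.dropped += 1
        self.frames.append(frame)
        self.used += len(frame)

    def percent_full(self) -> float:
        return 100.0 * self.used / self.capacity


class Trigger:
    TYPES = ("Nothing", "Pattern Match", "Buffer Space",
             "Pattern Match Then Buffer Space", "Buffer Space Then Pattern Match")

    def __init__(self, kind: str, pattern: bytes = b"", percent: float = 100.0):
        if kind not in self.TYPES:
            raise ValueError(f"unknown trigger type {kind!r}")
        self.kind, self.pattern, self.percent = kind, pattern, percent
        self.first_stage_met = False  # state for the two-stage trigger types

    def fires(self, frame: bytes, buf: CaptureBuffer) -> bool:
        pattern_seen = self.pattern in frame        # tested on the frame as captured
        space_reached = buf.percent_full() >= self.percent
        if self.kind == "Nothing":
            return False
        if self.kind == "Pattern Match":
            return pattern_seen
        if self.kind == "Buffer Space":
            return space_reached
        # Two-stage types (assumption): the second condition is examined only on
        # frames that arrive after the first condition was met ("followed by").
        first, second = ((pattern_seen, space_reached)
                         if self.kind.startswith("Pattern") else
                         (space_reached, pattern_seen))
        if not self.first_stage_met:
            self.first_stage_met = first
            return False
        return second


def constructed_frames() -> List[bytes]:
    """Ten constructed 100-byte frames; frames 4 and 8 carry the ERR marker."""
    frames = []
    for i in range(1, 11):
        body = b"payload-ERR" if i in (4, 8) else b"payload-%02d" % i
        frames.append(bytes(14) + body.ljust(86, b"."))  # 14-byte header + 86 bytes
    return frames


def frames_retained(frame_size: Optional[int]) -> tuple:
    """Fill a 500-byte buffer with the ten frames; return (kept, dropped)."""
    buf = CaptureBuffer(500, frame_size)
    for fr in constructed_frames():
        buf.store(fr)
    return len(buf.frames), buf.dropped


def run_capture(trigger: Trigger) -> Optional[int]:
    """Feed frames into a 500-byte buffer until Stop Capture fires.
    Returns the 1-based number of the frame on which capture stopped, or None."""
    buf = CaptureBuffer(500)
    for n, fr in enumerate(constructed_frames(), 1):
        buf.store(fr)
        if trigger.fires(fr, buf):
            return n
    return None


if __name__ == "__main__":
    print("full frames kept/dropped:", frames_retained(None))   # (5, 5)
    print("20-byte frames kept/dropped:", frames_retained(20))  # (10, 0)
    print("stop on pattern at frame:", run_capture(Trigger("Pattern Match", b"ERR")))  # 4
```

With whole frames stored, the 500-byte buffer keeps only the last five of ten frames and silently drops the first five; truncating each stored frame to 20 bytes keeps all ten, which is the trade-off the Frame Size setting offers. The two ordered trigger types give different results on the same traffic: pattern-then-space stops at frame 5, space-then-pattern (at 80 percent) ignores the marker in frame 4 because the buffer condition was met on that same frame, and waits for the marker in frame 8.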

Saving Captured Data

When you save captured data, the data in the capture buffer is written to a capture (.cap) file. Be sure to save captured data:

  • Before starting another capture (to prevent loss of the captured data). 

  • If you might need to analyze the data later. 

  • If you need to document network use or problems.

Capture files can be opened and viewed in Frame Viewer windows.

For more information about saving captured data, see "To save the captured frames to a capture file or text file" in Network Monitor Help.

Displaying Captured Data

Network Monitor simplifies data analysis by interpreting raw data collected during the capture and displaying it in the Frame Viewer window.

To display captured information in the Frame Viewer window, choose Stop and View from the Capture menu while the capture is running, or open a capture (.cap) file.

Note To display data captured with Network General's Sniffer, open the noncompressed Sniffer files. To view a compressed Sniffer file, open the file in Sniffer and then save the file in uncompressed format, or obtain a Sniffer file decompression tool from Network General.

The following illustration shows the key elements in the Frame Viewer window:


The Frame Viewer window includes the following panes:

  • The frame's contents, including the protocols used to send it

  • A hexadecimal and ASCII representation of the captured data

  • General information about captured frames in the order in which they were captured

Using a Display Filter

Like a capture filter, a display filter functions like a database query, allowing you to single out specific types of information. But because a display filter operates on data that has already been captured, it does not affect the contents of the Network Monitor capture buffer.

Use a display filter to determine which frames to display. You can filter a frame by:

  • Its source or destination address.

  • The protocols used to send it.

  • The properties and values it contains. (A property is a data field within a protocol header. A protocol's properties, collectively, indicate the purpose of the protocol.)

For more information about showing and hiding panes, see "To show and hide panes in a window" in Network Monitor Help.

Designing a Display Filter

To design a display filter, you specify decision statements in the Display Filter dialog box. Information in the Display Filter dialog box is in the form of a decision tree, which is a graphical representation of a filter's logic. When you modify display filter specifications, the decision tree reflects these modifications.


Protocol Use protocol lines to specify the desired protocols or protocol properties. For more information on filtering protocols, see the next section. For information on specifying particular protocol properties, see "Filtering by Protocol Property" later in this chapter.

Address Filter (default is ANY <--> ANY) Use address filter lines to specify the computer addresses on which you want to capture data. For information on how to filter on an address pair, see "Filtering by Computer Address" later in this chapter.

Property Use this to specify property instances that match your display criterion.

You can add only one decision statement at a time to your filter. If you specify a decision statement and then select another category, the decision statement is lost. You must click OK to save the specified decision statement and add it to the decision tree before adding another decision statement.

Note Although capture filters are limited to four address filter expressions, display filters are not. With display filters, you can also use AND, OR, and NOT logic.

Filtering by Protocol

When you display captured data, all available information on the captured frames appears in the Frame Viewer window. To display only those frames sent in a specific protocol, edit the Protocol line in the Display Filter dialog box.

Filtering by Protocol Property

Protocol properties are the elements of information that define a protocol's purpose. Because the purposes of protocols vary, properties differ from one protocol to another. To filter by protocol property, click Expression under Add in the Display Filter dialog box, click the Property tab, and then specify the protocol property, relation, and value to filter.

Suppose, for example, that you have captured a large number of frames using the SMB protocol but want to examine only those frames in which the SMB protocol was used to create a directory on your computer. In this instance, you can single out frames where the SMB command property is equal to "make directory."

Filtering by Computer Addresses

When you display captured data, all addresses from which information was captured appear in the Frame Viewer window. To display only those frames originating from a specific computer, edit the ANY <--> ANY line in the Display Filter dialog box.
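The display-filter decision tree described in "Designing a Display Filter" and the three sections that follow it (protocol lines, address lines, property expressions, combined with AND, OR and NOT and with no four-pair limit) is modelled in the following Python, including the chapter's scenario of singling out SMB frames whose command property equals "make directory". This is an added example, not code from Network Monitor or from this chapter; the frame records, adapter addresses, property names and values are constructed for illustration and are not taken from any real parser output.

```python
"""Model of a display filter's decision tree as described in this chapter:
protocol, address and protocol-property statements combined with AND, OR
and NOT, with no limit on the number of address expressions. Added example,
not Network Monitor code; the frame records, addresses and property values
below are constructed for illustration."""
import operator
from dataclasses import dataclass
from typing import Any, List

ANY = "ANY"


class Expr:
    def eval(self, frame: dict) -> bool:
        raise NotImplementedError


@dataclass
class Protocol(Expr):
    name: str

    def eval(self, frame: dict) -> bool:
        return self.name in frame["protocols"]


@dataclass
class Address(Expr):
    """Matches an address pair in either direction; ANY <--> ANY matches all."""
    a: str
    b: str

    def eval(self, frame: dict) -> bool:
        def eq(want: str, got: str) -> bool:
            return want == ANY or want == got
        s, d = frame["src"], frame["dst"]
        return (eq(self.a, s) and eq(self.b, d)) or (eq(self.b, s) and eq(self.a, d))


@dataclass
class Property(Expr):
    """Compares one protocol property (a header field) against a value."""
    protocol: str
    name: str
    relation: str
    value: Any
    RELATIONS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
                 ">": operator.gt, "contains": lambda have, want: want in have}

    def eval(self, frame: dict) -> bool:
        have = frame["props"].get((self.protocol, self.name))
        return have is not None and self.RELATIONS[self.relation](have, self.value)


@dataclass
class And(Expr):
    terms: List[Expr]

    def eval(self, frame: dict) -> bool:
        return all(t.eval(frame) for t in self.terms)


@dataclass
class Or(Expr):
    terms: List[Expr]

    def eval(self, frame: dict) -> bool:
        return any(t.eval(frame) for t in self.terms)


@dataclass
class Not(Expr):
    term: Expr

    def eval(self, frame: dict) -> bool:
        return not self.term.eval(frame)


def apply_display_filter(expr: Expr, frames: List[dict]) -> List[int]:
    """Return the numbers of the frames the filter would show; the capture is unchanged."""
    return [fr["frame"] for fr in frames if expr.eval(fr)]


LOCAL = "00A0C9AABBCC"                             # constructed address of this computer
PEERS = ["00A0C9%06X" % n for n in range(1, 7)]   # six constructed peer addresses
SMB_STACK = ["ETHERNET", "IP", "TCP", "NBT", "SMB"]

CAPTURE = [  # constructed frame records, shaped like a parser's summary of each frame
    {"frame": 1, "src": PEERS[0], "dst": LOCAL, "protocols": SMB_STACK,
     "props": {("SMB", "Command"): "make directory"}},
    {"frame": 2, "src": LOCAL, "dst": PEERS[0], "protocols": SMB_STACK,
     "props": {("SMB", "Command"): "make directory"}},
    {"frame": 3, "src": PEERS[1], "dst": LOCAL, "protocols": SMB_STACK,
     "props": {("SMB", "Command"): "open"}},
    {"frame": 4, "src": PEERS[2], "dst": PEERS[3], "protocols": ["ETHERNET", "IP", "UDP"],
     "props": {("UDP", "Destination Port"): 137}},
    {"frame": 5, "src": PEERS[4], "dst": LOCAL, "protocols": SMB_STACK,
     "props": {("SMB", "Command"): "make directory"}},
]


def mkdir_frames() -> List[int]:
    """The chapter's scenario: SMB frames whose Command property is "make directory"."""
    return apply_display_filter(
        And([Protocol("SMB"), Property("SMB", "Command", "==", "make directory")]), CAPTURE)


def non_smb_or_other_peers() -> List[int]:
    """NOT and OR over five address lines, more than a capture filter would allow."""
    return apply_display_filter(
        Or([Not(Protocol("SMB"))] + [Address(p, ANY) for p in PEERS[1:]]), CAPTURE)


def well_known_udp_ports() -> List[int]:
    return apply_display_filter(Property("UDP", "Destination Port", "<", 1024), CAPTURE)
```

Because the filter is evaluated over records that are already in memory, nothing here touches the capture buffer; changing the expression and re-running it simply changes which frame numbers are listed, which is the property of display filters the chapter contrasts with capture filters.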


© 2015 Microsoft