CHAPTER 4

                       MONITORING NETWORK ACTIVITY

 

 

Communications across the network is increasingly important in the work environment.  Similar to

processors or disks on your system, the behavior of the network has an impact on the operation of

your computer.  Microsoft Windows 2000 provides two primary utilities for monitoring network

performance:  System Monitor and Network Monitor.  System Monitor, installed with Both

Windows 2000 Professional and Windows 2000 Server, tracks resource utilization and network

throughput.  Network Monitor, an optional component for Windows 2000 Server, track network

throughput in terms of captured network traffic.

 

 

Lesson 1:  Introducing Network Monitor

 

You can use Microsoft Windows 2000 Network Monitor to view and detect problems on local area

network (LANs).  For example, you can use Network Monitor to diagnose hardware and software

problems when two or more computers cannot communicate. 

 

 

Understanding Network Monitor

 

You can use Network Monitor to collect data sent to and from computers and then view and analyze

the data.  Network Monitor captures frames and packets on the data-link layer through the application

layer and presents it graphically.  Frames and packets are composed of many different pieces of

information including:

 

·        Source and destination addresses

·        Sequencing information

·        Checksums

 

Network Monitor decodes this information allowing you to analyze network traffic and troubleshooting

network problems.  In addition to data-link layer data, Network Monitor can also interpret some

application layer data, such as Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP).

 

NOTE:  Network Monitor is composed of a gathering agent that collects data and an administrative

utility that displays and analyzes the data.  Installing the Network Monitor Tools component in

Windows 2000 automatically installs both the Network Monitor utility and agent.

 

 

 

=====================================================================

 

wininf4.html                                                    PAGE 2                                                    2002/03/11

 

 

 

 

Network Monitor Driver

 

 

The Network Monitor driver gathers frames from a network adapter and passes the information to the

Network Monitor utility for viewing and analysis.  The driver can also forward frames to a remote

administrator running the version of Network Monitor included with Microsoft Systems Management

Server.

 

NOTE:  When you install the Network Monitor driver, the Network Segment object is added for

use in System Monitor.

 

Installing the driver alone does not install the Network Monitor administrative utility.  If you want to

view and analyze Network Monitor data on a system, you must install the Network Monitor Tool

Windows component on a computer running Windows 2000 Server.

 

 

Capturing Network Data

 

Network Monitor uses a process called capturing to examine network frames.  You can capture all

network traffic to and from the local network card, or capture a specific subset of frames.

 

 

Lesson Summary:

 

•   You can use Windows 2000 Network Monitor to view and analyze problems on your

network. 

•   You can also store a log of network activity into a file and then send the file to a professional

network analyst or support organization.

 

 

Lesson 2:  Using Network Monitor

 

When using Network Monitor, you should remember two key points:

 

Run Network Monitor at low-usage times or for short periods of time.  This decreases the effect on

ystem performance caused by Network Monitor.

 

Capture only as many statistics as you need for evaluation.  This prevents you from capturing too

much information to make a reasonably quick diagnosis of the problem.

 

 

 

 

=====================================================================

 

wininf4.html                                                    PAGE 3                                                    2002/03/11

 

 

 

 

Examining Frames

 

Network Monitor can capture frames sent to and from a network adapter.  Frames are made up

of many different pieces of information, including:

 

• The protocol being used
• The source address of the computer that sent the message
• The destination address of the frame
• The length of the frame

 

 

To capture network frames:

 

Start/programs/administrative tools/Network monitor/capture (start)

 

 

Viewing Data

 

•   After you have captured data, you can view it in the Network Monitor uses interface. 

Network

•   Monitor performs some data analysis automatically because it translates raw captured

data and organizes it into the structure of a logical frame.  Network Monitor also displays

overall network.

•   Broadcast frames
•   Multicast frames
•   Network utilization
•   Total bytes received per second
•   Total frames received per second

 

NOTE:  For security reasons, Windows 2000 Network Monitor captures only those frames,

ncluding broadcast and multicast frames, sent to or from the local computer.

 

 

 

=====================================================================

 

wininf4.html                                                    PAGE 4                                                    2002/03/11

 

 

 

Network Monitor acts as a Network Driver Interface Specification-Compliant (NDIS) driver to

copy frames to the capture buffer, a resizable storage area in memory.  The default size of 1MB;

you can adjust the size manually as needed.  Make sure there is enough memory free to allow for

this.

 

 

NOTE:  Because Network Monitor uses the local-only mode of NDIS instead of promiscuous

mode (in which the network adapter passes on all frames sent on the network, you can use

Network Monitor even if your network adapter does not support promiscuous mode.  Networking

performance is not affected when you use an NDIS driver to capture frames.  (Putting the

network adapter in promiscuous mode can add 30 percent or more to the load on the CPU).

 

Network Monitor displays session statistics from the first 100 unique network sessions it detects. 

To reset statistics and see information on the next 100 network session detected, on the Capture

menu, click Clear Statistic.

 

 

=======================================================================

Statistics Displayed in the Capture Window

=======================================================================

 

Pane                Displays

 

 

Graph              A graphical representation of the activity currently taking place on

                        the network.

 

Session Stats  Statistics about individual sessions currently taking place on the

                        Network.

 

Station Stats   Statistics about the sessions participated in by the computer

                        Running Network Monitor

 

Total Stats      Summary Statistics about the network activity detected since the

                        Capture process begins

 

 

=====================================================================

 

 

To capture only those frames that originate with specific computer, determine the addresses of the

computers on your network and associate the address with its Domain Name System (DNS) or

NetBIOS name.  After these associations are made, you can save the names to an address

database (.adr) file that can be used to design capture filters and display filters.

 

NOTE:  Capture filters can significantly increase the processor’s workload because each packet

must be processed through the filter and either saved or discarded.  In some cases, using complex

filters might result in missed frames.

 

To design a capture filter, specify decision statements in the Capture Filter dialog box.  By

pecifying a pattern match in a capture filter, you can:

 

• Limit a capture to frames consisting of specific data types
• Capture frames sent using a specific protocols
• Use a capture trigger to initiate actions following the capture.

 

 

 

 

=====================================================================

 

wininf4.html                                                    PAGE 5                                                    2002/03/11

 

 

 

Descriptions of Capture Triggers

 

======================================================================

Trigger Type                                 Description

======================================================================

Nothing                       No trigger is initiated, This is the Default.

 

Pattern Match            Initiates the trigger when the specified pattern occurs in a

                                    Captured frame.

 

Buffer Space              Initiates the trigger when a specified amount of the capture

                                    Buffer is filled.

 

Pattern Match            Initiates the trigger when the pattern occurs, and is followed

then Buffer Space      By a specified % of the capture buffer being filled.

 

Buffer Space               Then Initiates the trigger when the specified % of the capture

Pattern Match            buffer fills, and is followed by the occurrence of the pattern

                                    in a captured frame.

 

No Action                   No action is taken when the trigger condition is met.  This

                                    is the default.  Even though you select No Action, the

                                    Computer beeps when the trigger condition is met.

 

Stop Capture              Stops the capture process when the trigger condition is met.

 

Execute                       Runs a program or batch file when a trigger condition is met.

Command Line           If you select this option, provide a command or the path to a

                                    Program or batch file.

 

 

=========================================================================

 

 

NOTE:  If your computer uses multiple network adapters, either switch between the two adapters

or run multiple instances of Network Monitor.  To switch between adapters, on the Capture menu,

click Networks, then select a different adapter.

 

When you capture data, the data in the capture buffer is written to a capture (.cap) file.

 

 

Using Display Filters

 

Similar to a capture filter, you can use a display filter like a database query to specify which frames

to display.  Because a display filter operates on data that has already been captured, it does not

affect the contents of the Network Monitor capture buffer.  A frame can be filtered based on the

following data:

 

 

=====================================================================

 

wininf4.html                                                    PAGE 6                                                    2002/03/11

 

 

 

 

•   The frame’s data-link layer or network layer source or destination address.
•   The protocols used to send the frame or packet.
•   The properties and values the frame contains.  (A property is a data field within a

protocol header. 

•   A protocol’s properties, collectively, indicate the purpose of the protocol).

 

 

To design a display filter, specify decision statements in the Display Filter dialog box.  Information

in the Display Filter dialog box is in the form of a decision tree, which is a graphical representation

of a filter’s logic.

 

With displays filters, you use AND, OR, and NOT logic, and, unlike a capture filter, you can use

more than four addresses filter expressions.  When you display captured data, all available

information about the captured frames sent by a specific protocol, edit the Protocol line in the

Display Filter dialog box.

 

 

Reviewing Captured Data

 

Perform the steps in the following list as part of your routine for reviewing and analyzing captured

data:

 

•    Follow a session using source and destination IP address and port numbers.
•    If you find a Reset, focus on the sequence numbers and acknowledgements that

precede it.

•   Use a calculator to see which acknowledgements are associated with the data sent
•   Try to understand the activity you are seeing, does the send do retries?, did the sender

back up and re-send the previous packet?, Is the Receiver asking for a missed frame

by acknowledging a

previous sequence number?

 

A reset can be caused by time-outs at the TCP layer or by time-outs of higherlayer protocols. 

 

For example, an SMB read might time out in 45 seconds and cause a reset of the session even

though communications are slow but working at the TCP layer.

 

 

Network Monitor Performance Issues

 

Network Monitor creates a memory-mapped file for its capture buffer.  For best results, make

sure to create a capture buffer large enough to accommodate the traffic you need. 

 

 

 

 

=====================================================================

 

wininf4.html                                                    PAGE 7                                                    2002/03/11

 

 

 

Detecting Network Monitor

 

To help protect your network from unauthorized use of Network Monitor installations, Network

Monitor can detect other installations of Network Monitor that are running on the local segment

of your network.

 

• The name of the computer
• The name of the user logged on at the computer
• The state of Network Monitor on the remote computer (running, capturing or transmitting).
• The adapter address of the remote computer
• The version number of Network Monitor on the remote computer.

 

 

Lesson Summary:

 

•   Network Monitor monitors the network data stream, which consists of all information

transferred over a network at any given time.  You can use a display filter to determine which

 frames to display.

•   After you have captured data, you can view it in the Network Monitor user interface. 
•   Make sure you specify a capture buffer large enough to accommodate the traffic you need.

 

 

 

Lesson 3:  Windows 2000 Administration Tools

 

 

Windows 2000 have tools and technologies to simplify administration for computers in your network. 

Terminal Services provides access to Windows 2000 and the latest Windows-based applications for

client computers.  In addition, Windows 2000 provides the Simple Network Management Protocol

(SNMP), which allows you to monitor and communicate status information from SNMP agents to

network management software.

 

 

Windows 2000 Administration capabilities

 

Windows 2000 has tools and technologies to simplify administration of computers in your network. 

Terminal Services provides access to Windows 2000 and the latest Windows-based applications for

client computers.  In addition, Windows 2000 provides the Simple Network Management Protocol

(SNMP), which allows you to monitor and communicate status information from SNMP agents to

network management software.

 

 

=====================================================================

 

wininf4.html                                                    PAGE 8                                                    2002/03/11

 

 

 

Terminal Services

 

                       

When you enable Terminal Services on a Windows 2000 Server, you either select Remote

Administration or Application Server mode.

 

Application Server mode allows you to deploy and manage applications from a central location. 

You can deploy a Windows 2000 interface as well as applications to computers that cannot run

Windows 2000.

 

Terminal Services also offers a remote administration mode that allows you to access, manage, and

troubleshoot clients.  Remote Administration mode allows you to remotely administer Windows 2000

servers over any TCP/IP connection, including remote access, Ethernet and Internet, wireless, and

wide area network (WAN) or a virtual private network (VPN).  You can install Terminal Services

from the Windows Components add/remove program in control panel.

 

 

Using Terminal Server

 

Although a Remote Desktop Protocol (RDP)  connection is configured automatically when Terminal

Services is installed, you can use the following general steps to make a new connection.

 

 

Simple Network Management Protocol (SNMP)

 

SNMP is a network-management protocol frequently used in TCP/IP networks to monitor and

manage computers and other devices (such as printers) connected to the network.  SNMP can be

installed and used on any computer running Windows 2000 and TCP/IP or IPX/SPX.

 

 

CLASSROOM NOTES:

 

There are three areas you must be aware for SNMP:

 

• Agents
• SNMP initiates a trap
• The information is stored in the MIB (men in black, or Management Information Base).

 

 

Management Systems and Agents

 

SNMP is comprised of management systems and agents.  A management system is any computer

running SNMP management software.

 

 

=====================================================================

 

wininf4.html                                                    PAGE 9                                                    2002/03/11

 

 

 

 

The SNMP agent component also allows a Windows 2000 computer to be administered remotely. 

The only operation initiated by an agent is called a trap.  A trap is a message sent by an agent to

a management system indicating that an event has occurred on the host running the agent.

 

 

Benefits of SNMP

 

If you have installed a DHCP server, Internet Information server, or WINS server software on a

Windows 2000-based computer on the network, you can monitor these services by using an

SNMP manager program.

 

• Active TCP connections
• UDP datagrams received per second
• ICMP message per second
• Total network interface bytes per second

 

 

Lesson Summary:

 

 

•   SNMP is a network-management protocol widely used in TCP/IP networks.
•   You can also use SNMP to monitor and control remote hosts and gateways on an internetwork.
•   The SNMP service can handle requests from one or more hosts, and it is also report network-

management information to one or more hosts, in discrete blocks of data called traps.