Monitoring Network Traffic
Meet Network Monitor, and learn some tips for getting the most out of this utility.
February 27, 2001
Use Network Monitor to find problems with network applications, misconfigured workstations, and unnecessary protocols
Network Monitor is an administrative tool that lets you monitor network traffic as it crosses the wire. Protocol parsers built into the tool organize traffic into packets for ease of analysis and give you information you can use to track down problems with network applications, misconfigured workstations, and unnecessary protocols installed on workstations, printers, and servers. Network Monitor's features include display filters, which can help you locate specific information in large network traces; capture filters, which can narrow down the information the tool captures; and triggers, which let you tell your system to take a certain action based upon a packet's contents.
Network Monitor for Windows 2000 comes in two versions: a lite version, which ships with Win2K, and a full version, which is part of Systems Management Server (SMS) 2.0 and which you can also install on Windows NT 4.0. The lite version monitors only local traffic. The full version captures all traffic on the network and, when you connect to another server or workstation on which you've installed the Network Monitor driver, lets you monitor remote systems. The Network Monitor driver ships with Win2K and doesn't require installation of SMS. To use the full version of Network Monitor without installing SMS, execute the setup.exe program from the nmext directory on the Microsoft Systems Management Server 2.0 CD-ROM.
Manually Capturing Traffic
To start Network Monitor, go to Start, Programs, Administrative Tools, Network Monitor. To run the tool, you first need to select a network to enable the Capture menu (if your machine has only one network card, the Capture menu will already be enabled).
Before you begin a capture, you should check the buffer configuration. Select Buffer Settings from the Capture menu to display the Capture Buffer Settings dialog box. By default, the maximum capture buffer size that Win2K allows is 1GB; NT's default maximum buffer size is 8MB less than the amount of RAM installed on the machine.
Although you can use virtual memory for the capture buffer, doing so can cause your capture not to include crucial frame information. To determine the maximum reliable buffer setting, use Task Manager to check the available physical memory, then don't exceed that size. For impromptu network sniffing, I typically use a 4MB capture buffer—large enough to give me a good deal of information but small enough to zip into a reasonably sized email attachment.
The Capture Buffer Settings dialog box also lets you select the size of the frames you want to capture. You can use this capability to prevent capturing extraneous frame data and wasting space. How much of the frame you decide to capture depends on the particular protocol you're investigating. For example, you can set a frame size of 14 bytes to capture only Ethernet headers. A 14-byte frame size lets you capture 73,142 frames in a 1MB capture buffer. To capture IP headers, you'd use a 34-byte frame size—14 bytes for the Ethernet header plus 20 bytes for the IP header. Tailoring the frame size is an especially useful technique for investigating problems with file transfers, which often generate frames that contain 1200 bytes or more of user data and quickly fill up your capture buffer.
To start a manual capture, simply select Start from the Capture menu. Alternatively, you can press F10 or click the Record button on Network Monitor's toolbar. Network Monitor will immediately begin capturing frames and will continue to do so until you stop the capture or until the buffer fills up.
Working with a Data Set
After you've captured data, select Display Captured Data from the Capture menu to display the captured data set. Figure 1 shows a sample display. The summary (top) pane contains the following columns, which you can rearrange by dragging a column head to a new location:
Frame—the number Network Monitor assigns to the frame for tracking purposes.
Time—the time of day, the number of seconds since the beginning of the capture, or the number of seconds since the previous frame. To configure which of these three options Network Monitor displays, select Options from the Display menu. I prefer to display the time of day so that I can match the captured information to events in the Windows event log.
Src MAC Addr—the source media access control (MAC) address of the device that generated the frame. You can select Show Address Names or Show Vendor Names from the Options menu to display the name assigned to the MAC address in the Network Monitor address book or the vendor name associated with the first 6 bytes of the MAC address, respectively. (This option affects the display of all addresses in the capture file.) The Show Vendor Name option can be helpful if you're trying to find an unknown device on the network.
Dst MAC Addr—the name assigned to the MAC address of the packet's destination device.
Protocol—the main (i.e., highest-level) protocol in the frame.
Description—summary information about the frame. The Description column often contains enough information for you to follow what happened in the capture session. You can easily spot the TCP three-way handshake from the description; TCP flag information also shows up in this column. From Display, Options, you can configure the Protocol column to display Last protocol in frame or Auto (Based on protocols in display filter). If you choose the last-protocol option, the Protocol column will contain the highest-level protocol in the frame. For example, for a TCP/IP frame that contains Ethernet, IP, and TCP protocols, the last-protocol option displays TCP in the Protocol column. If you select Auto and you've configured a display filter to show only IP-based traffic, the Protocol column will display IP for the same TCP/IP frame. In most cases, you can obtain the most useful information by selecting Last protocol in frame.
Src Other Addr—the other protocol address that the frame contains. For example, if you're on an IP-based network, this column contains the IP address that matches the MAC address listed in the Src MAC Addr column. (To see the Src Other Addr column and those that follow, you might need to move the scroll bar at the bottom of the summary pane.)
Dst Other Addr—the other protocol address that the frame for the destination machine contains.
Type Other Addr—the protocol that the Src Other Addr and Dst Other Addr fields refer to.
The middle pane in the Network Monitor window is the detail pane. You can toggle this pane on or off by clicking the Toggle Detail Pane button in Network Monitor's toolbar. (The Toggle Detail Pane button is the second of the three pane-toggle buttons, which appear as a group above the Src MAC Addr column in Figure 1.) In this pane, Network Monitor provides detailed information that it obtains by parsing protocols.
To parse protocols, Network Monitor uses .dll files and .ini files, which it stores in the parser directory (by default, this directory is \winnt\system32\netmon\full\parsers for the SMS version of Network Monitor and \winnt\system32\netmon\parsers for the lite version). As shipped, Network Monitor can parse 40 protocols, including new ones such as Layer 2 Tunneling Protocol (L2TP). If you want to analyze protocols that Network Monitor doesn't understand (e.g., ICA), you need to either write or buy additional parser .dll and .ini files.
The hexadecimal (bottom) pane in the Network Monitor window provides specific information about the frame in the detail pane. If you understand how to read the hex trace, you can create very specific custom capture filters, as I explain later. To toggle this pane on and off, click the Toggle Hex Pane button in the toolbar.
Using Filters
Network Monitor offers various types of filters to help eliminate extraneous data so that you can capture or view only relevant information. If your machine has multiple Ethernet cards, you can use a network filter to choose which network interface you want to monitor. To implement a network filter, select Networks from the Capture menu and select an interface from the Select a network window. In addition, you can connect to remote computers to monitor other networks.
Capture filters let you reduce the amount of traffic you actually pull off the network for analysis. For example, if you narrow down a network problem to a specific computer, you might want to capture only the packets directed to that computer. You can capture and save one set of data, change your capture filter, capture another set of data, then compare the two data sets. You can also save capture filters and reuse them later.
To design a capture filter, select Filter from the Capture menu to display the Capture Filter dialog box, which Figure 2 shows. You can filter data by protocol, address, data pattern, or a combination of the three.
To filter by protocol, select the SAP/ETYPE line in the Capture Filter window and click Edit to display the Capture Filter SAPs and ETYPEs dialog box. Service Advertising Protocol (SAP) can identify addresses and services for network-attached servers. Although Novell NetWare's IPX and SPX protocols most commonly use SAP, the SAP options can also filter IBM NetBIOS, SNA, and even IP services. Ethernet Type (ETYPE) refers to a field in the Ethernet header of a typical packet.
You use the Capture Filter SAPs and ETYPEs dialog box to select the type of protocol you want to filter. By default, all protocols appear in the Enabled Protocols pane. To select one particular protocol, click Disable All to disable all protocols, then select the protocol you want from the Disabled Protocols pane and click Enable. To locate a particular protocol in the Disabled Protocols or Enabled Protocols pane without scrolling through the entire list, click the column header and type the first letter of the name of the protocol you want.
To generate a capture file for a particular machine, select the Address Pairs line in the Capture Filter window and click Edit (or double-click the INCLUDE *ANY <--> *ANY expression) to open the Address Pairs dialog box. The Address Pairs filter lets you capture traffic between selected computers on the network and specify the direction of the traffic you want to monitor. This filter is useful for analyzing the conversation between servers and workstations or servers and printers. (The lite version that ships with Win2K can sniff only local traffic. To monitor other traffic, you need the full SMS version of Network Monitor.)
The Pattern Matches line in the Capture Filter dialog box lets you filter based on a specific pattern of hex or ASCII data that appears in a particular position in a frame. Pattern capture filters are somewhat tricky to use because they require that you find a pattern of data that appears in every frame of the type you want to capture and that you know where in the frame that particular pattern appears. You can analyze existing capture data to find this information.
For example, Frame 177 in Figure 1 is a NetBIOS over TCP/IP (NetBT) transport frame, as the NBT in the Protocol column indicates. This protocol rides on top of TCP, IP, and the Ethernet protocol. This particular frame is a session KeepAlive frame. Let's say you want to create a capture filter that captures only NetBIOS session KeepAlive frames (perhaps to analyze the impact of NetBIOS KeepAlive traffic on the network). You would click the plus sign to the left of the NBT summary line in the detail pane to expand the NBT section of the trace. Then, you'd select the NBT: Packet Type line. Network Monitor highlights the corresponding section of the hex trace—in this case, the hex number 85 on line 30 in Figure 1's hex pane—indicating that the selected frame is a NetBIOS Session KeepAlive frame. In the lower right corner of the Network Monitor screen, you can see the notation Off: 54 (x36). This notation indicates that x85 is offset 54, or x36, bytes from the beginning of the packet.
After you find the pattern for a particular manifestation, you can create a pattern filter and test whether the pattern does what you want it to do. To create a pattern filter, select the Pattern Matches line in the Capture Filter dialog box and click Pattern. In the Pattern Match dialog box, which Figure 3 shows, enter the offset that you want.
In the Pattern field, you can see that I typed not only the value 85 from the hex pane in Figure 1 but also the value 00 that follows the 85. Filtering on two or three consecutive numbers from the hex pane, when possible, ensures finer control of the capture process and reduces the number of bogus hits. In the Offset (in hex) field, I typed 36 to indicate the hex offset. Now, I can click OK and use this pattern filter in another capture session to capture only NetBIOS KeepAlive frames.
A pattern match doesn't need to be perfect to work, but it does need to be close to perfect. Creating a pattern filter can be time-consuming but can also be a great help in locating and resolving an obscure problem.
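The following Python script is an added illustration of why the pattern filter above works and when it stops working; it is not part of the original article and not Microsoft's code. It assembles a constructed NBT session KeepAlive frame (made-up MAC and IP addresses) so that the KeepAlive type byte 85 lands at offset 54 (x36), exactly as in Figure 1, and then compares the fixed-offset byte comparison that a Pattern Match filter performs with the offset a parser finds by reading the IP and TCP header lengths. Two things the prose describes become visible: a frame that carries TCP options pushes the NBT bytes past offset x36, so the fixed-offset filter silently misses it (the "close to perfect" caveat), and a one-byte pattern of 85 produces a bogus hit on any other payload that happens to start with x85, which the second byte 00 rejects. The constants, helper names and sample payloads are this example's own.

```python
import struct
from typing import Optional

# Constructed sample data (not captured from a real network). MAC addresses,
# IP addresses and ports are made up; the frame layout (Ethernet II, IPv4,
# TCP, NBT session message) is the real one.
KEEPALIVE = b"\x85\x00\x00\x00"          # NBT session KeepAlive: type 0x85, length 0
NOT_KEEPALIVE = b"\x85\x01\x02\x03"      # constructed payload that merely starts with 0x85
TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, TCP timestamps (12 bytes)


def build_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Assemble Ethernet + IPv4 + TCP + payload. tcp_options must be a multiple of
    4 bytes; any options lengthen the TCP header and shift where the payload lands."""
    tcp_len = 20 + len(tcp_options)
    tcp = struct.pack("!HHIIBBHHH",
                      139, 1025,                  # netbios-ssn -> client port
                      1, 1,                       # sequence / acknowledgement numbers
                      (tcp_len // 4) << 4,        # data offset in 32-bit words
                      0x18,                       # PSH, ACK
                      8192, 0, 0) + tcp_options   # window, checksum (0), urgent pointer
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp) + len(payload),   # version/IHL, TOS, total length
                     1, 0, 128, 6, 0,                         # id, flags/frag, TTL, proto=TCP, checksum
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    eth = bytes.fromhex("00a0c9112233") + bytes.fromhex("00e0b8445566") + b"\x08\x00"
    return eth + ip + tcp + payload


def pattern_match(frame: bytes, offset: int, pattern: bytes) -> bool:
    """What a Network Monitor pattern filter does: compare bytes at a fixed offset
    from the start of the frame, with no protocol parsing."""
    return frame[offset:offset + len(pattern)] == pattern


def nbt_type_offset(frame: bytes) -> Optional[int]:
    """Where the NBT packet-type byte really sits, found by parsing the header
    lengths the way Network Monitor's detail pane does."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4 over Ethernet II
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    if frame[14 + 9] != 6:
        return None                                   # not TCP
    tcp_start = 14 + ihl
    if len(frame) < tcp_start + 20:
        return None
    payload = tcp_start + (frame[tcp_start + 12] >> 4) * 4   # TCP data offset
    return payload if payload < len(frame) else None


def demo() -> dict:
    plain = build_frame(KEEPALIVE)
    with_opts = build_frame(KEEPALIVE, TIMESTAMP_OPTS)
    other = build_frame(NOT_KEEPALIVE)
    return {
        "offset_plain": nbt_type_offset(plain),                    # 54 == 0x36, as in the article
        "offset_with_options": nbt_type_offset(with_opts),         # 66: the fixed offset is stale
        "fixed_hits_plain": pattern_match(plain, 0x36, b"\x85\x00"),
        "fixed_hits_with_options": pattern_match(with_opts, 0x36, b"\x85\x00"),
        "one_byte_bogus_hit": pattern_match(other, 0x36, b"\x85"),
        "two_byte_rejects": pattern_match(other, 0x36, b"\x85\x00"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When you build a pattern filter from a single frame, it pays to check a few other frames of the same type in the hex pane: if any of them use IP or TCP options, the offset you read from Figure 1 is correct only for the frames that don't.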
In addition to filtering data before you collect it, you can apply filters to displayed data sets. Display a set of captured data and select Filter from the Display menu. The Display Filter dialog box that appears looks and works much like the Capture Filter dialog box and lets you filter by protocol and network conversation.
Customizing the Display
Network Monitor offers some settings that can help make the time you spend browsing capture files more productive. From the Display menu, you can select Font to change the size of the display text. For a more functional change, select Colors to access the Protocol Colors dialog box and assign different font colors to specific protocols. Using different font colors lets you more easily trace particular conversations in a large capture. To assign a colored font to a particular protocol, select the protocol from the list in the Protocol Colors dialog box and select a color from the Foreground drop-down menu. Background colors highlight the line in the color you select and don't affect the font color.
The Duplicate feature, which you select from the Window menu, copies the capture into another window and lets you work on both copies at the same time. You can use a different display filter on each copy and compare two views of the same capture. To avoid the confusion that can result from working on two views that have the same name, you can select Label from the Window menu and add a label to each view. When working with a duplicate, you can close one window without affecting the other window. Selecting Save Configuration from the Display menu saves the setting.
The Insert Comment Frame selection on the Tools menu lets you add text to the capture file to help you interpret the data later or for training purposes. In the Insert Comment Frame dialog box, specify a Frame Number, select Comment from Type of Frame to Insert, and type a comment for the new frame. The Description column displays the comment you typed, as Figure 4 shows.
You can also insert bookmark frames to mark particular places in the capture file and easily return to them later. The new frame's Protocol column in the trace shows whether the frame is a comment or a bookmark frame. Comment and Bookmark are among the protocols you can select to create a display filter. Filtering comment or bookmark frames and printing the result can be helpful when you're working with a heavily documented capture file.
If you insert two comment frames and clear the No Statistics check box in the Insert Comment Frame dialog box, Network Monitor will calculate statistics between the two comment frames. Network Monitor's statistics provide information about how many frames a particular section of traffic includes, the time between frames, and the average bandwidth the frames consume.
Configuring Triggers
A trigger examines frames as Network Monitor collects them to determine whether the frames meet a condition that you have specified. When a frame meets the specified condition, the trigger causes the system to sound an alert, stop the capture, or execute a command line. You can configure a trigger to take action when the buffer becomes partially or completely full, when a frame matches a pattern, or a combination of the two.
A simple and useful trigger can make Network Monitor save the capture file and shut down when the buffer becomes full during a monitoring session. To create such a trigger, select Trigger from the Capture menu. In the Capture Trigger dialog box, which Figure 5 shows, select Buffer space from the Trigger on section. Choose 100% as the Buffer Space setting, and choose Stop Capture as the Trigger Action.
To take this trigger one step further, write a batch file to send a message informing you that the capture has stopped. This batch file could be as simple as
net send administrator The capture is complete.
You can write this command in Notepad and rename the resulting .txt file with a .bat extension. Then, in the Capture Trigger dialog box, select Execute Command Line as the Trigger Action and point the trigger to the file's location.
You can incorporate pattern offsets into triggers to have Network Monitor identify a variety of events. In response to a particular event, Network Monitor can do anything that you can do from a command line—including starting another instance of Network Monitor on another machine. Figure 5 illustrates how to configure a trigger that executes a batch file named keepaliveSpotted.bat, which alerts you when Network Monitor finds a KeepAlive frame.
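To make the trigger behaviour concrete, here is an added Python simulation that is not part of the original article and not Microsoft's code. It models the capture buffer and trigger settings discussed above: frames are stored until the buffer is full, each frame is truncated to the configured frame size, and after every frame the trigger condition (Buffer space, Pattern match, or the pattern-then-buffer combination, which is this example's reading of "a combination of the two") is evaluated and returns the configured action. The frames are constructed filler with zero bytes where headers would be, carrying the KeepAlive bytes 85 00 at offset x36 in one chosen frame; the batch file name keepaliveSpotted.bat comes from the article, while the class and field names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

KEEPALIVE_PATTERN = b"\x85\x00"   # NBT session KeepAlive type byte plus the 00 that follows it
NBT_TYPE_OFFSET = 0x36            # offset 54: 14-byte Ethernet + 20-byte IP + 20-byte TCP headers


@dataclass
class CaptureConfig:
    buffer_bytes: int                       # Capture Buffer Settings: buffer size
    frame_size: Optional[int] = None        # bytes kept per frame (None = whole frame)
    trigger_on: str = "buffer space"        # "buffer space", "pattern match", "pattern match then buffer space"
    buffer_percent: int = 100               # Buffer Space threshold
    pattern: Optional[bytes] = None         # Pattern Match: bytes expected ...
    pattern_offset: int = 0                 # ... at this offset from the start of the frame
    action: str = "Stop Capture"            # Trigger Action: "Stop Capture" or a command line to execute


@dataclass
class CaptureResult:
    frames_stored: int
    bytes_used: int
    fired_at_frame: Optional[int]           # frame number (1-based) when the trigger fired, else None
    action: Optional[str]                   # action the trigger requested, else None


def run_capture(frames: List[bytes], cfg: CaptureConfig) -> CaptureResult:
    """Simulate Network Monitor storing frames into the capture buffer and
    evaluating the trigger after each one. A frame that no longer fits marks
    the buffer as 100% full; the capture ends there whether or not a trigger fires."""
    used, stored, pattern_seen = 0, 0, False
    for frame in frames:
        kept = len(frame) if cfg.frame_size is None else min(len(frame), cfg.frame_size)
        full = used + kept > cfg.buffer_bytes
        matched = False
        if not full:
            used += kept
            stored += 1
            if cfg.pattern is not None:
                matched = frame[cfg.pattern_offset:cfg.pattern_offset + len(cfg.pattern)] == cfg.pattern
                pattern_seen = pattern_seen or matched
        fill_percent = 100 if full else used * 100 // cfg.buffer_bytes
        if cfg.trigger_on == "pattern match":
            fire = matched
        elif cfg.trigger_on == "buffer space":
            fire = fill_percent >= cfg.buffer_percent
        elif cfg.trigger_on == "pattern match then buffer space":
            fire = pattern_seen and fill_percent >= cfg.buffer_percent
        else:
            raise ValueError(f"unknown trigger mode: {cfg.trigger_on}")
        if fire:
            return CaptureResult(stored, used, stored, cfg.action)
        if full:
            break
    return CaptureResult(stored, used, None, None)


def make_frames(count: int, size: int, keepalive_at: Optional[int] = None) -> List[bytes]:
    """Constructed filler frames (not real captures): zero bytes standing in for headers
    and data; frame number keepalive_at gets the KeepAlive bytes at offset 0x36."""
    frames = []
    for n in range(1, count + 1):
        body = bytearray(size)
        if n == keepalive_at:
            body[NBT_TYPE_OFFSET:NBT_TYPE_OFFSET + 2] = KEEPALIVE_PATTERN
        frames.append(bytes(body))
    return frames


def demo() -> dict:
    buf = 64 * 1024                                     # a 64KB buffer keeps the arithmetic visible
    bulk = make_frames(200, 1500)                       # file-transfer-sized frames
    return {
        # whole frames: 43 fit (43 * 1500 = 64,500 bytes), the 44th does not -> Stop Capture
        "stop_when_full": run_capture(bulk, CaptureConfig(buf)),
        # keep only the 34-byte Ethernet + IP headers: all 200 fit and nothing fires
        "headers_only": run_capture(bulk, CaptureConfig(buf, frame_size=34)),
        # the batch-file trigger from the article fires on the KeepAlive frame (frame 120)
        "keepalive_trigger": run_capture(make_frames(200, 1500, keepalive_at=120), CaptureConfig(
            buf, frame_size=64, trigger_on="pattern match",
            pattern=KEEPALIVE_PATTERN, pattern_offset=NBT_TYPE_OFFSET,
            action="keepaliveSpotted.bat")),
        # pattern seen at frame 20, then wait until the buffer is half full (frame 22)
        "pattern_then_half_full": run_capture(make_frames(200, 1500, keepalive_at=20), CaptureConfig(
            buf, trigger_on="pattern match then buffer space", buffer_percent=50,
            pattern=KEEPALIVE_PATTERN, pattern_offset=NBT_TYPE_OFFSET)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The headers-only run shows why the frame-size setting matters for long monitoring sessions: the same 200 frames that fill a buffer 43 frames in when captured whole use about 10 percent of it when only the Ethernet and IP headers are kept.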
Automatically Launching Network Monitor
You can use the Netmon command to launch Network Monitor from a batch file or use the Win2K Task Scheduler or At command to schedule a capture. To control the tool's actions, you can append switches to the Netmon command on the Win2K Task Scheduler command line or include switches in the batch file that you use the At command to schedule. The available switches are
/autostart—causes Network Monitor to start capturing data immediately.
/remote:computer—specifies the name of the remote computer you want the Network Monitor session to connect to. The specified computer must have the remote agent installed.
/net:number—directs Network Monitor to connect to a specific network interface. To find the number for a particular network interface, select Networks from the Capture menu. The interface number isn't the MAC address; it's simply the ordinal number of the interface you want. For example, the command
netmon /net:2
uses the second network interface listed in the Networks dialog box to launch Network Monitor. If your machine has a modem, Network Monitor will see the modem as an additional network interface.
/capturefilter path—specifies a capture filter for Network Monitor to use. Path is the path to the capture filter.
/displayfilter path—specifies a display filter for Network Monitor to load upon startup.
/buffersize:number—indicates the size of the buffer in megabytes.
/quickfilter type, address—tells Network Monitor to begin capturing data immediately and to filter on the specified address.
/autostop—causes Network Monitor to stop capturing data when the buffer is full.
For example, the command
netmon /autostart /buffersize:5 /autostop
launches Network Monitor, sets the buffer size at 5MB, immediately begins capturing data, and stops the capture when the buffer is full.
A Network Administrator Must-Have
I don't have enough room to explain everything Network Monitor can do—you could spend quite a bit of time learning all its capabilities. But you don't need to master all the tool's ins and outs before you find it useful. Begin with this thorough introduction to Network Monitor's features. Then, reach for Network Monitor whenever you're facing a problem whose source you can't pin down. I recommend incorporating Network Monitor into your maintenance routine as well. You'll be glad you did.