Network Monitoring with SMS

Diagnose network problems with this utility

Network troubleshooting is always a complex task for a systemsadministrator. A myriad of problems can occur on your network, includingproblems with the network's physical layer (wiring), problems with the NICsrunning on each machine, and even problems with the logical layer. Diagnosingthe exact problem is often a time-consuming, trial-and-error task.

To diagnose network problems, systems administrators generally use a network monitoring tool, sometimes known as a protocol analyzer. These devices can be either hardware or software that lets you review all packet traffic on your network and look for different problems. Basic hardware and software network monitoring tools do not provide diagnosis capability: They oftencollect only statistics and packets that you must manually sort through tofigure out a problem. Advanced, multithousand-dollar hardware devices usebuilt-in artificial intelligence to determine what, if any, network difficulties you have.

Microsoft BackOffice users do not need to spend thousands of dollars on a network monitoring solution. The Systems Management Server (SMS) component of BackOffice includes one. Unfortunately, many administrators are unawareof this feature and its power, because it is not adequately documented inreference sources, third-party SMS books, or training videos available from avariety of sources.

The Network Monitor lets you observe dozens of different protocolstraversing your network. These protocols include basic ones Microsoft productsuse to communicate with one another, such as Server Message Block (SMB) for filesharing, and other protocols such as Dynamic Host Configuration Protocol (DHCP)and NetBIOS. The monitor supports all major TCP/IP protocol components,including low-level TCP, IP, and User Datagram Protocol (UDP) packets, andhigher-level protocols such as FTP, NFS, and Domain Name System (DNS). ForNetWare-enabled environments, the Network Monitor lets you watch NetWare CoreProtocol (NCP), IPX, and SPX traffic. For a complete list of supportedprotocols, refer to the SMS Administrator's Guide.

Where Is It?
When you install SMS, the Network Monitor component installs on yourBackOffice server by default. (You can manually choose not to install thecomponent.) To verify the presence of the Network Monitor, look in the SMS menufrom the Programs option on the Start menu (or look in the SMS Program Group ifyou're running NT 3.51). If an SMS Network Monitor icon is present, thecomponent is available.

Before you use the Network Monitor for interactive debugging, you mustinstall the Network Monitor Agent. Unless you insert this agent into yoursystem's network configuration, you can use the Network Monitor only to view thecontents of capture files from other machines that have the Monitor Agent setup. To install the Monitor Agent into your system's network configuration, youmust manually run the Network configuration program from the Control Panel andadd the Monitor Agent. Once you add the Monitor Agent, reboot to activate theMonitor Agent in the system configuration.

To use the Network Monitor, you must have a NIC that supports promiscuousmode operation. In promiscuous mode, the NIC routes all packets it sees onthe network to the controlling network driver. Ordinarily, a NIC disregards anynetwork traffic that does not have the NIC's Media Access Control (MAC) address,a unique 12-character hexadecimal value each NIC manufacturer assigns to everycard. Typically, if a packet does not have the correct address, your NIC willnot route the packet to your computer's network device driver; the card willdiscard packet.

You can launch the Network Monitor in two ways. In the first method, selectthe SMS Network Monitor option from the Systems Management Server Programs menuin NT 4.0. The Network Monitor will launch with no filtering defaults. Or,launch the Network Monitor within the SMS Administrator by double-clicking theNetwork Monitor option when you are reviewing a personal computer's propertieswithin the SMS Administrator. This approach will automatically set up NetworkMonitor to filter packets for only that specific machine.

Information Overload
When you first launch the Network Monitor, information overload occurs. Themain Network Monitor window, the Capture Window, appears and displaysinformation regarding the network adapter the monitor is observing. If your NTmachine is multihoming (i.e., you have more than one network adapter), switchbetween the adapters to make sure you're monitoring the correct network. Toswitch adapters, select Capture, Networks from the menu.

The Capture Window consists of four panes--Total Statistics Pane, GraphPane, Station Statistics Pane, and Session Statistics Pane--and gives you anoverview of network performance and information on the monitor's capture status,as Screen 1 shows. Above the four panes, you'll see a toolbar with severaloption buttons that let you turn individual panes on and off and start, stop,and view the packet capture buffer.

Before you can collect network performance statistics, you must specify apacket filter and tell the Network Monitor to start collecting packets. A packetfilter is a set of Boolean rules to tell the Network Monitor the packets youwant to capture in the capture buffer and compute statistics with. Packetfilters have two components: an origin address and a destination address. Youcan collect all packets that you plan to send to a particular address or thosethat originate from a particular address, or a combination of the two. You canalso use a wildcard, ANY, to specify any address the Network Monitor observes.By default, if you start the Network Monitor directly from the Start menu,Network Monitor will use the ANY wildcard for both inbound and outbound packets.If you start from the SMS Administrator, the packet filter will select packetsonly for the particular machine you specify.

Display Panes
When you use the Network Monitor, keep an eye on the Total Statistics Pane,which contains ASCII information on network statistics and captured framestatistics. In particular, watch % Buffer Utilized. If this number exceeds 100percent, you will begin to lose capture data in your buffer, and you probablyneed to design a tighter capture filter or increase the buffer size.

The Graph Pane provides five different graphical representations of theactivity on your network: percent of network utilization (from 0 to 100), numberof frames per second, number of bytes per second, number of broadcasts persecond, and number of multicasts per second. Three numbers under each barrepresent, from left to right, the minimum, average, and maximum number achievedin the category.

With the Graph Pane, you can quickly assess which category network activityoriginates from. For instance, if your network shows a high percent forutilization, you can use the Graph Pane to examine traffic classification. Isthe traffic normal or showing a large number of multicasts or broadcasts? Withthe data on the bar graphs, you can determine the type of traffic on yournetwork. For example, if you see high utilization (resulting in slow networkthroughput) but a high number of broadcasts, determining and correcting thebroadcast problem will improve performance.

To identify stations consuming a great deal of network bandwidth, refer tothe Station Statistics Pane at the bottom of the window. This pane summarizesall traffic on the network on a station-by-station basis. It shows the networkaddress, number of frames sent and received, number of bytes sent and received,and number of broadcasts from the station. Review the information on the lineappropriate for the station in question. For example, assume that your users arecomplaining of sluggish output. A review of the Graph Pane shows you have asignificant amount of activity but nothing extraordinary (such as a significantnumbers of broadcasts). How do you determine the source of the problem?

Double-click any column header within the Station Statistics Pane to sortin ascending order all rows by the values in the column. Double-click a columntitle a second time to re-sort all data in descending order. Thus, to identifyusers consuming a large amount of bandwidth, you can double-click on the BytesSent or Bytes Received columns to observe the stations consuming the mostbandwidth.

The Session Statistics Pane contains information about the individualsessions running on your network and other useful details. It tells you wherethe packets originate and their destinations, with a packet count from theoriginating station sent to the destination and vice-versa. This pane also listsvarious system addresses, such as the NetBIOS multicast and IP Broadcastaddresses, so you can identify stations that are sending a lot of packets inthose categories.

Once you identify the offending station, you may have to take the processone step further and retrieve the machine name for the station (if the NetworkMonitor does not provide the machine name by default) so you can determine whichuser is causing the traffic. You can obtain this name through the SMS databaseand determine whether the traffic you observe is normal or a potential problem.

Buffer Review
Statistics collection and review are only two of Network Monitor'scapabilities. By far, Frame Viewer Window is a more powerful feature. With it,you can review the contents of the packets traversing your network.

To access the Frame Viewer Window, stop the Network Monitor's packetcollection: Click Stop on the toolbar and then View, or use the Network Monitorshortcut key (Shift+F11) to stop and immediately view the capture buffercontents.

The Frame Viewer Window consists of three panes, as Screen 2 shows: theSummary Pane, Detail Pane, and Hex Pane. The Summary Pane displays a summary ofpackets in the capture buffer. The Detail Pane displays the frame's contents,including protocol information. The Hex Pane shows a hexadecimal and ASCIIrepresentation of the captured frames.

To use the Frame Viewer Window, you first shuffle through the overview offrames in the capture buffer listed in the Summary Pane. The data in this paneincludes a frame number, time of capture, source and destination MAC addresses,the protocol used to transmit the frame, and a description of the frame'scontents.

From the Summary Pane, identify the frame you want to view, and click it.The data in the Detail and Hex panes will change to reflect the frame youselected. The Detail Pane uses an Explorer-like, drill-down method for viewingcapture data. When you select a packet from the Summary Pane, the Detail Panewill automatically show you the packet components. Each component will have aplus or minus symbol next to it to show whether you have exploded the view ofthat component. Each time you click an entry in the Summary Pane, you highlightthe hexadecimal data the Network Monitor uses to decode the frame.

For example, for a typical Ethernet packet, you'll view three or morepacket components. The first component is the base frame properties, the secondconsists of flags marking the packet as an Ethernet packet (including whichEthernet frame type is in use, such as 802.2 or 802.3), and finally thecomponents of the particular protocol (FTP, DNS, etc.). When you click the plussymbols, you expand the individual components and can view their structure. Hereyou might discover that a TCP checksum or message became corrupt duringtransmission.

The true power of the Frame Viewer Window is that it lets you viewfirsthand the data traversing your network. This feature is powerful foradvanced network administrators who want to view the types of requests and datafrom both source and destination addresses. When you selectively targetindividual workstations, you can inspect transmissions to look for telltaleproblems such as data corruption in frame headers or data packets. In theseinstances, you might have a physical-layer networking problem where an outsideinfluence, such as electromagnetic interference, is causing your networkproblem.

Monitor Caveats
Network Monitor's limitations include its small default capture buffer andthe need to have this capture buffer in real memory. The default size is 1MB, avalue that causes the buffer to rapidly fill up if you have a busy network. Tochange this value, choose Capture from the menu-bar and select Buffer Settings.Because the capture buffer must consume real, not virtual, memory (and thusavoid potentially losing network frames), keep this buffer size to a small,reasonable value (based on a percentage of your total system memory) to preventsystem degradation.

Another Network Monitor limitation is its ability to capture statisticsonly on the first 128 nodes it detects on the network. If your network has morethan 128 nodes, the network monitor will detect only the first 128 nodes andgenerate statistics from them. This data might falsely show less activity onyour network than you have.

Another potential problem is segmented network traffic. If you segment yournetwork using an Ethernet switch, the Network Monitor will see only packets thattransmit over the leg of the network that the monitor is physically connectedto. Again, this data might show an apparent decrease in the amount of traffic,especially if you use workgroup features on a segmented leg of a network whereyou don't run the Network Monitor. To combat this problem and obtain moreprecise statistics on your network's performance, install Monitor Agents onqualifying client machines on each leg of your segmented network. You can theninterrogate and collect statistics from those agents with the centralizedNetwork Monitor utility.

Even with these caveats, SMS's Network Monitor utility is powerful andflexible. A network administrator will find it helpful in diagnosing networkproblems.