Windows Server Troubleshooting - Network Monitor

Click here to start saving with ING DIRECT!

Home | Up | Methodology | Architecture | Tools | Memory | Processor | Registry | File System | Active Directory | Contents

Get the Book

Major Topics
Methodology
Architecture
Tools
Memory
Processor
Registry
File System
Network
Active Directory
Contents
Other Topics
Counters
Browser
Bindings
Network Monitor
Commands
Name Resolution
Ethernet
Protocols
More Detail
Filter

eXpert Genealogy

Memory from Crucial.com


2003-2006 Team Approach Limited
All rights reserved


Network Monitor is a software protocol analyzer. Protocol analyzers eavesdrop on data communications. With Ethernet, every message sent includes a destination address. LANs share the media with all workstations and although every NIC detects each message, normally only the NIC that matches the address will read the message. Protocol analyzers take advantage of the shared environment by putting the NIC in promiscuous mode so that every message can be read.

Windows Server includes the Lite version of Network Monitor. It captures only traffic to and from the local server. Microsoft's SMS package includes the full version of Network Monitor that uses promiscuous mode thereby capturing all LAN traffic. The binary network frames are then decoded and displayed, identifying the sender and receiver and labeling all of the protocol layers and fields.

  Client LAN packets   Server LAN packets
 
 packet
 
 packet
 
packet  
 
packet 
 
   

Network Monitor capturing LAN packets

An important field in TCP and UDP is the port number. The port number identifies the destination service on the server. For example, web requests using HTTP will have the port number set to 80. Other well known port numbers are identified in a table below

UDP port number Description
53 DNS name queries
69 Trivial File Transfer Protocol (TFTP)
137 NetBIOS name service
138 NetBIOS datagram service
161 Simple Network Management Protocol (SNMP)
520 Routing Information Protocol (RIP)
TCP port number Description
20 FTP server (data channel)
21 FTP server (control channel)
23 Telnet server
53 Domain Name System zone transfers
80 Web server (HTTP)
139 NetBIOS session service

Visit www.ethereal.com to get a protocol analyzer similar to Network Monitor. It will run on Windows Professional which does not include Network Monitor.

Understanding everything about network protocols requires long-term study. Network Monitor is an excellent tool to use in this study. Without much understanding of protocols, you can still use Network Monitor to study network problems by capturing LAN packets and noting source and destination addresses for

  • MAC Media Access Control addresses such as Ethernet addresses
  • IP addresses
  • Port numbers addressing network services

Network Monitor displays real-time statistics while capturing data as shown below. The windows is divided into panes as follows.

Position Pane Description
Top Graph Histograms
Right Total stats Numeric statistics
Middle Session Frames between every pair. Identifies which network conversations
Bottom Station Statistics for each station. Identifies stations producing excess traffic or broadcasts.

Take special note of broadcast traffic because broadcasts cause interrupts on all machines in the subnet. Broadcasts from remote computers will cause interrupts on every local computer thereby affecting performance on every local computer.

Once captured, each frame can be viewed and investigated in the capture window. Initially, the summary pane displays a summary of each frame in each line. If you double-click one of the frames, the window then divides into three panes as follows.

Position Pane Description
Top Summary One line for each frame
Middle Detail One frame decoded
Botton Hexadecimal Raw data

Keyboard Exercise

Start Network Monitor, start the capture and then wait until some network traffic is collected. Select the Stop and View option and then investigate some of the captured packets.