
ID network snafus with Netmon

You'll see troubleshooting questions on your Win2K exams, guaranteed. This week's Paperchase Digest explains how to use Win2K's Netmon, which can help spot network bottlenecks and failures.


Sit for a Windows 2000 exam, and you’re sure to find several questions targeting monitoring, optimization, and troubleshooting. Ensure you’re ready by studying up on Win2K’s monitoring utilities.
Last week, I examined the first of Windows 2000’s triumvirate of monitoring and optimization tools, Performance Monitor. This week, I’ll take a look at Network Monitor, and next week I’ll target the Simple Network Management Protocol.

Before you can use Network Monitor …
By capturing and viewing network traffic, Network Monitor can help you diagnose hardware and software errors on your network. First, though, you have to install Netmon. You have two choices: You can select it as a networking component to add when installing Windows 2000, or you can install it later. Netmon is not installed by default. If you’re working on a Windows 2000 server that hasn’t had the utility installed, installation’s a snap. Just follow these steps:
  1. Open Control Panel.
  2. Click on Add/Remove Programs.
  3. Select Add/Remove Windows Components.
  4. Select Management And Monitoring Tools.

Network Monitor Tools are included within Management And Monitoring Tools. Both the Network Monitor utility and the Network Monitor agent, or driver, are installed.

Once installed, you can launch Network Monitor by typing netmon at a command prompt or by selecting Start | Programs | Administrative Tools | Network Monitor.

How’s it work?
Netmon captures data traffic traveling on the local network segment. You can also use Netmon to capture data streams on remote segments, but Systems Management Server (SMS) version 1.2 or 2.0 is required.
The Netmon version that ships with Win2K captures only data frames sent to or from the local computer. SMS versions 1.2 or 2.0 permit the collection of data from remote systems, including those located across a dial-up connection.
Data that travels across the network is broken into packets, as any IP aficionado can tell you. These packets each contain the following:
  • Source address
  • Destination address
  • Protocol headers
  • The actual data payload
  • A cyclical redundancy check, or CRC

Using Netmon
When you fire up Netmon, you’ll be greeted with a dialog box asking you to specify which network you want to monitor, as shown in Figure A.

Figure A


Once you’ve selected a network, you can begin capturing data by selecting Start from the Capture menu or clicking the Play button on the toolbar.

Network Monitor then begins capturing session information, which is displayed in the Netmon interface. Netmon displays data stream information from the first 100 unique sessions it detects.

Network Utilization, Frames Per Second, Bytes Per Second, Broadcasts Per Second, and Multicasts Per Second information is provided in graph form in the top-left pane, as shown in Figure B.

Figure B


Network address information appears in the next pane, while session data information is tabulated in the bottom pane. The top-right pane, meanwhile, collects network and captured statistics.

You can use capture filters to control the amount of information captured in the data stream. You can do so by selecting Filter from the Capture menu and adding or deleting those values you want to track by building a logical data tree.

Should you want to monitor a single protocol, just enter the protocol on the SAP/ETYPE= line within the capture filter. All protocols are enabled by default.

You can also filter captures by address and data pattern. Address pairs include the addresses of the two systems that are trading packets and the direction in which you want to monitor traffic (indicated by arrows). You then use INCLUDE or EXCLUDE values to specify whether you want to capture the specified data or pass it on without recording it. Data patterns allow you to filter packet information based on either ASCII or hexadecimal patterns.
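As an added illustration (this is not code from the article or from Microsoft), the following Python model shows how the three filter criteria just described combine: the SAP/ETYPE protocol set, an address pair with a direction and an INCLUDE or EXCLUDE flag, and a data pattern matched at an offset. It also splits each constructed frame into the fields listed earlier (destination, source, protocol header, payload, CRC). The MAC addresses, payloads and the direction/include encoding are this example's own assumptions.

```python
import struct
import zlib

ETYPE_IP, ETYPE_ARP = 0x0800, 0x0806   # EtherType values as entered on the SAP/ETYPE line

def build_frame(dst, src, etype, payload):
    """Constructed Ethernet II frame: dst MAC, src MAC, EtherType, data, 4-byte CRC."""
    body = bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", etype) + payload
    return body + struct.pack("<I", zlib.crc32(body))

def parse_frame(raw):
    """Split a frame into the fields the article lists and verify its CRC."""
    body, fcs = raw[:-4], raw[-4:]
    return {"dst": body[:6].hex(), "src": body[6:12].hex(),
            "etype": struct.unpack("!H", body[12:14])[0], "data": body[14:],
            "crc_ok": struct.pack("<I", zlib.crc32(body)) == fcs}

def matches(frame, etypes, pair=None, pattern=None):
    """Filter test in Netmon's order: enabled protocols, then an address pair
    (a, b, direction "->"/"<-"/"<->", include flag), then a data pattern."""
    if frame["etype"] not in etypes:            # protocol not enabled on SAP/ETYPE
        return False
    if pair:
        a, b, direction, include = pair
        fwd = frame["src"] == a and frame["dst"] == b
        rev = frame["src"] == b and frame["dst"] == a
        hit = {"->": fwd, "<-": rev, "<->": fwd or rev}[direction]
        if hit != include:                      # INCLUDE keeps hits, EXCLUDE drops them
            return False
    if pattern:                                 # (offset, bytes) matched inside the payload
        offset, needle = pattern
        if frame["data"][offset:offset + len(needle)] != needle:
            return False
    return True

def apply_filter(frames, etypes, pair=None, pattern=None):
    """Drop damaged frames, then keep the ones the capture filter accepts."""
    parsed = [f for f in map(parse_frame, frames) if f["crc_ok"]]
    return [f for f in parsed if matches(f, etypes, pair, pattern)]

# Constructed sample traffic between three hosts A, B and C (made-up MACs).
A, B, C = "001122334455", "66778899aabb", "ccddeeff0011"
FRAMES = [
    build_frame(B, A, ETYPE_IP, b"GET /index.html HTTP/1.0"),   # A -> B
    build_frame(A, B, ETYPE_IP, b"HTTP/1.0 200 OK"),            # B -> A
    build_frame(C, A, ETYPE_IP, b"GET /logo.gif HTTP/1.0"),     # A -> C
    build_frame("ffffffffffff", A, ETYPE_ARP, b"who-has B?"),   # A broadcast
]
```

Calling `apply_filter(FRAMES, {ETYPE_IP}, pair=(A, B, "<->", False))` keeps only the A to C request, which is what an EXCLUDE on the A/B pair does in the Netmon filter tree.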
For security purposes, Network Monitor detects other Netmon installations. If Netmon finds other instances of Netmon running, it displays a wealth of information, including the names of the user and computer running the offending utility.
Once your data is captured, it’s time to study it. While a capture is still running, you can display the captured data by selecting Stop And View from the Capture menu. If the capture has already been stopped, view the data you’ve recorded by choosing Display Captured Data from the Capture menu (or by pressing [F12]). Doing so reveals the information that’s been recorded, as shown in Figure C. (We highlighted the session and then selected a specific frame.)

Figure C


You can use yet another filter, the Display Filter, to simplify your review of the data you’ve collected. You create it by building a logical data tree similar to the one used for Capture Filters. You can narrow your search for a network culprit by filtering the display based on source or destination addresses, protocols, and/or properties and values contained in the packet.

As with Perfmon and Sysmon, your server takes a slight performance hit when running the Netmon utility. You can lessen the impact Netmon has on your systems’ resources by running it in the background. Just open the Capture menu and choose Dedicated Capture Mode. You should use this strategy if data packets are being dropped. Also, be sure your capture buffer is large enough to store the network data traffic you want to record.

For more information on Network Monitor and its use on TCP/IP networks, visit Microsoft’s Web site. TCP/IP troubleshooting tips, including strategies employing Netmon, can be found here.

Erik Eckel MCP+I, MCSE, is editor in chief of TechRepublic's IT communities. He's previously held positions as a high-speed IP access product manager and a communications representative for nationwide long-distance, data networking, and Internet services providers.
