Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


July 1997

Network Monitoring with SMS



Display Panes
When you use the Network Monitor, keep an eye on the Total Statistics Pane, which contains ASCII information on network statistics and captured frame statistics. In particular, watch % Buffer Utilized. If this number exceeds 100 percent, you will begin to lose capture data in your buffer, and you probably need to design a tighter capture filter or increase the buffer size.

The Graph Pane provides five different graphical representations of the activity on your network: percent of network utilization (from 0 to 100), number of frames per second, number of bytes per second, number of broadcasts per second, and number of multicasts per second. Three numbers under each bar represent, from left to right, the minimum, average, and maximum number achieved in the category.

With the Graph Pane, you can quickly assess which category of traffic is driving your network activity. For instance, if your network shows a high utilization percentage, you can use the Graph Pane to examine how the traffic is classified. Is the traffic normal, or does it show a large number of multicasts or broadcasts? With the data on the bar graphs, you can determine the type of traffic on your network. For example, if you see high utilization (resulting in slow network throughput) together with a high number of broadcasts, determining and correcting the broadcast problem will improve performance.

To identify stations consuming a great deal of network bandwidth, refer to the Station Statistics Pane at the bottom of the window. This pane summarizes all traffic on the network on a station-by-station basis. It shows the network address, number of frames sent and received, number of bytes sent and received, and number of broadcasts from the station. Review the information on the line for the station in question. For example, assume that your users are complaining of sluggish output. A review of the Graph Pane shows you have a significant amount of activity but nothing extraordinary (such as a significant number of broadcasts). How do you determine the source of the problem?

Double-click any column header within the Station Statistics Pane to sort all rows in ascending order by the values in that column. Double-click the column header a second time to re-sort all data in descending order. Thus, to identify users consuming a large amount of bandwidth, you can double-click the Bytes Sent or Bytes Received column to bring the stations consuming the most bandwidth to the top.

The Session Statistics Pane contains information about the individual sessions running on your network and other useful details. It tells you where the packets originate and their destinations, with a packet count from the originating station sent to the destination and vice-versa. This pane also lists various system addresses, such as the NetBIOS multicast and IP Broadcast addresses, so you can identify stations that are sending a lot of packets in those categories.

Once you identify the offending station, you may have to take the process one step further and retrieve the machine name for the station (if the Network Monitor does not provide the machine name by default) so you can determine which user is causing the traffic. You can obtain this name through the SMS database and determine whether the traffic you observe is normal or a potential problem.
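The per-station and per-session tallies described above can be reproduced from raw captured frames. The following is an added example, not Network Monitor's own code: the function names (`station_stats`, `top_talkers`), the counter names, and the MAC addresses in the sample are constructed for illustration.

```python
from collections import Counter, defaultdict

BROADCAST = b"\xff" * 6

def mac(b):
    return ":".join(f"{x:02X}" for x in b)

def classify(dst):
    """Broadcast, multicast (group bit set in the first octet) or unicast."""
    if dst == BROADCAST:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"

def station_stats(frames):
    """Per-station counters (cf. Station Statistics Pane) and per-pair
    frame counts (cf. Session Statistics Pane)."""
    stats, sessions = defaultdict(Counter), Counter()
    for f in frames:
        if len(f) < 14:              # shorter than an Ethernet header: skip
            continue
        dst, src = f[0:6], f[6:12]
        kind = classify(dst)
        s = stats[mac(src)]
        s["frames_sent"] += 1
        s["bytes_sent"] += len(f)
        if kind == "unicast":        # only unicast has a single receiver
            d = stats[mac(dst)]
            d["frames_rcvd"] += 1
            d["bytes_rcvd"] += len(f)
            sessions[(mac(src), mac(dst))] += 1
        else:
            s[kind + "s_sent"] += 1  # broadcasts_sent / multicasts_sent
    return stats, sessions

def top_talkers(stats, column="bytes_sent", n=3):
    """Descending sort on one column, like the second double-click."""
    return sorted(stats, key=lambda m: stats[m][column], reverse=True)[:n]

def frame(dst, src, payload_len):
    """Constructed frame: Ethernet II header plus zero-filled payload."""
    return bytes.fromhex(dst + src + "0800") + bytes(payload_len)

# Constructed sample capture: A and B exchange data, C floods broadcasts.
A, B, C = "00a0c9000001", "00a0c9000002", "00a0c9000003"
SAMPLE = ([frame(B, A, 100)] + [frame(A, B, 1400)] * 2 +
          [frame("ffffffffffff", C, 46)] * 3 + [frame("01005e000001", C, 46)])

if __name__ == "__main__":
    stats, sessions = station_stats(SAMPLE)
    print(top_talkers(stats), top_talkers(stats, "broadcasts_sent", 1))
```

Sorting on `bytes_sent` surfaces the bulk sender, while sorting on `broadcasts_sent` surfaces a different station entirely, which is why the article checks the Graph Pane's traffic classification before picking a column.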

Buffer Review
Statistics collection and review are only two of Network Monitor's capabilities. The Frame Viewer Window is by far the more powerful feature. With it, you can review the contents of the packets traversing your network.

To access the Frame Viewer Window, stop the Network Monitor's packet collection: Click Stop on the toolbar and then View, or use the Network Monitor shortcut key (Shift+F11) to stop and immediately view the capture buffer contents.

The Frame Viewer Window consists of three panes, as Screen 2 shows: the Summary Pane, Detail Pane, and Hex Pane. The Summary Pane displays a summary of packets in the capture buffer. The Detail Pane displays the frame's contents, including protocol information. The Hex Pane shows a hexadecimal and ASCII representation of the captured frames.

To use the Frame Viewer Window, you first shuffle through the overview of frames in the capture buffer listed in the Summary Pane. The data in this pane includes a frame number, time of capture, source and destination MAC addresses, the protocol used to transmit the frame, and a description of the frame's contents.

From the Summary Pane, identify the frame you want to view, and click it. The data in the Detail and Hex panes will change to reflect the frame you selected. The Detail Pane uses an Explorer-like, drill-down method for viewing capture data. When you select a packet from the Summary Pane, the Detail Pane will automatically show you the packet components. Each component will have a plus or minus symbol next to it to show whether you have expanded the view of that component. Each time you click an entry in the Summary Pane, you highlight the hexadecimal data the Network Monitor uses to decode the frame.

For example, for a typical Ethernet packet, you'll view three or more packet components. The first component is the base frame properties, the second consists of flags marking the packet as an Ethernet packet (including which Ethernet frame type is in use, such as 802.2 or 802.3), and finally the components of the particular protocol (FTP, DNS, etc.). When you click the plus symbols, you expand the individual components and can view their structure. Here you might discover that a TCP checksum or message became corrupt during transmission.
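The layered decode and the checksum check mentioned above, as an added example that is not part of the original article or of Network Monitor: it decodes Ethernet, IPv4 and TCP from raw bytes and verifies both checksums. The sample frame, its addresses and the helper names are constructed for illustration.

```python
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP and verify both checksums."""
    out = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    type_len = struct.unpack("!H", frame[12:14])[0]
    # Up to 1500 the field is an 802.3 length; 0x0600 and above is an EtherType.
    out["framing"] = "802.3" if type_len <= 1500 else "Ethernet II"
    if type_len != 0x0800:                   # not IPv4: stop at the link layer
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    out["ip_checksum_ok"] = csum16(ip[:ihl]) == 0   # intact header sums to 0
    if ip[9] == 6:                           # protocol 6 = TCP
        seg = ip[ihl:total_len]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
        out["tcp_checksum_ok"] = csum16(pseudo + seg) == 0
    return out

def build_sample() -> bytes:
    """Constructed frame: 10.0.0.1:1025 -> 10.0.0.2:21 carrying b'NOOP\\r\\n'."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 1025, 21, 1, 1, 0x50, 0x18, 8192, 0, 0) + b"NOOP\r\n"
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", csum16(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0, 128, 6, 0) + src + dst
    ip = ip[:10] + struct.pack("!H", csum16(ip)) + ip[12:]
    eth = bytes.fromhex("00a0c9000002") + bytes.fromhex("00a0c9000001") + b"\x08\x00"
    return eth + ip + tcp

def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit at a non-negative offset to simulate damage in transit."""
    return frame[:offset] + bytes([frame[offset] ^ 0x01]) + frame[offset + 1:]

if __name__ == "__main__":
    good = build_sample()
    print(decode(good))
    print(decode(corrupt(good, len(good) - 1)))
```

On hosts with checksum offload, frames sent by the capturing machine itself can show a bad TCP checksum because the adapter fills it in after the capture point, so compare against frames received from other stations before suspecting the wire.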

The true power of the Frame Viewer Window is that it lets you view firsthand the data traversing your network. This feature is powerful for advanced network administrators who want to view the types of requests and data from both source and destination addresses. When you selectively target individual workstations, you can inspect transmissions to look for telltale problems such as data corruption in frame headers or data packets. In these instances, you might have a physical-layer networking problem where an outside influence, such as electromagnetic interference, is causing your network problem.

Monitor Caveats
Network Monitor's limitations include its small default capture buffer and the need to have this capture buffer in real memory. The default size is 1MB, a value that causes the buffer to fill up rapidly if you have a busy network. To change this value, choose Capture from the menu bar and select Buffer Settings. Because the capture buffer must consume real, not virtual, memory (and thus avoid potentially losing network frames), keep this buffer size to a small, reasonable value (based on a percentage of your total system memory) to prevent system degradation.

Another Network Monitor limitation is its ability to capture statistics only on the first 128 nodes it detects on the network. If your network has more than 128 nodes, the Network Monitor will detect only the first 128 nodes and generate statistics from them. This data might falsely show less activity on your network than you have.

Another potential problem is segmented network traffic. If you segment your network using an Ethernet switch, the Network Monitor will see only packets that transmit over the leg of the network that the monitor is physically connected to. Again, this data might show an apparent decrease in the amount of traffic, especially if you use workgroup features on a segmented leg of a network where you don't run the Network Monitor. To combat this problem and obtain more precise statistics on your network's performance, install Monitor Agents on qualifying client machines on each leg of your segmented network. You can then interrogate and collect statistics from those agents with the centralized Network Monitor utility.

Even with these caveats, SMS's Network Monitor utility is powerful and flexible. A network administrator will find it helpful in diagnosing network problems.

 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc.