Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
May 01, 2000

Network Monitor Basics



Discover what Network Monitor does and what's new in version 2.0

Network Monitor isn't the most intuitive Microsoft Systems Management Server (SMS) program, but it's a useful tool that deserves your attention. After you understand the program's basic capabilities, you can put it to work for you. This knowledge will also help you recognize the new features in SMS 2.0's Network Monitor 2.0.

Network Monitor Basics
Network Monitor lets administrators watch packets (aka frames) traverse a network wire and copy them, in the form of a capture, to the system on which Network Monitor is running. Network Monitor requires a NIC that the program can put into promiscuous mode (p-mode). In p-mode, the NIC passes every frame it sees up to the software, regardless of the frame's destination media access control (MAC) address. When the NIC isn't in p-mode, it accepts only frames addressed to its own MAC address (plus broadcasts and any multicasts it has joined). To monitor a network, Network Monitor puts the NIC into p-mode, then returns the NIC to normal mode when the capture completes. Most NICs support p-mode; if you're unsure whether your NIC and its driver do, check the manufacturer's Web site. Two caveats apply. First, p-mode shows you only the frames that reach your NIC: on a shared hub segment that's everything, but on a switched LAN you'll see other stations' unicast traffic only if the switch mirrors it to your port. Second, a NIC in p-mode turns the capture station into a sniffer, so restrict Network Monitor to trusted administrators and treat saved captures as sensitive data, because they can contain cleartext passwords and other confidential payloads.

Network Monitor comes in two versions: a scaled-down one that Microsoft bundles with Windows NT 4.0 and the full version that ships with SMS. The NT 4.0 Network Monitor is a limited cut of the SMS 1.2 Network Monitor. For example, it lets you see only traffic to or from the system on which it runs; you can't observe traffic between two other computers unless you're monitoring from one of them. In addition, the NT 4.0 Network Monitor can't replay (retransmit) captured packets onto the network. The SMS version lets you capture packets traveling between one address and another (or several addresses) or view all packets traversing the LAN. The SMS version's only real restriction is that you must install certain SMS components on the system from which you're viewing and capturing packets.

Network Monitor 2.0
To install Network Monitor 2.0, run Setup from the \nmext\i386 directory on the SMS 2.0 CD-ROM. If you run Network Monitor Setup before you install the Windows Management Instrumentation (WMI) service (i.e., before you install the SMS client software on the system), the installation will run but the system will prompt you with a warning that Network Monitor won't work until WMI is present.

Network Monitor 2.0 and 1.2 let you monitor and capture every packet that crosses the segment your NIC is attached to. Alternatively, you can enter the MAC addresses and names of the computers you care about and capture only their traffic. Restricting the capture to particular computers is called setting a capture filter. You can filter packets by computer (address), by protocol, or by frame properties. You can also choose the direction of flow for an address pair if, for example, you want to capture packets from one computer to another but don't care about the response packets from the receiving system (e.g., to watch one side of a Windows master browser election).

To set up a filter, click Capture, Filter from the Network Monitor main menu. The system will present you with the Capture Filter dialog box, which Screen 1 shows. Click Address in the Add section of the dialog box, click Edit Address, then click Add. Input a name for the machine you want to add to the filter. Then, enter the machine's MAC address, and select whether you want to keep the name permanently or only for that session. Click OK until you reach the main menu.

To add addresses to your filter list after you configure the filter, click the Addresses option in Network Monitor's Capture menu. If you don't know a system's MAC address, ping the computer you want to add (which puts its entry in your ARP cache), then run arp -g (the same listing as arp -a on Windows) to read the address from the cache. Note that ARP resolves only hosts on your own subnet; for a host behind a router, the cache shows the router's MAC address instead. A simple alternative is to open the discovery data record (DDR) in SMS 2.0 for the system you want to add; a client computer's DDR lists the computer's IP and MAC addresses. After you configure a filter, you can save it as a file for reuse; the system gives a saved filter a .cf extension.

After you determine which computers you want to observe and add their addresses to the capture filter list, you're ready to start capturing packets. Starting a network capture is easy. To enable capturing, click the Start option in the Capture menu (or press F10). To view the captured packets, click Capture, Stop and View (or press Shift+F11).

While Network Monitor is in capture mode, the captured data goes into a capture buffer (a temporary holding area that's discarded unless you save it) until you view or save it. If you stop the capture by clicking Capture, Stop, the system asks whether you want to save the capture to a permanent file (which gets a .cap extension). Saving captures is useful if, for example, you want to generate baselines for computers that are coming online and aren't yet fully functional. You can save the capture and compare it with one you create later; changes stand out in the station statistics, that is, in the number of frames each station sent. In this way, you can build a performance baseline that gives you some idea of a computer's normal network behavior.
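As an added illustration (not code from this article or from Network Monitor), the following Python script models what the capture filter and the baseline comparison above do: it reads MAC addresses out of constructed arp -a output, applies a Network Monitor-style address-pair filter with a direction to a handful of constructed Ethernet frames, counts frames per sending station, and reports the change between a baseline capture and a later one. The arp output, the MAC addresses and the frames are all made up for the example, and the filter class is a simplification of Network Monitor's address-pair semantics (it supports only an *any wildcard, not *broadcast).

```python
import re
import struct
from collections import Counter

# Constructed sample of Windows "arp -a" output ("arp -g" prints the same listing);
# every address in it is made up for this example.
ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-50-56-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: mac} from arp -a output, MACs normalized to aa:bb:cc:dd:ee:ff."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def make_frame(src, dst, ethertype=0x0800, payload=b""):
    """Build a minimal Ethernet II frame (constructed input, not a real capture)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (src, dst, ethertype) from the 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(src), mac_str(dst), ethertype

ANY = "*any"   # wildcard station, in the spirit of Network Monitor's *ANY entry

class CaptureFilter:
    """Address-pair filter modelled on Network Monitor's Capture Filter dialog.

    Each entry is (station_a, station_b, direction); direction is '<->' for
    traffic both ways or '->' for a-to-b only. A filter with no entries
    matches every frame, which is what an unfiltered capture does.
    """
    def __init__(self):
        self.pairs = []

    def add(self, a, b=ANY, direction="<->"):
        if direction not in ("<->", "->"):
            raise ValueError("direction must be '<->' or '->'")
        self.pairs.append((a.lower(), b.lower(), direction))

    @staticmethod
    def _is(station, mac):
        return station == ANY or station == mac

    def matches(self, src, dst):
        if not self.pairs:
            return True
        for a, b, direction in self.pairs:
            if self._is(a, src) and self._is(b, dst):
                return True
            if direction == "<->" and self._is(b, src) and self._is(a, dst):
                return True
        return False

def frames_per_station(frames, capture_filter):
    """Count frames sent by each source MAC that passes the capture filter."""
    counts = Counter()
    for frame in frames:
        src, dst, _ = parse_frame(frame)
        if capture_filter.matches(src, dst):
            counts[src] += 1
    return counts

def baseline_delta(baseline, later):
    """Per-station change in sent-frame count between two captures."""
    return {s: later.get(s, 0) - baseline.get(s, 0) for s in set(baseline) | set(later)}

def demo():
    """Baseline vs. later capture through a one-way filter (host -> gateway only)."""
    arp = parse_arp_table(ARP_OUTPUT)
    gw, host = arp["192.168.1.1"], arp["192.168.1.20"]
    other = "00:11:22:33:44:55"           # a station deliberately left out of the filter
    filt = CaptureFilter()
    filt.add(host, gw, "->")              # keep host->gateway, drop the gateway's replies
    baseline = [make_frame(host, gw), make_frame(gw, host), make_frame(other, gw)]
    later = baseline + [make_frame(host, gw)] * 3
    before = frames_per_station(baseline, filt)
    after = frames_per_station(later, filt)
    return before, after, baseline_delta(before, after)

if __name__ == "__main__":
    print(demo())
```

The one-directional pair in demo() keeps the host's frames to the gateway and drops the gateway's reply, which is the effect the article's browse-master example relies on; the station left out of the filter never appears in the counts, so the baseline delta reports only the stations you asked about.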

Capture Buffer
By default, Network Monitor sets the capture buffer to only 1MB, so the buffer fills quickly on busy networks. When the buffer reaches capacity, Network Monitor uses a first in/first out (FIFO) storage method to handle the data (i.e., the program deletes the oldest data). Thus, you might run into a snag if you want to view old data that Network Monitor has purged from the buffer. You can use one of three methods to work around this problem: Enlarge the capture buffer, scale down the scope of your capture, or set a trigger that automatically stops the capture when the buffer fills to a predetermined level.

Enlarge the capture buffer. If you're performing only a one-time capture, a particularly useful solution is to enlarge the capture buffer: click Capture, Buffer Settings, then set a larger buffer size. This option isn't practical for many routine captures, however, because a large buffer ties up a lot of memory and, once saved, disk space.

Scale down your capture's scope. Another alternative is to narrow the capture filter to fewer stations or protocols. However, this method doesn't help you discover chatty NICs (i.e., cards that continuously send broadcast frames onto the LAN) or problematic Windows 95 master browser elections (i.e., a Win95 system that thinks it should be the master browser and forces an election), because you can't know in advance which station to include in the filter.

Set a capture trigger. To set a capture trigger, click Capture, Trigger, and select the Buffer Space option in the Capture Trigger dialog box, which Screen 2 shows. Next, select the percentage of buffer space you want to set as the maximum space the buffer can consume before the trigger stops the capture.
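As an added illustration (not Network Monitor's own code), the following Python model shows why the default 1MB buffer loses data on a busy segment and how a buffer-space trigger changes that: a byte-budgeted FIFO buffer discards the oldest frames once it's full, whereas the same buffer with a trigger stops accepting frames at the chosen percentage and so keeps the start of the capture instead of the end. The frame sizes and counts are constructed, the buffer size and trigger percentage mimic the settings discussed in the text, and the eviction logic is the example's own simplification rather than a description of Network Monitor's internals.

```python
from collections import deque

class CaptureBuffer:
    """Byte-budgeted FIFO capture buffer (a simplified model, not Network Monitor's code).

    Without a trigger, adding a frame to a full buffer evicts the oldest frames.
    With trigger_percent set, the buffer stops accepting frames once it is at
    least that full, which preserves the oldest frames instead of the newest.
    """
    def __init__(self, size_bytes, trigger_percent=None):
        if trigger_percent is not None and not 1 <= trigger_percent <= 100:
            raise ValueError("trigger_percent must be between 1 and 100")
        self.size = size_bytes
        self.trigger = trigger_percent
        self.frames = deque()
        self.used = 0
        self.dropped = 0        # frames evicted by FIFO wraparound
        self.stopped = False    # set once the trigger fires

    def add(self, frame):
        """Store a frame; return False if the capture has already stopped."""
        if self.stopped:
            return False
        if len(frame) > self.size:
            raise ValueError("frame larger than the whole buffer")
        self.frames.append(frame)
        self.used += len(frame)
        while self.used > self.size:          # FIFO: drop the oldest until it fits
            self.used -= len(self.frames.popleft())
            self.dropped += 1
        if self.trigger is not None and self.used * 100 >= self.size * self.trigger:
            self.stopped = True
        return True

    def fill_percent(self):
        return 100.0 * self.used / self.size

def simulate(size_bytes, frame_len, n_frames, trigger_percent=None):
    """Feed n_frames identical frames through a buffer; return (kept, dropped, stopped)."""
    buf = CaptureBuffer(size_bytes, trigger_percent)
    for _ in range(n_frames):
        if not buf.add(b"\x00" * frame_len):   # constructed dummy frame of frame_len bytes
            break
    return len(buf.frames), buf.dropped, buf.stopped

def seconds_of_history(size_bytes, bits_per_second):
    """How much wall-clock traffic a buffer holds on a link running flat out."""
    return size_bytes / (bits_per_second / 8)

if __name__ == "__main__":
    ONE_MB = 1 << 20
    print("1MB buffer on a saturated 10 Mbps link holds %.2f s" % seconds_of_history(ONE_MB, 10_000_000))
    print("no trigger, 10,000 x 1500-byte frames (kept, dropped, stopped):", simulate(ONE_MB, 1500, 10_000))
    print("80% trigger, same traffic (kept, dropped, stopped):", simulate(ONE_MB, 1500, 10_000, trigger_percent=80))
```

Run as written, the untriggered 1MB buffer ends up holding only the last 699 of 10,000 full-size frames, while the 80 percent trigger stops the capture after 560 frames with nothing evicted; seconds_of_history makes the same point in time, showing that 1MB is well under a second of a saturated 10 Mbps link.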
