Network Monitor is available in two versions: a full version that ships with Microsoft Systems Management Server (SMS) and a "lite" version that ships with Windows Server 2003, Windows 2000 Server, and Windows NT Server 4.0. The lite version contains a subset of the full version's commands. In this article, I focus primarily on the lite version of Network Monitor because more people have this version. The two versions have some significant differences.

  • Traffic capture. The most significant difference between the two versions is the type of traffic they can capture. The lite version captures only broadcast traffic and traffic that's sent to or received from the computer running Network Monitor. The full version can capture traffic from the current network segment regardless of where the traffic originated or was directed. On switched networks, most servers (and sometimes workstations) are connected to their own dedicated switched port. This configuration makes it more difficult to capture network traffic from other network segments because Layer 2 and 3 switches often isolate network traffic to the segments where the two devices are communicating. The full version of Network Monitor can capture data from remote agents that run on different network segments. This capability is helpful when you're trying to troubleshoot a problem on a remote network segment.
  • Experts. This tool, which is available only in the full version, provides in-depth explanations about traffic capture and packet decoding.
  • Find Routers. This command, which is under the Tools menu and is available only in the full version, identifies the IP addresses of routers on your network.
  • Resolve Addresses from Name. This command, also under the Tools menu and available only in the full version, resolves an address based on its Fully Qualified Domain Name (FQDN).

If you need to monitor remote segments or need additional functionality not included in the lite version, consider purchasing SMS to obtain the full version of Network Monitor, or buy a third-party network monitor that has remote-segment monitoring capability.

Before switched networks became popular, it was much easier to capture network data because several computers shared the same network segment. Before switched networks, I used Network Monitor primarily to find a beaconing or faulty NIC that caused the network to crash. Today, managed switches perform this type of function. If you have a managed switch and suspect a faulty NIC or device, check the switch statistics and look for ports that have a high number of packets, packet errors, or both. After you identify potentially problematic ports, you can use Network Monitor to capture network traffic on those ports. Of course, you can still use Network Monitor as a packet-capturing tool to troubleshoot specific problems with protocol connectivity, examine network utilization, and monitor server network traffic.