Capture information about traffic patterns in your Windows 2000 network

Microsoft Network Monitor 2.0, a packet-capture and analysis tool that ships with Windows 2000 Server, reads traffic arriving at a network interface, captures the traffic to a buffer, and displays each packet’s contents. You can use Network Monitor to examine headers that networking protocols have applied to each packet and to trace message exchanges between systems. As a troubleshooting tool, Network Monitor helps you scrutinize specific systems’ activities.

Win2K Server Network Monitor 2.0 captures traffic that travels to the system on which Network Monitor runs. In contrast, Microsoft Systems Management Server (SMS) 2.0 includes a more powerful Network Monitor 2.0 version that places the NIC into promiscuous mode (p-mode) to capture all packets traveling on the network, instead of capturing only those packets addressed to the NIC. (For information about SMS Network Monitor, see Bill Heldman, "Network Monitor Basics," http://www.win2000mag.com/articles, InstantDoc ID 8407.) SMS Network Monitor also lets you edit and transmit frames (aka packets), and it provides drivers for OSs other than Win2K.

Network Monitor Components
Win2K Server Network Monitor consists of an administrative tool called Network Monitor and a driver that interacts with the network interface. (The Win2K Server Network Monitor driver is equivalent to the agent in Windows NT Server 4.0 Network Monitor.) To capture, display, and analyze network frames that a Win2K Server system sends to and receives from a LAN, install the administrative tool and the Network Monitor driver on the server. When you install the administrative tool, the setup program automatically installs the driver.

You can install the administrative tool only on a server, but the driver can run on any Win2K machine. You can install the driver on a Win2K workstation to troubleshoot problems with that machine. However, you must use SMS Network Monitor to analyze frames that originate at workstations.

Using Network Monitor
To run Win2K Server Network Monitor, install the administrative tool, the Network Monitor driver, and Microsoft Internet Explorer (IE) 5.0 on a Win2K Server system. You also need to log on to the server as an administrator. To install the administrative tool, go to the Control Panel Add/Remove Programs applet and select Add/Remove Windows Components. Install the driver by going to Settings, Network and Dial-Up Connections, and choosing Local Area Connection Properties.

To help you identify network problems and traffic patterns, Network Monitor lets you display, filter, save, and print captured frames. A frame consists of a header and footer for a network protocol (e.g., Ethernet) and data. The header specifies the media access control (MAC) addresses of the systems sending and receiving the frame and identifies the protocol that the frame carries. A typical Ethernet frame contains two 6-byte addresses, displayed in hexadecimal, identifying the NIC that sent the frame and the NIC that will receive the frame. Another field contains the EtherType value, which identifies the protocol within the frame, such as IP. When the EtherType is IP, Network Monitor displays the IP header as the next layer, followed by the data that header carries. You can examine successive layers of protocol headers until you reach the message from the application that created the packet.
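As an added example that is not part of the original article, the following Python peels the same layers the Capture Summary detail pane shows (Ethernet, then IP, then TCP or UDP) from a constructed 54-byte frame; the MAC and IP addresses, ports, and helper names are assumptions made for the example.

```python
import struct

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Letters Network Monitor prints in the Frame Description column for TCP flags
TCP_FLAG_LETTERS = ((0x02, "S"), (0x10, "A"), (0x01, "F"), (0x04, "R"), (0x08, "P"))

def mac_str(raw): return ":".join(f"{b:02X}" for b in raw)
def ip_str(raw): return ".".join(str(b) for b in raw)

def decode_frame(frame):
    """Walk the headers one layer at a time: Ethernet II, then IPv4 if the
    EtherType says so, then TCP or UDP according to the IP protocol field."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    layers = {"ethernet": {"dst": mac_str(dst), "src": mac_str(src),
                           "etype": ETHERTYPES.get(etype, f"0x{etype:04X}")}}
    if etype != 0x0800:
        return layers                      # not IP: nothing more to peel here
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, s_ip, d_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4             # IP header length in bytes
    layers["ip"] = {"src": ip_str(s_ip), "dst": ip_str(d_ip), "ttl": ttl,
                    "protocol": IP_PROTOCOLS.get(proto, str(proto))}
    payload = frame[14 + ihl:14 + total_len]
    if proto == 6:
        sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", payload[:14])
        letters = "".join(l for bit, l in TCP_FLAG_LETTERS if flags & bit)
        layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq,
                         "flags": letters, "data": payload[(offset >> 4) * 4:]}
    elif proto == 17:
        sport, dport, length, _csum = struct.unpack("!HHHH", payload[:8])
        layers["udp"] = {"sport": sport, "dport": dport, "data": payload[8:length]}
    return layers

# Constructed sample (addresses made up): an Ethernet frame carrying an IPv4/TCP
# segment with only SYN set, like the first handshake frame the article describes.
SAMPLE_SYN_FRAME = bytes.fromhex(
    "00AABBCCDDEE" "001122334455" "0800"          # dst MAC, src MAC, EtherType IP
    "4500002800014000" "4006" "0000"              # IPv4: IHL 5, len 40, DF, TTL 64, TCP
    "C0A80164" "C0A80101"                         # 192.168.1.100 -> 192.168.1.1
    "0C3E0050" "00000001" "00000000"              # ports 3134 -> 80, seq 1, ack 0
    "5002FFFF" "0000" "0000"                      # offset 5, flags SYN, window, csum, urg
)

if __name__ == "__main__":
    for layer, fields in decode_frame(SAMPLE_SYN_FRAME).items():
        print(layer, fields)
```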

Network Monitor supplies the Capture Window and the Capture Summary (aka Frame Viewer) window, so you can view frame information. The Capture Window, which Figure 1 shows, appears when you open Network Monitor and summarizes statistics about the captured frames. The graph pane in the upper-left corner of the Capture Window displays the total capture statistics of current network activity. The session statistics pane in the left center of the window displays summary statistics for individual current network sessions. The total statistics pane in the upper-right corner summarizes the current capture session’s statistics. The station statistics pane at the bottom of the window displays information about the server running Network Monitor.

The Capture Summary window, which Figure 2 shows, displays the contents of captured frames. The summary pane at the top of the window lists general information about the captured frames in sequence. The detail pane in the center displays the frame contents, including each protocol header the frame carries. The hex pane at the bottom displays the captured data in hexadecimal and ASCII form.

For Network Monitor to start capturing frames, you need to choose the correct network interface. From the Capture Window’s Capture menu, select the network interface in the Networks dialog box. The network interface list includes all network interfaces, including modems. To start capturing frames, select Start from the Capture menu, click the Start Capture button on the toolbar, or press F10. Each of these actions causes Network Monitor to capture all the frames traveling through the server and put them in a temporary capture file. If you save the capture file, the program assigns it the .cap extension, and you can view the file later from within Network Monitor. To stop a capture and examine the frames, select Stop and View from the Capture Window’s Capture menu, click the Stop Capture button on the toolbar, or press F11. If you choose Stop and View, the Capture Summary window appears. If you select either of the other options, you need to open the Capture Summary window to examine the frames. To open the Capture Summary window, click the Display Captured Data button on the toolbar or press F12.

You can design a capture filter to control the amount of data that Network Monitor captures and help you isolate specific frames. A filter is similar to a database query that isolates specific information. Capture filters can select frames according to several characteristics, including protocols, protocol properties, and source and destination addresses. You can't design capture filters while a capture is in progress.

To design a capture filter, go to the Capture Window and select Capture, Filter. You can filter captured data by protocols, address pairs, and data pattern matches, as Figure 3 shows. The protocols option lets you capture only the frames of specific protocols. To choose those protocols, double-click SAP/ETYPE=Any SAP or Any ETYPE in the decision tree and pick protocols from the list. By default, Network Monitor enables all protocols, as Figure 4 shows. The Address Pairs option lets you capture traffic for specific source and destination addresses of data transmissions. You can specify as many as three address pairs by double-clicking AND (Address Pairs) in the decision tree and specifying address-pair properties in the Address Expression dialog box. The Pattern Matches option lets you capture frames that contain specific patterns. Pattern matching looks for specific character strings in packets. For example, Web servers send HTML code as ASCII text, so pattern matching can scan for key words in the Web pages that your system users access. You can define as many as four pattern matches by double-clicking AND (Pattern Matches) in the decision tree and specifying data pattern match properties in the Pattern Match dialog box.
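The following Python models the three branches of that decision tree (protocol list, at most three address pairs, at most four pattern matches, all ANDed) and runs them over a handful of constructed frames. It is an added illustration, not code from the article or from Network Monitor; station names and payloads are made up, address pairs are treated as bidirectional, and pattern offsets count from the start of the payload, both simplifications chosen for the example.

```python
# Constructed frames in the shape of Network Monitor's summary pane (station
# names are made up); "data" is the start of the frame payload for pattern matching.
FRAMES = [
    {"src": "WKST1", "dst": "SERVER1", "proto": "DNS", "data": b"\x00\x01\x01\x00www.zacker.com"},
    {"src": "SERVER1", "dst": "WKST1", "proto": "DNS", "data": b"\x00\x01\x81\x80www.zacker.com"},
    {"src": "WKST1", "dst": "WEBSRV", "proto": "TCP", "data": b""},
    {"src": "WKST1", "dst": "WEBSRV", "proto": "HTTP", "data": b"GET /index.html HTTP/1.1"},
    {"src": "WEBSRV", "dst": "WKST1", "proto": "HTTP", "data": b"HTTP/1.1 200 OK"},
    {"src": "WKST1", "dst": "WEBSRV", "proto": "HTTP", "data": b"GET /logo.gif HTTP/1.1"},
    {"src": "OTHER", "dst": "WEBSRV", "proto": "HTTP", "data": b"GET /index.html HTTP/1.1"},
]

class CaptureFilter:
    """The three branches of the capture-filter decision tree, ANDed together:
    SAP/ETYPE protocol list, up to 3 address pairs, up to 4 pattern matches."""
    MAX_PAIRS, MAX_PATTERNS = 3, 4

    def __init__(self, protocols=None):
        self.protocols = set(protocols) if protocols else None   # None = Any SAP / Any ETYPE
        self.pairs, self.patterns = [], []

    def add_address_pair(self, station_a, station_b):
        # Assumption for the example: a pair matches traffic in either direction.
        if len(self.pairs) >= self.MAX_PAIRS:
            raise ValueError("Network Monitor allows at most 3 address pairs")
        self.pairs.append(frozenset((station_a, station_b)))

    def add_pattern(self, offset, pattern):
        # Offset is counted from the start of the payload (example simplification).
        if len(self.patterns) >= self.MAX_PATTERNS:
            raise ValueError("Network Monitor allows at most 4 pattern matches")
        self.patterns.append((offset, bytes(pattern)))

    def matches(self, frame):
        if self.protocols is not None and frame["proto"] not in self.protocols:
            return False
        if self.pairs and frozenset((frame["src"], frame["dst"])) not in self.pairs:
            return False
        return all(frame["data"][off:off + len(pat)] == pat for off, pat in self.patterns)

def apply_filter(flt, frames):
    """Return only the frames the filter would let into the capture buffer."""
    return [f for f in frames if flt.matches(f)]

if __name__ == "__main__":
    f = CaptureFilter(protocols={"HTTP"})
    f.add_address_pair("WKST1", "WEBSRV")
    f.add_pattern(0, b"GET")
    for frame in apply_filter(f, FRAMES):
        print(frame["src"], "->", frame["dst"], frame["data"])
```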

You can also design a capture trigger, which tells Network Monitor when a capture meets one of two conditions: a specific data pattern occurs in a frame or the buffer reaches a specified capacity. The trigger can prompt the program to emit an alarm, stop the capture, or execute a command. To configure a capture trigger, go to the Capture Window, select Capture, Trigger, and choose a trigger condition.

To help isolate specific information types, display filters operate on frames that Network Monitor has already captured and select frames by protocols, protocol properties, and source and destination addresses. You use display filters to show in the Capture Summary window only the frames that you want to analyze. To design a display filter, go to the Capture Summary window and select Display, Filter. Double-click the ANY <-> ANY line in the decision tree to display the Expression dialog box, which Figure 5 shows. Then, select the protocols, address pairs, and properties that you want the Capture Summary window to display.

On a busy network, you might want to reconfigure Network Monitor’s buffer size (by default, the buffer holds as much as 1MB) to hold more captured frames. The buffer holds data from the NIC and can fill quickly. When the buffer is full, Network Monitor uses a first in/first out (FIFO) method to determine which data the buffer keeps, so the program might delete older frames before you can examine them. To reconfigure the buffer size, go to the Capture Window and select Capture, Buffer Settings. Then, set either the maximum amount of RAM that Network Monitor can use or the number of bytes of information you want the program to capture during each session. The buffer size that you choose depends on the amount of data you need to capture and the amount of memory available on the machine.
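The FIFO behaviour and the buffer-capacity trigger described above, as an added Python simulation that is not part of the article: a byte-limited buffer discards its oldest frames when a new frame does not fit, and a trigger at a chosen fill level either raises an alarm or stops the capture. Buffer sizes, frame sizes and the class and function names are constructed for the example.

```python
from collections import deque

class CaptureBuffer:
    """Capture buffer with a fixed byte size. When a new frame does not fit, the
    oldest frames are discarded first (FIFO). An optional capture trigger fires
    once the buffer reaches a given fill level and can stop the capture."""

    def __init__(self, size_bytes, trigger_percent=None, trigger_action="alarm"):
        self.size_bytes, self.used, self.dropped = size_bytes, 0, 0
        self.frames = deque()
        self.trigger_percent, self.trigger_action = trigger_percent, trigger_action
        self.events, self.stopped = [], False

    def add(self, frame):
        if self.stopped:
            return False                             # the trigger already stopped the capture
        if len(frame) > self.size_bytes:
            raise ValueError("frame larger than the whole buffer")
        while self.used + len(frame) > self.size_bytes:
            self.used -= len(self.frames.popleft())  # discard the oldest frame first
            self.dropped += 1
        self.frames.append(frame)
        self.used += len(frame)
        if (self.trigger_percent is not None and not self.events
                and self.used * 100 >= self.size_bytes * self.trigger_percent):
            self.events.append((self.trigger_action, len(self.frames)))
            self.stopped = self.trigger_action == "stop"
        return True

def simulate(size_bytes, frame_sizes, trigger_percent=None, trigger_action="alarm"):
    """Feed constructed frames of the given sizes (frame number as filler byte) and
    report what someone opening the buffer afterwards would still find."""
    buf = CaptureBuffer(size_bytes, trigger_percent, trigger_action)
    for n, size in enumerate(frame_sizes, 1):
        buf.add(bytes([n % 256]) * size)
    return {"kept": len(buf.frames), "dropped": buf.dropped, "events": buf.events,
            "oldest": buf.frames[0][0] if buf.frames else None}

if __name__ == "__main__":
    # A 1,000-byte buffer fed five 300-byte frames keeps only the last three.
    print(simulate(1000, [300] * 5, trigger_percent=75))
    # With a "stop" trigger at 75%, the capture halts after frame 3 and keeps frames 1-3.
    print(simulate(1000, [300] * 5, trigger_percent=75, trigger_action="stop"))
```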

Comment frames, a new feature in version 2.0, let you add remarks to a captured file. For example, comment frames can mark beginning and ending points for a group of packets. To add comment frames, click the frame where you want to insert the comment, and select Insert Comment Frame from the Capture Summary window’s Tools menu. Alternatively, right-click the Capture Summary window’s Frame column and select Insert Comment from the pop-up menu at the point you want to insert the comment frame.

Network Monitor also lets you choose colors for protocols in the Capture Summary window. You might want to specify a color for comment frames, for example. To add colors, select Display, Colors from the Capture Summary window, then click the protocol names and color combinations you want.

Analyzing Traffic
You can analyze certain types of client-to-server traffic to determine how much traffic client-related services generate and whether you can control that traffic. Client-to-server traffic includes browser traffic, DHCP traffic, DNS traffic, and HTTP Web-browsing traffic. A client generates browser traffic when it retrieves lists of backup browsers, server resources, or network servers, and when it registers as a network-resource provider. To filter frames so that Network Monitor displays only browser traffic, select Browser and disable other protocols when you design a filter. Clients generate DHCP traffic during IP address acquisition, renewal, and release. To display only DHCP traffic, select DHCP and disable other protocols. TCP/IP hosts generate DNS traffic during TCP/IP host name resolution. To display only DNS traffic, select DNS and disable other protocols when you design a filter. The IE browser application generates HTTP traffic when it downloads pages from a Web site. To filter Web-browsing traffic, select HTTP from the protocol list and disable other protocols. To determine which frames are related to specific functions, perform those functions at the server, observe which frames the functions generate, then examine the frames.

Web-Browsing Traffic
Web browsing provides an example of how Network Monitor analyzes client-to-server traffic. Finding and connecting to a Web site creates little traffic, but downloading graphics can generate a large amount of activity.

The easiest way to capture Web-browser and server traffic is to set up a filter that captures only traffic traveling to and from the system that runs the browser. You might capture a few frames from other processes, but most of the frames will relate to Web browsing. The Web-browsing process begins with DNS name resolution, which a standard DNS name lookup accomplishes. DNS consists of a request and a reply. The DNS messages travel in UDP datagrams, which don't require a prior connection. The first captured frames contain information similar to what you see in Table 1.

Frame 3 in Table 1 shows workstation WKST1’s query to the DNS server (i.e., Server1) and the DNS name that the browser needs to resolve (i.e., www.zacker.com). The DNS server must access Internet servers to resolve the name, so no more messages pass between the client and the server until the server discovers the IP address associated with the requested name. Server1’s response to WKST1 contains the address that the system needs to communicate with the Web server.

When the client receives the Web server’s IP address, the client and the server use a standard three-way handshake to establish a bidirectional TCP connection, as Table 2 shows. Frame 6, which the client sends, contains the synchronization (SYN) flag (S in the table’s Frame Description) that requests a server connection. The server responds with a frame that contains the acknowledgment (ACK) flag (A in the table’s Frame Description), acknowledging the client’s request and establishing the connection in one direction. The server also sends a SYN flag, which requests a connection in the other direction. The client replies with an ACK flag, establishing the connection in both directions.

After the client establishes the TCP connection to the Web server, the client generates HTTP GET commands (GET in Table 3's Frame Description), which request specific server files. The server sends the files, and the systems use TCP messages to acknowledge the transmissions. Table 3 contains an example of this communication. As the Web page downloads, more HTTP GET messages can result if images or graphics need to go to the client. If a page contains graphics, the systems can exchange many TCP messages and HTTP GET commands to complete the download.

After the information downloads, the systems terminate their connections, which Table 4 shows. The Finish (FIN) flag (F in the table's Frame Description) signals that a connection is about to terminate. The other system acknowledges the FIN and generates a FIN, which the first system acknowledges. For every Web site file that you download, systems carry on complex transactions. Depending on the standards that the Web server and browser support, systems might need to negotiate, utilize, and terminate TCP sessions for every HTML and graphic file on every page that you access. TCP connections facilitate all kinds of electronic communications, not just communications involving Web servers. Many kinds of application data travel over TCP connections.
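The handshake, transfer and teardown sequence of Tables 2 through 4, as an added Python tracker that is not part of the article: it reads the S, A and F letters from constructed Frame Description strings and labels the phase each frame belongs to, counting how many TCP sessions ran to completion. Station names, ports and sequence numbers are made up for the example.

```python
# Constructed frames modelled on Tables 2 through 4: (source, destination, protocol,
# Frame Description). Flag letters follow Network Monitor: S = SYN, A = ACK, F = FIN.
FRAMES = [
    ("WKST1", "WEBSRV", "TCP", "....S., len: 0, seq: 1-1"),
    ("WEBSRV", "WKST1", "TCP", ".A..S., len: 0, seq: 1-1"),
    ("WKST1", "WEBSRV", "TCP", ".A...., len: 0, seq: 2-2"),
    ("WKST1", "WEBSRV", "HTTP", "GET Request (from client using port 3134)"),
    ("WEBSRV", "WKST1", "HTTP", "Response (to client using port 3134)"),
    ("WKST1", "WEBSRV", "TCP", ".A...., len: 0, seq: 300-300"),
    ("WEBSRV", "WKST1", "TCP", ".A...F, len: 0, seq: 1200-1200"),
    ("WKST1", "WEBSRV", "TCP", ".A...., len: 0, seq: 300-300"),
    ("WKST1", "WEBSRV", "TCP", ".A...F, len: 0, seq: 300-300"),
    ("WEBSRV", "WKST1", "TCP", ".A...., len: 0, seq: 1201-1201"),
]

def tcp_flags(description):
    """The flag field is the first comma-separated token; dots stand for unset bits."""
    return set(description.split(",")[0].replace(".", ""))

def track_sessions(frames):
    """Label every frame with the phase of its TCP connection and count the
    connections that went through handshake, transfer and teardown."""
    state, labels, completed = {}, [], 0
    for src, dst, proto, desc in frames:
        conn = frozenset((src, dst))           # same connection in either direction
        phase = state.get(conn, "closed")
        if proto == "HTTP":
            label = "transfer: " + ("request " + desc.split()[0] if desc.startswith("GET") else "response")
        else:
            flags = tcp_flags(desc)
            if "S" in flags:
                phase = "syn-received" if "A" in flags else "syn-sent"
                label = "handshake: " + ("SYN+ACK" if "A" in flags else "SYN")
            elif "F" in flags:
                if phase == "closing":          # second FIN: both directions closed
                    phase, completed = "closed", completed + 1
                else:
                    phase = "closing"
                label = "teardown: FIN"
            elif phase == "syn-received":      # third handshake frame
                phase, label = "established", "handshake: ACK, connection open"
            else:
                label = "ack"
        state[conn] = phase
        labels.append(f"{src} -> {dst}: {label}")
    return labels, completed

if __name__ == "__main__":
    lines, n = track_sessions(FRAMES)
    print("\n".join(lines))
    print("completed TCP sessions:", n)
```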

Advanced network administrators are traditional users of protocol analyzers such as Network Monitor. However, with practice, even inexperienced users can scrutinize and troubleshoot network communications with Network Monitor.