Discover what Network Monitor does and what's new in version 2.0

Network Monitor isn't the most intuitive Microsoft Systems Management Server (SMS) program, but it's a useful tool that deserves your attention. After you understand the program's basic capabilities, you can put it to work for you. This knowledge will also help you recognize the new features in SMS 2.0's Network Monitor 2.0.

Network Monitor Basics
Network Monitor gives administrators the ability to watch packets (aka frames) traverse a network wire and copy the packets in the form of a capture to the system from which the administrators are viewing the packets. Network Monitor requires a NIC that the program can put into promiscuous mode (p-mode). In p-mode, the NIC accepts all packets regardless of their media access control (MAC) address. When the NIC isn't in p-mode, it accepts only packets that have the NIC's MAC address. To monitor a network, Network Monitor puts the NIC into p-mode, then returns the NIC to normal mode when Network Monitor completes monitoring. Most NICs support p-mode; however, if you're unsure whether your NIC provides this support, check the manufacturer's Web site.

Network Monitor is available in a junior model that Microsoft bundles with Windows NT 4.0 and a full-scale version that SMS includes. The NT 4.0 Network Monitor has limited capabilities and is a scaled-down version of the SMS 1.2 Network Monitor. For example, the NT 4.0 Network Monitor lets you observe only traffic coming to or from your system to a designated computer. You can't observe traffic going from one computer to another if you're not monitoring from either system. In addition, the NT 4.0 Network Monitor doesn't let you replay packets on the network. The SMS version of Network Monitor lets you capture packets traveling from one address to another (or several addresses) or view all packets traversing the LAN. The SMS version's only limitation is that to use Network Monitor you must install certain SMS components on the system from which you're viewing and capturing packets.

Network Monitor 2.0
To install Network Monitor 2.0, run Setup from the \nmext\i386 directory on the SMS 2.0 CD-ROM. If you run Network Monitor Setup before you install the Windows Management Instrumentation (WMI) service (i.e., before you install the SMS client software on the system), the installation will run but the system will prompt you with a warning that Network Monitor won't work until WMI is present.

Network Monitor 2.0 and 1.2 let you monitor and capture all packets that cross a network. Alternatively, you can input the MAC addresses and names of the computers you want to monitor and generate a capture from. Delimiting the computers you want to watch is called setting a capture filter. You can filter packets by computer, protocol, or properties. In addition, you can choose the direction of flow for the filter if, for example, you want to monitor the packet flow from one computer to another but you're not concerned with the response packet flow from the receiving system (e.g., to monitor a Windows browse-master contest).

To set up a filter, click Capture, Filter from the Network Monitor main menu. The system will present you with the Capture Filter dialog box, which Screen 1 shows. Click Address in the Add section of the dialog box, click Edit Address, then click Add. Input a name for the machine you want to add to the filter. Then, enter the machine's MAC address, and select whether you want to keep the name permanently or only for that session. Click OK until you reach the main menu.

To add addresses to your filter list after you configure the filter, click the Addresses option in Network Monitor's Capture menu. If you don't know a system's MAC address, you can ping the computer you want to add, then run the arp ­g command to obtain the address. A simple alternative is to open the data discovery record (DDR) in SMS 2.0 for the system you want to add. A client computer's DDR shows the computer's IP and MAC addresses. After you configure a filter, you can save it as a file for reuse. The system gives a saved filter a .cf extension.

After you determine which computers you want to observe and add their addresses to the capture filter list, you're ready to start capturing packets. Starting a network capture is easy. To enable capturing, click the Start option in the Capture menu (or press F10). To view the captured packets, click Capture, Stop and View (or press Shift+F11).

While Network Monitor is in capture mode, the captured data goes into a capture buffer (i.e., a temporary file) until you view the data. If you stop the capture by clicking Capture, Stop, the system asks whether you want it to save the capture to a permanent file (the system gives this file a .cap extension). This feature is useful if, for example, you want to generate baselines for computers that are coming online and haven't become fully functional. You can save the capture and compare it with a capture you create later—you can delineate changes by looking at changes in the number of packets that given stations sent. In this way, you can generate a performance baseline, which gives you some idea of a computer's network performance.

Capture Buffer
By default, Network Monitor sets the capture buffer to only 1MB, so the buffer fills quickly on busy networks. When the buffer reaches capacity, Network Monitor uses a first in/first out (FIFO) storage method to handle the data (i.e., the program deletes the oldest data). Thus, you might run into a snag if you want to view old data that Network Monitor has purged from the buffer. You can use one of three methods to work around this problem: Enlarge the capture buffer, scale down the scope of your capture, or set a trigger that automatically stops the capture when the buffer fills to a predetermined level.

Enlarge the capture buffer. A particularly useful solution if you're performing only a one-time capture is to enlarge the capture buffer by clicking Capture, Buffer Settings, then setting the buffer to a larger size. However, this option isn't feasible if you're performing many captures because it uses a lot of disk space.

Scale down your capture's scope. Another alternative is to scale down the scope. However, this method doesn't help you discover chatty NICs (i.e., cards that continuously send out broadcast packets to the LAN) or problematic Windows 95 master browser elections (i.e., a Win95 system that thinks it should be a master browser and declares an election).

Set a capture trigger. To set a capture trigger, click Capture, Trigger, and select the Buffer Space option in the Capture Trigger dialog box, which Screen 2 shows. Next, select the percentage of buffer space you want to set as the maximum space the buffer can consume before the trigger stops the capture.

Dedicated Capture Mode
Another problem—one that you might not be aware of while it's happening—is that Network Monitor can drop packets if the computer you're using to monitor packets multitasks monitoring and other processes. To counteract this problem, you can put the program in a dedicated capture mode so that other processes don't interrupt the capture. As you might imagine, interrupting server processes on production servers is a bad idea. Thus, production servers aren't good candidates from which to run Network Monitor in dedicated capture mode. Instead, on a different resource computer (e.g., a local workstation), select Dedicated Capture Mode from the Capture menu to set the capture session to dedicated capture mode.

Network Monitor Agent
The SMS 2.0 Network Monitor 2.0 Agent, which you install by running Setup from the \nmext\i386 directory of your SMS 2.0 or SMS 2.0 Service Pack 1 (SP1) CD-ROM, is a software device that lets you use a computer as a remote Network Monitor sniffer. For example, suppose you want to sniff a system in a subnet on the other side of a router without physically accessing the system. Install the Network Monitor Agent on an NT system in the remote network. Then, set up a capture session from the local system you regularly use to monitor the network. Launch Network Monitor on the remote system by entering the remote computer's name in the Remote NPP Connection dialog box, which Screen 3 shows, on your local system. When you end the capture, the remote system sends the capture to your computer for viewing as necessary. You can view the capture only after you've ended the capture process. Your local system receives the captured data, but the remote computer does the sniffing.

The Network Monitor Agent in NT 4.0's Control Panel Network applet isn't the same as the Agent in SMS 2.0's Control Panel Network applet. In fact, the NT 4.0 Network Monitor Agent isn't compatible with the SMS 2.0 Network Monitor 2.0 Agent. In addition, the capture buffer on a system running the Network Monitor 2.0 Agent can't exceed the size of that system's memory, and Network Monitor 2.0 can't communicate with a non-Network Monitor 2.0 Agent.

Experts and Monitors
Network Monitor 2.0 provides two enhancements that aren't available in earlier versions: experts and monitors. Microsoft designed experts and monitors to help make your network monitoring chores easier to perform.

Experts. When you run a Network Monitor sniff, you'll be amazed at the amount of data you quickly collect—a simple 10-minute capture can take up as much as 5MB of hard disk space. Moreover, the data can be cumbersome to read and difficult to analyze because it's in hexadecimal notation. Although Network Monitor provides a summary screen that helps you determine what protocol and frame you're looking at and decipher what information the frame provides, the screen's format isn't intuitive. Experts put captured data in a more logical and palatable format to help you read and analyze the data. Network Monitor 2.0 provides the following five experts:

  • Average Server Response Time—Provides the average response time of servers in your network.
  • Property Distribution—Calculates a protocol property's statistics.
  • Protocol Coalesce Tool—Helps you combine data in tens, hundreds, or thousands of little packets into one packet for in toto viewing (i.e., you can view one packet of data instead of multiple data fragments).
  • Protocol Distribution—Tells you which protocol your network (i.e., the systems you sniff) uses the most. This information is useful for calculating statistics about protocol distribution on your network. This expert can reveal massive UDP broadcasts from one box, which means that the system is initiating a master browser contest.
  • TCP Retransmit—Shows you TCP packets that a system needed to retransmit because the receiving host failed to acknowledge that it received the original packets. This expert provides information that is useful for diagnosing NIC difficulties and slow LAN connections.
  • Top Users—Provides a list of the users in a capture in an order relative to their network use (i.e., in terms of packets each user puts out onto the network). You can use this expert to discover a chatty NIC, a runaway process, or a poorly implemented three-tier client/server setup. However, the existence of a top user doesn't necessarily mean that you have a problem: the expert simply reveals the top user during your capture session.

    To run an expert or multiple experts after you end a capture, click Tools, Experts while you're in view-capture mode. From the Network Monitor Experts dialog box, which Screen 4 shows, select the expert you want to run and click Add to Run List after each expert you select. When you've added to the Run List all the experts you want to run, click Run Experts. For each expert you run, Network Monitor provides a tab that shows the expert's data, as Screen 5 shows. You can click the column heads to arrange the output in any order. This tool provides a simple way to view and analyze captured data.

Monitors. Monitors are software tools that perform a realtime watch for a specific condition or frame property on a network. When the event that you set the monitor to watch for occurs, the monitor posts the event to the Monitor Control Tool. When you install Network Monitor 2.0, you automatically install this tool as a separate program in the SMS group. You also automatically install the Monitor Control Service associated with the Monitor Control Tool. By default, this service is disabled; you must manually enable it. To start the Monitor Control Service, run the Monitor Control Tool. The system presents you with a Monitor Control Tool dialog box, which Screen 6 shows, in which you can configure monitors. SMS includes the following seven monitors (you can purchase additional monitors from third-party vendors):

  • ICMP Redirect Monitor—Routers use this monitor to inform a host that the route the host is attempting to use is old or defunct and suggest a new route. An attacker might send a host a fake Internet Control Message Protocol (ICMP) redirect packet in an attempt to get the host to redirect the packet's route to an invalid destination—subverting the host's traffic flow. The ICMP Redirect Monitor watches for this type of activity.
  • IP Router Monitor—Watches for failed IP routers.
  • IPRange Monitor—Checks for frames that have source IP addresses outside a range that you specify, which prevents spurious hosts from sending frames.
  • IPX Router Monitor—Monitors for failed IPX routers.
  • Rogue DHCP and WINS Monitor—Watches for unauthorized DHCP or WINS servers on the subnet.
  • Security Monitor—Checks for unauthorized users trying to use Network Monitor.
  • SynAttack Monitor—Monitors for an attack in which an unreachable source overloads the server by sending thousands of SYN requests to a host. Each SYN request requires as long as 189 seconds to time out on the server and subsequently makes the host useless.

Monitors are easy to start: Start the Monitor Control Tool by selecting the Start menu's Programs option, and clicking Systems Management Server, Monitor Control Tool. Next, connect to the computer that you'll run the monitor from (this system can be the system you're on or another Network Monitor 2.0 system), click the monitor you want to run, and click Enable. You can also use this method to add monitors to the list of running monitors.

A Useful Toolbox Addition
Network Monitor is a difficult SMS tool to master. However, after you understand the functionality that this SMS feature has to offer and you learn how to use the program, Network Monitor will be one of the most useful tools in your administrative toolbox.