Get IT Done: Use Windows 2000's Network Monitor to track network activity
Takeaway: Monitor network activity for patterns of usage and overall activity load by using Windows 2000's Network Monitor.
Monitoring network activity allows you to pinpoint problems and respond to network bottlenecks. More importantly, you can monitor network activity for patterns of usage and overall activity load. Using this information, you can determine if your network can handle its current load, accommodate more traffic, or benefit from an expansion.
You may think you have to invest lots of money to obtain a good network-monitoring tool for your network. If you’re running Windows 2000, Network Monitor is sitting, probably unused, on your Windows 2000 Server CD-ROM. Not only can you use it to monitor network connections, you can also capture activity in a log for later review or identify patterns in network activity.
What does it do?
Microsoft’s Network Monitor tracks information sent to or from the local computer including the originating address, the destination address, the header information, and the body of the transmission. On a system with multiple Ethernet ports, the communications to each can be captured separately in order to pinpoint patterns to specific addresses.
For even more granularity and flexibility in capturing data, Network Monitor allows the user to create filters, which produce results based on a specific source or destination address, protocols, or patterns in the offset.
Some of the features within Network Monitor are only available after you’ve also installed Microsoft’s Systems Management Server. These features allow you to:
- Find routers.
- Resolve addresses from names.
- Filter from any computer other than the local computer.
Installing Network Monitor
Network Monitor is easy to add to your existing Windows 2000 computer. Although Network Monitor is included on the Windows 2000 Advanced Server CD, it is not installed using the basic installation routine. To install Network Monitor, the server must also have Windows Explorer 4.01 SP1 or greater. You must be logged on to the computer as a user who has administrative rights.
The Network Monitor tool is installed from the Network And Dial Up Connections screen. To install Network Monitor, click Start | Settings | Network And Dial Up Connections. Click on the Add Network Components link that appears along the left portion of the screen. You will be presented with the Windows Components screen. When the Windows Components screen appears, select Management And Monitoring and click Next.
The Wizard will prompt you for files required from your Windows 2000 CD. Insert the CD in your CD drive, click Browse, and choose the location of your CD-ROM and the appropriate directory, such as the I386 directory on the CD. When you find it, click OK. The wizard will then copy the necessary files to your Windows 2000 server. After the files finish copying, you’re ready to start using Network Monitor.
Using Network Monitor
To start the Network Monitor Tool, click Start | Control Panel | Administrative Tools | Network Monitor. If you’re more comfortable with using the command line, you can open a command prompt and type netmon to start Network Monitor. Starting Network Monitor from the command line has other benefits because you can specify switches that allow you to set the capture directory and network interfaces.
When you start Network Monitor, an error may appear telling you your default network is invalid. You can safely ignore this error. Just click OK to continue.
On the next screen, you choose the connection you wish to monitor. Expand the list and click one of the network interfaces; you can change this selection at any time.
Now the Network Monitor interface is started as shown in Figure A. The default screen contains several panes of information concerning the network interface you choose to monitor. Some of the things you’ll find on this screen include:
- A graph of network utilization.
- Session statistics.
- Station statistics.
- Total statistics.
Figure A: Network Monitor is split into different panes.
By clicking within each pane, you give the pane focus. When the pane has focus, you can then click the zoom icon to expand the specific pane to a full screen. Alternatively, you can click on the icons in each pane to open or close that specific pane, as shown in Figure B.
Choosing the network
Recall that when you first started Network Monitor, you were prompted to choose the network interface you wished to monitor. Once chosen, this will remain the default interface for the session. To save the configuration, choose Capture | Save Configuration. You can change the network to be monitored by choosing Capture | Networks. The screen will present you with a list of network interfaces as shown in Figure C. Here you can edit, add, and delete network information to customize the Network Monitor to suit your environment’s needs.
Adding addresses to the Network Monitor Database
Network Monitor contains a database of addresses that identify the server on the network. This database can be viewed and maintained from the Capture | Addresses option. You will notice when you access this database that Network Monitor has already added the default address from your local machine. Each address is identified by a name and further described by an address, protocol, and comment. From this screen you may add, edit and delete addresses. You may also wish to save the address database to a file so it can be used for filtering capture data or load a previously created address file.
To save the address database to a file, click on the Save button from the Capture | Addresses option. To load a pre-existing address file, click on the Load button from the Capture | Addresses option and choose the file to load.
Monitoring activity
Now that you have chosen the network interfaces you wish to monitor, it is a simple matter to start a capture and monitor the activity. Choosing the Capture | Start option starts the capture of data, as shown in Figure D.
The data is written to a temporary capture file, but you will have the option of saving this information when you choose to stop the capture. In addition, you can stop and view the captured information or simply pause the capture by choosing the Stop And View or Stop options from the Capture menu.
Capture files can become large and use up valuable temporary space used by other applications on your machine. You may wish to change the temporary capture file location if you plan on capturing activity over a long period of time. The location of the capture file defaults to the temporary directory you have defined in your Windows 2000 installation. You can change the default location by selecting Change Temporary Capture File Location from the Tools menu. Temporary capture files are removed when you save the captured data to a file when stopping the capture activity.
Capturing data can also be controlled on the basis of a trigger. You can set up a trigger using the Trigger option from the Capture menu. Triggers can be set up based on a pattern match, buffer space, or some combination of patterns and buffers. You can use triggers to stop the capture if a pattern is matched in the frame. Alternatively, you can have Network Monitor signal you that the pattern was matched or—if you want to get really fancy—you can trigger the execution of a predefined executable file.
As an added feature, the monitor can be put into dedicated capture mode by choosing Dedicated Capture Mode from the Capture menu. This mode will capture data continuously until you choose to stop the capture. When this mode is invoked, clicking on the minimized monitor window will cause the tool to ask whether you wish to stop the capture, view the capture, or return to normal mode. The interactive interface will not be available to you while the tool is in dedicated mode. Think of this as the equivalent of running a job in the background. This mode can be very handy if you wish to use Network Monitor as part of your overall system management.
Viewing captured information
You can view the captured information by choosing the Stop And View option on the Capture menu or by simply opening a pre-existing capture file from the File | Open menu. Viewing the capture file opens the Frame Viewer window. This window contains three panes of information: Summary, Detail, and Hex.
The Summary pane contains the segments in the order they were captured. In this way you can see the sequence of events on the monitored network. The Detail pane contains the details of the segment's addresses and protocols. The Hex pane contains the data sent or received.
As you click on the segments in the summary pane, you will notice the detail and hex pane change to the corresponding information about the segment that is highlighted. You can replay the sequence of events that occurred at a given time and scrutinize the data to determine patterns or anomalies. You can pinpoint exactly when an event occurred, where the data was sent, and who received it.
You can also navigate through the data using the Display menu to step to the Next and Previous Frames and the toggles to close and open the three panes. To make searching for information easier, you can apply filters to the captured data. Filtering is described in more detail in the next section.
Filtering
While capturing network data is wonderful for pinpointing those network hogs, the amount of data captured can be tedious to wade through. To address this problem, Network Monitor allows you to invoke filtering by clicking Filter from the Capture menu. Filters can be set up on the basis of addresses or patterns as shown in Figure E.
Network Monitor allows you to set up filters and save these configurations to files to be reused. Note that when filtering on an address, the address must have been previously set up in the Network Monitor Database. To set up an address, choose the Addresses option from the Capture menu and add a specific address.
Filters can be extremely helpful in ongoing network monitoring. For example, if specific persons are complaining about network slowdowns, you can monitor the activity specifically to and from their network addresses and then review the information for any patterns of activity.
Additional features
Some additional options found in Network Monitor are Clear Statistics, Capture Buffer Settings, and Identify Network Monitor Users. Clear Statistics is found on the Capture menu and clears the current screen statistics. This is useful after stopping and saving captured data in order to start a fresh monitoring session.
Capture Buffer Settings is also found on the Capture menu and allows you to set the size of the capture buffer. The capture buffer should not exceed the size of your machine's memory. The default buffer size is 1 MB. Setting the size affects the performance of the Network Monitor tool. The larger the buffer, the more information is captured prior to writing to a temporary file.
The Capture Buffer Settings option also allows you to set the Frame Size. The default is Full; however, using the drop-down list, you may set this to between 64 and 65472 bytes. Changing the Frame Size changes the number of bytes that are captured for each frame. Unless you know specifically how many bytes you wish to capture, the default is the better choice so that no information is missed.
Once you have been monitoring your system for a while, you will probably start to recognize patterns of activity and learn the maximum number of bytes in a frame; then, you can adjust this setting accordingly. Capturing fewer bytes per frame means the capture file uses less space.
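How the Frame Size setting interacts with the address and offset-pattern filters described earlier, shown as an added example in Python (not part of the original article and not Network Monitor's own code). The frames, MAC and IP addresses, and function names are constructed for illustration; the point is that a pattern located past the captured frame size can no longer match, while header-based filters still work.

```python
import socket
import struct

ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20
PAYLOAD_OFFSET = ETH_LEN + IP_LEN + TCP_LEN  # 54 bytes of headers

def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload):
    """Constructed Ethernet II / IPv4 / TCP frame (checksums left at zero)."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + TCP_LEN + len(payload),
                     0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def capture(frames, frame_size=None):
    """Keep the first frame_size bytes of every frame; None models 'Full'."""
    return [f if frame_size is None else f[:frame_size] for f in frames]

def matches(frame, src_mac=None, dst_mac=None, pattern=None, offset=0):
    """True when every supplied address and offset-pattern condition holds."""
    if dst_mac and frame[0:6] != bytes.fromhex(dst_mac):
        return False
    if src_mac and frame[6:12] != bytes.fromhex(src_mac):
        return False
    if pattern is not None and frame[offset:offset + len(pattern)] != pattern:
        return False
    return True

def count_matches(frames, **conditions):
    """Number of frames that pass the filter."""
    return sum(matches(f, **conditions) for f in frames)

# Constructed sample traffic: two workstations talking to one server.
SERVER, WS_A, WS_B = "00a0c9000001", "00a0c900000a", "00a0c900000b"
REQUEST = b"GET /reports/q3.xls HTTP/1.0\r\n\r\n"
NAME_OFFSET = PAYLOAD_OFFSET + REQUEST.index(b"q3.xls")  # byte 67 of the frame
FRAMES = [
    build_frame(SERVER, WS_A, "10.0.0.10", "10.0.0.1", REQUEST),
    build_frame(SERVER, WS_B, "10.0.0.11", "10.0.0.1", b"GET / HTTP/1.0\r\n\r\n"),
    build_frame(WS_A, SERVER, "10.0.0.1", "10.0.0.10", b"HTTP/1.0 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for size in (None, 64):
        kept = capture(FRAMES, size)
        print("frame size", size or "Full",
              "| from WS_A:", count_matches(kept, src_mac=WS_A),
              "| TCP at offset 23:", count_matches(kept, pattern=b"\x06", offset=23),
              "| 'q3.xls':", count_matches(kept, pattern=b"q3.xls", offset=NAME_OFFSET))
```

With a 64-byte frame size the Ethernet, IP, and TCP headers survive intact, so address and protocol filters behave as before, but anything you intend to match in the payload must sit within the captured bytes.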
Network Monitor allows you to identify other Network Monitor users. Choose this option from the Tools menu. A list of Network Monitor Users will be shown. Any of the users can be added to your Network Monitor Database by highlighting the user and clicking the Add Names to Database check box, and then clicking OK.
Launch Network Monitor to boost your network strategy
As you use Network Monitor you will become more familiar with the power and flexibility of this tool. You’ll quickly notice its benefits as part of your overall network management strategy for your Windows 2000 network. There is a wealth of information within the help files if you need additional help while using Network Monitor.
