Windows Server 2008: Using Capacity-Analysis Tools (part 2) - Network Monitor

3/13/2011 3:19:17 PM

Network Monitor

Network Monitor is a crucial tool that system administrators should have in their arsenal. Network Monitor, now in its third version, has been overhauled to support the new networking changes introduced with both Windows Server 2008 R2 and Windows 7. Network Monitor 3.3 includes several enhancements for capturing network traffic and parsing the captured data for use in troubleshooting, capacity analysis, and performance tuning. The next few sections cover using Network Monitor to capture network traffic between two computers, on a wireless connection, over remote access connections; how to analyze captured data; and how to parse captured data for analysis. Network Monitor 3.3, shown in Figure 3, can be downloaded from the System Tools section in the Microsoft Download Center at www.microsoft.com/downloads/.

Figure 3. The Network Monitor 3.3 interface.

Note

The Network Monitor TechNet blog located at http://blogs.technet.com/netmon contains a wealth of information regarding Network Monitor, capturing, and analyzing data.


Note

Network Monitor 3.3 is available in ia64, x64, and x86 versions and can run on Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 7, Windows Vista, and Windows XP systems.


What’s New in Network Monitor 3.3

Network Monitor 3.3 expands on the capabilities of the previous versions of Network Monitor by including several more features and fixes for issues that were discovered in the 3.x versions. Network Monitor 3.3 is very flexible and can even stop a capture based on an event log entry in Event Viewer.

The previous versions of Network Monitor included the following:

  • An optimized interface that included network conversations and an expandable tree view of frames for the conversation(s)

  • A real-time display and updating of captures

  • The ability to capture traffic on multiple network cards simultaneously

  • The ability to run multiple capture sessions simultaneously

  • A script-based protocol parser language

  • Support for Windows Server 2008, Windows Vista, Windows XP, and Windows Server 2003 on 32- or 64-bit platforms

  • The ability to capture wireless traffic, scan one or all wireless channels supported by the network card, and view signal strength and transfer speed of the connection

  • The ability to trace traffic inside of a Windows Vista virtual private network (VPN) tunnel by capturing remote access server (RAS) traffic

  • The ability to right-click in the Frame Summary pane and click Add to Filter

  • Support for the Windows Update service by periodically checking for updates to the Network Monitor program

  • A redesigned filter toolbar

  • A redesigned engine for supporting more protocol schemes

  • New public parsers like ip1394, ipcp, PPPoE, and more

Some of the new features in Network Monitor 3.3 include the following:

  • Support for Windows Server 2008 R2, Hyper-V, and Windows 7

  • The ability to capture WWAN and tunnel traffic on Windows 7 computers

  • Support for both IPv4 and IPv6

Using Network Monitor 3.3

Before you can start using the advanced features of Network Monitor, analyzing captured data, and identifying potential issues and bottlenecks, a basic understanding of Network Monitor and how it works is necessary.

To capture network traffic, install Network Monitor 3.3 and do the following:

1. Run Network Monitor (Start, All Programs, Microsoft Network Monitor 3.3, Microsoft Network Monitor 3.3).

2. Click the Create a New Capture Tab link in the left pane.

3. Click the Start button or press F5 to start capturing traffic.

To apply filters to a captured stream of information, do the following:

1. With a capture running and the tab selected, as shown in Figure 4, click the Filter menu in the menu bar at the top of the Network Monitor program.

Figure 4. Capturing and Configuring Filters in Network Monitor 3.3.

  • To create a capture filter— Click on Capture Filter, Load Filter, Standard Filters to select a preconfigured filter that will capture traffic relative to a specific item such as DNS.

  • To create a display filter— Click on Display Filter, Load Filter, Standard Filters to select a preconfigured filter that will only display information relative to a specific item such as DNS from captured data.

  • To create a color filter— Click on Color Filter, Load Filter, Standard Filters to apply a color effect to specific items such as DNS.

2. After a filter has been added, it must be applied. Filters can be applied by clicking the Apply button in the Capture Filter pane, pressing the Ctrl+Enter keys simultaneously, or clicking Apply in the Filter menu for the added filter.

3. Apply the filter(s) by clicking the Filter menu at the top of the Network Monitor program.

  • To apply a capture filter, highlight Capture Filter, and click Apply Filter.

  • To apply a display filter, highlight Display Filter, and click Apply Filter.

  • To add a color filter, click Color Filter, click Add, add an expression (for example, RDP or 192.168.1.5), and format the font for your preference. Click OK, and click OK again to apply the filter and close the Color Filter window.

Alternatively, a capture or display filter can be applied by right-clicking on an item in the Frame Summary pane and selecting Add Cell to Display Filter, as shown in Figure 5. Figure 6 shows a sample capture with a DNS capture filter applied and all RDP packets color-coded in red using a color filter.

Figure 5. Choosing to add a cell to display filter.

Figure 6. Sample capture with red highlighted filtered data.

To remove a filter, simply highlight the correct filter type from the Filter menu and select Remove Filter, click the Remove button in the Capture Filter pane, or press the Ctrl+Shift+Enter keys simultaneously.

Note

Removing a filter does not remove it from the filter list. It just removes it from being applied.


Capturing Network Traffic Between Computers

As outlined previously, Network Monitor 3.3 includes the ability to capture wireless, remote, local area network (LAN), and wide area network (WAN) traffic using a remote agent. In some cases, network administrators want to diagnose or monitor a conversation between two computers. The steps necessary to monitor traffic between two different computers are outlined in the following list.

To capture network traffic between two different computers using IPv4 source and destination addresses, as shown in Figure 7, do the following:

1. In Network Monitor, click the Create a New Capture Tab button on the left.

2. Click the Filter menu, select Capture Filter, Load Filter, Standard Filters.

3. Select Addresses, and then IPv4 Addresses.

4. Edit the filter to specify the IP addresses that should be filtered in the Capture Filter window (for example, 192.168.0.100 and Any).

5. Click the Apply button in the Capture Filter pane.

6. Click the Start button on the main Network Monitor menu bar or press the F5 key to start the capture.

Figure 7. Network Monitor capture of network traffic between two IP addresses.
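The two procedures above (loading capture, display and color filters, and capturing the conversation of one IPv4 host) can also be run unattended from the command line. Network Monitor 3.3 installs NMCap.exe alongside the GUI, and it accepts the same filter expressions the Filter menu uses. The following PowerShell script is an added example, not code from the book; the install path, the host address 192.168.0.100 (taken from the steps above), the output file and the five-minute stop condition are placeholder choices, and RDP is expressed as TCP port 3389, its registered port.

```powershell
# Added example (not from the book): drive Network Monitor 3.3's command-line
# capture tool, NMCap.exe, with the same filters the GUI steps describe.
# Assumptions: NMCap.exe lives in the default install folder below, and the
# host address and output path are placeholder values for this example.
$nmcap   = Join-Path $env:ProgramFiles 'Microsoft Network Monitor 3\NMCap.exe'
$outFile = 'C:\Captures\host-192.168.0.100.cap'

# Network Monitor filter expressions equivalent to the Standard Filters used
# in the text. The same strings work in the GUI's Capture, Display and Color
# filter panes.
$filters = @{
    # "Addresses, IPv4 Addresses" with 192.168.0.100 and Any: matches frames
    # where the host is either the source or the destination
    TwoHosts = 'IPv4.Address == 192.168.0.100'
    # "Standard Filters, DNS": keep only DNS frames
    DnsOnly  = 'DNS'
    # RDP, which the color filter in the text highlights in red; RDP listens
    # on TCP port 3389, so match on the port rather than the parser name
    Rdp      = 'TCP.Port == 3389'
}

# Filters combine with Network Monitor's && (and), || (or) and ! (not)
# operators. Here: DNS or RDP frames to or from the monitored host.
$capFilter = "($($filters.TwoHosts)) && (($($filters.DnsOnly)) || ($($filters.Rdp)))"

New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null

# List the adapters NMCap can see; use an adapter name instead of '*'
# below when only one interface should be captured.
& $nmcap /DisplayNetworks

# Capture on all adapters ('*'), apply the capture filter so only matching
# frames are written, save to $outFile and stop after five minutes.
& $nmcap /network * /capture $capFilter /file $outFile /StopWhen /TimeAfter 5 min

Write-Host "Capture saved to $outFile; open it in Network Monitor 3.3 to apply display and color filters."
```

Keeping the capture filter narrow (host plus protocol) matters for capacity analysis as well as disk usage: a filter applied at capture time discards non-matching frames before they are written, whereas a display filter only hides frames that were already stored in the .cap file.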

Parsing Captured Network Traffic Data

Parsing captured data allows the information to be converted into a format that is more legible to the naked eye. Parsing captured data makes analysis of the captured data easier—in fact, it’s almost essential. The Network Monitor parsing engine was completely rewritten to support the new functionality of Network Monitor 3.3.

To modify parsing of captured data in Network Monitor 3.3, do the following:

1. With a capture running or loaded from a saved file, select the Parsers tab in Network Monitor, as shown in Figure 8.

Figure 8. Parsers tab of Network Monitor 3.3.

2. Expand the appropriate parsing category and double-click on the desired parser to load the parser code into the editor. Parsers use Network Monitor Parser Language (NPL), a simple-to-use language. Help for NPL is included in the Network Monitor 3.3 Help file.