Monitoring Network Activity with Network Monitor
Network Monitor is the tool you use to both monitor and log network activity as it occurs on the network. You can also use the information obtained from Network Monitor to optimize network traffic. Network Monitor stems directly from the Windows NT Network Monitor and is included with Windows Server 2003.
The key administration tasks which you can perform using Network Monitor are summarized below:
- You can capture frames directly from the network which you are monitoring.
- You can configure capture filters to specify the type of information which should be captured by Network Monitor.
- You can view captured frames immediately once the capture is complete, or at some later stage.
- You can filter captured frames by creating display filters. This allows you to find specific information in a capture.
- You can create triggers if you want certain actions performed when the content of a packet(s) match a predefined condition.
- You can edit captured frames and pass them on.
- You can capture frames from a remote computer.
There are two versions of Network Monitor available:
- The basic Network Monitor version which is included with Windows Server 2003.
- The full Network Monitor version which is included with Microsoft Systems Management Server (SMS).
The main differences between the two versions of Network Monitor are:
- Basic Network Monitor version: You can monitor network activity and capture frames only on the local computer running Network Monitor.
- Full Network Monitor version: You can monitor network activity and capture frames on all devices on the network segment. The features listed below are solely available when the full version is utilized:
  - Capture frames from a remote computer.
  - Edit captured frames and pass them on.
  - Resolve device names to MAC addresses.
  - You can also determine the following information:
    - The user who is consuming the most bandwidth
    - The protocol that is consuming the most bandwidth
    - The devices which are routers
Network Monitor contains the following components:
- Network Monitor Driver: The Network Monitor driver is the component of Network Monitor which captures frames passed to and passed from the network adapter on which it is installed. The Network Monitor driver therefore needs to be installed on the machine for which you want to monitor network activity.
- Network Monitor Tools (application): The Network Monitor tools are used to examine and analyze traffic which was captured by the Network Monitor driver.
A few requirements to use Network Monitor for monitoring network activity are summarized below:
- The basic version of Network Monitor included with Windows Server 2003 can only be used to capture frames on Windows 2000 and Windows XP clients.
- The full version of Network Monitor included with Systems Management Server (SMS) has to be used to capture frames for Windows NT, Windows 98, and Windows 95 clients.
- If you want to monitor network activity throughout the network, you have to utilize the full version of Network Monitor.
How to install Network Monitor included with Windows Server 2003
While Network Monitor is shipped with Windows Server 2003, it is not automatically installed when you install Windows Server 2003. When you install Network Monitor, the Network Monitor driver is automatically installed.
To install Network Monitor:
- Click Start, and then click Control Panel.
- Click Add Or Remove Programs to open the Add Or Remove Programs dialog box.
- Click Add/Remove Windows Components.
- The Windows Components Wizard launches.
- Select Management and Monitoring Tools and click the Details button.
- On the Management and Monitoring Tools dialog box, select the Network Monitor Tools checkbox and click OK.
- Click Next when you are returned to the Windows Components Wizard.
- If prompted during the installation process for additional files, place the Windows Server 2003 CD-ROM into the CD-ROM drive. If the required files exist on the network, specify the location of these files.
- Click Finish on the Completing the Windows Components Wizard page.
While the Network Monitor driver is automatically installed when you install Network Monitor, there may be situations when you need to manually install the Network Monitor driver.
To install the Network Monitor driver:
- Click Start, click Control Panel, and then click Network Connections.
- Right-click Local Area Connection, and click Properties from the shortcut menu.
- Click the Install button on the Properties dialog box.
- When the Select Network Component Type dialog box opens, click Protocol in the Component list, and then click Add.
- In the Select Network Protocol dialog box, select Network Monitor Driver.
- Click OK.
In Network Monitor, the Frame Viewer window is used to view the contents of any captured frames. To view captured data during the capture, select Stop And View from the Capture menu. The Capture window in Network Monitor displays information on the frames' statistics.
How to change the default size of the capture buffer
The size of the capture buffer determines how much data can be viewed in Network Monitor. The buffer setting which you specify cannot be more than the actual available physical memory. To change the buffer setting,
- Open Network Monitor.
- Select Buffer Settings from the Capture menu.
- The Capture Buffer Settings dialog box appears.
- Proceed to change the Buffer Size (MB) setting and Frame Size (Bytes) setting.
How to configure Network Monitor to display address names over hexadecimal network addresses
- Open Network Monitor.
- Select Show Address Names from the Options menu.
- A check mark is displayed alongside Show Address Names.
How to configure the amount of information that you want to print for captured frames
- Open Network Monitor.
- The Frame Viewer window is used to configure the amount of information which you want to print.
- Select Print from the File menu.
- When the Print dialog box appears, click the Netmon tab.
- In the Output Detail section, select one of the following:
  - Print Frame Summary Lines
  - Print Protocol Details
  - Print Hex Data
How to create a capture filter
Creating a capture filter involves defining those capture conditions which should be used to capture frames. You can define the capture conditions which should be used by specifying:
- Capture filter protocols
- Address pairs
- Data pattern matches
To create a capture filter:
- Open Network Monitor.
- Select Filter from the Capture menu.
- The Capture Filter dialog box opens.
- All capture filters are illustrated in a decision tree.
- To create a capture filter, double-click the default filter.
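How the three kinds of capture condition narrow a capture, as an added Python sketch that is not Network Monitor's own code. It assumes Ethernet II frames and that the three condition groups are ANDed together; the function names, addresses and frames are constructed for illustration.

```python
import struct

ETH_HDR = 14  # dst MAC (6) + src MAC (6) + EtherType (2)

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ip_frame(dst, src, proto):
    """Build a constructed Ethernet II frame carrying a bare IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return mac(dst) + mac(src) + struct.pack("!H", 0x0800) + ip

def passes(frame, etypes=None, pairs=None, patterns=None):
    """True if the frame meets every configured condition group (ANDed)."""
    if len(frame) < ETH_HDR:
        return False                      # runt frame: nothing to match on
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etypes is not None and etype not in etypes:
        return False                      # protocol condition
    if pairs is not None and not any(
            {src, dst} == {mac(a), mac(b)} for a, b in pairs):
        return False                      # address pair, either direction
    for offset, pattern in patterns or []:
        if frame[offset:offset + len(pattern)] != pattern:
            return False                  # data pattern at a byte offset
    return True

def capture(frames, **conditions):
    """Return the indexes of the frames a capture filter would keep."""
    return [i for i, f in enumerate(frames) if passes(f, **conditions)]

# Constructed sample traffic (addresses and contents are made up).
A, B, C = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "02:00:00:00:00:0c"
FRAMES = [
    ip_frame(B, A, 6),                                   # 0: A -> B, TCP
    ip_frame(A, B, 17),                                  # 1: B -> A, UDP
    ip_frame(B, C, 6),                                   # 2: C -> B, TCP
    mac("ff:ff:ff:ff:ff:ff") + mac(A) + b"\x08\x06" + bytes(28),  # 3: ARP
]
IP_PROTO_OFFSET = ETH_HDR + 9   # protocol byte inside the IPv4 header

if __name__ == "__main__":
    print(capture(FRAMES, etypes={0x0800}))
    print(capture(FRAMES, pairs=[(A, B)]))
    print(capture(FRAMES, etypes={0x0800}, pairs=[(A, B)],
                  patterns=[(IP_PROTO_OFFSET, b"\x06")]))
```

Each added condition shrinks the capture, which is what keeps a fixed-size capture buffer from filling with frames you do not need.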
How to create a display filter
- Open Network Monitor.
- Select Filter from the Display menu.
- The Display Filter dialog box appears.
- Proceed to configure the required display filter.
Monitoring Network Activity with System Monitor
You can use System Monitor to monitor, collect and measure real-time performance data of the local computer or of a remote computer. You can monitor real-time activity by viewing current data, or you can monitor data from a log file.
System Monitor enables you to perform the following tasks to monitor network activity.
- You can collect real-time performance data on different elements of system performance.
- You can collect data from the local computer or from a remote network computer.
- You can collect data from one computer or from multiple computers at the same time.
- You can define which data should be collected by specifying certain objects and counters.
- You can create specific monitoring configurations for monitoring data which you can export to, and use on other computers.
- You can view real-time data, or you can view log files. You create log files by saving the collected data to file.
- You can view and analyze collected data in a number of formats:
  - Graph view
  - Histogram view
  - Report view
- You can also create HTML pages to view data.
How System Monitor works
System Monitor uses objects, counters and instances to monitor the system. An object is a collection of counters which are associated with a system resource or service. As the object executes a function, its associated counters are updated. A counter represents data for a particular component of the system or service. Each object has a set of counters. An instance refers to the occurrence of multiple performance objects of the identical type on a computer. An object can have one or multiple instances.
The objects most commonly used for monitoring network activity are listed below:
- Browser object, monitors the Browser service for the domain or the workgroup
- Cache object, monitors disk cache usage
- Memory object, monitors physical and virtual memory performance
- Objects object, monitors the events, processes and threads on the computer as data is collected
- Paging File object, monitors page file usage
- Physical Disk object, monitors the hard disks
- Process object, monitors the processes running on the computer
- Processor object, monitors the processors on the system
- Server object, monitors items such as bytes, sessions, pool paged usage, and pool non-paged usage
- System object, monitors counters associated with system hardware and software
- Thread object, monitors threads running in the system
You have to be a member of one of the groups listed below to use System Monitor:
- Administrators group
- Server Operators group
- Performance Log Users group
- Performance Monitor Users group
The Network Interface performance object which you can use to monitor data sent to and from a computer, is automatically added in System Monitor when the TCP/IP protocol is installed. The counters which can be used to isolate network card problems/issues are listed below:
- Packets Outbound Errors: Shows the number of outbound packets which could not be sent because of errors.
- Packets Received Errors: Shows the number of received packets which could not be forwarded because they had errors.
- Packets Outbound Discarded: Shows the number of packets that had no errors, which were discarded.
- Packets Received Discarded: Shows the number of received packets that had no errors, which were discarded.
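One way to review these counters after the fact, as an added Python example that is not part of System Monitor. It assumes the counter log was saved in CSV form with Windows counter paths in the header row and that the four counters are running totals; the host name, adapter names and values in the sample are constructed.

```python
import csv
import io
import re

# Constructed sample log; host name, adapter names and values are made up.
SAMPLE_LOG = r'''"(PDH-CSV 4.0)","\\SRV01\Network Interface(NIC1)\Packets Outbound Errors","\\SRV01\Network Interface(NIC1)\Packets Received Errors","\\SRV01\Network Interface(NIC2)\Packets Received Discarded"
"03/01/2005 10:00:00.000","0","12","3"
"03/01/2005 10:00:15.000","0","12","3"
"03/01/2005 10:00:30.000","0","57"," "
"03/01/2005 10:00:45.000","0","140","3"
'''

WATCHED = {"Packets Outbound Errors", "Packets Received Errors",
           "Packets Outbound Discarded", "Packets Received Discarded"}
PATH = re.compile(r"\\\\[^\\]+\\Network Interface\((.+)\)\\(.+)$")

def counter_growth(log_text):
    """Return {(adapter, counter): increase} for watched counters that grew."""
    rows = list(csv.reader(io.StringIO(log_text)))
    if len(rows) < 2:
        return {}
    header, samples = rows[0], rows[1:]
    grown = {}
    for col in range(1, len(header)):
        match = PATH.match(header[col])
        if not match or match.group(2) not in WATCHED:
            continue
        values = []
        for row in samples:
            try:
                values.append(float(row[col]))
            except (ValueError, IndexError):
                continue              # blank cell: sample was not collected
        # Sum only the increases so a counter reset does not hide growth.
        increase = sum(max(b - a, 0) for a, b in zip(values, values[1:]))
        if increase > 0:
            grown[match.groups()] = increase
    return grown

if __name__ == "__main__":
    for (adapter, counter), increase in counter_growth(SAMPLE_LOG).items():
        print(f"{adapter}: {counter} grew by {increase:.0f}")
```

A counter that sits at a constant non-zero value is old history; the adapter worth investigating is the one whose error or discard total keeps climbing during the logging window.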
How to start System Monitor
- Click Start, click Administrative Tools, and then click System Monitor.
- If this is the first time that you are accessing System Monitor, you will notice that there are default counters which are tracked:
  - Memory – Pages/Sec
  - PhysicalDisk – Avg. Disk Queue Length
  - Processor – % Processor Time
How to add counters to System Monitor
- Open System Monitor.
- Click the Add button located on the toolbar.
- When the Add Counters dialog box opens, choose one of the following options:
  - To monitor the local computer, click the Local Computer Counters option.
  - To monitor the remote computer, click Select Counters From Computer, and select the computer which you want to utilize.
- Choose the performance object from the available list.
- To monitor each counter associated with the object which you have selected, click the All Counters option. To monitor only certain counters, click the Select Counters From List option, and select the counters from the available list box.
- To track all associated instances, click the All Instances option. To track only certain instances, click the Select Instances From List option, and then choose the instances from the available list box.
- Click Add.