The purpose of this article is to provide you with the information needed to
capture network traffic from a local area network using Microsoft's Network
Monitor. The text of this article comes directly from the Network Monitor's
Help file and should be referenced for more detailed instructions.
Network Monitor is a network diagnostic tool that monitors local area
networks and provides a graphical display of network statistics. Network
administrators can use these statistics to perform routine trouble- shooting
tasks, such as locating a server that is down, or that is receiving a
disproportionate number of work requests. While collecting information from
the network's data stream, Network Monitor displays the following types of
information:
| • |
The source address of the computer that sent a frame
onto the network. (This address is a unique hexadecimal (or base-16)
number that identifies that computer on the network.) |
| • |
The destination address of the computer that received
the frame. |
| • |
The protocols used to send the frame. |
| • |
The data, or a portion of the message being sent. |
The process by which Network Monitor collects this information is called
capturing. By default, Network Monitor gathers statistics on all the frames
it detects on the network into a capture buffer, which is a reserved storage
area in memory. To capture statistics on only a specific subset of frames,
you can single out these frames by designing a capture filter. When you have
finished capturing information, you can design a display filter to specify
how much of the information that you have captured will be displayed in
Network Monitor's Frame Viewer window.
To use Network Monitor, your computer must have a network card that supports
promiscuous mode. If you are using Network Monitor on a remote machine, the
local workstation does not need a network adapter card that supports
promiscuous mode, but the remote computer does.
To capture across networks, or to preserve local resources, use the Network
Monitor Agent to capture information using a remote Windows NT computer.
When you capture remotely, the Network Monitor Agent gathers statistics from
a remote computer, and then sends these statistics to your local computer,
where they are displayed in a local Network Monitor window.
Once data has been captured either locally or remotely, the data can be
saved to a text or a capture file, and can be opened and examined at a later
time.
Note The core functionality of Network Monitor, described in Help, is
supported by Microsoft Product Support Services. Network-dependent tasks,
such as interpreting data that you capture from your network, are not
supported. The Network Monitor Agent is supported for Windows NT, but is
unsupported on Windows 3.1 and Windows for Workgroups workstations.
Creating an address list
To use address pairs in a Capture filter, you should first build an address
database. Once this database is built, you can use the addresses listed in
the database to specify address pairs in a capture filter.
To create an address list, follow these steps:
| 1. |
From the Capture menu, select Start.
Optionally, open a .cap file in the Frame Viewer window. |
| 2. |
When you have finished capturing, select Stop
and View from the Capture menu to display the Frame
Viewer window. |
| 3. |
From the Display menu, select Find All
Names. Network Monitor processes the frames, then adds them to
the address database. |
| 4. |
Close the Frame Viewer window, and display the
Capture window. |
| 5. |
From the Capture menu, select Filter to
display the Capture filter dialog box. |
| 6. |
In the Capture Filter dialog box, double-click
on the Address Pairs line. Or, choose Address in the Add
groupbox. |
Network Monitor displays the address database you have created. You can use
the names in this database to specify address pairs in the Capture filter.
Capturing data between two computers
To monitor traffic between two computers, follow these steps:
| 1. |
From the Capture menu, choose Filter to
display the Capture Filter dialog box. |
| 2. |
Double-click on the ANY<->ANY line to display
the Address Expression dialog box. |
| 3. |
In the left window of the Address Expression
dialog box, select the address of a computer. |
| 4. |
In the right window of the Address Expression
dialog box, select the address of a computer. |
When you have done this, choose the
Next button at the top of this
window for more instructions.
| 1. |
In the Direction window, of the dialog box, choose
one of the symbols:
| • |
Choose the <--> symbol to
monitor the traffic that passes in either direction between
the addresses that you have selected. |
| • |
Choose the --> symbol to monitor
only the traffic that passes from the address selected in
the left window to the address selected in the right window. |
|
| 2. |
Choose OK. |
| 3. |
In the Capture Filter dialog box, choose OK. |
| 4. |
From the Capture menu, choose Start. |
Saving captured data
Use the Save As command to save capture statistics to a capture file or to
save changes to capture files that you have modified. Later, to view frames
saved to file, you can open this file and display the statistics in Network
Monitor's Frame Viewer window.
To save the captured frames to a capture file or text file:
| 1. |
Do one of the following:
| • |
On the Toolbar, click the File Save
button.
-or-
|
| • |
From the File menu, choose Save As. |
|
| 2. |
Do one the following:
| • |
To save the file to the current drive and
directory, in the File Name box, specify a file name
and an extension. If you are saving a file that you have
modified, you cannot save it under its original name in the
same directory. |
| • |
To save the file to a network share to which
you are not connected, choose the Network button, and
then use the Connect Network Drive dialog box to
establish the connection. |
| • |
To save the file to a different drive or
directory, do the following:
| a. |
In the Drives box, select a
new drive. |
| b. |
In the Directories box, select
a new directory. |
| c. |
Type the file name. |
|
|
| 3. |
To save only those frame statistics that meet the
specifications of the current display filter, choose Filtered.
This option is available only if you are saving data from the Frame
Viewer window. |
| 4. |
To save a particular range of frames, type the
beginning and ending frame numbers in the From and To
boxes. |
| 5. |
Choose OK. |
Note When a range of frames is saved to a capture file, the numbers
associated with the frames are changed; in a capture file, frame numbers
always begin with 1, regardless of the number associated with the original
frame. Similarly, if you apply a display filter, and then save the filtered
frames, the frame numbers in the capture file begin with 1. If, however, you
use the Print to File option in the Print dialog box, the original frame
numbers associated with the frames are preserved.
Buffer size settings
The default buffer size is 1 megabyte (MB). To increase the buffer size so
that you do not lose information, follow these steps:
| 1. |
Click Capture, and
then click Buffer Settings. |
| 2. |
Increase the value for the Buffer
Size (MB) setting, and then click OK. |
Tracing in a WAN Environment
Sometimes, you may be asked to make a capture of network traffic between two
specific computers that are separated by one or more routers. In these
cases, the support professional may want to analyze all network traffic
between the first computer and its nearest router, and all network traffic
between the second computer and its nearest router. Most of the time, this
is done to check whether or not network packets are being lost or corrupted
somewhere between the routers. To make these traces consistent and to be
able to read these traces simultaneously, the system clocks must be
synchronized between the two computers prior to making the trace. Use the
following steps to synchronize time between two computers:
| 1. |
Choose the computer against which to synchronize the
time. |
| 2. |
From the other computer, type the command
net time \\ComputerName /set
/yes
where ComputerName is the name of the computer from step
1. |
| 3. |
Verify the computers have the same time by typing TIME
at each one. |
| 4. |
Proceed with the trace. |
Finding Media Access Control Addresses
If the computer to be monitored is running:
| • |
An MS-DOS-based network client, run MSD at that
computer. |
| • |
Windows for Workgroups 3.11 (running TCP/IP), type IPCONFIG
/ALL from the command line. |
| • |
Windows 95, run WINIPCFG from the command line at the
local workstation. |
| • |
MacOS, Open Appletalk Control Panel. Select User
Mode from Edit Menu, change mode to Advanced. Appletalk
Control Panel now reveals Info button. Click this button to
obtain the MAC address |
| • |
Windows NT, at the local console, use one of these
options:
| • |
NET CONFIG SERVER from the command line |
| • |
IPCONFIG /ALL from the command line |
| • |
IPXROUTE config from the command line |
| • |
arp -a from the command line |
| • |
Getmac.exe from the Windows NT Resource Kit |
| • |
WinMSD |
|
| • |
Windows NT, remotely, run Getmac.exe from the Windows
NT Resource Kit |
