The Vista Network Monitor is a utility which captures TCP/IP packets.
Its GUI then reveals each frame's source and destination addresses along
with the detailed information stored in the datagram header.
The secret of success with the Vista Network Monitor is that you must have a
clear purpose; you need a real problem to solve.
If you just toy with Network Monitor you will soon get bewildered
with all the data captured, and give up.
However, as soon as you have a mission, your desire to
succeed will ensure that you home in on just the facts you need. Then,
as you solve the problem, you become a minor expert on Network Monitor.
The classic mistake is thinking that Network Monitor is built into
the Vista operating system and that you activate it via 'Features' or
'Windows Components'. In fact, the secret of installing the Vista
Network Monitor 3.3 is to download this free utility from
Microsoft's site.
What's New in Network Monitor 3.3
Ability to capture on WWAN and Tunnel interfaces on Win7.
Critical fixes to NM3.3 to operate correctly with Hyper-V.
Right-click-add-to-alias. Right-click a frame in the Frame
Summary window with an IPv4, IPv6, or MAC address to add that
address as a new alias.
What was New in Network Monitor 3.2
Network Conversations is a new feature which segregates related
frames and displays them in groups.
Process tracking works by categorizing packets based on the ID
of the process. Check for rogue processes, also learn about
'good' processes.
Improved GUI. Try resizing the windows, also drag and drop
windows to achieve a clearer interface.
Guy Recommends:
SolarWinds Free Wake-On-LAN Utility
Encouraging computers to sleep when they're not in use is a great idea -
until you are away from your desk and need a file on that remote sleeping machine!
WOL also has business uses, for example rousing machines so that
they can have update patches applied. My real reason for recommending
you download this free tool is because it's so much fun sending those 'Magic
Packets'. Give WOL a try - it's free.
Troubleshooting connectivity problems. Let
us imagine that you cannot contact a server. If you capture the appropriate
frames with the Network Monitor, you may discover from the destination
address that the machine your computer is trying to reach does not exist.
Calculating server response times. Each
packet carries time and date information, so you can measure response times
for conversations between your computer and other machines on the
network. If necessary you could initiate a conversation with a ping command.
TCP re-transmissions.
A large number of TCP re-transmissions could indicate a faulty wired (or
wireless) connection.
Your first task is to find, and then research, the P-Mode button. The 'P'
stands for promiscuous capture: in promiscuous mode the network card passes
up every frame it sees on the segment, not just those addressed to the local machine.
In order to capture data, you should install both the Network Monitor and
its driver on the local computer. The Network Monitor driver enables the
Netmon executable to receive and display frames from your network card.
Once netmon.exe has captured the frames from the network card, its
parsers analyze the raw bytes and display the information in the GUI. As a result
you can read all the information carried within the packets,
including unencrypted passwords and other sensitive information.
Filters, especially capture filters, make all the difference between seeing
manageable data in the monitor and viewing a mass of meaningless numbers.
For example, create a filter which captures only http traffic:
Filter menu, Capture Filter --> Load Filter - Standard Filters. Scroll
down to: HttpWebpageSearch.
Check the Capture Options
Before you begin, it's worth checking the 'Options' in your Vista
network monitor.
Tools Menu --> Options --> Capture
Temporary capture file: Size (of Buffer)
Folder Location for the buffer
Capture only first bytes of a frame. A useful setting to improve
performance.
As the monitor driver (agent) receives network packets, it stores them in a temporary buffer.
Next the Vista Network Monitor compares the frames in the buffer with
the capture filter. Any frames which match the capture filter are shown in the GUI;
the rest of the frames are discarded.
Start with Standard Filters
Begin at the Filter menu: click Capture Filter -->
Load Filter - Standard Filters. Now make your selection, for instance
IPv4Addresses.
You will soon learn how the filter works, but it does take a few
tries to obtain the results that you want. Just 'playing'
can result in confusion; what helps is a clear mission, for example you
just want to capture IPv4 addresses.
Type your Filter in the dialog box
Once you have tested some of the Standard Filters, I suggest you try
using the IntelliSense of the Capture Filter box. Begin by typing a period (.), also called the
full stop. Now you should see the top-level names. Type 'p'
and IntelliSense kicks in again and displays Protocol.
You could repeat the method and thus append TCP. The
result should look like: .Protocol.TCP.
An Alternative Filter Method
Another way of creating filters is to work from a frame that you have
already captured. Focus on the Frame Summary screen, then right-click an
interesting entry. Next select 'Add Source to Display Filter' from
the drop-down menu. The knack is to select the 'Source' column for
your click; filtering on the 'Time Offset' column does not make sense.
Save Captures
Save your capture to a file simply by clicking 'Save As' on the toolbar.
A good option when you save is to select only those frames which match
your filter criteria. Naturally you can revisit previous
captures by using the Open Capture dialog box.
Copy Frames
At first the prospect of copying frames did not seem very useful.
The benefit comes when you copy a bunch of frames into Excel and
then employ the spreadsheet's math functions on the numeric fields. For
example, calculating average response times.
Other uses of Copy include pasting the data into an email, and thus
alerting other people to rogue processes on the network.
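The response-time and re-transmission checks described earlier, worked through on frames copied out of the Frame Summary window instead of Excel, as an added Python example that is not from the original page or from Network Monitor itself. The six-column row layout, the ICMP and TCP description strings and all addresses and times are constructed assumptions; real pasted output may differ and the regular expressions would then need adjusting.

```python
import re
from statistics import mean

# Constructed sample of Frame Summary rows as copied out of Network Monitor
# (Frame Number, Time Offset, Source, Destination, Protocol Name,
# Description), tab-separated. Every value here is invented for this example.
SAMPLE = """\
1\t0.000000\t192.168.1.10\t192.168.1.20\tICMP\tEcho Request, Id = 0x1, Seq = 1
2\t0.000512\t192.168.1.20\t192.168.1.10\tICMP\tEcho Reply, Id = 0x1, Seq = 1
3\t1.001000\t192.168.1.10\t192.168.1.20\tICMP\tEcho Request, Id = 0x1, Seq = 2
4\t1.003400\t192.168.1.20\t192.168.1.10\tICMP\tEcho Reply, Id = 0x1, Seq = 2
5\t2.000000\t192.168.1.10\t192.168.1.30\tTCP\tFlags=...S., SrcPort=50000, DstPort=80, Seq=1000
6\t5.000000\t192.168.1.10\t192.168.1.30\tTCP\tFlags=...S., SrcPort=50000, DstPort=80, Seq=1000
"""

def parse_frames(text):
    # One dict per non-blank pasted row; the Description column keeps any
    # further tabs because we split at most five times.
    frames = []
    for line in filter(str.strip, text.splitlines()):
        num, t, src, dst, proto, desc = line.split("\t", 5)
        frames.append(dict(num=int(num), t=float(t), src=src, dst=dst,
                           proto=proto, desc=desc))
    return frames

def ping_rtts_ms(frames):
    # Pair each Echo Request with the Echo Reply carrying the same Id/Seq
    # from the other direction; the Time Offset difference is the RTT.
    pending, rtts = {}, []
    for f in (f for f in frames if f["proto"] == "ICMP"):
        m = re.search(r"Id = (0x[0-9a-f]+), Seq = (\d+)", f["desc"])
        if m and f["desc"].startswith("Echo Request"):
            pending[m.groups() + (f["src"], f["dst"])] = f["t"]
        elif m and f["desc"].startswith("Echo Reply"):
            sent = pending.pop(m.groups() + (f["dst"], f["src"]), None)
            if sent is not None:
                rtts.append(round((f["t"] - sent) * 1000, 3))
    return rtts

def average_ms(rtts):
    # The 'average response time' the page suggests computing in Excel.
    return round(mean(rtts), 3) if rtts else None

def tcp_retransmissions(frames):
    # A TCP frame repeating an already-seen (src, dst, ports, seq) tuple is
    # the same segment sent again; many of these point at a lossy link.
    seen, count = set(), 0
    for f in (f for f in frames if f["proto"] == "TCP"):
        m = re.search(r"SrcPort=(\d+), DstPort=(\d+), Seq=(\d+)", f["desc"])
        if m:
            key = (f["src"], f["dst"]) + m.groups()
            count += key in seen
            seen.add(key)
    return count
```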
Quick Capture Statistics
When capturing, the Vista Network Monitor shows stats in the
status bar at the bottom of the window:
Displayed: The number of frames in the Frame Summary window.
Dropped: The number of dropped frames.
Captured: The total number of frames captured for a particular session.
Recommended: Solarwinds' Permissions Analyzer - Free Active Directory Tool
I like the Permissions Analyzer because it enables me to see WHO has permissions
to do WHAT at a glance. When you launch this tool it analyzes a user's effective NTFS
permissions for a specific file or folder, and takes into account network share
access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free SolarWinds utility saves when you are
troubleshooting authorization problems for users' access to a resource.
Give this permissions monitor a try - it's free!
Isolating conversations is a new feature of the Microsoft Network
Monitor 3.3. This feature groups captures, and
thus you can see more easily what is happening. The key point is to select
the conversation from the tree on the left of the Network Monitor GUI;
you can expand the tree to see individual processes.
Using this technique you could research unknown processes; one day you
may discover a rogue program that has infected your network.
Advanced Topic - How Network Monitor Parses Headers
The Vista Network Monitor relies on two processes: firstly, capturing
network frames; secondly, a parsing engine which analyses the raw bytes
of data and displays the results in a GUI.
Once you have mastered the basics of capturing and filtering the
network traffic, you may wish to investigate a whole new world of
parsers. On the one hand parsers teach you how packet collection
works 'under the covers', on the other hand, parsers are the gateway to
a new level of controlling the way raw data is displayed in the monitor.
Getting Started: click the 'Parsers' tab next to the Start Page.
Begin with an overview of all the available parsers. As you
gain in confidence and experience, you could try modifying and saving
the new Parsers. However, to my mind being an expert at creating
parsers is a different and higher level skill from troubleshooting data.
Set 'Frame Truncation' to reduce your buffer size and improve
collection performance (Tools Menu, Options).
Look out for context-sensitive menu variations.
Copy and paste frames of your capture into Excel, then calculate totals.
Try creating an Alias for IP addresses.
Check out the Filters --> Color Filters.
Get out of jail with 'Restore': View menu --> 'Window'
--> 'Restore Default Layout'.
It's worth checking the version number of the Network Monitor in
the Control Panel. Go to Programs and Features, right-click on the
Columns, choose 'More' and add the 'Version' tab.
The Vista Network Monitor has a Command-line Tool Called Nmcap.exe
If you prefer the command line, you can control the Network Monitor via the Nmcap executable.
For example: nmcap /network * /capture /file guycap.cap
You can even use the same filters at the command line as seen in the
Capture Filter GUI. Once you have created your filter in the
GUI you could copy and paste it into the Nmcap command-line. The
command-line syntax is /Frame 'Your Filter'.
Guy Recommends:
SolarWinds' NPM - Network Performance Monitor
SolarWinds' performance monitor is designed for detecting network outages,
making it easy to see what's working, and what needs your attention.
This utility guides you through creating network maps; it also helps
identify whether the root cause is faulty equipment, or resource overload. Give NPM a try.