To analyze network traffic, you need to use a protocol analyzer such as Network Monitor. You can install Network Monitor by using the Windows Components Wizard. This wizard is available through the Welcome To Microsoft Windows Server 2003 screen or through the Add Or Remove Programs tool in Control Panel.
Understanding Network Monitor
Network Monitor is a software-based traffic analysis tool that allows a user to perform these tasks:
Capture frames directly from the network
Display and filter captured frames, immediately after capture or at a later time
Edit captured frames and transmit them on the network (full version only)
Capture frames from a remote computer (full version only)
For example, as a network administrator, you might use Network Monitor to diagnose hardware and software problems when the server computer cannot communicate with other computers. Frames captured by Network Monitor can be saved to a file and reviewed for later analysis. Network application developers can also use Network Monitor to monitor and debug network applications as they are developed.
Note
A frame is an encapsulation of layer 2, or network interface–layer, data. To say that Network Monitor captures frames is to say that it reads and displays encapsulations that include both network interface–layer data (such as Ethernet data) and higher-layer data from protocols such as Address Resolution Protocol (ARP), IP, Transmission Control Protocol (TCP), and Domain Name System (DNS). Technically speaking, a frame is distinct from a packet in that a packet is an encapsulation of layer 3, or internet-layer, data. However, these terms are often used interchangeably.
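To make the Note concrete, the following added example (not code from the book or from Network Monitor) decodes a raw Ethernet II frame the way a protocol analyzer does: it reads the layer 2 header, then the higher-layer protocol it encapsulates (ARP, or IPv4 carrying TCP/UDP), and applies a simple protocol display filter. The two frames are constructed sample bytes, not real captures.

```python
import socket
import struct

# Constructed sample frames for this example (not real captures): an ARP request
# and an IPv4/TCP SYN, each preceded by a 14-byte Ethernet II header.
ARP_FRAME = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"         # dst MAC, src MAC, EtherType=ARP
    "0001" "0800" "06" "04" "0001"              # Ethernet/IPv4, lengths, opcode=request
    "001122334455" "c0a80001"                   # sender MAC, sender IP
    "000000000000" "c0a80002")                  # target MAC, target IP
TCP_FRAME = bytes.fromhex(
    "000000000001" "001122334455" "0800"         # dst MAC, src MAC, EtherType=IPv4
    "450000280001400040060000c0a80002c0a80001"  # IPv4: IHL=5, protocol=6 (TCP)
    "04d2005000000000000000005002200000000000") # TCP: port 1234 -> 80, SYN

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(payload):
    hw, proto, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    return {"protocol": "ARP", "opcode": {1: "request", 2: "reply"}.get(op, op),
            "sender_ip": socket.inet_ntoa(sip), "target_ip": socket.inet_ntoa(tip)}

def parse_ipv4(payload):
    ihl = (payload[0] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = payload[9]
    info = {"protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, f"IP/{proto}"),
            "src_ip": socket.inet_ntoa(payload[12:16]), "dst_ip": socket.inet_ntoa(payload[16:20])}
    if proto in (6, 17):                          # TCP and UDP headers both begin with two ports
        info["src_port"], info["dst_port"] = struct.unpack("!HH", payload[ihl:ihl + 4])
    return info

def parse_frame(frame):
    """Decode the layer 2 header, then whichever higher-layer protocol it encapsulates."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac(dst), "src_mac": mac(src), "protocol": f"0x{ethertype:04x}"}
    if ethertype == 0x0806:
        info.update(parse_arp(frame[14:]))
    elif ethertype == 0x0800:
        info.update(parse_ipv4(frame[14:]))
    return info

def display_filter(frames, protocol):
    """Keep only decoded frames whose innermost decoded protocol matches (a display filter)."""
    return [f for f in map(parse_frame, frames) if f["protocol"] == protocol]

if __name__ == "__main__":
    for decoded in display_filter([ARP_FRAME, TCP_FRAME], "TCP"):
        print(decoded)
```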
Two versions of Network Monitor are available. The basic version is shipped with Windows Server 2003, and the full version is shipped with Microsoft Systems Management Server. Table 1 summarizes the differences between these two versions of the Network Monitor tool.
Table 1. Network Monitor Versions

| Function | Network Monitor (Basic) | Network Monitor (Full) |
|---|---|---|
| Local capturing | To and from only the computer running Network Monitor | All devices on the entire network segment |
| Remote capturing | Not available | Yes |
| Determining top user of network bandwidth | Not available | Yes |
| Determining which protocol consumes the most bandwidth | Not available | Yes |
| Determining which devices are routers | Not available | Yes |
| Resolving a device name into a Media Access Control (MAC) address | Not available | Yes |
| Editing and retransmitting network traffic | Not available | Yes |
Off the Record
In theory, there’s a huge difference between the two versions of Network Monitor: in the basic version, you can capture only the local computer’s communication exchanges, and in the full version, you can capture traffic exchanges among any computers on the entire network segment. Sadly, however, this distinction really holds only for networks that use hubs instead of switches to connect hosts. In reality, most modern networks use switches, which forward frames only to the recipient computer. Switches effectively limit the functionality of protocol analyzers such as Network Monitor by screening out all traffic that is not originating from or destined for the computer on which the protocol analyzer is running. So if, like most others, your network is using switches instead of hubs, you unfortunately won’t be able to experience the supposedly enormous benefit of the full version.
Exploring Network Monitor Components
Network Monitor is composed of an administrative tool called Network Monitor and an agent called the Network Monitor Driver. Both components must be installed for you to capture, display, and analyze network frames.
Using the Network Monitor Administrative Tool
You use Network Monitor to display the frames that a computer running Windows Server 2003 sends or receives.
To install Network Monitor, complete the following steps:
1. Open Add Or Remove Programs in Control Panel.
2. In Add Or Remove Programs, click Add/Remove Windows Components to launch the Windows Components Wizard.
3. On the first page of the Windows Components Wizard, select Management And Monitoring Tools, and then click Details. (Do not select the Management And Monitoring Tools check box.)
4. In the Management And Monitoring Tools window, select the Network Monitor Tools check box, and then click OK.
5. In the Windows Components Wizard, click Next. If you are prompted for additional files, insert your Windows Server 2003 CD, or type a path to the location of the files on the network.
6. Click Finish when installation has completed.
Installing the Network Monitor Driver
When you install Network Monitor, the Network Monitor Driver is installed automatically on the same computer. However, sometimes you need to install the Network Monitor Driver without installing the Network Monitor tool itself. For example, if a user of the full version of Network Monitor wants to capture traffic from a remote Windows XP Professional computer, he or she must install the Network Monitor Driver on that remote computer. You can install the Network Monitor Driver only on computers running Windows Server 2003, Microsoft Windows XP Professional, or Microsoft Windows 2000.
You must be logged on as Administrator or be a member of the Administrators group to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.
To install the Network Monitor Driver, complete the following steps:
1. Open Network Connections.
2. In the Network Connections window, right-click the network connection for which you want to install and enable the Network Monitor Driver, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Install.
4. In the Select Network Component Type dialog box, click Protocol, and then click Add.
5. In the Select Network Protocol dialog box, select Network Monitor Driver, and then click OK.
6. If prompted for additional files, insert your Windows Server 2003 CD, or type a path to the network location of the files.