Adding Parsers to Network Monitor
The process of reading, analyzing, and describing the contents of frames is known as parsing. In Network Monitor, parsers are .dll files that are responsible for breaking down and reading messages from various protocols. By default, Network Monitor includes more than 20 parsers that are responsible for parsing over 90 protocols.
You can extend the functionality of Network Monitor by adding new parsers. For example, if your organization uses a proprietary protocol, the development team can provide a .dll that Network Monitor can use to parse the new protocol. To perform this task, you must first add the .dll to the WINDOWS\System32\Netmon\Parsers folder, which is where all parsers for Network Monitor are stored. In addition, you must then add an entry for the new parser and protocol in the Parser.ini file. This file, which includes entries for all parsers and protocols used by Network Monitor, is stored in the WINDOWS\System32\Netmon folder. Because a parser is a .dll that Network Monitor loads into its own process, its code runs with the privileges of whoever runs Network Monitor, usually an administrator. Install only a parser you received from a trusted source, and record its file hash so that you can later confirm that the copy in the Parsers folder is the one you installed.
Off the Record Adding an entry to the Parser.ini file looks intimidating until you realize that the syntax for every entry is exactly the same. First, in the [parsers] section, add the following line (without the quotation marks), substituting the names of your parser and protocol as appropriate: "parser_name.dll = 0: protocol_name". Then, lower in the file, you will find a section corresponding to each protocol. Copy one of these sections, paste it, and substitute the name and description of your protocol as appropriate.
Tip On the exam, you will need to remember the two steps necessary for adding a new parser to Network Monitor. In addition, you will need to know the precise names and locations of both the Parser.ini file and the Parsers folder. Remember, the Parser.ini file is in the \System32\Netmon folder, which is the parent folder of the Parsers folder.
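The two steps above, carried out by a script, as an added example: this is not Microsoft's code and not part of the original text. The Parser.ini fragment in the block is constructed. Its [parsers] lines follow the "parser_name.dll = 0: protocol_name" syntax from the sidebar; the layout of the per-protocol section (a [PROTOCOL] header followed by a Comment line) is an assumption, so for a real file copy an existing section from your own Parser.ini as the sidebar advises. The SHA-256 check is the caveat a practitioner wants before step 1: a parser DLL is loaded into Network Monitor's process, so only the build the development team actually published should be copied into the Parsers folder. The function names, the hypothetical myproto.dll and the MYPROTO protocol name are all invented here.

```python
"""Register a new parser in Network Monitor's Parser.ini (added example).

Not Microsoft's code. SAMPLE_PARSER_INI is constructed; the [parsers] line
syntax follows the page, the per-protocol section layout is assumed.
"""
import hashlib
import re
import shutil
from pathlib import Path

# Constructed sample of the two parts of Parser.ini the page describes.
SAMPLE_PARSER_INI = """[parsers]
tcp.dll = 0: TCP
icmp.dll = 0: ICMP

[TCP]
    Comment = "Transmission Control Protocol"

[ICMP]
    Comment = "Internet Control Message Protocol"
"""

# "dll = n: PROTOCOL"; the page always shows n as 0, which this example keeps.
PARSER_ENTRY = re.compile(r"^\s*(?P<dll>[^=;\s]+)\s*=\s*(?P<n>\d+)\s*:\s*(?P<proto>\S+)", re.I)


def section_bounds(lines, name):
    """Return (header_index, end_index) of the [name] section, or None if absent."""
    for i, line in enumerate(lines):
        if line.strip().lower() == "[%s]" % name.lower():
            end = next((j for j in range(i + 1, len(lines))
                        if lines[j].lstrip().startswith("[")), len(lines))
            return i, end
    return None


def register_parser(ini_text, dll_name, protocol, comment):
    """Return ini_text with the two entries the page requires: a
    'dll = 0: PROTOCOL' line in [parsers] and a [PROTOCOL] section.
    Idempotent; refuses to rebind a protocol already owned by another DLL."""
    lines = ini_text.splitlines()
    bounds = section_bounds(lines, "parsers")
    if bounds is None:
        raise ValueError("Parser.ini has no [parsers] section")
    start, end = bounds
    for line in lines[start + 1:end]:
        m = PARSER_ENTRY.match(line)
        if m and m["proto"].lower() == protocol.lower():
            if m["dll"].lower() == dll_name.lower():
                return ini_text            # already registered: nothing to change
            raise ValueError("%s is already bound to %s" % (protocol, m["dll"]))
    # Insert after the last non-blank line of [parsers], keeping its trailing blank line.
    at = end
    while at > start + 1 and not lines[at - 1].strip():
        at -= 1
    lines.insert(at, "%s = 0: %s" % (dll_name, protocol))
    if section_bounds(lines, protocol) is None:
        lines += ["", "[%s]" % protocol, '    Comment = "%s"' % comment]
    return "\n".join(lines) + "\n"


def dll_is_trusted(dll_bytes, expected_sha256):
    """The DLL runs inside Network Monitor's process: install only the build
    whose SHA-256 matches what the development team published."""
    return hashlib.sha256(dll_bytes).hexdigest() == expected_sha256.lower()


def install_parser(netmon_dir, dll_src, expected_sha256, protocol, comment):
    """Step 1: copy the DLL into Netmon\\Parsers. Step 2: edit Netmon\\Parser.ini."""
    netmon_dir, dll_src = Path(netmon_dir), Path(dll_src)
    if not dll_is_trusted(dll_src.read_bytes(), expected_sha256):
        raise ValueError("%s does not match the expected SHA-256; not installing" % dll_src.name)
    parsers_dir = netmon_dir / "Parsers"
    parsers_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(dll_src, parsers_dir / dll_src.name)
    ini = netmon_dir / "Parser.ini"
    ini.write_text(register_parser(ini.read_text(), dll_src.name, protocol, comment))


if __name__ == "__main__":
    # Demonstration against a temporary directory standing in for WINDOWS\System32\Netmon.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Parser.ini").write_text(SAMPLE_PARSER_INI)
        dll = root / "myproto.dll"                      # hypothetical parser, stand-in bytes
        dll.write_bytes(b"constructed stand-in, not a real DLL")
        install_parser(root, dll, hashlib.sha256(dll.read_bytes()).hexdigest(),
                       "MYPROTO", "Contoso proprietary protocol")
        print((root / "Parser.ini").read_text())
```

Run with netmon_dir pointing at the real WINDOWS\System32\Netmon folder once the hash of the supplied .dll is known. The text-based edit deliberately avoids configparser so that the rest of Parser.ini is written back byte for byte.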
Practice: Using Network Monitor
In this practice, you install Network Monitor, perform a sample network capture, and save captured data.
Exercise 1: Installing Network Monitor
In this exercise, you install the Windows components necessary to run the Network Monitor tool.
1. Log on to Computer1 as Administrator.
2. Insert the Windows Server 2003 installation CD into a local CD-ROM drive.
3. In Control Panel, open Add Or Remove Programs.
4. In the left column of the Add Or Remove Programs window, click Add/Remove Windows Components. The Windows Components page of the Windows Components Wizard appears.
5. In the Components area, click the Management And Monitoring Tools component to highlight it. Do not select the Management And Monitoring Tools check box.
6. Click Details. The Management And Monitoring Tools dialog box appears.
7. In the Subcomponents Of Management And Monitoring Tools area, select the Network Monitor Tools check box.
8. Click OK.
9. On the Windows Components page of the Windows Components Wizard, click Next. The Configuring Components page appears while the Network Monitor Tools component is installing. When installation is complete, the Completing The Windows Components Wizard page appears.
10. Click Finish.
11. Close the Add Or Remove Programs window.
Exercise 2: Creating a Network Capture in Network Monitor
In this exercise, you capture and view traffic using the Network Monitor tool.
1. While you are logged on to Computer1 as Administrator, open Network Monitor by clicking Start, selecting Administrative Tools, and then clicking Network Monitor.
   The Microsoft Network Monitor dialog box appears, indicating that you should specify a network on which to capture data.
2. Click OK.
   The Select A Network window appears.
3. In the Select A Network window, expand the Local Computer icon in the left pane.
   The network adapters and modems available on your local computer are displayed. The modem connection is named Dial-up Connection Or VPN.
4. Select the network named Local Area Connection, and then click OK.
   The Microsoft Network Monitor tool opens, displaying the Capture window associated with the network adapter you have just selected.
5. In the Capture window, click the Start Capture button on the toolbar.
6. Open a command prompt.
7. At the command prompt, type ping computer2 and then press Enter. This command is used to test network connections.
   You will see four lines of output resembling those shown in Figure 7. This output demonstrates that Computer1 and Computer2 are communicating on the network segment.
8. After the output has completed, switch to Network Monitor and click the Stop And View Capture button on the toolbar. Alternatively, to perform this step you can press Shift+F11.
   The Frame Viewer window opens, named Capture: 1. The word Summary also appears in parentheses, indicating that the summary pane, which is the only visible pane, is the active pane in the window. The purpose of the summary pane is to list in order all of the frames you have just captured.
9. Double-click any one of the frames listed in the summary pane.
   The Frame Viewer window opens two additional panes: the details and hexadecimal panes. These panes provide more information about the frame you have just double-clicked.
10. Double-click again any one of the frames listed in the summary pane.
   The details and hexadecimal panes disappear. You can toggle between the one-pane view and the three-pane view by double-clicking a frame in the summary pane.
11. From the File menu, select Save As.
   The Save As dialog box appears.
12. In the File Name text box, type Ping Capture, and then click Save.
   The Ping Capture.cap file is saved in the \Desktop\My Documents\My Captures folder.
13. From the File menu, select Close.
   The Frame Viewer window closes, revealing the Capture window again in Network Monitor.
Exercise 3: Saving a Frame to a Text File
In this exercise, you copy the contents of a packet into a text file. Perform the exercise in Network Monitor while you are logged on to Computer1 as Administrator.
1. From the File menu, select Open.
   The Open dialog box appears, displaying the Ping Capture.cap file in the My Captures folder.
2. Select the Ping Capture file, and click Open.
   The Ping Capture.cap file appears in the Frame Viewer window.
3. In the summary pane, find a frame that lists ICMP under the Protocol heading.
4. Select this ICMP frame.
5. Press Ctrl+C to copy the frame.
6. Open the Notepad utility in Windows.
   The Untitled - Notepad window opens.
7. In the Untitled - Notepad window, press Ctrl+V to paste the frame into the new text file.
   The complete data contents of the copied frame are pasted into the window. Notice how the first line contains all of the fields, in sequence, of the summary pane in the Frame Viewer window. Next, the bulk of the pasted output, about 40 lines, corresponds to the information from the details pane in the Frame Viewer window. Here, all of the details pane information is expanded, and none of the protocol headers are collapsed into a summary form. Finally, the last group of lines of the pasted output represents the hex data from the hexadecimal pane of the Frame Viewer window.
8. In Notepad, press Ctrl+S to save the file.
   The Save As dialog box appears.
9. Using the navigation buttons and folder icons available within the dialog box, adjust the target folder so that the file will be saved in \Desktop\My Documents\My Captures. Do not save the file yet.
10. In the Encoding drop-down list box, select Unicode.
11. In the File Name text box, replace *.txt by typing ICMP frame, and then click Save.
12. Close the ICMP Frame.txt - Notepad window.
13. In Network Monitor, from the File menu, select Exit to quit Network Monitor. If you are prompted to save entries in your address database, click No.
14. Log off Computer1.