Using Netmon to analyze network traffic in Windows Server 2003

The Network Monitor tool can be considered both a network troubleshooting tool and a packet analysis tool. But the version of Netmon that comes with Windows Server 2003 allows only the capture of frames sent to and from your local server.

Network Monitor, a tool that comes with Windows Server 2003, allows administrators to analyze network communications traffic. The tool, also called Netmon, provides network utilization statistics and packet traffic information, and captures frames for analysis.

Netmon can be considered both a network troubleshooting tool and a packet analysis tool. However, the version of Netmon that comes with Windows Server 2003 captures only frames sent to and from the local server. The full-featured version of Netmon, which provides enterprise-wide network monitoring so that traffic to and from any computer in the network can be monitored or analyzed, ships with Microsoft Systems Management Server (SMS).

To install Netmon:

  1. Open the Control Panel.
  2. Click Add or Remove Programs.
  3. Click Add/Remove Windows Components to open the Windows Components Wizard.
  4. Select Management and Monitoring Tools. Click Details.
  5. Check Network Monitor Tools, then click OK.
  6. Click Next. If prompted for additional files, insert the installation CD.
  7. At the end of the installation, click Finish.

Now go to Administrative Tools and select Network Monitor to open the utility. Once Netmon is loaded, you can capture all frames sent to or retained by the network adapter of the machine on which it is installed. These captured frames can then be saved or viewed for further analysis.

Netmon provides several types of information. The capture window display is divided into system statistics, network and captured statistics, and station statistics.

Netmon console

On opening the Netmon console, you'll see in the upper-left pane the Netmon graph, which displays current network activity as horizontal bars.

The Total Statistics pane located in the upper right displays the total network activity detected since a capture began.

The Session pane in the lower left shows the sessions established between pairs of nodes.

The Station Statistics pane at the bottom shows statistics about frames sent and received on a per-node basis. Its fields help you identify the largest broadcaster on the network: right-click the Broadcasts Sent column and then click Sort.

Capturing Frames Within Netmon

Before you start capturing frames, select a network adapter from the Capture menu (typically the primary network adapter of the system being monitored). Then select buffer settings from the Capture menu. Next, click the Start Capture button.

Alternatively, press F10 to start the capture. The capture keeps filling the capture buffer with frames until it is full, so capture only the frames you need and only for a short period. This reduces the effect Netmon has on the performance of the server being monitored.

To stop, pause or display the captured data, select Stop, Pause or Display Captured Data from the Capture menu. You can also stop and display the capture by clicking Stop and View. To save captured frames for future analysis, select File, Save As and specify a path and filename.

To set a capture trigger, select Capture, Trigger to open a property page. On the Capture Trigger property page, select Pattern Match to initiate a trigger action when a specific hexadecimal or ASCII string appears in a frame. In the Pattern text box, type a string and specify ASCII or Hex. You can also choose the action taken when the trigger fires: select Audible Signal Only to have the machine beep, select Stop Capture to stop the capture, or check Execute Command Line and specify the command or program to run when the trigger occurs.

Capture Trigger property page

To initiate a trigger based on how full the capture buffer is, select Buffer Space and choose a percentage. To initiate a trigger only once the buffer has filled to a given percentage and a specific pattern is then detected in a frame, select Buffer Space Then Pattern Match and specify both the percentage and the pattern. The same trigger actions apply to each of these trigger types.
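To make the three trigger types concrete, here is a small added model of their semantics run over constructed Ethernet frames. It is example code, not from the article or from Netmon itself; the Trigger, run_capture and eth_frame names and the sample frames are all assumptions.

```python
# Added example: a model of Netmon's Pattern Match, Buffer Space and Buffer Space Then Pattern Match triggers.
from dataclasses import dataclass
from typing import Optional

def parse_pattern(text, hex_mode):
    return bytes.fromhex(text) if hex_mode else text.encode("ascii")  # the Pattern box takes hex or ASCII

def frame_matches(frame, pattern, offset=None):
    # Match at a fixed byte offset, or anywhere in the frame when no offset is given.
    return pattern in frame if offset is None else frame[offset:offset + len(pattern)] == pattern

@dataclass
class Trigger:
    kind: str                   # "pattern", "buffer" or "buffer_then_pattern"
    pattern: bytes = b""
    offset: Optional[int] = None
    buffer_percent: int = 100   # Buffer Space threshold
    action: str = "stop"        # "stop" (Stop Capture) or "beep" (Audible Signal Only)

def run_capture(frames, buffer_frames, trigger):
    """Feed frames into a buffer of buffer_frames slots, evaluating the trigger after each frame.
    Returns (frames captured, index of the frame that fired the trigger, or None). Assumes the
    trigger fires once: Stop Capture ends the capture at that frame, the beep action lets it run on."""
    captured, fired_at = 0, None
    for i, frame in enumerate(frames):
        captured += 1
        percent = min(100, 100 * captured // buffer_frames)  # the Buffer Space gauge
        threshold = percent >= trigger.buffer_percent
        if trigger.kind == "pattern":
            hit = frame_matches(frame, trigger.pattern, trigger.offset)
        elif trigger.kind == "buffer":
            hit = threshold
        else:  # buffer_then_pattern: the pattern only counts once the threshold has been reached
            hit = threshold and frame_matches(frame, trigger.pattern, trigger.offset)
        if hit and fired_at is None:
            fired_at = i
            if trigger.action == "stop":
                break
    return captured, fired_at

def eth_frame(dst_hex, src_hex, payload):
    # Constructed minimal Ethernet II frame: destination MAC, source MAC, IPv4 ethertype, payload.
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + b"\x08\x00" + payload

SAMPLE_FRAMES = [  # constructed sample: two unicast frames and two broadcasts (dst ff:ff:ff:ff:ff:ff)
    eth_frame("001122334455", "66778899aabb", b"unicast one"),
    eth_frame("ffffffffffff", "66778899aabb", b"who has 10.0.0.1"),
    eth_frame("001122334455", "66778899aabb", b"unicast two"),
    eth_frame("ffffffffffff", "001122334455", b"who has 10.0.0.2"),
]
```

A hex pattern of ffffffffffff at offset 0 matches the broadcast destination MAC, which is how a trigger can stop the capture on the first broadcast frame seen.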

Using the Capture Filter

Filtering can help reduce the amount of data being reviewed and analyzed. A capture filter can be specified based on addresses, protocols and frame data patterns. To set up a filter, select File, Capture and then Filter.

To capture data based on specified frame data patterns, double-click the AND (Pattern Matches) line in the Capture Filter decision tree and then specify the hexadecimal or ASCII data pattern that captured frames should match.

To specify capture filters based on address pairs, double-click the AND (Address Pairs) line in the decision tree, or double-click an existing address pair to edit it. In the Address Expression dialog box, specify the address pair properties, and then click OK.

Captured data can be displayed by selecting File, Capture, Display Captured Data. You'll see a summary page that lists, for each captured frame, the frame number, time, source MAC address, destination MAC address, protocol, and so on.

Besides Netmon, utilities such as EventCombMT and Checkrepl.vbs in the Windows Server 2003 Resource Kit can help network admins analyze and diagnose network-related functions.

About the author: Rahul Shah currently works at a software firm in India, where he is a systems administrator maintaining Windows servers. He has also worked for various software firms in testing and analytics, and has experience deploying client/server applications in different Windows configurations.
