
Thread: Using the New Microsoft Network Monitor (netmon) 3.3 with Network Experts

  
  1. #1
    Real name: 1234
    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Using the New Microsoft Network Monitor (netmon) 3.3 with Network Experts

    Code:
    http://www.windowsnetworking.com/articles_tutorials/Using-New-Microsoft-Network-Monitor-netmon-33-Network-Experts.html

    David Davis

    Introduction

    Here at WindowsNetworking.com, we have a number of great articles on installation and usage of the Windows Network Monitor.

    • Working With Network Monitor (Part 1)
    • Working With Network Monitor (Part 2)
    • Working With Network Monitor (Part 3)
    • Working With Network Monitor (Part 4)
    • Analyzing Traffic With Network Monitor
    • Installing the Windows Server 2003 Network Monitor

    These articles give us a strong foundation to build on and I certainly do not discount what they bring to the table. However, there is a new version of Network Monitor out with even more new features! In this article I will be covering the following:

    1. The new features of Network Monitor 3.3
    2. What the newly integrated “network experts” offer and how to use them

    With that, let us answer a few basic questions about netmon first.
    Network Monitor 3.3 – the Essentials

    Here are 5 essential questions and answers about Network Monitor:
    1. What is Network Monitor?
    According to Microsoft’s official definition, Network Monitor is:
    “A tool used for viewing the contents of network packets that are being sent and received over a live network connection or from a previously captured data file. It provides filtering options for complex analysis of network data.”
    In other words, Network Monitor is a “protocol analyzer” or a “packet sniffer”.
    2. What can Network Monitor do for me?
    All that sounds great but what can it really DO FOR YOU? Protocol analyzers, like Network Monitor, can answer:

      • What is REALLY going on in your network
      • What device or what type of traffic is causing slowness
      • Why an application is failing

    In general, it will give you insight into your network like no other solution can!
    3. How much does Network Monitor cost?
    Unlike many other protocol analyzers that can cost hundreds or thousands of dollars, Microsoft’s Network Monitor is free (thanks Microsoft!)
    4. Where do I obtain Network Monitor?
    You can download the latest version (3.3) of Network Monitor from the Microsoft Download Center – Network Monitor 3.3 webpage.
    5. What operating systems is netmon compatible with?
    One of the new features of Network Monitor 3.3 is that it is compatible with Windows 7. However, it is also compatible with Windows Server 2003, Windows Server 2003 Itanium-based editions, Windows Server 2008, Windows Vista (32 and 64 bit), and Windows XP (32 and 64 bit).
    What’s new in Network Monitor version 3.3?

    Now let’s look at the new features in Network Monitor 3.3:

    • Frame Comments – as you analyze the network frames that netmon sees, you can attach comments to those frames for future reference and documentation.


    Figure 1: Adding a Frame Comment

    • Netmon API – There is now an API that programmers can use to put information into or pull information out of Network Monitor.
    • Autoscroll – Allows you to see the most recent packets in a live capture as they come in. You can click Autoscroll to enable this or to freeze traffic.


    Figure 2: Autoscroll in action

    • Right-Click Add-to-Alias – Gives you the option to quickly add aliases, compared to having to manually go to the alias tab and add a new alias by entering the IP address.
    • Tunnel Capture Support – Allows you to capture traffic over tunnel adapters in Windows Vista SP2, Windows Server 2008, and Windows 7.
    • WWAN Capture Support – Captures traffic over mobile broadband data cards on Win7.
    • Experts to analyze your network captures – Experts are stand-alone applications that analyze Network Monitor capture data. You can install Experts and run them directly from the UI on a capture file. To search for experts, from an open capture file, click Experts on the main menu, and select Download Experts. (Read more about Experts below, where I show you how to use them step by step.)
    • Right-Click Go-to-Definition - Right-click a field in the Frame Details window and select Go To Data Field Definition or Go To Data Type Definition to see where the field is defined in the NPL parsers.

    To me, the biggest new features are Windows 7 support, Autoscroll, and Experts. Speaking of Experts, let me show you how to use them.
    What are Network Monitor 3.3 Experts and how do you use them?

    The Experts feature of netmon 3.3 is a major feature. I have seen this feature before in packet analyzers that cost thousands of dollars so it is nice to gain this ability now in Microsoft’s free packet analyzer. Essentially, Experts act as 1) more advanced and knowledgeable network admins who can analyze your data for you and 2) assistants who can crunch data for you.
    In other words, Experts are going to save you time and give you the answers that you might otherwise not have been able to achieve.
    There are no Experts included with netmon 3.3 so you need to download these tools from the Internet (at no cost). Something else of note related to Experts… To use experts, you must first save your capture files, and then reopen them. Experts are not going to work on live data.
    Experts can be downloaded here.
    Once you take a capture, close it, and reopen it, you will have access to Experts. You can access experts in two ways –



    1. Right-click on a frame and go to the Expert menu.
    2. Go to the Experts menu from the top menu drop-down.


    Figure 3: How to apply an expert to a particular frame

    Figure 4: Access the Expert drop-down from the top menu
    The Expert shown (Top Users by Conversation) was one that I downloaded and installed.
    Experts are tiny programs that you install, just like any other application.
    In fact, here are the partial results of the Top Users by Conversation Expert that I downloaded and installed:

    Figure 5: Results of Top Conversations by User
    These results can be sorted by clicking on the headers. If you install the recommended add-ins you can graph the response as well.
    Currently, the Network Monitor Team has published 2 Experts for download and more are on the way. Here are the two that are currently offered:

    Figure 6: Available Experts from Network Monitor team
    If you do not see the Expert you are looking for, you can download the SDK and write an expert of your own!
    Summary

    The new Network Monitor 3.3 has some very useful new features including Windows 7 support and the newly integrated Experts. I am really glad that Microsoft has chosen to continue to improve this powerful network protocol analyzer!
    You can find more information about Network Monitor at the Microsoft Network Monitor Blog.
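    As an added illustration (not code from the article, from Network Monitor, or from its Experts SDK), the Python below reproduces what a Top Users by Conversation Expert computes: it aggregates a list of frame summaries into per-conversation and per-host byte and frame totals and ranks them the way clicking a column header would. The addresses and frame lengths are constructed sample values, not a real capture.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed frame summaries in the shape Network Monitor shows in its Frame
# Summary pane: (source address, destination address, frame length in bytes).
# Invented sample values, not a real capture.
FRAMES: List[Tuple[str, str, int]] = [
    ("10.0.0.5", "10.0.0.1", 74),
    ("10.0.0.1", "10.0.0.5", 74),
    ("10.0.0.5", "10.0.0.20", 1514),
    ("10.0.0.5", "10.0.0.20", 1514),
    ("10.0.0.20", "10.0.0.5", 66),
    ("10.0.0.7", "10.0.0.20", 590),
    ("10.0.0.20", "10.0.0.7", 1200),
    ("10.0.0.9", "255.255.255.255", 342),
]


def conversation_key(a: str, b: str) -> Tuple[str, str]:
    """A conversation is an unordered pair: A->B and B->A are the same talk."""
    first, second = sorted((a, b))
    return first, second


def top_conversations(frames, limit: int = 5, sort_by: str = "bytes"):
    """Aggregate frames per host pair and rank them by bytes or by frame count."""
    stats: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(
        lambda: {"frames": 0, "bytes": 0})
    for src, dst, length in frames:
        key = conversation_key(src, dst)
        stats[key]["frames"] += 1
        stats[key]["bytes"] += length
    rows = [(a, b, v["frames"], v["bytes"]) for (a, b), v in stats.items()]
    # Column index 3 is bytes, 2 is frames; the other one breaks ties.
    primary, secondary = (3, 2) if sort_by == "bytes" else (2, 3)
    rows.sort(key=lambda r: (-r[primary], -r[secondary], r[0], r[1]))
    return rows[:limit]


def top_users(frames, limit: int = 5):
    """Per-host totals: bytes sent, bytes received, and the sum of both."""
    sent: Dict[str, int] = defaultdict(int)
    received: Dict[str, int] = defaultdict(int)
    for src, dst, length in frames:
        sent[src] += length
        received[dst] += length
    hosts = set(sent) | set(received)
    rows = [(h, sent[h], received[h], sent[h] + received[h]) for h in hosts]
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows[:limit]


def render(rows, headers) -> str:
    """Plain-text grid, the way an Expert's result table reads."""
    widths = [max(len(str(x)) for x in col) for col in zip(headers, *rows)]
    lines = ["  ".join(str(c).ljust(w) for c, w in zip(r, widths))
             for r in [headers, *rows]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(top_conversations(FRAMES), ("Host A", "Host B", "Frames", "Bytes")))
    print()
    print(render(top_users(FRAMES), ("Host", "Sent", "Received", "Total")))
```

    A host that dominates the Total column of the second grid with almost all of its bytes on the Received side is the kind of outlier the article says Experts surface for you; the same aggregation over a saved capture file is what the downloadable Expert does.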





  2. #2
    Working With Network Monitor Part 1



    Although networks are certainly more reliable than they used to be, problems do sometimes occur. For example, the network might be running more slowly than it normally does, or one device on a network might be having trouble communicating with another device. In such situations, a protocol analyzer is often the troubleshooting tool of choice. In this article series, I will show you how to install and use a free protocol analyzer called Network Monitor.
    Acquiring Network Monitor

    Technically, Network Monitor isn't really free. It might as well be free though, because it is included with various Microsoft products, including Windows Server 2003. There are actually two different versions of Network Monitor available; the basic version and the full version. The basic version of Network Monitor is included with Windows Server 2003, and the full version ships with SMS Server. Both versions will allow you to analyze network traffic, but there are some considerable differences between the two versions. The chart below illustrates these differences.
    Feature                                          | Basic Version                                          | Full Version
    -------------------------------------------------|--------------------------------------------------------|---------------------------------------------------------
    Packet Capturing                                 | Captures packets sent to and from the local host only  | Captures traffic from across the entire network segment
    Capture Remote Frames                            | Not Supported                                          | Supported
    View Bandwidth Consumption by Protocol           | Not Supported                                          | Supported
    View Bandwidth Consumption by User               | Not Supported                                          | Supported
    Modify and Retransmit Network Traffic            | Not Supported                                          | Supported
    Differentiates Between Routers and Network Hosts | Not Supported                                          | Supported
    Resolve Device Names into MAC Addresses          | Not Supported                                          | Supported
    As you can see in the chart above, there are some fairly significant differences between the basic version and the full version of Network Monitor. By far the biggest difference is that the basic version is only capable of analyzing traffic sent to or from the computer that Network Monitor is being run on, while the full version can analyze all of the traffic flowing across the network segment. At first this difference probably seems huge, and at one time it was, but the two versions are not as dissimilar as you might think.
    To see why this is the case, you need to understand the difference between hubs and switches. When networked computers are connected to a hub, all of the computers exist in a common collision domain. This means that when a computer transmits a packet of data, every computer on the segment sees the packet. Each computer checks the packet’s destination MAC address to see if it is the intended recipient and ignores the packet if not.
    The problem with using hubs is that if two computers transmit packets simultaneously, then a collision occurs and the packets are destroyed and must be retransmitted. That being the case, hub based networks can be terribly inefficient. As such, most modern networks are switch based.
    When a computer on a switch based network transmits a packet, the switch itself looks at the recipient’s MAC address, and then sends the packet directly to the recipient. This eliminates the need for every computer on the network to see the packet.
    Using a switch instead of a hub improves efficiency and security, but it also limits what you can do with a protocol analyzer. As you will recall, I mentioned that the full version of Network Monitor can analyze all of the traffic on the network segment. The problem is that a switch creates a logical segment consisting only of the sender and the recipient. Therefore, on switch based networks, the full version of Network Monitor is as limited as the basic version. Even so, Network Monitor is still a great troubleshooting tool, and is also good for gaining a better understanding of your network. In order to use Network Monitor effectively, you just have to be sure and run it directly on the computers that you are trying to troubleshoot.
    Installing the Basic Version

    As I mentioned before, the basic version of Network Monitor is included with Windows Server 2003. To install it, select the Add / Remove Programs option from the server’s Control Panel. When you do, Windows will display the Add / Remove programs dialog box. Click the Add / Remove Windows Components button, and after a brief delay, Windows will launch the Windows Components Wizard. Scroll through the list of available components until you locate the Management and Monitoring Tools option. Select Management and Monitoring (don’t select the check box), and click the Details button. Windows will now reveal a list of the various management and monitoring tools. Select the Network Monitor Tools check box and click OK. Now, click Next and follow the prompts to complete the installation process. Depending on how your server is configured, you may be asked to supply your Windows Server 2003 installation disk.
    Installing the Full Version

    Installing the full version of Network Monitor is equally easy. To do so, just insert your SMS Server 2003 installation CD and navigate through the CD’s directory structure to \NETMON\I386. Now, just double click on the NETMONSETUP.EXE file to launch the installation wizard.
    Click Next to bypass the wizard’s Welcome screen, and the wizard will display the end user license agreement. After accepting the license agreement, click Next and the wizard will display the required disk space alongside the available disk space. After making sure that your computer has sufficient disk space, click Next and Network Monitor will be installed. Click Finish to complete the installation process.
    The Network Monitor Agent

    Network Monitor is designed primarily to monitor the network traffic flowing in and out of the machine that it is running on (although the full version does allow you to monitor an entire network segment). Sometimes you may need to perform a detailed analysis of the network traffic related to a computer other than the one that network monitor is running on. In these types of situations, you should install the Network Monitor Agent (also known as the Network Monitor driver) onto any machine that you want to monitor.
    In case you are wondering, the Network Monitor driver is automatically installed when Network Monitor is installed. For machines that do not have Network Monitor installed, the Network Monitor driver must be installed manually. The Network Monitor driver is compatible with Windows XP and Windows Server 2003 (no word yet on Windows Vista).
    To install the Network Monitor Driver on a machine that’s running Windows XP, open the Control Panel and click on the Network and Internet Connections link, followed by the Network Connections link. Now, right click on the network connection that corresponds to the NIC that you want to monitor, and select the Properties command from the resulting shortcut menu. When the connection’s properties sheet appears, click the Install button, and you will be asked if you want to install a Client, Service, or Protocol. Choose the Protocol option and click the Add button. Finally, choose the Network Monitor Driver from the list of available protocols, and click OK. You may be prompted to provide your Windows installation disk.
    Conclusion

    In this article, I have explained that Network Monitor is a great tool for troubleshooting network problems. I then went on to discuss the differences between the two versions of Network Monitor. Finally, I walked you through the Network Monitor installation process. In Part 2 of this series, I will begin showing you how to use Network Monitor.
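    The hub-versus-switch point in this part decides what a capture can contain, so it is worth seeing concretely. The Python below is an added example, not part of the article: it models a hub and a MAC-learning switch with three attached hosts and reports which frame numbers a capture running on host A would record in each case. The MAC addresses, port names and traffic are constructed.

```python
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = Tuple[int, str, str]  # (frame number, source MAC, destination MAC)

# Constructed hosts: A runs the protocol analyzer, B and C are the other
# machines on the same segment. Port names and MACs are invented.
MAC_A, MAC_B, MAC_C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
PORTS: Dict[str, str] = {"port1": MAC_A, "port2": MAC_B, "port3": MAC_C}

TRAFFIC: List[Frame] = [
    (1, MAC_B, MAC_C),      # C not yet learned: a switch floods this one
    (2, MAC_C, MAC_B),      # B already learned: unicast to port2 only
    (3, MAC_B, MAC_C),      # C learned from frame 2: port3 only
    (4, MAC_B, BROADCAST),  # broadcast reaches every port
    (5, MAC_C, MAC_A),      # addressed to the analyzer host itself
    (6, MAC_A, MAC_B),      # A's own traffic; also teaches the switch where A is
    (7, MAC_B, MAC_A),      # A learned from frame 6: port1 only
    (8, MAC_C, MAC_B),      # B known: port2 only
]


class Hub:
    """One collision domain: every frame is repeated out of every other port."""

    def __init__(self, ports: Dict[str, str]):
        self.ports = ports  # port name -> MAC of the attached host

    def deliver(self, in_port: str, frame: Frame) -> Set[str]:
        return {mac for port, mac in self.ports.items() if port != in_port}


class LearningSwitch:
    """Learns source MACs per port; known unicast goes to a single port."""

    def __init__(self, ports: Dict[str, str]):
        self.ports = ports
        self.cam: Dict[str, str] = {}  # MAC -> port, filled as hosts transmit

    def deliver(self, in_port: str, frame: Frame) -> Set[str]:
        _, src, dst = frame
        self.cam[src] = in_port
        if dst == BROADCAST or dst not in self.cam:
            # Broadcast or unknown unicast is flooded, exactly like a hub
            return {mac for port, mac in self.ports.items() if port != in_port}
        return {self.ports[self.cam[dst]]}


def capture(device, sniffer_mac: str, traffic: List[Frame]) -> List[int]:
    """Frame numbers a promiscuous capture on sniffer_mac's port would record."""
    port_of = {mac: port for port, mac in device.ports.items()}
    seen: List[int] = []
    for frame in traffic:
        number, src, _ = frame
        delivered = device.deliver(port_of[src], frame)  # always run, so the switch learns
        if src == sniffer_mac or sniffer_mac in delivered:
            seen.append(number)
    return seen


if __name__ == "__main__":
    print("hub, capture on A:   ", capture(Hub(PORTS), MAC_A, TRAFFIC))
    print("switch, capture on A:", capture(LearningSwitch(PORTS), MAC_A, TRAFFIC))
```

    On the hub the analyzer records all eight frames; on the switch it records only the flooded, broadcast and locally addressed ones, which is why the article tells you to run Network Monitor directly on the computer you are troubleshooting. It is also why a switched segment limits what a passive listener elsewhere on that segment can observe.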




  3. #3
    Working With Network Monitor Part 2

    In the first part of this article series, I discussed the differences between the two versions of Network Monitor and talked about the installation process. In this article, I want to continue the discussion by showing you how to use Network Monitor.
    As I explained in the previous article, there are two different versions of Network Monitor. For the purposes of this article, I will be using the full version that comes with SMS Server 2003 with Service Pack 1.
    The Network Monitor Interface

    When you launch Network Monitor, the first thing that you will see is a message asking you to select the network interface on which you want to capture data. This is important, because if you neglect to select an interface, then Network Monitor will pick one for you, and it might not choose the interface that you would have chosen.
    Click OK, and you will be taken to a screen that is similar to the one that is shown in Figure A. Simply select the network interface that you want to use and click OK.

    Figure A: You must select the network interface that you want to monitor
    At this point, the Network Monitor will display the main capture screen, shown in Figure B. Before I show you how to use this screen, I just want to mention that Network Monitor only prompts you to select the network that you want to monitor the first time that you use it. If your computer only has one network adapter, then this will not be a problem. If your system is multihomed though, you will probably want to be able to monitor traffic across all of the network segments.

    Figure B: This is Network Monitor’s capture screen
    Unfortunately, you cannot monitor traffic across multiple segments simultaneously, but you can switch segments even though Network Monitor does not automatically prompt you for the segment that you want to monitor. To do so, simply select the Networks command from the Capture menu. Doing so will display a screen similar to the one shown in Figure A. The biggest difference between the two screens is that this screen also has a Remote option that you can use for remote packet capturing.
    Having said that, let’s take a look at the capture screen. As you can see in the figure, this screen is made up of four different panes. The pane in the upper left portion of the window is known as the graph pane. The graph pane graphically displays the current level of activity during the capture process. It contains graphs that display the overall percentage of network utilization, the number of frames captured per second, the number of bytes captured per second, and the number of broadcasts and multicasts per second.
    You might have noticed in the figure that there is a scroll bar associated with the graph pane. This scroll bar is deceptive because there are no graphs beyond the ones that are shown in the figure.
    Just below the graph pane is the session statistics pane. The session statistics pane is designed to display a quick summary of the traffic that has been captured. This section displays things like the network addresses of the hosts involved in a conversation, and which host initiated the conversation.
    The bottom section of the screen contains the session statistics pane. This pane displays capture summary information on a per host basis. The network address of each host is displayed along with the number of frames sent and received, bytes sent and received, and the number of directed frames, multicasts, and broadcasts sent.
    The upper right section of the window contains the total statistics pane. As the name implies, this pane displays statistics related to all of the traffic that has been captured as a whole. This pane displays the same types of information as the other panes that I have mentioned. The difference is that the total statistics pane does not break the statistics down on a per host basis.
    Capturing Network Traffic

    Now that I have given you a quick orientation of the Network Monitor interface, it is time to capture some network traffic. If you look at Figure B, you will notice the tool bar just above the graph pane. This toolbar is used to control the capture process. The capture related buttons on the toolbar are as follows:
    Capture Data
    Pause the capture or resume a paused capture
    Stop the capture process
    Stop the capture and view the captured data
    View the captured data
    Help
    To capture data using the Network Monitor, just click the Capture Data button. Network Monitor will begin capturing data and will not stop until you either pause or stop the capture. The data capture process looks something like what you see in Figure C.

    Figure C: This is what the Network Monitor interface looks like while data is being captured
    As you look at the figure, the first thing that you will probably notice is that it contains lots of statistics, but no real data. If you want to view the data that has been captured, you will have to click the View Data button on the toolbar. Upon doing so, you will see a screen similar to the one that is shown in Figure D.

    Figure D: This is what the captured data looks like (click here for larger image)
    If you look closely at the captured data you will notice that what Network Monitor is really displaying is a summary of the individual frames that have been captured. This particular screen lists the frame number, the time that the frame was captured, the source and destination addresses, the protocols used, and things like that, but it does not actually show the data contained within the frame. Fortunately, there is an easy way to view more detailed information.
    If you look at the toolbar, you will notice three buttons that consist of three rectangles each, as follows:

    These buttons allow you to toggle the summary pane, details pane, and hexadecimal pane. When all three panes are enabled, you can see a comprehensive view of the selected frame, as shown in Figure E.

    Figure E: The three pane view gives you comprehensive information regarding the currently selected frame (click here for larger image)
    As you can see in the figure, the Details pane displays protocol information for the currently selected frame. When a frame contains multiple protocols, the outermost protocol is listed first. The hexadecimal pane displays the actual data that makes up the frame. Notice in the figure that a portion of the frame is selected in the Details pane. The selected portion is then highlighted in the Hexadecimal pane to help you isolate the data.
    Conclusion

    In this article, I have discussed the basics of using Network Monitor. In Part 3, I will walk you through a sample capture and teach you how to analyze the captured data.
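    To make the three-pane view concrete, here is an added Python example (not code from the article or from Network Monitor). It builds a constructed ICMP echo request frame with valid IPv4 and ICMP checksums, decodes it outermost protocol first into a Details-style list of fields that each carry their byte offset, and renders a hex pane in which the selected field's bytes are bracketed, the way the Hexadecimal pane highlights what you click in the Details pane. The MAC and IP addresses are invented; the 32-byte payload is the one the Windows ping client sends.

```python
import socket
import struct
from typing import List, Tuple

# (protocol, field name, byte offset in frame, length in bytes, decoded value)
Field = Tuple[str, str, int, int, str]

ICMP_TYPES = {0: "Echo Reply", 8: "Echo Request"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, shared by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_echo(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
               ident: int, seq: int, reply: bool = False,
               payload: bytes = b"abcdefghijklmnopqrstuvwabcdefghi") -> bytes:
    """Assemble Ethernet + IPv4 + ICMP echo; checksums are computed, not hardcoded."""
    icmp = bytearray(struct.pack("!BBHHH", 0 if reply else 8, 0, 0, ident, seq) + payload)
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 128, 1, 0,
                               socket.inet_aton(src_ip), socket.inet_aton(dst_ip)))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + bytes(ip) + bytes(icmp)


def parse_frame(frame: bytes) -> List[Field]:
    """Decode outermost protocol first, recording where each field sits."""
    etype = struct.unpack("!H", frame[12:14])[0]
    fields: List[Field] = [("Ethernet", "Destination", 0, 6, mac_str(frame[0:6])),
                           ("Ethernet", "Source", 6, 6, mac_str(frame[6:12])),
                           ("Ethernet", "Type", 12, 2, "0x%04X" % etype)]
    if etype != 0x0800:
        return fields
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    ip = frame[ip_off:ip_off + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto, hcs = ip[8], ip[9], struct.unpack("!H", ip[10:12])[0]
    fields += [("IPv4", "Version/IHL", ip_off, 1, "%d / %d bytes" % (ip[0] >> 4, ihl)),
               ("IPv4", "TTL", ip_off + 8, 1, str(ttl)),
               ("IPv4", "Protocol", ip_off + 9, 1, "%d (%s)" % (proto, "ICMP" if proto == 1 else "other")),
               ("IPv4", "Header Checksum", ip_off + 10, 2,
                "0x%04X (%s)" % (hcs, "ok" if checksum(ip) == 0 else "bad")),
               ("IPv4", "Source", ip_off + 12, 4, socket.inet_ntoa(ip[12:16])),
               ("IPv4", "Destination", ip_off + 16, 4, socket.inet_ntoa(ip[16:20]))]
    if proto != 1:
        return fields
    icmp_off = ip_off + ihl
    icmp = frame[icmp_off:ip_off + total_len]  # ignore any Ethernet padding
    typ, code, cs, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    fields += [("ICMP", "Type", icmp_off, 1, "%d (%s)" % (typ, ICMP_TYPES.get(typ, "other"))),
               ("ICMP", "Code", icmp_off + 1, 1, str(code)),
               ("ICMP", "Checksum", icmp_off + 2, 2,
                "0x%04X (%s)" % (cs, "ok" if checksum(icmp) == 0 else "bad")),
               ("ICMP", "Identifier", icmp_off + 4, 2, str(ident)),
               ("ICMP", "Sequence", icmp_off + 6, 2, str(seq)),
               ("ICMP", "Payload", icmp_off + 8, len(icmp) - 8, icmp[8:].decode("ascii", "replace"))]
    return fields


def hex_pane(frame: bytes, selected: Field, width: int = 16) -> List[str]:
    """Hex dump with the selected field's bytes bracketed, like the pane highlight."""
    _, _, off, length, _ = selected
    lines = []
    for base in range(0, len(frame), width):
        cells = []
        for i in range(base, min(base + width, len(frame))):
            cell = "%02X" % frame[i]
            cells.append("[%s]" % cell if off <= i < off + length else " %s " % cell)
        lines.append("%04X:%s" % (base, "".join(cells)))
    return lines


if __name__ == "__main__":
    frame = build_echo("00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.1.10", "192.168.1.1", 1, 1)
    details = parse_frame(frame)
    for proto, name, off, length, value in details:
        print("%-8s %-16s @%2d +%2d  %s" % (proto, name, off, length, value))
    print("\n".join(hex_pane(frame, details[9])))  # highlight the ICMP Type byte
```

    The checksum verification is the detail worth noticing: recomputing the one's-complement sum over a header that already contains its checksum yields zero, so a frame damaged in transit (or edited by hand) shows up as "bad" in the Details output rather than silently decoding.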




  4. #4
    Working With Network Monitor Part 3

    So far in this article series, I have shown you some basic techniques for capturing data using Network Monitor. In this article, I want to continue the discussion by showing you how to analyze the data that you have captured.
    For the purposes of keeping things simple, let’s perform a packet capture against a simple ping operation. To do so, log on to the server that you will be running Network Monitor on, and open a Command Prompt window. When the command prompt window opens, type the PING command followed by a space and the fully qualified domain name or the IP address of a computer on your network, but do not press Enter yet. Now, open the Network Monitor and select the Start command from the Capture menu. Immediately switch over to the Command Prompt window and press Enter to execute the PING command. The command should return four results, as shown in Figure A. As soon as the command finishes executing, switch back to the Network Monitor screen and select the Stop command from the Capture menu. In doing so, you will have captured the packets associated with the PING command, but will likely have captured some unrelated traffic as well.

    Figure A: The PING command should return four results
    After you stop the capture process, click the Display Captured Data icon to view the data that you have captured. The actual amount of data that will be displayed as a part of the capture depends on how busy your network is and on how long the PING command takes to complete. On a lab network, you may only capture a few dozen frames, while you will almost certainly capture many more frames if you are capturing data from a production network. For example, when I tried this procedure while writing this article, I captured nearly six hundred frames over the course of about five seconds.
    The point is that if you were using the Network Monitor to troubleshoot a network problem in the real world, you would almost certainly capture some irrelevant data. Knowing how to sift through this excess data is an essential skill because otherwise locating the data that you are actually interested in could be like looking for a needle in the proverbial haystack.
    If you look at Figure B, you will notice that there were quite a few packets captured. Our job is to filter the packets that are unrelated to the activity that we were trying to capture so that analyzing the captured packets will be easier.

    Figure B: Network Monitor will often capture traffic that is unrelated to the activity that you are trying to analyze
    To do so, click the Filter icon found on the tool bar. When you do, you will see a rather intimidating looking dialog box, as shown in Figure C. What this dialog box is telling you is that right now Network Monitor is showing you all of the captured data, regardless of protocol or IP address.

    Figure C: The Display Filter dialog box can appear a bit intimidating
    However, we performed a PING from one machine to another, and we know the IP addresses that were involved in the PING. Therefore, we can filter on those addresses. To do so, select the ANY <-> ANY line and click the Edit Expression button. You will now see a screen similar to the one that’s shown in Figure D.

    Figure D: The Expression dialog box allows you to select the addresses involved in the conversation
    This screen allows you to select the addresses of the two machines involved in the conversation. Normally, you would simply select the source and destination addresses, verify that the direction column was set to <-> and click OK. In this particular case things are a bit more complex.
    You will notice in the figure that there are multiple IP addresses associated with the machine FUBAR. That’s because this machine is a Web server and is hosting multiple sites, each with their own address. In a situation like this, you would select the machine’s primary address unless you had a specific reason for using one of the other addresses.
    The other thing that makes this screen a bit difficult is that the address of the destination machine is not displayed. You can fix this by clicking the Edit Addresses button. Doing so will display a list of all of the addresses from the previous list. Click the Add button and you will be given the chance to add an address to the list. Notice in Figure E that you must choose the type of address (IP or MAC) that you are adding. Click OK followed by Close, and the address will be added to the address filter.

    Figure E: You can manually add an address to the list
    Now select the IP addresses involved in the conversation that you are interested in and click OK twice. The list of captured frames is now filtered to display only traffic from the selected machines, as shown in Figure F.

    Figure F: We have filtered the list of captured data to display only the frames that we are interested in
    Since our capture only involved the PING command you shouldn’t have any trouble locating the data that you are looking for. In the real world though, there is a chance that the data that you are trying to capture may not even exist within the capture. There are two primary conditions that can cause this to happen.
    The first reason why your capture file may not contain the data that you are interested in is because most companies have made the move from hubs to switches. On a network in which hubs are used, every computer on the hub receives the exact same traffic. When a computer needs to communicate with another computer, it places a packet on the wire, and that packet travels to every computer that’s attached to the hub. Each computer looks at the destination address found in the packet header to check to see if the packet is intended for that computer. If the destination address matches the computer’s MAC address then the computer opens the packet and processes its contents. Otherwise the packet is ignored.
    Things work differently if a switch is involved. When a computer sends a packet, the switch actually looks at the packet header to determine the packet’s intended recipient. The switch then forwards the packet to the switch port that the recipient is attached to. Computers other than the sender and the recipient are completely oblivious to the conversation.
    The reason why switches have begun replacing hubs is because switches are far more efficient (and more secure) than hubs. If a hub is in use and two computers attempt to transmit data at the same time, a collision occurs, destroying both packets in the process. The two computers each wait a random amount of time before retransmitting the data. The more computers that are attached to a network, the more collisions occur. Of course more collisions mean slower network performance. Therefore, dropping prices and the need for greater performance has driven many companies to make the move to switches.
    Switches are particularly problematic when it comes to capturing data with Network Monitor. Because of the way that switches work, you will only be able to capture data sent to or from the computer that Network Monitor is running on.
    Another condition that may lead to the desired packets not being captured is the use of virtual machines. If a single server is hosting multiple virtual machines, then the traffic flowing between those virtual machines will most likely not be captured because traffic between virtual machines hosted by a single server typically does not flow across the wire. It is possible to configure virtual machines so that traffic between them is placed on the network, but doing so is beyond the scope of this article.
    Conclusion

    In this article, I have explained the need for filtering captured data, and why you may not capture all of the data that you expect. In Part 4, I will continue the discussion by showing you how to analyze the filtered data.




  5. #5
    Working With Network Monitor Part 4

    In the previous part of this article series, I showed you how to filter a Network Monitor capture so that only the communications between the desired hosts are shown. Filtering out conversations with hosts that you have no interest in goes a long way toward getting rid of “noise” in the capture file, but there may still be a lot of clutter that you have to sort through in order to locate the information that you are interested in. For example, in our sample capture we performed a ping against one of the other hosts on the network. A standard PING command typically produces twelve packets of data. If you look at Figure A you will see that even after filtering out conversations with other hosts, there are far more than twelve packets displayed.

    Figure A: When you typically perform a capture there will be a lot of clutter to cut through
    The scary part about this capture is that all of these packets were captured over a span of about five or six seconds. You can only imagine how many packets would be captured had the capture duration been longer, or had the hosts been busier, as would likely be the case in the real world.
    Fortunately, there are a few other things that you can do to cut through the clutter. In this particular case, we are interested in seeing the packets that are related to a PING. Any time that you issue a PING command, Windows invokes the ICMP protocol. That being the case, we can filter the list so that only ICMP related packets are shown.
    Remember that we have already filtered the list so that we are looking at the correct hosts. To further filter the list by protocol, click the Filter icon (the icon that looks like a funnel). When you do, you will see the Display Filter dialog box, shown in Figure B.

    Figure B: The Display Filter dialog box allows you to filter by host and by protocol
    To filter by protocol, select the Protocol==Any line, and click the Edit Expression button (This button will appear in place of the Change Operator button that is shown in the figure). Upon doing so, you will see a screen similar to the one that is shown in Figure C. As you can see in the figure, this window lists all of the protocols that Network Monitor is aware of, as well as a brief description of each protocol.

    Figure C: The Expressions dialog box lists each protocol that Network Monitor is aware of
    To create the filter, simply click the Disable All button. Doing so will move all of the protocols shown in the figure from the Enabled Protocols list to the Disabled Protocols list. Now, scroll through the Disabled Protocols list until you locate the ICMP protocol. Select the ICMP protocol and click the Enable button. After doing so, ICMP should be the only protocol that’s listed on the Enabled Protocols list. Click OK twice, and the capture will be filtered to show you only the packets that you are interested in, as shown in Figure D.

    Figure D: You can filter by host and by protocol simultaneously
    The technique that I just showed you works great if you know exactly which protocols you are interested in. Sometimes you might need to just get a general sense of what is going on in a conversation between two hosts, and may not know specifically which protocols will be involved in the conversation. Even in these types of situations there are techniques that you can use to cut through the clutter.
    The technique that I am about to show you is nowhere near as efficient as the one that you just saw, but I have used it in real life. The idea behind this technique is to filter out the “noise” packets one at a time. Before I show you how this technique works, I just want to mention that the criteria for classifying a packet as noise will vary greatly from one situation to the next. The more thoroughly you want to investigate a capture file, the fewer packets you will want to filter out. On the other hand, if you just want to get a general idea of what is going on with a trace, then there will usually be quite a few packets that you can filter out.
    As you have already seen, we used a computer named FUBAR to perform a PING against a server named TAZMANIA. Let’s pretend that we know that these two computers are the machines that we are interested in analyzing, but let’s also pretend that we do not know that ICMP is the protocol that is used by the PING command.
    If that were the case, then the first thing that we would do is to filter the list of captured packets so as to eliminate conversations with hosts other than the ones that we are interested in. To do so, we will use the exact same technique used in Part 3, and the results should look like what you see in Figure A.
    When we knew that we were only interested in seeing ICMP packets, we used the filter to eliminate every packet except for ICMP. In this technique, we are going to do the opposite. Rather than eliminating every protocol except for the one that we are interested in, we are going to leave all of the protocols enabled initially, and then filter out individual protocols as we realize that we are not interested in them.
    As you look at Figure A, one of the protocols that you will see used the most often is the TCP protocol. The TCP/IP protocol tends to fragment data. Often when you see a TCP packet, it is a fragment of something that is left over from another frame. If I am trying to get a general understanding of what is happening in a trace, the very first thing that I will usually do is to filter out the TCP packets.
    It would seem that you should be able to click the filter icon, to access the Display Filter dialog box. Click the Protocol==Any line and click the Edit Expression button. Select the TCP protocol, and click the Disable button. Unfortunately, a bug in the current version of Network Monitor keeps this from working the way that it should. As a workaround, I make a list of each protocol that was used in the capture. I then disable all of the protocols, but enable the protocols that were actually used by the capture. From there I can disable protocols as I find that they are irrelevant to what I am doing. For example, if you compare Figure E to Figure A, you can see just how much I was able to shorten the trace by filtering out the TCP protocol.

    Figure E: Filtering out protocols that are irrelevant to what you are looking for can greatly decrease the number of packets that you have to sort through
    Conclusion

    In this article, I have shown you two different techniques for isolating the packets that you need. In Part 5, I will continue the series by showing you how to extract data from an individual captured frame.
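The two display-filter techniques from this post (host filter from Part 3, then either "Disable All and enable ICMP" or "leave everything enabled and disable noise", plus the list-the-protocols workaround for the Disable bug) modelled on a constructed capture. This is an added example, not code from the article or from Network Monitor; the frames and host names are made up to mirror the FUBAR/TAZMANIA scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    number: int
    src: str
    dst: str
    protocol: str


# Constructed sample capture (not real netmon output): FUBAR pings TAZMANIA
# while a third host and unrelated protocols add the "noise" the article describes.
SAMPLE_CAPTURE = [
    Frame(1, "FUBAR", "TAZMANIA", "ARP"),
    Frame(2, "TAZMANIA", "FUBAR", "ARP"),
    Frame(3, "FUBAR", "TAZMANIA", "ICMP"),
    Frame(4, "TAZMANIA", "FUBAR", "ICMP"),
    Frame(5, "FUBAR", "DC01", "TCP"),
    Frame(6, "DC01", "FUBAR", "TCP"),
    Frame(7, "FUBAR", "TAZMANIA", "TCP"),
    Frame(8, "TAZMANIA", "FUBAR", "SMB"),
    Frame(9, "FUBAR", "TAZMANIA", "ICMP"),
    Frame(10, "FUBAR", "TAZMANIA", "NBT"),
]


def host_filter(frames, host_a, host_b):
    """Part 3 technique: keep only the conversation between two hosts (either direction)."""
    pair = {host_a, host_b}
    return [f for f in frames if {f.src, f.dst} == pair]


def enable_only(frames, protocols):
    """Technique 1: 'Disable All', then enable just the protocols of interest."""
    allowed = set(protocols)
    return [f for f in frames if f.protocol in allowed]


def protocols_in_capture(frames):
    """The list the article builds by hand before applying the workaround."""
    return sorted({f.protocol for f in frames})


def disable_noise(frames, noise):
    """Technique 2 via the workaround: enable every protocol seen in the capture
    except those judged to be noise (equivalent to disabling them one at a time)."""
    keep = [p for p in protocols_in_capture(frames) if p not in set(noise)]
    return enable_only(frames, keep)


def isolate_ping(frames):
    """Host filter plus ICMP-only filter, as in Figure D."""
    return enable_only(host_filter(frames, "FUBAR", "TAZMANIA"), ["ICMP"])
```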




  6. #6
    Real name: 1234

    Retired administrator
    Join date
    Jul 2009
    Location
    5678
    Posts
    5,634
    Thanked
    2513
    Thanks given
    272
    Analyzing Traffic With Network Monitor


    As an administrator, it’s important for you to keep tabs on the traffic that’s flowing across your network. I’m not saying that you need to be intimately familiar with every single packet that’s sent or received, but you need to know what types of protocols are flowing across your network. Monitoring the network allows you to have a better understanding of how bandwidth is being used. It also allows you to find out if users are running file sharing programs, or if some kind of evil Trojan is silently transmitting information in the background. What you might not realize is that Microsoft has given you a tool that you can use for monitoring network traffic. Appropriately, the tool is called Network Monitor. In this article, I will introduce you to this tool and show you how to use it.

    Microsoft has given you a tool that you can use for monitoring network traffic. Appropriately, the tool is called Network Monitor. There are actually two different versions of Network Monitor that ship with Microsoft products. The version that comes with Windows Server 2003 is the watered down version. It is very similar to the full version, except that it only allows you to analyze traffic sent to or from the server that Network Monitor is running on. The full version of Network Monitor is included with SMS Server. It allows you to monitor any machine on your network and to determine which users are consuming the most bandwidth. You can also use the SMS version of Network Monitor to determine which protocols are using the most bandwidth on the network, locate network routers, and resolve device names into MAC addresses.
    Another feature that is left out of the Windows version of Network Monitor is the ability to capture, edit, and retransmit a packet. This functionality is used by hackers when performing a replay attack. The idea behind a replay attack is that a hacker can capture some sensitive piece of information, such as an authentication packet. Later, if the hacker wants to log on as someone else, they can edit the packet to change the source address and then retransmit it. The actual process is a little more complicated than that, but not much.
    Installing Network Monitor

    As you may have already figured out, the Windows Setup program doesn’t install Network Monitor by default. To install the Windows version of Network Monitor, open the Control Panel and select the Add / Remove Programs option. Next, click the Add / Remove Windows Components button to launch the Windows Components wizard. Scroll through the list of components until you locate the Management and Monitoring Tools option. Select the Management and Monitoring Tools option and click the Details button. Select the Network Monitor Tools option and click Next. Windows will now begin the installation process. You may be prompted to insert your Windows installation CD. Click Finish to complete the installation process.
    Running Network Monitor

    After the installation process completes, you can launch Network Monitor by selecting the Network Monitor command found on Windows' Administrative Tools menu. When Network Monitor initially loads, you will see a dialog box asking you to select a network that you can capture data from. Click OK and you will see the Select a Network dialog box. Simply expand the My Computer container and then select the network adapter that you want to monitor. Click OK to continue.
    At this point, you will see the main Network Monitor screen, shown in Figure A. Right now, Network Monitor isn’t capturing any data. It’s up to you to initiate the data capture process. Before you do though, you might want to set up a capture filter.

    Figure A: This is the main Network Monitor screen
    The reason why filtering is so important is because there is a tremendous amount of traffic that flows into and out of most servers. You can easily capture so much traffic that analyzing it becomes next to impossible. To help cut down on the amount of traffic that you must analyze, Network Monitor allows you to use filters. There are two different types of filters that you can use; capture filters and display filters.
    Capture filters allow you to specify which types of packets will be captured for analysis. For example, you may decide that you only want to capture HTTP packets. The main advantage to implementing a capture filter is that by filtering packets during the capture, you will use a lot less hard disk space than you would if you captured every packet.
    Display filtering works similarly to capture filtering except that all network traffic is captured. You filter the data that you want to analyze at the time of analysis rather than at the time of capture. Display filtering uses a lot more hard disk space than capture filtering, but you will have the full dataset on hand just in case you decide to analyze something other than what you originally intended.
    Capturing Data

    If you have decided that you want to filter the data being captured, select the Filter option from the Capture menu, and configure your filter. Otherwise, you can start the capture process by selecting the Start command found on the Capture menu. You can see what the capture process looks like in Figure B. When you have captured the data that you want, then select the Stop command from the Capture menu.

    Figure B: This is what the capture process looks like
    Analyzing the Data

    To analyze the captured data, select the Display Captured Data command from the Capture menu. When you do, you will see the screen shown in Figure C.

    Figure C: This is a summary of the captured data
    The screen shown in Figure C shows a summary of all of the captured packets in the sequence that those packets were captured. The data that you are looking at is unfiltered. You could set up a display filter at this point by selecting the Filter option from the Display menu.
    Once you have located a packet that you are interested in, double click on the packet to see it in greater detail. When you do, you will see the screen that’s shown in Figure D.

    Figure D: This is the screen that you will use to analyze a packet
    As you can see in the figure, the packet screen is divided into three sections. The top section is simply a condensed view of the summary screen. You can use this section to select a different packet to analyze without having to go back to the main summary screen.
    The second section contains the packet’s contents in a decoded, tree format. For example, in the screen capture, you can see that the top portion of the tree says FRAME: Base Frame Properties. If you expand this portion of the tree, you can see the date and time that the frame was captured, the frame number, and the frame length.
    The third section contains the raw data that makes up the frame. In this section, the column to the far left shows the base address of the bytes on that line in hexadecimal format. The middle section shows the actual hexadecimal data that makes up the frame. The hexadecimal code is positions wide. To determine the address of any of the hex characters, start with the base address for that line, and then count the position of the character that you are interested in. For example, if the base address is 00000010, and the character that you are interested in is in the twelfth position, then the character’s address would be 0000001B.
    The column to the far right contains a reprint of the data in decimal notation. This is probably the most useful part of the screen because anything that has been transmitted in clear text is clearly readable in this column. For example, if an E-mail were transmitted in an unencrypted format and the transmission were captured, you could read the contents of the message in this location (assuming that you could locate the correct packet). If you look closely at Figure D, you will notice that this is an LDAP packet that I have captured. The decimal portion of the packet clearly shows a call to the Active Directory (CN=Configuration,DC=production,DC=com).
    Conclusion

    In this article I have explained that Microsoft includes the Network Monitor tool with Windows so that you can monitor the types of traffic flowing in and out of a server. I then went on to demonstrate the installation and use of this tool.
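The three-column frame view described above (base address, hex bytes, clear-text column) and the address arithmetic for a byte at a given position, reproduced as an added example; this is not the article's or Network Monitor's code. It assumes 16 bytes per line and uses a constructed payload containing the LDAP base DN quoted in the post.

```python
BYTES_PER_LINE = 16  # assumption: one line of the frame view holds 16 bytes


def byte_address(base_address: int, position: int) -> int:
    """Address of the byte at 1-based `position` on a line that starts at `base_address`.
    Example from the article: base 0x10, twelfth position -> 0x1B."""
    if not 1 <= position <= BYTES_PER_LINE:
        raise ValueError("position must be between 1 and %d" % BYTES_PER_LINE)
    return base_address + position - 1


def hexdump(data: bytes) -> list:
    """Render data like netmon's third pane: offset, hex bytes, printable text.
    Non-printable bytes are shown as '.' in the right-hand column."""
    lines = []
    for offset in range(0, len(data), BYTES_PER_LINE):
        chunk = data[offset:offset + BYTES_PER_LINE]
        hex_col = " ".join("%02X" % b for b in chunk).ljust(BYTES_PER_LINE * 3 - 1)
        text_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08X  %s  %s" % (offset, hex_col, text_col))
    return lines


def locate_clear_text(data: bytes, needle: bytes):
    """Find a clear-text string in the frame and return (line base address,
    1-based position on that line), or None if it is not present. This is how
    you would pin down where the readable text in the right column lives."""
    idx = data.find(needle)
    if idx < 0:
        return None
    return (idx // BYTES_PER_LINE) * BYTES_PER_LINE, idx % BYTES_PER_LINE + 1


# Constructed sample payload (not a real captured frame): a few ASN.1-style header
# bytes followed by the DN the article reads out of its LDAP packet.
SAMPLE_PAYLOAD = b"\x30\x1f\x02\x01\x01" + b"CN=Configuration,DC=production,DC=com"

if __name__ == "__main__":
    for line in hexdump(SAMPLE_PAYLOAD):
        print(line)
    print(locate_clear_text(SAMPLE_PAYLOAD, b"DC=production"))
```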




