Monitoring Network Traffic

Sometimes the best way to see what's happening on your network is to watch the traffic as it passes. A tool called Network Monitor is included with Windows Server 2003. This tool is a direct descendant of the Windows NT Network Monitor, which in turn is based on the same-named tool provided with the Systems Management Server (SMS) product. Network Monitor is a network analyzer (or "sniffer," a name taken from the Network General Sniffer toolset). Network analyzers capture raw traffic from the network and then decode it just as the protocol stack would. Because analyzers don't depend on a protocol stack, you can use one to monitor traffic for protocol types you don't actually have installed; for example, you might use Network Monitor to capture and decode AppleTalk packets while troubleshooting a Mac connectivity problem, even without having AppleTalk on your workstation.

Network Monitor comes in two pieces: the application, which you install on Windows Server 2003 (see Figure 2.7), and the driver, which you typically install on Windows 2000 or XP Professional client machines, although most versions of the Windows operating system can use the Network Monitor driver. A machine must have the driver installed before you can monitor its traffic (the driver is installed automatically when you install the application). The driver is required because it puts the network card into promiscuous mode, in which the card accepts packets not addressed to it, an obvious requirement for monitoring overall network traffic.

Network Monitor allocates a big chunk of RAM to use as a capture buffer. When you tell it to start capturing network packets, it copies to the buffer every packet it sees on a particular NIC, gathering statistical data as it goes. When you stop the capture process, you can analyze the buffered data in a variety of ways, including by applying capture filters that screen out packets you're not interested in.
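
The decode-without-a-stack and capture-buffer behavior described above, as an added Python sketch that is not Network Monitor's code or part of the original text: it decodes Ethernet II headers by EtherType, buffers the decoded frames while tallying statistics, and filters the buffer afterward. The names decode, CaptureBuffer, view and make_frame, the sample frames, and the drop-oldest behavior when the buffer is full are assumptions made for illustration.

```python
import struct
from collections import Counter, deque

# Decoded by the analyzer itself; the host needs no AppleTalk stack installed.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x809B: "AppleTalk"}

def decode(frame):
    """Decode the 14-byte Ethernet II header of one raw frame."""
    if len(frame) < 14:
        return None  # truncated frame: caller counts it instead of crashing
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "length": len(frame),
            "proto": ETHERTYPES.get(etype, f"0x{etype:04x}")}

class CaptureBuffer:
    """Fixed-size buffer that keeps every frame seen and tallies statistics."""
    def __init__(self, max_frames):
        self.frames = deque(maxlen=max_frames)  # assumption: oldest dropped when full
        self.stats = Counter()

    def capture(self, frame):
        self.stats["seen"] += 1
        pkt = decode(frame)
        if pkt is None:
            self.stats["undecodable"] += 1
            return
        self.stats[pkt["proto"]] += 1
        self.frames.append(pkt)

    def view(self, **criteria):
        """Filter the buffered frames, e.g. view(proto="AppleTalk")."""
        return [p for p in self.frames
                if all(p[k] == v for k, v in criteria.items())]

def make_frame(dst, src, etype, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame (hypothetical helper)."""
    return bytes.fromhex(dst + src) + struct.pack("!H", etype) + payload

# Constructed sample frames, not taken from a real network.
SAMPLE = [make_frame("ffffffffffff", "020000000001", 0x0806),
          make_frame("020000000002", "020000000001", 0x0800),
          make_frame("090007ffffff", "020000000003", 0x809B),
          b"\x00" * 6]  # truncated frame

if __name__ == "__main__":
    buf = CaptureBuffer(max_frames=1000)
    for raw in SAMPLE:
        buf.capture(raw)
    print(dict(buf.stats), buf.view(proto="AppleTalk"))
```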

Before you install and use Network Monitor, there are a couple of caveats you need to know about. First, the Windows Server 2003 Network Monitor only works with Windows 2000 or XP clients—if you want to use it to monitor Windows NT, 95, or 98 clients, you need the Network Monitor drivers from the SMS CD. More importantly, the Windows Server 2003 version of Network Monitor allows you to watch traffic to and from only the server that it's installed on; the SMS version of Network Monitor supports watching traffic anywhere on your network.

FIGURE 2.7 The main Network Monitor window

Windows Server 2003 also includes a tool called System Monitor, which is used to monitor just about everything that goes on in the computer. The processor, memory, disk, and most importantly, the network can all be monitored in the System Monitor utility. The System Monitor does not provide as much information about network traffic as Network Monitor, but it's great for obtaining a quick graphical representation of the status of your network. In many cases, this is quicker and easier than deciphering the complex information that Network Monitor presents.

In the following sections, you will see how to install and use Network Monitor and System Monitor to monitor network traffic.
