Dedicated Capture Mode
Another problem, one that you might not be aware of while it's happening, is that Network Monitor can drop packets if the computer you're using to monitor packets multitasks monitoring and other processes. To counteract this problem, you can put the program in a dedicated capture mode so that other processes don't interrupt the capture. As you might imagine, interrupting server processes on production servers is a bad idea. Thus, production servers aren't good candidates from which to run Network Monitor in dedicated capture mode. Instead, on a different resource computer (e.g., a local workstation), select Dedicated Capture Mode from the Capture menu to set the capture session to dedicated capture mode.
Network Monitor Agent
The SMS 2.0 Network Monitor 2.0 Agent, which you install by running Setup from the \nmext\i386 directory of your SMS 2.0 or SMS 2.0 Service Pack 1 (SP1) CD-ROM, is a software device that lets you use a computer as a remote Network Monitor sniffer. For example, suppose you want to sniff a system in a subnet on the other side of a router without physically accessing the system. Install the Network Monitor Agent on an NT system in the remote network. Then, set up a capture session from the local system you regularly use to monitor the network. Launch Network Monitor on the remote system by entering the remote computer's name in the Remote NPP Connection dialog box, which Screen 3 shows, on your local system. When you end the capture, the remote system sends the capture to your computer for viewing as necessary. You can view the capture only after you've ended the capture process. Your local system receives the captured data, but the remote computer does the sniffing.
The Network Monitor Agent in NT 4.0's Control Panel Network applet isn't the same as the Agent in SMS 2.0's Control Panel Network applet. In fact, the NT 4.0 Network Monitor Agent isn't compatible with the SMS 2.0 Network Monitor 2.0 Agent. In addition, the capture buffer on a system running the Network Monitor 2.0 Agent can't exceed the size of that system's memory, and Network Monitor 2.0 can't communicate with a non-Network Monitor 2.0 Agent.
Experts and Monitors
Network Monitor 2.0 provides two enhancements that aren't available in earlier versions: experts and monitors. Microsoft designed experts and monitors to help make your network monitoring chores easier to perform.
Experts. When you run a Network Monitor sniff, you'll be amazed at the amount of data you quickly collect: a simple 10-minute capture can take up as much as 5MB of hard disk space. Moreover, the data can be cumbersome to read and difficult to analyze because it's in hexadecimal notation. Although Network Monitor provides a summary screen that helps you determine what protocol and frame you're looking at and decipher what information the frame provides, the screen's format isn't intuitive. Experts put captured data in a more logical and palatable format to help you read and analyze the data. Network Monitor 2.0 provides the following five experts:
- Average Server Response Time: Provides the average response time of servers in your network.
- Property Distribution: Calculates a protocol property's statistics.
- Protocol Coalesce Tool: Helps you combine data in tens, hundreds, or thousands of little packets into one packet for in toto viewing (i.e., you can view one packet of data instead of multiple data fragments).
- Protocol Distribution: Tells you which protocol your network (i.e., the systems you sniff) uses the most. This information is useful for calculating statistics about protocol distribution on your network. This expert can reveal massive UDP broadcasts from one box, which means that the system is initiating a master browser contest.
- TCP Retransmit: Shows you TCP packets that a system needed to retransmit because the receiving host failed to acknowledge that it received the original packets. This expert provides information that is useful for diagnosing NIC difficulties and slow LAN connections.
- Top Users: Provides a list of the users in a capture in an order relative to their network use (i.e., in terms of packets each user puts out onto the network). You can use this expert to discover a chatty NIC, a runaway process, or a poorly implemented three-tier client/server setup. However, the existence of a top user doesn't necessarily mean that you have a problem: the expert simply reveals the top user during your capture session.
To run an expert or multiple experts after you end a capture, click Tools, Experts while you're in view-capture mode. From the Network Monitor Experts dialog box, which Screen 4 shows, select the expert you want to run and click Add to Run List after each expert you select. When you've added to the Run List all the experts you want to run, click Run Experts. For each expert you run, Network Monitor provides a tab that shows the expert's data, as Screen 5 shows. You can click the column heads to arrange the output in any order. This tool provides a simple way to view and analyze captured data.
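To make concrete what three of the experts compute from a capture, here is an added Python example (not code from the article, and not Network Monitor's or SMS's own implementation) that runs Protocol Distribution, Top Users, and TCP Retransmit logic over a constructed list of decoded frames. The frame fields, the hypothetical 10.0.0.x addresses, and the retransmit rule (a TCP segment that repeats an earlier segment's source, destination, sequence number, and length) are assumptions made for the example.

```python
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple


class Frame(NamedTuple):
    """One decoded frame, reduced to the fields the experts need (assumed layout)."""
    t: float                   # capture timestamp in seconds
    src: str                   # source IP address
    dst: str                   # destination IP address
    proto: str                 # top-level protocol name as the parser reports it
    length: int                # frame length in bytes
    seq: Optional[int] = None  # TCP sequence number (None for non-TCP frames)


# Constructed sample capture (hypothetical addresses, not a real trace).
CAPTURE = [
    Frame(0.000, "10.0.0.5", "10.0.0.1", "TCP", 1460, 1000),
    Frame(0.010, "10.0.0.5", "10.0.0.1", "TCP", 1460, 2460),
    Frame(0.200, "10.0.0.5", "10.0.0.1", "TCP", 1460, 1000),   # same seq/len as the first: retransmit
    Frame(0.300, "10.0.0.7", "10.0.0.255", "UDP", 243),          # broadcast burst from one box
    Frame(0.310, "10.0.0.7", "10.0.0.255", "UDP", 243),
    Frame(0.320, "10.0.0.7", "10.0.0.255", "UDP", 243),
    Frame(0.330, "10.0.0.7", "10.0.0.255", "UDP", 243),
    Frame(0.400, "10.0.0.1", "10.0.0.5", "TCP", 60, 500),
    Frame(0.500, "10.0.0.9", "10.0.0.1", "ICMP", 74),
]


def protocol_distribution(frames: List[Frame]) -> List[Tuple[str, int, float]]:
    """Protocol Distribution: frames per protocol, most used first, with each
    protocol's share of all frames as a percentage."""
    counts = Counter(f.proto for f in frames)
    total = sum(counts.values())
    return [(proto, n, round(100.0 * n / total, 1)) for proto, n in counts.most_common()]


def top_users(frames: List[Frame]) -> List[Tuple[str, int, int]]:
    """Top Users: sources ordered by frames sent (ties broken by bytes), so a
    chatty NIC or runaway process floats to the top of the list."""
    frames_by_src = Counter()
    bytes_by_src = Counter()
    for f in frames:
        frames_by_src[f.src] += 1
        bytes_by_src[f.src] += f.length
    return sorted(
        ((src, n, bytes_by_src[src]) for src, n in frames_by_src.items()),
        key=lambda row: (row[1], row[2]),
        reverse=True,
    )


def tcp_retransmits(frames: List[Frame]) -> List[Tuple[Frame, Frame]]:
    """TCP Retransmit: a TCP segment that repeats an earlier segment's source,
    destination, sequence number and length is reported as a retransmit,
    paired with the original it repeats."""
    first_seen = {}
    found = []
    for f in frames:
        if f.proto != "TCP":
            continue
        key = (f.src, f.dst, f.seq, f.length)
        if key in first_seen:
            found.append((f, first_seen[key]))
        else:
            first_seen[key] = f
    return found


if __name__ == "__main__":
    for row in protocol_distribution(CAPTURE):
        print("protocol %-5s frames=%d share=%.1f%%" % row)
    for row in top_users(CAPTURE):
        print("top user %-10s frames=%d bytes=%d" % row)
    for retx, orig in tcp_retransmits(CAPTURE):
        print("retransmit at t=%.3f repeats t=%.3f (%s -> %s seq=%d)"
              % (retx.t, orig.t, retx.src, retx.dst, retx.seq))
```

On the sample capture the UDP broadcaster 10.0.0.7 tops the user list by frame count even though 10.0.0.5 sent far more bytes, which is the kind of distinction the Top Users expert leaves you to interpret: a top talker is a lead, not a verdict.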
Monitors. Monitors are software tools that perform a real-time watch for a specific condition or frame property on a network. When the event that you set the monitor to watch for occurs, the monitor posts the event to the Monitor Control Tool. When you install Network Monitor 2.0, you automatically install this tool as a separate program in the SMS group. You also automatically install the Monitor Control Service associated with the Monitor Control Tool. By default, this service is disabled; you must manually enable it. To start the Monitor Control Service, run the Monitor Control Tool. The system presents you with a Monitor Control Tool dialog box, which Screen 6 shows, in which you can configure monitors. SMS includes the following seven monitors (you can purchase additional monitors from third-party vendors):
- ICMP Redirect Monitor: Routers use ICMP redirect messages to inform a host that the route the host is attempting to use is old or defunct and to suggest a new route. An attacker might send a host a fake Internet Control Message Protocol (ICMP) redirect packet in an attempt to get the host to redirect the packet's route to an invalid destination, subverting the host's traffic flow. The ICMP Redirect Monitor watches for this type of activity.
- IP Router Monitor: Watches for failed IP routers.
- IPRange Monitor: Checks for frames that have source IP addresses outside a range that you specify, which prevents spurious hosts from sending frames.
- IPX Router Monitor: Monitors for failed IPX routers.
- Rogue DHCP and WINS Monitor: Watches for unauthorized DHCP or WINS servers on the subnet.
- Security Monitor: Checks for unauthorized users trying to use Network Monitor.
- SynAttack Monitor: Monitors for an attack in which an unreachable source overloads the server by sending thousands of SYN requests to a host. Each SYN request requires as long as 189 seconds to time out on the server and subsequently makes the host useless.
Monitors are easy to start: Start the Monitor Control Tool by selecting the Start menu's Programs option, and clicking Systems Management Server, Monitor Control Tool. Next, connect to the computer that you'll run the monitor from (this system can be the system you're on or another Network Monitor 2.0 system), click the monitor you want to run, and click Enable. You can also use this method to add monitors to the list of running monitors.
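To show the kind of condition three of these monitors watch for, here is an added Python example (not code from the article, and not the SMS monitors' own implementation) that applies IPRange, Rogue DHCP, and SynAttack checks to a constructed list of decoded frames. The frame fields, the hypothetical addresses (192.168.1.0/24 as the local subnet, 192.168.1.2 as the only authorized DHCP server), the half-open counting rule, and the alert threshold of 20 are assumptions made for the example.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Assumed site configuration for the example.
LOCAL_SUBNET = "192.168.1.0/24"
AUTHORIZED_DHCP = {"192.168.1.2"}

# Constructed sample frames (hypothetical addresses, not a real capture).
# Each dict carries only the fields the three monitors inspect.
FRAMES = [
    # a normal three-way handshake from a host inside the subnet
    {"t": 0.00, "src": "192.168.1.10", "dst": "192.168.1.1", "proto": "TCP", "flags": {"SYN"}},
    {"t": 0.01, "src": "192.168.1.1", "dst": "192.168.1.10", "proto": "TCP", "flags": {"SYN", "ACK"}},
    {"t": 0.02, "src": "192.168.1.10", "dst": "192.168.1.1", "proto": "TCP", "flags": {"ACK"}},
    # a source address that does not belong on this subnet
    {"t": 0.05, "src": "10.9.9.9", "dst": "192.168.1.1", "proto": "TCP", "flags": {"SYN"}},
    # two DHCP offers: one from an unknown box, one from the authorized server
    {"t": 0.10, "src": "192.168.1.200", "dst": "255.255.255.255", "proto": "UDP", "dhcp": "OFFER"},
    {"t": 0.12, "src": "192.168.1.2", "dst": "255.255.255.255", "proto": "UDP", "dhcp": "OFFER"},
]
# a burst of 50 SYNs from one source that never completes a handshake
FRAMES += [
    {"t": 1.0 + i * 0.001, "src": "203.0.113.77", "dst": "192.168.1.1", "proto": "TCP", "flags": {"SYN"}}
    for i in range(50)
]


def ip_range_monitor(frames, allowed=LOCAL_SUBNET) -> List[str]:
    """IPRange Monitor: report every source address outside the allowed range."""
    net = ipaddress.ip_network(allowed)
    return sorted({f["src"] for f in frames if ipaddress.ip_address(f["src"]) not in net})


def rogue_dhcp_monitor(frames, authorized=AUTHORIZED_DHCP) -> List[str]:
    """Rogue DHCP Monitor: any host answering with a DHCP OFFER or ACK that is
    not on the authorized server list is reported."""
    rogues = {f["src"] for f in frames
              if f.get("dhcp") in ("OFFER", "ACK") and f["src"] not in authorized}
    return sorted(rogues)


def syn_attack_monitor(frames, threshold=20) -> Dict[str, int]:
    """SynAttack Monitor: count half-open connections per source. A bare SYN
    opens one; a later ACK (without SYN) from the same source closes one.
    Sources whose half-open count reaches the threshold are reported."""
    half_open = Counter()
    for f in frames:
        if f.get("proto") != "TCP":
            continue
        flags = f.get("flags", set())
        if "SYN" in flags and "ACK" not in flags:
            half_open[f["src"]] += 1
        elif "ACK" in flags and "SYN" not in flags and half_open[f["src"]] > 0:
            half_open[f["src"]] -= 1
    return {src: n for src, n in half_open.items() if n >= threshold}


if __name__ == "__main__":
    print("sources outside %s: %s" % (LOCAL_SUBNET, ip_range_monitor(FRAMES)))
    print("unauthorized DHCP servers: %s" % rogue_dhcp_monitor(FRAMES))
    for src, n in syn_attack_monitor(FRAMES).items():
        print("possible SYN flood: %s has %d half-open connections" % (src, n))
```

Note that the out-of-range source list and the SYN-flood source overlap here, which is typical: a flood from an unreachable or spoofed address usually also trips the range check, and seeing both alerts together for one address is a stronger signal than either alone.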
A Useful Toolbox Addition
Network Monitor is a difficult SMS tool to master. However, after you understand the functionality that this SMS feature has to offer and you learn how to use the program, Network Monitor will be one of the most useful tools in your administrative toolbox.