Windows Network Monitor 3.4

Microsoft Network Monitor 3.4

Brief Description
Tool to allow capturing and protocol analysis of network traffic.
Quick Details
Version:3.4 2350
Knowledge Base (KB) Articles:KB933741
Date Published:6/24/2010
Language:English
Download Size:6.1 MB - 21.0 MB*

*Download size depends on selected download components.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f#filelist



以下為簡單教學:

Windows Network Monitor For Windows Server 2008

Review of the Windows 2008 Network Monitor (Netmon.exe)

The Microsoft Network Monitor v3.2 is a tool which captures TCP/IP packets and reveals their source and destination addresses along with detailed information stored in the datagram header.  All that is required to collect and display data is a computer with a network card, you don't need a router as you do with proprietary NetFlow traffic analyzers.


Server 2008 Network Monitor v 3.2

Topics for Windows 2008 Network Monitor 3.2

Intro to Microsoft Network Monitor 3.2
Typical Tasks for Microsoft Network Monitor
What's new in Network Monitor 3.2
Using Capture Filters
Enable Network Conversations
7 Tips for Windows Network Monitor
NetFlow Traffic Analyzer

Introduction to Microsoft Network Monitor 3.2

Reports of Windows Network Monitor's demise have been exaggerated.  Version 3.2 is thriving; furthermore Netmon is ready to capture network frames on a Windows Server 2008 computer.

What has caused the confusion is that in Windows Server 2008 you cannot add the Network Monitor as a 'Feature'; instead you must download the utility from Microsoft's site, and then install it from the Win32 Cabinet Self-Extractor.  In the old days with Windows 2000/3 you could install version 1, or 2 from the Add/Remove Programs, Windows Components.

Network Monitor 3.2 not only works on all modern Windows operating systems, such as Server 2008, Vista, Windows Server 2003 and XP, but it is also is supported by Microsoft.

Typical Tasks for Microsoft Network Monitor

Whilst it is easy to understanding the twin principles of capturing network traffic and displaying information, getting this tool to work can be frustrating for a beginner.  It reminds me of learning to windsurf, at first it seems impossible that I could stand up on that board, never mind manoeuvre the sails.

Most of the problems learning to use Network Monitor stem from being swamped by the volume of data that this utility collects.  The best way to start your voyage is to focus on the filters.  What really helps is if you have a clear purpose for each journey with Netmon, that way you don't get side-tracked by irrelevant menus.  Moreover, each successive journey will be easier because you can navigate by familiar landmarks.

Troubleshooting connectivity problems. 
Let us imagine that DNS is not working.  If you capture the appropriate frames with the Network Monitor, you may discover from the destination address that your machine is trying to connect to a non-existent DNS server.

Calculating server response times. 
Each packet has date / time information, thus you can measure response times for conversations between your computer and various servers.  If necessary you could instigate a conversation with ping.


TCP re-transmissions.


  P-mode Promiscuous mode capture for network monitor.

A significant number of re-transmissions could indicate an intermittent connection problem.

Identify broadcast traffic.
Broadcast traffic is an old enemy of network managers.  You could use seeking broadcast or multicast traffic as an opportunity learn more about Network Monitor, while you check for a well-known network problem.

Your first task is to find, and then research the P-Mode button.  The 'P' stands for promiscuous capture.

Guy Recommends:  A Free Trial of the Orion Network Performance Monitor (NPM) v10


Solarwinds' Orion performance monitor will help you discover what's happening on your network.  Also this utility will guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.  Because it produces network-centric views, the NPM is intuitive to navigate, and you can export the results to Microsoft Visio.

Perhaps Orion's best feature is the way it suggests solutions.  Moreover, if problems arise out of the blue, then you can configure Orion NPM v10 to notify members of your team what's changed and how to fix it.

If you are interested in troubleshooting, and creating network maps, then I recommend that you take advantage of Solarwinds' offer and download a free trial of Orion's Network Performance Monitor.

Network Monitor History

Version 3.2 is the latest version of Network Monitor for use with Windows Server 2008.  Previous versions, namely 2.0, 1.1, and 1.2, were for Windows Server 2003 and 2000.

What's new in Network Monitor 3.2

Find Network Conversations:  This new feature works by segregating related frames.
Process tracking:  Check for rogue processes.  Learn about 'good' processes.  It works by categorizing packets based on the ID of the process.
Better GUI for the Server 2008 monitor.  Easier to drag and resize the various windows.
Support for parser upgrades. 
Tip: Check the version number in Control Panel.  Go to Programs and Features, right click on the Columns, choose 'More' and add the 'Version' tab.  Scroll down to Microsoft Network Monitor: Parsers.

The Capture

To capture frame data, you must install both the Network Monitor and its driver on the local computer. The Network Monitor driver (also called the Network Monitor agent) enables the Netmon executable to receive and display frames from a NIC (network interface card).

Once netmon.exe has captured the packets from the network card, its parsers can convert raw data into information that you can analyze in the GUI.  As a result you (or anyone else) can read the rich seam of information carried within the packets, including unencrypted passwords and other sensitive information.

Using Capture Filters

The efficiency of Network Monitor's collection coupled with the parsers' detailed analysis results in an embarrassment of riches.  The key to getting the most from Network Monitor is to master the filters.  Actually, the capture and display filters use the same syntax.


Network Monitor Options


Before you start proper work, it's a good idea to set the Server 2008 monitor 'Options'.

Tools Menu --> Options --> Capture

Temporary capture file (Buffer Size)
Folder Location
Capture only first x bytes of a frame - useful if you want to conserver buffer space and you are only interested in the frame's header.

As fast as the driver or agent receives network packets so they are stored temporarily in a capture buffer.

Next the Network Monitor 3.2 compares the frames in the buffer with the capture filter. All the frames that match the capture filter are displayed in the GUI.  Frames which don't match are discarded.

Begin with Standard Filters

Begin by clicking on the Filter menu, Capture (or Display) Filter --> Load Filter - Standard Filters.  Now make your selection, for instance HttpWebpageSearch.

You will soon get the idea of how the filter works, but does take a while to achieve just the results that you want.  Just 'playing' can result in confusion, what helps is a clear goal, for example you just want to capture http traffic.

Master typing in the Filter dialog box


Monitor 
Filter


Once you have used some of the Standard Filters, the learning progression involves selecting data by harnessing the IntelliSense of the Capture (or Display) Filter box.  Begin by typing a period (.) also called the full stop.  Now you should see the top level names.  Type 'p' and IntelliSense kicks in again and displays Protocol.

You could repeat the method and thus append HTTP.  The result should look like: .Protocol.HTTP. 

Alternative Filter Method

Another way of creating filters is to reverse engineer a frame capture.  Start with the Frame Summary screen, then right click an interesting entry.  Next select: 'Add Source to Display Filter' from the drop-down menu.  The knack is to select the 'Source' column for your click, rather than the 'Time Offset'.

Save Your Captures

You can save a capture file by clicking Save As on the toolbar.  A good option when you save is to select only those frames which match your filter criteria.   Naturally you can load previous captured files by using the Open Capture dialog box.

Copy Frames

At first the idea of copying frames did not seem to offer much benefit.  But then I realized that you could copy a bunch of frames into Excel and then unleash the spreadsheet's maths on the numeric fields.  For example, calculating average response times.

On another occasion I pasted the data into an email and thus made the point forcibly to the party who was hogging the network.

Quick Capture Statistics

During a capture, Network Monitor 3.2 displays statistics in the status bar at the bottom of the window:

Displayed: The number of displayed frames in the Frame Summary window.
Dropped: The number of dropped frames.
Captured: The total number of frames captured for the active tab.

Network Monitor Conversations

Guy Recommends: SolarWinds Engineer's Toolset v10

The Engineer's Toolset v10 provides a comprehensive console of utilities for troubleshooting computer problems.  Guy says it helps me monitor what's occurring on the network, and the tools teach me more about how the system itself operates.

There are so many good gadgets, it's like having free rein of a sweetshop. Thankfully the utilities are displayed logically: monitoring, discovery, diagnostic, and Cisco tools.  Download your copy of the Engineer's Toolset v 10

Enable Network Conversations


Isolating conversations is a useful technique for grouping captures, and seeing more clearly what is occurring.  Displaying Network Conversations in a new feature of Netmon v 3.2, and the key point is to select the conversation from the tree on the left of the Network Monitor GUI.

You can take this troubleshooting technique one stage further by selecting 'Show Processes' (see Options screenshot above).

Using this technique you could research unknown processes; one day you may discover a rogue program that has infiltrated your network.

Network Monitoring with Virtual Machines and Windows Server 2008's Hyper-V

In a nutshell, network monitoring between Windows Server 2008 Virtual Machines is difficult.  A Network Monitor on the Server 2008 host computer cannot see traffic between VMs because this traffic never reaches the capturing agent or driver on the host.  The only traffic you can see on the host is traffic from the VMs to an external computer.  Remember that the Network Monitor on a VM can capture only traffic directed to or from that VM.

Advanced Topic - How Network Monitor Parses


All network traffic monitors rely on two processes, firstly, capturing your network's packets, frames or datagrams (call them what you like).  Secondly, a parsing engine which makes sense of the raw bits, bytes or data (call it what you like).

Once you have mastered the basics of capturing and filtering the network traffic, you may wish to investigate a whole new world of parsers.  On the one hand parsers teach you how packet collection works 'under the covers', on the other hand, parsers are the gateway to a new level of controlling the way raw data is displayed in the monitor.

Getting Started
Click the 'Parsers' tab next to the Start Page.

Begin with an overview of all the available parsers.  As you gain in confidence and experience, you could try modifying and saving the new Parsers.  However, to my mind being an expert at creating parsers is a different and higher level skill from troubleshooting data.

The built-in parsers are written in the Network Parsing Language (NPL), this is means that there is a whole industry who use a common standard when developing parsers.

7 Tips for Windows Network Monitor

Consider 'Frame Truncation' to conserve your buffer size improve collection performance (Tools Menu, Options).
Lookout for, and be aware of, context sensitive menu variations.
Copy and paste portions of your capture into Excel, then calculate totals or chart data.
Consider creating an Alias for IP addresses.
Check out the Filters --> Color Filters.
Get out of jail 'Restore'
View menu --> 'Window' --> 'Restore Default Layout'.
It's worth checking the version number of the Network Monitor in the Server 2008 Control Panel. Go to Programs and Features, right click on the Columns, choose 'More' and add the 'Version' tab.

Real-time Network Traffic Analyzer - An Alternative to Windows Network Monitor

Many network managers give up on Network Monitor.  This is because they find collecting network traffic tedious.  Even if they manage to capture network conversations they find it difficult to make sense of the data.

If you find the Server 2008 monitor frustrating, then try an alternative that takes the pain out of network traffic analysis.  One advantage of this NetFlow Analyzer is that you can view server availability instantly.  Download your copy of the SolarWinds free Real-time NetFlow Analyzer.

There is Also a Command-line Tool Called Nmcap.exe

For those who love the command-line, they can control the Network Monitor with the Nmcap executable.

You can use the same filters at the command line as seen in the Capture Filter GUI.   Once you have perfected filters in the GUI you could copy and paste them into the Nmcap command-line.  The syntax is /Frame <Your Filter>.



轉自
http://macivilian.blogspot.com/2010/06/microsoft-network-monitor-34.html
http://www.computerperformance.co.uk/Longhorn/windows_network_monitor.htm#Typical_Tasks_for_Microsoft_Network_Monitor_

0 意見: