Chapter 14, Monitoring Network Activity
Chapter 14, Lesson 1
Monitoring Windows 2000 Activity
1. Using Event Viewer
A. Windows 2000 tracks various system events and stores
information about them in a series of logs.
1. Event Viewer is a program that enables
you to view these logs using a single interface.
|1| B. By default, all computers running Windows 2000 maintain three logs that are
accessible with Event Viewer:
1. System log. Contains information about events generated by
Windows 2000 components, such as services and device drivers
2. Security log. Contains information about security-related events,
such as failed logons, attempts to access protected resources, and success or
failure of audited events
3. Application log. Contains information
about specific programs running on the computer, as determined by the
application developer
|2| C. When you promote a computer running Windows 2000 Server to a
domain controller, three additional logs are added to Event Viewer:
1. Directory service log. Contains information
about the Active Directory service events
2. File replication service log. Contains information
about the success or failure of file replication activities
3. DNS server log. Contains information
about the status and operations of the DNS service
D. Viewing event logs
|3| 1. The simplest method for viewing the
contents of the Windows 2000 event logs is to select Event Viewer from the
Administrative Tools program group on the Start menu.
2. The scope pane of the Event Viewer
console lists the various logs maintained by the computer.
a. Selecting one of the logs displays its
events in chronological order (most recent first) in the detail pane.
|4| b. Each event in a log is flagged with a type
indicator, which can have any of the values shown in the table on Slide 4.
3. Every logged event is summarized in the
detail pane with the date and time that the event occurred, plus an event
number and the software module associated with the incident.
|5| a. Double-click an event to display an Event
Properties dialog box, which gives a more complete description of the event,
plus any related raw data.
E. Locating events
1. When you first start Event Viewer, it
automatically displays all events that are recorded in the selected log.
2. When a computer running Windows 2000 has
been operational for some time, the logs can grow quite large.
a. To limit the display of what appears in
the log so that you can focus on the important events, use the Filter command
to select the events you want to see.
|6| 3. To implement filters in Event Viewer,
from the View menu, select Filter to display the Filter tab of the System Log
Properties dialog box.
a. In this tab, you can specify the event
types you want to display and select other event criteria to reduce the event
list to a manageable size.
b. Similarly, you can select Find from the
View menu to perform a search on a log for particular events.
F. Accessing remote event logs
1. You can use Event Viewer to view the logs
on other computers running Windows 2000 on the network as well as the computer
on which you are working.
a. In the scope pane, select the Event Viewer
(Local) icon, and then select Connect To Another Computer from the Action menu.
b. In the Select Computer dialog box, specify
the name of the computer whose event logs you want to see.
2. Using the Performance Console
|7| A. The Performance console is a built-in Microsoft Management Console (MMC) that
contains two preinstalled snap-ins: System Monitor, and Performance Logs And
Alerts.
1. These snap-ins enable you to view
real-time data about the computer’s performance and set system alerts to notify
you when a counter reaches a specific value.
B. You can use performance data for the following purposes:
1. To understand your workload and its
effect on your system resources
2. To observe changes and trends in
workloads and resource use so that you can plan for future upgrades
3. To test configuration changes or other
tuning efforts by monitoring the results
4. To diagnose problems and target
components or processes for optimization
|8| C. Using the System Monitor snap-in
1. System Monitor enables you to perform the
following tasks:
a. Collect and view real-time performance
data on a local computer or from remote computers
b. View data collected either currently or
previously in a counter log
c. Present data in a printable graph,
histogram, or report view
d. Automatically incorporate System Monitor
functionality into Microsoft Word or other applications in the Microsoft Office
suite
e. Create Hypertext Markup Language (HTML)
pages from performance views
f. Create reusable monitoring configurations
that can be installed on other computers that use the MMC console
2. With System Monitor, you can define the
data you want the graph to collect in the following ways:
a. Type of data. To select the data to be
collected, you can specify one or more counters, which are instances of
performance objects.
b. Source of data. System Monitor can
collect data from your local computer or from other computers on the network
for which you have the appropriate permissions.
c. Sampling parameters. System Monitor supports
manual, on-demand sampling or automatic sampling based on the time interval you
specify.
3. When you open the Performance console, it
shows the two snap-ins in the scope pane.
a. System Monitor is selected by default, and
a blank graph view and a toolbar appear in the detail pane.
|9| b. After you add counters to the graph,
System Monitor begins charting counter values in the graph area.
4. The System Monitor interface has three
main areas: the graph area, the legend, and the value bar.
a. You can choose to have the data in the
graph area updated automatically or on demand.
(1) For updating on demand, use the Update Data
toolbar button to start and stop the collection intervals.
|10| 5. To add counters to the graph, click Add
to display the Add Counters dialog box.
a. Make a selection in the Performance Object
drop-down list, and a list of the counters for that object is displayed
underneath.
b. You can then select the counters you want
to display, or you can choose to display all the counters for the object.
(1) Selecting large numbers of counters is
generally not a good idea because it makes the resulting graph difficult to
read.
6. The movement of the timer bar (the
vertical line crossing the entire graph) indicates the passing of each update
interval.
a. Regardless of the update interval, the
view shows up to 100 data samples.
b. System Monitor compresses log data as
necessary to fit it in the display.
c. To see the compressed data in a log,
click Properties, click the Source tab, select a log file, and then select a
shorter time range.
7. You can also define the following
attributes of the System Monitor graph:
a. Type of display, with options for graph,
histogram, or report
b. Background color of the detail pane and of
the data display area
c. Size, type, and style of font used to
show text in the display
d. Color, width, and style of line used to
chart data
8. The names and associated information for
the counters you select are shown in the legend (the set of columns beneath the
graph). The legend displays the following information:
a. Object. A logical collection of
counters associated with a resource or service that can be monitored
b. Counter. A data item associated
with an object. For each counter selected, System Monitor presents a value
corresponding to an aspect of the performance defined for the object.
c. Instance. A term used to
distinguish between multiple occurrences of the same counter on a computer
9. The value bar is located beneath the
graph area and above the legend.
a. The value bar contains the Last, Average,
Minimum, Maximum, and Duration values for the counter currently selected.
b. The values are calculated over the time
period and number of samples displayed in the graph, not over the time that has
elapsed since monitoring was started.
D. Monitoring system and network performance
1. Although network administrators tend to
be concerned primarily with the network performance characteristics that System
Monitor can track, network activity can also influence the performance of the
computer as a whole.
2. You should monitor other resources along
with network activity, such as disk, memory, and processor activity.
|11| a. The counters that are suggested as part of
your normal monitoring configuration are shown on Slide 11.
3. Monitoring network activity with System
Monitor involves examining performance data at each network layer.
4. When monitoring performance data for your
network, begin with the lowest-level components and work your way up.
a. Monitor the objects over periods ranging
from days to weeks to a month.
b. Using this performance data, determine a
performance baseline (the level of performance you expect under a typical
workload).
(1) A performance baseline is a reference point
that you can use to compare performance over time and to identify growth
trends, changing demands, or the emergence of a bottleneck.
c. If performance within the baseline range
becomes unsatisfactory, tune the network.
d. When performance data is incompatible with
your baseline values, investigate the cause.
E. Using the Performance Logs And Alerts snap-in
1. With Performance Logs And Alerts, you can
collect performance data automatically from local or remote computers.
2. You can view logged counter data by using
System Monitor, or you can export the data to spreadsheet programs or databases
for analysis and report generation.
|12| 3. The Performance Logs And Alerts snap-in
enables you to perform the following tasks:
a. Collect data in a comma-delimited or
tab-separated format for easy import to spreadsheet programs.
b. View counter data during collection and
after collection has stopped.
c. Define start and stop times, file names,
file sizes, and other parameters for automatic log generation.
d. Manage multiple logging sessions from a
single console window.
e. Set an alert on a counter, instructing the
console to send a message, run a program, or start a log when the selected
counter reaches a specified value.
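The value bar statistics described in C.9, the baseline comparison in D.4, and the comma-delimited counter logs listed under E.3 above can be reproduced offline from an exported log. The Python below is an added example, not course material or the tool's own code; it assumes a simplified version of the exported CSV layout (a timestamp column followed by one column per counter path) and uses constructed samples.

```python
"""Value-bar statistics and a baseline comparison over an exported counter log."""
import csv
from datetime import datetime
from io import StringIO
from statistics import mean, pstdev

MAX_SAMPLES = 100        # System Monitor charts at most 100 samples at a time
TIMESTAMP_FMT = "%m/%d/%Y %H:%M:%S.%f"

# Constructed, simplified logs in the comma-delimited layout Performance Logs
# And Alerts can write; the header text and counter paths are assumptions.
BASELINE_LOG = r'''"(PDH-CSV 4.0)","\\SRV1\Network Interface(NIC1)\Bytes Total/sec","\\SRV1\Processor(_Total)\% Processor Time"
"03/27/2000 08:00:00.000","120000","22"
"03/27/2000 08:00:15.000","131000","25"
"03/27/2000 08:00:30.000","118000","21"
"03/27/2000 08:00:45.000","125000","24"
"03/27/2000 08:01:00.000","129000","23"
"03/27/2000 08:01:15.000","122000","22"
'''
CURRENT_LOG = r'''"(PDH-CSV 4.0)","\\SRV1\Network Interface(NIC1)\Bytes Total/sec","\\SRV1\Processor(_Total)\% Processor Time"
"04/10/2000 08:00:00.000","124000","23"
"04/10/2000 08:00:15.000","410000","71"
"04/10/2000 08:00:30.000","398000","68"
"04/10/2000 08:00:45.000","126000","22"
'''


def parse_counter_log(text):
    """Return (counter paths, rows); each row is (datetime, {path: value})."""
    reader = csv.reader(StringIO(text))
    header = next(reader)
    names = header[1:]
    rows = []
    for row in reader:
        if len(row) != len(header):
            continue                      # blank or truncated line
        # A sample the provider could not collect is written as an empty cell.
        values = {n: float(c) for n, c in zip(names, row[1:]) if c.strip()}
        rows.append((datetime.strptime(row[0], TIMESTAMP_FMT), values))
    return names, rows


def value_bar(rows, counter, window=MAX_SAMPLES):
    """Last, Average, Minimum, Maximum and Duration the way the value bar
    reports them: over the samples on the graph, not since monitoring began."""
    shown = [(ts, v[counter]) for ts, v in rows[-window:] if counter in v]
    vals = [v for _, v in shown]
    return {"last": vals[-1], "average": mean(vals), "minimum": min(vals),
            "maximum": max(vals), "samples": len(vals),
            "duration": (shown[-1][0] - shown[0][0]).total_seconds()}


def baseline(rows, counter):
    """Mean and spread of a counter over the baseline period (days to weeks
    in practice; a few constructed samples here)."""
    vals = [v[counter] for _, v in rows if counter in v]
    return {"mean": mean(vals), "stdev": pstdev(vals)}


def deviations(rows, counter, base, k=3.0):
    """Samples more than k standard deviations above the baseline mean: the
    points worth investigating as a changing demand or a bottleneck."""
    limit = base["mean"] + k * base["stdev"]
    return [(ts, v[counter]) for ts, v in rows if counter in v and v[counter] > limit]


if __name__ == "__main__":
    names, base_rows = parse_counter_log(BASELINE_LOG)
    _, cur_rows = parse_counter_log(CURRENT_LOG)
    for name in names:
        print(name, value_bar(base_rows, name))
        for ts, val in deviations(cur_rows, name, baseline(base_rows, name)):
            print("  outside baseline:", ts, val)
```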
4. Similar to System Monitor, the
Performance Logs And Alerts snap-in supports the definition of performance
objects, performance counters, and object instances.
5. Performance Logs And Alerts also offers
the following additional options related to recording performance data:
a. Starting and stopping logging. Start and stop logging
based on a user-defined schedule: manually, on demand, or automatically.
b. Creating trace logs. Using the default system
data provider or another provider, trace logs record data when certain
activities occur, such as disk I/O operations or page faults.
(1) When the event occurs, the provider sends
the data to the Performance Logs And Alerts snap-in.
c. Defining a program that runs when a log is
stopped
d. Configuring additional settings for
automatic logging, such as automatic file renaming, and setting parameters
for stopping and starting a log based on the elapsed time or the file size
|13| 6. In Performance Logs And Alerts, you can
define settings for counter logs, trace logs, and alerts.
a. The detail pane of the console window
shows logs and alerts that you have created.
(1) You can define multiple logs or alerts to
run simultaneously.
(2) Each log or alert is a saved configuration
that you define.
(3) If you have configured the log for
automatic starting and stopping, a single log can generate many individual log
data files.
7. The columns in the detail pane provide
the following query summary information:
a. Name. Provides the name of the log or alert
b. Comment. Includes any descriptive information about the log or
alert
c. Log File Type. Contains the log-file format you define
d. Log File Name. Lists the path and base file name you defined for the
files generated by this log
(1) The base file name is used for
automatically naming new files.
8. To see the parameters defined for each log, select the
log file name in the detail pane and, from the Action menu, select Properties.
a. In the Properties dialog box that appears,
choose how to name your log files, determine when logging is scheduled to
occur, and decide which performance objects and counters you want to monitor in
your log.
(1) If a green data icon appears next to the
log or alert, a log is currently running and collecting data.
(2) If a red icon appears, the log or alert has
been defined but is not currently running.
3. Using the Shared Folders Snap-In
A. The Shared Folders snap-in in Windows 2000 lets you
1. Easily monitor access to network
resources
2. View sessions and open files
3. Disconnect users from shared folders
4. Send administrative messages to users
B. Three primary reasons why it is important to assess and manage
network resources
1. Maintenance. To perform maintenance
tasks on network resources, you might need to periodically make certain
resources unavailable to users.
a. You first have to determine which users
are currently accessing a resource so that you can notify them before taking
the resource offline.
2. Security. You might want to
monitor user access to confidential resources to verify that only authorized
users are accessing them and to maintain network security.
3. Planning. Meeting the expanding
needs of the network’s users requires that you determine how resources are
being used, so that you can plan for future system growth.
C. The Shared Folders snap-in is included as part of the Computer
Management console, which you can access from the Administrative Tools program
group.
1. As with any MMC snap-in, you can also add
the Shared Folders snap-in to a custom console and monitor the resources on the
local computer or on a remote computer.
|14| D. The Shared Folders snap-in appears in the MMC console with three folders, called Shares,
Sessions, and Open Files.
1. The Shares folder contains a list of all
the shares on the computer.
2. The Sessions folder lists the users who
are currently connected to the computer shares.
3. The Open Files folder lists the files
that the connected users are accessing.
E. Monitoring shared folders
1. You monitor access to shared folders to
determine how many users are currently connected to each shared folder on a
computer running Windows 2000.
2. You can also monitor open files to
determine which users are gaining access to the files.
a. You can disconnect users from one open
file or from all open files.
3. You use the Shares folder in the Shared
Folders snap-in to view a list of all shared folders on the computer and to
determine how many users have a connection to each folder.
|15| 4. On Slide 15, the Shares folder is
selected in the Computer Management scope pane, and all the shared folders on
the computer are listed in the detail pane.
5. The columns in the detail pane provide
the following information about each share on the computer:
a. Shared Folder. The shared folders on
the computer, using the names assigned to the folders when the shares were
created
b. Shared Path. The paths to the shared
folders on the host computer
c. Type. The operating system
that must be running on a computer so that it can gain access to the shared
folders
d. # Client Redirections. The number of clients
who have made a remote connection to the shared folders
e. Comment. Descriptive text about the
shared folders, using the information provided when the shares were created
F. Determining how many users can access a shared folder
concurrently
1. You can use the Shared Folders snap-in to
view and modify the maximum number of users who are permitted to access a
folder.
2. With the Shares folder selected in the
scope pane, select the shared folder for which you want to determine the
maximum number of concurrent users in the detail pane.
a. Then select Properties from the Action
menu to display the Properties dialog box for the shared folder.
b. The General tab in the Properties dialog
box contains a User Limit box in which you can impose a limit by selecting the
Allow option button and specifying a number of users in the Users selector.
G. Sharing a folder
1. You can use the Shared Folders snap-in to
share an existing folder or to create a new folder and share it.
a. The biggest advantage of this snap-in is that it lets
you create and share folders on other computers on the network.
|16| 2. To create a new shared folder using the
Shared Folders snap-in, you select the Shares folder in the scope pane, and
then select New File Share from the Action menu.
a. The Create Shared Folder Wizard appears.
3. When you use the Shared Folders snap-in
to create a share, Windows 2000 assigns the shared folder Full Control
permission to the Everyone group by default.
H. Monitoring user sessions
1. You can also use the Shared Folders
snap-in to monitor which users are currently accessing the shared folders on a
server from a remote computer.
2. You can disconnect users and send
administrative messages to computers and users, including computers and users
who are not currently accessing network resources.
a. This information enables you to determine
which users to contact when you need to stop sharing a folder or shut down the
server on which the shared folder resides.
b. You can disconnect one or more users in
order to free idle connections to the shared folder, to prepare for a backup or
restore operation, to shut down a server, or to change group membership and
permissions for the shared folder.
|17| 3. Use the Sessions folder in the Shared
Folders snap-in to view a list of the users with a current network connection
to the computer that you are monitoring.
4. The columns in the detail pane of the
Sessions folder provide the following information about each of the computer
connections:
a. User. The users with a current
network connection to the computer being monitored
b. Computer. The name of the user’s
computer
c. Type. The operating system
running on the user’s computer
d. Open Files. The number of files that
the user has open on the computer being monitored
e. Connected Time. The time that has
elapsed since the user established the current session
f. Idle Time. The time that has
elapsed since the user last gained access to a resource on the computer being
monitored
g. Guest. Whether this computer
authenticated the user as a member of the built-in Guest account
I. Disconnecting users
1. From the Sessions folder, you can
disconnect one or all of the currently connected users.
2. You might have to disconnect users to do
any of the following:
a. Cause changes to shared folder and NTFS file system permissions to take effect
immediately
(1) A connected user retains all permissions
for a shared resource that Windows 2000 assigned when the user connected to it.
(2) Windows 2000 evaluates the permissions
again the next time the user establishes a connection.
b. Free idle connections on a busy computer
so that other users can access the shared resources
(1) User connections to resources might remain
active for several minutes after a user finishes accessing the resource.
(2) Disconnecting user connections frees up the
connection immediately.
c. Shut down a server
3. Disconnecting a user session immediately
severs all access to the files on the connected share, including files that the
user currently has open.
a. You can also disconnect all the current
sessions at one time.
(1) To do this, select the Sessions folder in
the scope pane, and then select Disconnect All Sessions from the Action menu.
J. Sending administrative messages to users
1. Using the Shared Folders snap-in, you can
send administrative messages to one or more users or computers on the network.
2. To send an administrative message:
a. Select the Shared Folders icon in the
scope pane.
b. On the Action menu, point to All Tasks.
c. Select Send Console Message to open the
Send Console Message dialog box.
K. Monitoring open files
|18| 1. You can use the Open Files folder in the
scope pane of the Shared Folders snap-in to view a list of a shared folder’s
currently open files and find out which users are connected to them.
2. When you select the Open Files folder,
the columns in the detail pane provide the following information about each of
the files currently in use:
a. Open File. The name of the open
file on the computer
b. Accessed By. The logon name of the
user who has the file open
c. Type. The operating system
running on the computer where the user is logged on
d. # Locks. The number of locks on
the file. Programs can request the operating system to lock a file to gain
exclusive access and prevent other programs from changing it.
e. Open Mode. The type of access that
the user’s application requested when it opened the file, such as Read or Write
3. You can use the Open Files folder to
disconnect users from one open file or from all open files.
Chapter 14, Lesson 2
Monitoring Network Services
1. Monitoring DHCP Activity
A. The primary reason for monitoring DHCP activity is to ensure
that the Internet Protocol (IP) address scopes you have created are not being
depleted.
B. Viewing DHCP statistics
|19| 1. To view statistics for your DHCP server,
open the DHCP console from the Start menu’s Administrative Tools program group,
select the icon for your server in the scope pane, and then select Display
Statistics from the Action menu to open a Server Statistics dialog box.
2. By default, the information in the Server
Statistics dialog box is static.
a. You must click Refresh or configure the
DHCP console to automatically update the display.
3. Just because the Server Statistics dialog
box indicates that IP addresses are available for allocation does not mean that
the server is capable of assigning an address to any DHCP client on your
network.
a. The In Use and Available statistics refer
to all the DHCP server’s allocatable addresses, in all its scopes.
b. If all the available addresses are located
in one scope, clients on subnets serviced by the other scopes cannot obtain
addresses.
C. DHCP logging
1. Every DHCP server’s Properties dialog box also contains an
Enable DHCP Audit Logging check box, which causes the server to maintain a
daily log of DHCP activities.
a. The log files are located in the %systemroot%\System32\Dhcp folder and are
named DhcpSrvLog, with an extension consisting of the three-letter abbreviation
for the day of the week.
b. The logs are comma-delimited text files
in which each line is an entry denoting an event.
|20| (1) The fields on each line of a log are
listed on Slide 20.
D. Using DHCP performance counters
1. In addition to the Server Statistics
dialog box and the logs, installing DHCP on a computer running Windows 2000
Server also adds a series of specialized DHCP counters to the System Monitor
snap-in, which is accessible from the Performance console.
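The caveat in B.3 (an aggregate Available count can hide a scope that is already exhausted) and the comma-delimited audit log described in C can be checked together by replaying the log. The following Python is an added example, not part of the course material or of the DHCP service: it assumes the audit log’s data lines have the layout ID,Date,Time,Description,IP Address,Host Name,MAC Address and that event ID 14 means a scope’s address pool was exhausted; the log lines, scope ranges and host names are constructed.

```python
"""Replay a Windows 2000 DHCP audit log and report per-scope address usage."""
import csv
import ipaddress
from collections import Counter
from io import StringIO

# Assumed layout of the data lines in DhcpSrvLog-<Day>.log (an assumption,
# not taken from the course notes).
FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")

# Event IDs this example reacts to (assumed from the log's own header text).
EVENT_NAMES = {
    "00": "log started", "10": "new lease", "11": "lease renewed",
    "12": "lease released", "13": "address conflict", "14": "scope exhausted",
    "15": "lease denied",
}

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/27/00,08:00:02,Started,,,
10,03/27/00,08:01:10,Assign,192.168.1.10,WS01,00A0C9112233
10,03/27/00,08:01:15,Assign,192.168.1.11,WS02,00A0C9445566
11,03/27/00,08:05:00,Renew,192.168.1.10,WS01,00A0C9112233
10,03/27/00,08:06:21,Assign,192.168.2.10,WS03,00A0C9778899
12,03/27/00,08:09:40,Release,192.168.1.11,WS02,00A0C9445566
14,03/27/00,08:10:03,Scope Full,192.168.2.0,,
13,03/27/00,08:11:12,Conflict,192.168.1.12,,00A0C9AABBCC
"""

# Constructed scopes (first and last allocatable address); the real values
# come from the DHCP console, not from the log.
SCOPES = {
    "192.168.1.0/24": ("192.168.1.10", "192.168.1.19"),   # 10 addresses
    "192.168.2.0/24": ("192.168.2.10", "192.168.2.10"),   # 1 address
}


def parse_log(text):
    """Return one dict per data line; header and malformed lines are skipped."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS) or not row[0].isdigit():
            continue
        records.append(dict(zip(FIELDS, row)))
    return records


def scope_size(first, last):
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1


def scope_of(ip, scopes):
    addr = ipaddress.ip_address(ip)
    return next((n for n in scopes if addr in ipaddress.ip_network(n)), None)


def summarize(records, scopes):
    """Replay leases and releases per scope; flag IDs 13 and 14 for review."""
    leased = {name: set() for name in scopes}
    events = Counter()
    alerts = []
    for rec in records:
        events[rec["id"]] += 1
        scope = scope_of(rec["ip"], scopes) if rec["ip"] else None
        if rec["id"] in ("10", "11") and scope:       # lease granted or renewed
            leased[scope].add(rec["ip"])
        elif rec["id"] == "12" and scope:             # lease released
            leased[scope].discard(rec["ip"])
        elif rec["id"] in ("13", "14"):               # worth an operator's eye
            alerts.append(f"{rec['date']} {rec['time']} "
                          f"{EVENT_NAMES[rec['id']]}: {rec['ip']}")
    per_scope = {}
    for name, (first, last) in scopes.items():
        size = scope_size(first, last)
        per_scope[name] = {"size": size, "in_use": len(leased[name]),
                           "available": size - len(leased[name])}
    total = sum(s["size"] for s in per_scope.values())
    in_use = sum(s["in_use"] for s in per_scope.values())
    # The aggregate figures are what the Server Statistics dialog box shows;
    # the per-scope figures reveal a subnet whose clients can no longer lease.
    return {"events": dict(events), "scopes": per_scope,
            "aggregate": {"size": total, "in_use": in_use, "available": total - in_use},
            "exhausted": [n for n, s in per_scope.items() if s["available"] == 0],
            "alerts": alerts}


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), SCOPES)
    for name, s in report["scopes"].items():
        print(f"{name}: {s['in_use']}/{s['size']} in use")
    print("aggregate:", report["aggregate"], "exhausted:", report["exhausted"])
    for line in report["alerts"]:
        print("ALERT", line)
```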
2. Monitoring WINS Activity
A. WINS is a service that is largely self-sufficient—its core
functions rarely need monitoring.
1. However, in an environment where multiple
WINS servers coexist on the same network, it is important to make sure that the
replication between the servers proceeds as intended.
B. To view information about the ongoing operation of a WINS
server:
1. Open the WINS console from the
Administrative Tools program group in the Start menu.
2. Select the icon for your WINS server in
the scope pane.
3. Choose Display Server Statistics from the
Action menu to open a WINS Server Statistics dialog box.
|21| a. The information supplied in the WINS
Server Statistics dialog box (shown on Slide 21) is listed in the textbook on
pages 565–67.
(1) This information does not change unless you
click Refresh to update it or configure the WINS console to update it
automatically.
C. You can also track WINS activities by configuring the server to
log the events that occur.
1. Unlike DHCP, WINS can save its log
information to the Windows 2000 system log, viewable in the Event Viewer
console.
3. Monitoring DNS Activity
A. The DNS Server service included with Windows 2000 differs from
the DHCP and WINS servers in that it has its own separate log that appears in
the Event Viewer console.
1. Any errors that occur are easily visible
from the Event Viewer console, along with informational messages about the
service’s ongoing activities.
|22| 2. The DNS Server service also can maintain
an additional log that you can use for debugging purposes.
a. This alternate log is a simple text file
stored in the %systemroot%\System32\Dns
folder with the name Dns.log.
4. Monitoring RRAS Activity
A. The Routing And Remote Access console has a variety of screens
that display information about the RRAS service’s ongoing activities.
1. You can use the Routing And Remote Access
console to manage the RRAS service on multiple servers.
a. This is a quick way to check on port
availability on all your servers.
|23| b. To do this, select the Server Status icon
in the console’s scope pane.
(1) This displays a list of the servers you
have added to the console, along with the current state of each one, the number
of ports on the server, and the number of ports that are currently in use.
2. To display information about the
individual ports on a RRAS server, you can select the Ports icon in the scope
pane, which causes a list of the ports on the computer to appear in the detail
pane.
a. Select a port and select Status from the
Action menu to open a Port Status dialog box.
3. To display information about the RRAS
service’s routing activities, you can expand a server icon to display the IP
Routing icon.
|24| a. Select General under IP Routing, and then
select Show TCP/IP Information from the Action menu to display the TCP/IP
Information window.
B. Monitoring routing protocols
1. If you run dynamic routing protocols such
as the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF)
on your RRAS server, you can use additional information windows to monitor the
activities of the protocols.
C. RRAS logging
1. RRAS maintains its own logs, and you can
configure the amount of information that the service stores in the logs.
2. Every server listed in the Routing And
Remote Access console has a folder called Remote Access Logging beneath it,
with one Local File entry.
a. The Local File entry specifies the
location of the log, which by default is in the %systemroot%\System32\Log Files folder.
b. To configure logging for the entire RRAS
server, you open the Properties dialog box for the server, and then select the
Event Logging tab.
3. In addition to the global logging options
in the Event Logging tab, you can also configure each individual log by
selecting it in the Remote Access Logging folder and selecting Properties from
the Action menu to display the Properties dialog box.
5. Monitoring IPsec Activity
A. To monitor the activities of the Internet Protocol security (IPsec)
extensions on a computer running Windows 2000, you can check the system log in
Event Viewer for IPsec-related events.
1. There is also an IP Security Monitor tool
included with Windows 2000 that displays more detailed information.
a. The program is called Ipsecmon.exe and is
located in the %systemroot%\System32
folder.
Chapter 14, Lesson 3
Using Network Monitor
1. Overview of Network Monitor
A. Network Monitor tracks network activity by capturing network
traffic.
1. The version of Network Monitor included
with Windows 2000 Server can monitor traffic transmitted only to or from the
computer on which it is running.
2. To monitor traffic passing between other
computers on the network or on remote networks, you must use the version of
Network Monitor that ships with Microsoft Systems Management Server (SMS)
version 1.2 or 2.0.
B. SMS Network Monitor monitors the network data stream, which
consists of all information transferred over a network at any given time.
1. Prior to transmission, this information
is divided by the network software into smaller pieces, called frames or
packets.
2. The process by which Network Monitor
copies frames is called capturing.
a. You can use Network Monitor to capture all
local network traffic or you can single out a subset of frames to be captured.
3. After you have captured data, you can
view it in the Network Monitor user interface.
a. Network Monitor does much of the data
analysis for you by translating the raw captured data into its logical frame
structure.
b. Network Monitor also displays overall
network segment statistics.
C. Network Monitor security
1. Security is one of the reasons Windows
2000 Network Monitor captures only the frames sent to or from the local
computer, including broadcast and multicast frames.
2. The ability to capture and analyze the
packets on the network means that the program can read the data carried within
the packets, which contains passwords and other sensitive information.
3. Network Monitor uses a Network Device
Interface Specification (NDIS) feature to copy all the frames leaving and
arriving at the network interface adapter to its capture buffer, a resizable
storage area in memory.
2. Installing Network Monitor Tools
A. The Windows 2000 Network Monitor tools include both the Network
Monitor console and the Network Monitor driver.
B. To install the Network Monitor tools from Control Panel:
1. Click Start, point to Settings, and then
select Control Panel.
2. Double-click the Add/Remove Programs
icon.
3. Click Add/Remove Windows Components to
start the Windows Components Wizard.
4. In the Components list, select Management
And Monitoring Tools, and then click Details.
5. Select Network Monitor Tools, and then
click OK.
6. Click Next to perform the installation.
a. You might be prompted to insert your
Windows 2000 installation CD-ROM into the CD-ROM drive.
7. Click Finish to close the wizard and
complete the installation.
3. Capturing Frame Data
A. To capture frame data, open Network Monitor and, from the
Capture menu, select Start.
1. As frames are captured from the network,
statistics about the frames are displayed in the Network Monitor Capture
window.
4. Using Capture Filters
A. Network Monitor often captures thousands of packets in only a
few minutes.
1. Sometimes the most difficult part of
analyzing network traffic is locating the packets that are significant to you.
2. For this reason, Network Monitor includes
an extensive system of capture filters that enable you to specify the types of
network information you want to monitor.
|25| 3. To design a capture filter, open the
Capture Filter dialog box.
a. In Network Monitor’s Capture window, on
the Capture menu, select Filter, click the funnel toolbar icon, or press F8.
(1) The dialog box displays the decision tree
of a filter, which is a graphical representation of the filter’s logic.
(2) When you include or exclude information
from your capture specifications, the decision tree reflects these
specifications.
B. Filtering by protocol
1. To capture frames that use a specific
protocol, specify the protocol on the SAP/ETYPE = line of the capture filter.
C. Filtering by address
1. To capture frames from specific computers
on your network, specify one or more address pairs in a capture filter.
2. You can monitor up to four specific
address pairs simultaneously.
a. An address pair consists of the following:
(1) The addresses of the two computers between
which you want to monitor traffic
(2) Arrows that specify the traffic direction
you want to monitor
(3) The Include or Exclude statement,
indicating how Network Monitor should respond to a frame that meets the
specifications of a filter
3. Regardless of the sequence in which
statements appear in the Capture Filter dialog box, Exclude statements are
evaluated first.
a. If a frame meets the criteria specified in
an Exclude statement in a filter containing both an Exclude and Include
statement, that frame is discarded.
b. Network Monitor does not test the excluded
frame with Include statements to see whether it also meets those criteria.
D. Filtering by data pattern
1. By specifying a pattern match in a
capture filter, you can do the following:
a. Limit a capture to only those frames
containing a specific pattern of ASCII (American
Standard Code for Information Interchange) or hexadecimal data
b. Specify the offset (the number of bytes into the
frame) at which the pattern must occur
2. When you filter frames based on a pattern
match at a specific point in the data, you must specify where the pattern
occurs in the frame: how many bytes from the start of the frame, or how many
bytes from the end of the topology header.
a. If your network medium uses variable-length
frame headers, count the offset from the end of the topology header rather than
from the start of the frame; otherwise a pattern that always sits at the same
position in the payload is found in some frames and missed in others.
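The capture-filter rules above (one SAP/ETYPE line, at most four address pairs with direction arrows and Include/Exclude statements, Exclude evaluated first regardless of order, and pattern matches at an offset from the start of the frame or from the end of the topology header) modelled in Python as an added example. This is not Network Monitor's code; the Ethernet II frames, MAC addresses, payloads, and the 802.1Q tag used to produce an 18-byte topology header are all constructed for the demonstration, and None stands in for the dialog's ANY address.

```python
"""Model of Network Monitor capture-filter evaluation (added example)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETYPE_IP, ETYPE_ARP, VLAN_TPID = 0x0800, 0x0806, 0x8100


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, etype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """dst(6) src(6) [802.1Q tag(4)] ethertype(2) payload. The optional tag
    (an assumption for the demo) makes the topology header 18 bytes, not 14."""
    header = mac(dst) + mac(src)
    if vlan is not None:
        header += struct.pack("!HH", VLAN_TPID, vlan)
    return header + struct.pack("!H", etype) + payload


def topology_header_len(frame: bytes) -> int:
    return 18 if struct.unpack("!H", frame[12:14])[0] == VLAN_TPID else 14


def ethertype(frame: bytes) -> int:
    end = topology_header_len(frame)
    return struct.unpack("!H", frame[end - 2:end])[0]


def _eq(wanted: Optional[bytes], actual: bytes) -> bool:
    return wanted is None or wanted == actual      # None stands for ANY


@dataclass
class AddressPair:
    a: Optional[bytes]
    b: Optional[bytes]
    direction: str = "<->"      # "->" a to b, "<-" b to a, "<->" either way
    include: bool = True        # Include or Exclude statement

    def matches(self, frame: bytes) -> bool:
        dst, src = frame[0:6], frame[6:12]
        fwd = _eq(self.a, src) and _eq(self.b, dst)
        rev = _eq(self.b, src) and _eq(self.a, dst)
        return {"->": fwd, "<-": rev, "<->": fwd or rev}[self.direction]


@dataclass
class PatternMatch:
    pattern: bytes
    offset: int                 # the dialog box takes this value in hex
    from_header_end: bool = False

    def matches(self, frame: bytes) -> bool:
        base = topology_header_len(frame) if self.from_header_end else 0
        start = base + self.offset
        return frame[start:start + len(self.pattern)] == self.pattern


@dataclass
class CaptureFilter:
    etypes: Optional[set] = None                  # SAP/ETYPE line; None = any
    pairs: List[AddressPair] = field(default_factory=list)
    patterns: List[PatternMatch] = field(default_factory=list)

    def __post_init__(self):
        if len(self.pairs) > 4:
            raise ValueError("capture filters allow at most four address pairs")

    def accepts(self, frame: bytes) -> bool:
        if self.etypes is not None and ethertype(frame) not in self.etypes:
            return False
        # Exclude statements are evaluated first, whatever their order
        if any(p.matches(frame) for p in self.pairs if not p.include):
            return False
        includes = [p for p in self.pairs if p.include]
        if includes and not any(p.matches(frame) for p in includes):
            return False
        return all(pm.matches(frame) for pm in self.patterns)


A, B, C = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
FRAMES = [                                                  # constructed samples
    build_frame(B, A, ETYPE_IP, b"GET /index.html"),        # 0: A -> B
    build_frame(A, B, ETYPE_IP, b"HTTP/1.0 200 OK"),        # 1: B -> A
    build_frame(C, A, ETYPE_ARP, b"\x00\x01\x08\x00"),      # 2: A -> C (ARP)
    build_frame(A, C, ETYPE_IP, b"GET /secret", vlan=100),  # 3: C -> A, tagged
    build_frame(C, B, ETYPE_IP, b"GET /other"),             # 4: B -> C
]


def demo():
    """IP traffic involving A except anything involving C; then the same
    'GET ' pattern anchored from the header end and from the frame start."""
    flt = CaptureFilter(etypes={ETYPE_IP}, pairs=[
        AddressPair(mac(A), None, "<->", include=True),     # A <-> ANY
        AddressPair(mac(C), None, "<->", include=False),    # EXCLUDE C <-> ANY
    ])
    kept = [i for i, f in enumerate(FRAMES) if flt.accepts(f)]
    by_header = [i for i, f in enumerate(FRAMES)
                 if PatternMatch(b"GET ", 0, from_header_end=True).matches(f)]
    by_start = [i for i, f in enumerate(FRAMES)
                if PatternMatch(b"GET ", 14).matches(f)]
    return kept, by_header, by_start


if __name__ == "__main__":
    print(demo())
```

demo() returns ([0, 1], [0, 3, 4], [0, 4]): frame 3 is discarded by the Exclude statement even though it also satisfies the Include statement, and the 'GET ' pattern that is found in frames 0, 3 and 4 when counted from the end of the topology header misses frame 3 when counted 14 bytes from the start of the frame, because the tag shifts the payload.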
5. Displaying
Captured Data
A. To simplify the packet analysis process, Network Monitor
interprets the raw data collected during the capture and displays it in the
Capture Summary window.
1. You can open the Capture Summary window in
one of two ways:
a. While a capture is running, choose Stop And
View from the Capture menu to stop the capture and display the frames in the
buffer.
b. Open a previously saved capture file (a file with the .cap
extension).
2. If you have stopped a capture, you can
view the data in the Capture Summary window by selecting Display Captured Data
from the Capture menu, by clicking the glasses toolbar icon, or by pressing
F12.
B. Using display filters
1. You can use a display filter to specify
which frames in a captured sample of network traffic you want to display.
a. Like a capture filter, a display filter
enables you to single out specific types of information.
b. Because a display filter operates on data
that has already been captured, it does not affect the contents of the Network
Monitor capture buffer.
2. You
can filter the display of captured data using the following criteria:
a. The source or destination address of the
frame
b. The protocols used to construct the frame
c. The contents of the protocol header and
footer fields in the frame
3. The Capture Summary window must be active
in Network Monitor for the Display Filter dialog box to appear.
|26| a. Slide 26 shows the Display Filter dialog
box, which you open from the Capture Summary window by selecting Filter from the
Display menu, pressing F8, or clicking the funnel toolbar icon.
4. To create a display filter, specify
Decision statements in the Display Filter dialog box.
a. Information in the Display Filter dialog
box is in the form of a decision tree, which is a graphical representation of a
filter’s logic.
b. When you modify display filter
specifications, the decision tree reflects these modifications.
c. You must click OK to save the specified
Decision statement and add it to the decision tree before adding another
Decision statement.
5. Although capture filters are limited to
four address filter expressions, display filters are not.
a. With display filters, you can also use
AND, OR, and NOT logic.
6. To display only those frames generated by
a specific protocol, edit the Protocol line in the Display Filter dialog box.
a. The values in a protocol's header and footer
fields define what each frame is for, so you can also filter on those field
values (a particular port number or flag, for example).
b. Because protocols serve different purposes,
the fields available for filtering and their meanings differ from one protocol
to another.
7. To display only those frames sent from or to
a specific computer, edit the ANY <-> ANY line in the Display
Filter dialog box.
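The display-filter decision tree described in B above, modelled in Python as an added example (not Network Monitor's code): Decision statements for addresses, protocols and header-field properties, combined with AND, OR and NOT branches, evaluated over frames that are already in the capture buffer without altering that buffer, and with more than four address expressions to show that the capture-filter limit does not apply. The frames are constructed dicts standing in for decoded frames, and the property names (tcp_dst_port and so on) are assumptions for the demonstration.

```python
"""Display-filter decision tree over a captured buffer (added example)."""
import operator
from dataclasses import dataclass
from typing import Any, List


class Node:
    """One Decision statement or branch of the decision tree."""
    def evaluate(self, frame: dict) -> bool:
        raise NotImplementedError

    def label(self) -> str:
        raise NotImplementedError

    def render(self, depth: int = 0) -> str:   # text form of the dialog's tree
        return "  " * depth + self.label()


@dataclass
class Address(Node):
    a: str
    b: str = "ANY"
    direction: str = "<->"

    def evaluate(self, f):
        def eq(want, got):
            return want == "ANY" or want == got
        fwd = eq(self.a, f["src"]) and eq(self.b, f["dst"])
        rev = eq(self.b, f["src"]) and eq(self.a, f["dst"])
        return {"->": fwd, "<-": rev, "<->": fwd or rev}[self.direction]

    def label(self):
        return f"{self.a} {self.direction} {self.b}"


@dataclass
class Protocol(Node):
    names: set

    def evaluate(self, f):
        return f["protocol"] in self.names

    def label(self):
        return "Protocol == " + ", ".join(sorted(self.names))


@dataclass
class Property(Node):
    """A header/footer field comparison; fields differ per protocol, so a
    frame without the field simply does not match."""
    name: str
    op: str
    value: Any
    OPS = {"==": operator.eq, "!=": operator.ne,
           ">": operator.gt, "<": operator.lt}

    def evaluate(self, f):
        return self.name in f["props"] and \
            self.OPS[self.op](f["props"][self.name], self.value)

    def label(self):
        return f"{self.name} {self.op} {self.value}"


@dataclass
class Branch(Node):
    children: List[Node]
    word = "AND"

    def render(self, depth=0):
        lines = ["  " * depth + self.word]
        return "\n".join(lines + [c.render(depth + 1) for c in self.children])


class And(Branch):
    word = "AND"

    def evaluate(self, f):
        return all(c.evaluate(f) for c in self.children)


class Or(Branch):
    word = "OR"

    def evaluate(self, f):
        return any(c.evaluate(f) for c in self.children)


class Not(Branch):
    word = "NOT"

    def evaluate(self, f):
        return not self.children[0].evaluate(f)


def apply_display_filter(buffer: List[dict], tree: Node) -> List[dict]:
    """Selects the frames to show; the buffer itself is not modified."""
    return [f for f in buffer if tree.evaluate(f)]


def frame(n, src, dst, proto, **props):
    return {"n": n, "src": src, "dst": dst, "protocol": proto, "props": props}


BUFFER = [                                           # constructed sample capture
    frame(0, "A", "B", "TCP", tcp_dst_port=80),
    frame(1, "B", "A", "TCP", tcp_dst_port=1025),
    frame(2, "A", "C", "UDP", udp_dst_port=53),
    frame(3, "D", "E", "TCP", tcp_dst_port=139),
    frame(4, "F", "A", "TCP", tcp_dst_port=445),
    frame(5, "E", "A", "ICMP"),
]


def demo():
    """TCP between any of five address pairs, except frames to port 80."""
    tree = And([
        Or([Address("A", "B"), Address("A", "C"), Address("A", "D"),
            Address("A", "E"), Address("D", "E")]),   # five pairs, no limit
        Protocol({"TCP"}),
        Not([Property("tcp_dst_port", "==", 80)]),
    ])
    shown = apply_display_filter(BUFFER, tree)
    return [f["n"] for f in shown], len(BUFFER)


if __name__ == "__main__":
    print(demo())
```

demo() returns ([1, 3], 6): frames 1 and 3 are displayed, the buffer still holds all six frames, and tree.render() prints the same nested AND/OR/NOT layout the Display Filter dialog box shows.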
6. Network
Monitor Performance Issues
A. Network Monitor creates a memory-mapped file for its capture
buffer.
1. For best results, make sure you create a
capture buffer large enough to accommodate the traffic you need.
2. In addition, although you cannot change the
size of the frames on the network, you can configure Network Monitor to store
only the first part of each frame, thereby reducing wasted capture buffer space.
a. For example, if you are interested only in the
data in the frame headers, set the frame size (in bytes) to the length of the
headers.
(1) Network Monitor then discards the rest of each
frame (everything beyond the configured length) as it stores the frames in the
capture buffer.
3. Running Network Monitor in dedicated capture
mode is a way to reduce the system resources the program needs while it is
capturing.
a. To use this mode, from the Capture menu,
select Dedicated Capture Mode; Network Monitor then captures without refreshing
the statistics display.
b. Use this strategy if frames are being dropped
rather than captured, a sign that the capture is not keeping up with the traffic.