Q1. Should I Run Network Monitor On The Client, The Server, Or Both? What If The Client And Server Are The Same Computer?
Usually, when client and server applications are on the same computer, there is no network traffic. Thus, you cannot use Network Monitor to understand what is happening between the applications.
When you are troubleshooting HTTP or other text-based protocols, if you have two computers, and the client is getting back unexpected results, run Network Monitor on the server to see if the server is sending the correct data.
You may need to trace on both the client and server if a firewall or intranet is causing network problems. In this scenario, you can compare traces more efficiently if you use the Net Time command to synchronize the system time on the computers.
If you have three computers that communicate in a three-tier architecture, you can run Network Monitor on the middle tier because all traffic crosses that computer.
Q2. Can Capture And Display Filters Be Saved As The Default?
To save a Capture or Display filter as the default, you must write over the existing file. The default Display filter file is named Default.df, and the default Capture filter file is named Default.cf. These files are usually located in the WinNT/System32/Netmon/Captures/ folder.
Alternatively, you can save and load various filter files as needed from within Network Monitor. To do this, click Load on the Capture Filter or Display Filter dialog box.
Q3. Where Do I Get The Network Monitor Tool?
There are two versions of Network Monitor. The full version is shipped with Microsoft Systems Management Server (SMS). A “lite” version is included with Windows NT Server and Windows 2000 Server and contains a subset of the features that are available in the full version.
Q4. Can The User Run Other Applications While Network Monitor Is Capturing Or Filtering The Network Traffic?
Yes, the overhead of NetMon is minimal, and other applications should not be impacted by Network Monitor.
Q5. Which Version Should I Use?
It depends on what kind of traffic you need to capture. Both versions of Network Monitor can capture traffic that is sent to or from the host computer (the computer that is running NetMon), including broadcasts and traffic over a dial-up network connection. The full version of Network Monitor also allows you to capture and display any frames from the network segment on which the computer that is running NetMon resides, regardless of whether they are addressed to the host computer.
Q6. What If The Network Adapter Card Does Not Support Promiscuous Mode? What Is Promiscuous Mode Anyway?
Promiscuous mode is a state in which a network adapter card copies all the frames that pass over the network to a local buffer, regardless of the destination address. This mode enables Network Monitor to capture and display all network traffic.
To use Network Monitor, your computer must have a network card that supports promiscuous mode. If you are using Network Monitor Agent on a remote computer, the local workstation does not need a network adapter card that supports promiscuous mode, but the remote computer does.
Q7. What Is The Difference Between The Network Monitor Agent And Network Monitor Tools And Agent?
The two primary components of Network Monitor are the Network Monitor Agent and the user interface. The Network Monitor Agent monitors the network and passes traffic up to the “program” (the user interface). The Network Monitor Agent can run on any compatible computer while the program is running on a separate computer.
A computer can only see network traffic that passes across its network segment. Thus, it can be helpful to have a Network Monitor Agent running on the network segment where the problem is occurring, while the Network Monitor user interface runs from (for example) the local area network (LAN) Administrator’s computer on a different network segment. The LAN Administrator can then manage the capture and view the captured data from his or her computer, even though the LAN Administrator is not on the segment where the problem is occurring.
Q8. What Security Risks Are Introduced By The Use Of Network Monitor?
Network Monitor is a “sniffer”: it captures frames from the network so that you can diagnose problems. Because you can analyze traffic at the frame level, all non-encrypted data is visible in a trace. For example, when you use Microsoft Internet Information Server (IIS) with Basic Authentication, the password is passed as clear text and can be read in a Network Monitor trace.
Q9. What Is The Difference Between A Media Access Control Address And An IP Address? How Can I Distinguish One From Another?
- A media access control (MAC) address is a unique, 12-digit (48-bit) hexadecimal number that the network interface card (NIC) manufacturer “burns into” a computer’s network interface card. On some cards, software can override this number, but the number remains burned into the card. MAC addresses are also referred to as “Hardware Addresses” and “Universally Administered Addresses” (UAAs). When they are overridden, MAC addresses are called “Locally Administered Addresses” (LAAs).
- The media access control layer is the lowest layer of the network model that contains address information. All frames on a local area network contain a MAC address, regardless of the network protocol in the frame. The same cannot be said about Internet Protocol (IP) addresses, which reside at a higher layer of the network model. Non-IP traffic, such as traffic that uses the Novell IPX/SPX protocol, has a MAC address but not an IP address.
- An IP address is a 32-bit address that should be unique across a Transmission Control Protocol/Internet Protocol (TCP/IP) network. IP addresses are usually represented in dotted-decimal notation, which depicts each octet (eight bits) of an IP address as its decimal value and separates each octet with a period.
Q10. How Does A Disconnect Appear In A Netmon Trace?
A TCP connection can be ended in one of two ways. A “graceful” close uses the TCP FIN flag to show that the sender has no more data to send. An “abortive” close uses the TCP RST flag, which resets the session immediately.
Q11. What Is A Three-way Handshake?
Before any data can be transmitted through the TCP protocol, a reliable connection must be established. A “three-way handshake” is the process that TCP uses to establish this connection.
This process cannot be thoroughly described within the context of this article. Briefly, three frames identify a three-way handshake. In the first frame, Computer1 sends a frame to Computer2 with the TCP SYN flag set. In the second frame, Computer2 sends a frame back to Computer1 with both the SYN and ACK flags set. In the third frame, Computer1 sends a frame to Computer2 with the ACK flag set. Any two computers exchange these three packets every time they set up a TCP connection.
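The following is an added example (not part of the original article) that shows, in Python, the fields Q9 through Q11 talk about as they appear in raw frame bytes: it builds a few Ethernet II / IPv4 / TCP frames, extracts the 48-bit MAC and 32-bit IP addresses, recognizes the SYN, SYN+ACK, ACK sequence of a three-way handshake, and classifies a disconnect as graceful (FIN) or abortive (RST). The addresses, ports and frames are constructed for the example; the field offsets are the standard header layouts, and checksums are left at zero because they are not needed to read the headers.

```python
"""Added example: parse the Ethernet/IPv4/TCP headers that Network Monitor shows,
tell MAC from IP addresses, spot a three-way handshake, classify a disconnect."""
import re
import struct

ETH_TYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
CTRL_MASK = TCP_FIN | TCP_SYN | TCP_RST | TCP_ACK


def address_kind(text: str) -> str:
    """Distinguish a 12-hex-digit MAC address from a dotted-decimal IPv4 address."""
    octets = text.split(".")
    if len(octets) == 4 and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return "ipv4"
    digits = re.sub(r"[-:]", "", text)
    if len(digits) == 12 and all(c in "0123456789abcdefABCDEF" for c in digits):
        return "mac"
    return "unknown"


def format_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)      # 6 bytes -> "00-11-22-33-44-55"


def format_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)          # 4 bytes -> "10.0.0.10"


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Construct a minimal 54-byte Ethernet II + IPv4 + TCP frame (no payload, zero checksums)."""
    eth = struct.pack("!6s6sH", bytes.fromhex(re.sub(r"[-:]", "", dst_mac)),
                      bytes.fromhex(re.sub(r"[-:]", "", src_mac)), ETH_TYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IP_PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Walk the headers bottom-up: MAC addresses always exist, IP/TCP fields only if present."""
    dst_mac, src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    rec = {"src_mac": format_mac(src_mac), "dst_mac": format_mac(dst_mac), "eth_type": eth_type}
    if eth_type != ETH_TYPE_IPV4:
        return rec                       # e.g. IPX: MAC addresses present, no IP header
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes, options included
    rec.update(src_ip=format_ip(ip[12:16]), dst_ip=format_ip(ip[16:20]), ip_proto=ip[9])
    if ip[9] != IP_PROTO_TCP:
        return rec
    tcp = ip[ihl:]
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", tcp[:14])
    rec.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, flags=offset_flags & 0x01FF)
    return rec


def flag_names(flags: int) -> list:
    return [n for n, bit in (("FIN", TCP_FIN), ("SYN", TCP_SYN), ("RST", TCP_RST), ("ACK", TCP_ACK))
            if flags & bit]


def is_three_way_handshake(a: dict, b: dict, c: dict) -> bool:
    """Frame 1: SYN from client; frame 2: SYN+ACK back to it; frame 3: ACK from client."""
    if any("flags" not in r for r in (a, b, c)):
        return False
    fwd = (a["src_ip"], a["src_port"], a["dst_ip"], a["dst_port"])
    back = (b["src_ip"], b["src_port"], b["dst_ip"], b["dst_port"])
    same_conn = back == (fwd[2], fwd[3], fwd[0], fwd[1]) and \
        (c["src_ip"], c["src_port"], c["dst_ip"], c["dst_port"]) == fwd
    return same_conn and (a["flags"] & CTRL_MASK) == TCP_SYN \
        and (b["flags"] & CTRL_MASK) == (TCP_SYN | TCP_ACK) \
        and (c["flags"] & CTRL_MASK) == TCP_ACK


def close_type(rec: dict):
    """'abortive' for RST, 'graceful' for FIN, None if the frame does not end the session."""
    flags = rec.get("flags", 0)
    if flags & TCP_RST:
        return "abortive"
    if flags & TCP_FIN:
        return "graceful"
    return None


# Constructed sample: Computer1 (10.0.0.10) opens a connection to port 80 on Computer2 (10.0.0.20).
C1 = ("00-11-22-33-44-55", "10.0.0.10")
C2 = ("00-AA-BB-CC-DD-EE", "10.0.0.20")


def sample_handshake() -> list:
    frames = [
        build_tcp_frame(C1[0], C2[0], C1[1], C2[1], 1025, 80, TCP_SYN, seq=100),
        build_tcp_frame(C2[0], C1[0], C2[1], C1[1], 80, 1025, TCP_SYN | TCP_ACK, seq=300, ack=101),
        build_tcp_frame(C1[0], C2[0], C1[1], C2[1], 1025, 80, TCP_ACK, seq=101, ack=301),
    ]
    return [parse_frame(f) for f in frames]


if __name__ == "__main__":
    recs = sample_handshake()
    for r in recs:
        print(r["src_mac"], r["src_ip"], "->", r["dst_ip"], flag_names(r["flags"]))
    print("three-way handshake:", is_three_way_handshake(*recs))
```

Reading the parsed records in order is exactly what you do in a NetMon trace: the three frames with SYN, SYN+ACK and ACK mark the start of a connection, and a later frame from either side carrying FIN or RST tells you whether the disconnect was graceful or abortive.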
Q12. How Does Network Monitor Interpret The Protocols In A Trace That Has Been Captured?
Network Monitor includes protocol parsers that inspect key fields within the raw data to interpret some of the most common protocols. As new standards and implementations evolve, there will be certain protocols for which NetMon does not contain parsers. Individuals can write parsers for these protocols, or other companies may write some of these parsers (which can be found on the Internet). Some additional parsers are included in the Microsoft Resource Kits.
Q13. What Is The Difference Between A Capture Filter And A Display Filter?
Before you run the Capture, you can set up a Capture filter to determine which frames are stored in the buffer. After the data is stored, you can set up a Display filter to further focus attention on a particular set of frames.
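An added example, not from the original article, modelling the two filtering stages of Q13 in Python, and using the Basic Authentication exposure from Q8 as the display filter. A capture filter decides which frames enter a fixed-size capture buffer at all; a display filter is applied afterwards to frames already in the buffer and can be changed without recapturing. The frame records, buffer size, and the rule that a full buffer simply drops further frames are constructed assumptions for the example, not Network Monitor's actual buffer handling.

```python
"""Added example: capture filter (before storage) versus display filter (after storage)."""

# Constructed frame summaries, in the order they would arrive on the wire.
# Frame 5 is the HTTP request whose cleartext credential Q8 warns about; the
# Basic value is a constructed placeholder ("demo:demo"), not a real credential.
SAMPLE_STREAM = [
    {"no": 1, "proto": "ARP", "src": "10.0.0.5", "dst": "broadcast"},
    {"no": 2, "proto": "ARP", "src": "10.0.0.6", "dst": "broadcast"},
    {"no": 3, "proto": "UDP", "src": "10.0.0.7", "dst": "10.0.0.255", "sport": 137, "dport": 137},
    {"no": 4, "proto": "IPX", "src": "00-11-22-33-44-77", "dst": "FF-FF-FF-FF-FF-FF"},
    {"no": 5, "proto": "TCP", "src": "10.0.0.10", "dst": "10.0.0.20", "sport": 1025, "dport": 80,
     "payload": "GET /secure/ HTTP/1.0\r\nAuthorization: Basic ZGVtbzpkZW1v\r\n\r\n"},
    {"no": 6, "proto": "TCP", "src": "10.0.0.20", "dst": "10.0.0.10", "sport": 80, "dport": 1025,
     "payload": "HTTP/1.0 200 OK\r\n\r\n"},
]


def capture(stream, capture_filter=None, buffer_frames=4):
    """Run a capture: only frames passing the capture filter are stored, and once the
    buffer is full, later frames are dropped (assumed simplification of the real buffer)."""
    buffer = []
    for frame in stream:
        if capture_filter is not None and not capture_filter(frame):
            continue
        if len(buffer) >= buffer_frames:
            break
        buffer.append(frame)
    return buffer


def display(buffer, display_filter):
    """Apply a display filter to an existing buffer; the buffer itself is untouched."""
    return [f for f in buffer if display_filter(f)]


def tcp_on_port(port):
    return lambda f: f.get("proto") == "TCP" and port in (f.get("sport"), f.get("dport"))


def has_cleartext_basic_auth(frame):
    """Detection rule: an HTTP request carrying Basic credentials is readable in the trace."""
    return "Authorization: Basic" in frame.get("payload", "")


def run_scenarios():
    # No capture filter: the 4-frame buffer fills with broadcast noise and the HTTP
    # exchange never makes it into the buffer, so no display filter can recover it.
    unfiltered = capture(SAMPLE_STREAM, None, buffer_frames=4)
    # Capture filter on TCP port 80: only the HTTP exchange is stored, leaving room.
    filtered = capture(SAMPLE_STREAM, tcp_on_port(80), buffer_frames=4)
    return {
        "unfiltered_frames": [f["no"] for f in unfiltered],
        "unfiltered_http": [f["no"] for f in display(unfiltered, tcp_on_port(80))],
        "filtered_frames": [f["no"] for f in filtered],
        # Two different display filters over the same stored buffer, no recapture needed.
        "cleartext_auth": [f["no"] for f in display(filtered, has_cleartext_basic_auth)],
        "server_replies": [f["no"] for f in display(filtered, lambda f: f.get("sport") == 80)],
    }


if __name__ == "__main__":
    for name, frames in run_scenarios().items():
        print(f"{name}: frames {frames}")
```

The lesson is the one Q13 states: a capture filter is irreversible for that capture (frames it rejects, or that arrive after the buffer fills, are gone), while a display filter can be tightened or relaxed at will over what was stored.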