Network Monitor

Unlike System Monitor, which is used to monitor anything from hardware to software, Network Monitor focuses exclusively on network activity. To understand the traffic and behavior of your network components, install and use Network Monitor.

Network Monitor Features

Network administrators use Microsoft Windows 2000 Network Monitor to view and detect problems on local area networks (LANs). For example, as a network administrator, you can use Network Monitor to diagnose hardware and software problems when two or more computers cannot communicate. You can also copy a log of network activity into a file and then send the file to a professional network analyst or support organization.

Network application developers can use Network Monitor to monitor and debug network applications as they are developed.

Network Monitor monitors the network data stream which consists of all information transferred over a network at any given time. Prior to transmission, this information is divided by the network software into smaller pieces, called frames ** or packets. Each frame contains:

  • The source address of the computer that sent the message.

  • The destination address of the computer that received the frame.

  • Headers from each protocol used to send the frame.

  • The data or a portion of the information being sent.

The process by which Network Monitor copies frames is referred to as capturing. You can use Network Monitor to capture all local network traffic or you can single out a subset of frames to be captured. You can also make a capture respond to events on your network. For example, you can make the network start an executable file when Network Monitor detects a particular set of conditions on the network.

After you have captured data, you can view it in the Network Monitor user interface. Network Monitor does much of the data analysis for you by translating the raw capture data into its logical frame structure.

For security reasons, Windows 2000 Network Monitor captures only those frames, including broadcast and multicast frames, sent to or from the local computer. Network Monitor also displays overall network segment statistics for broadcast frames, multicast frames, network utilization, total bytes received per second, and total frames received per second.

In addition, to help protect your network from unauthorized use of Network Monitor installations, Network Monitor can detect other installations of Network Monitor that are running on the local segment of your network. Network Monitor also detects all instances of the Network Monitor driver being used remotely (by either Network Monitor from Systems Management Server or the Network Segment object in System Monitor) to capture data on your network.

When Network Monitor detects other Network Monitor installations running on the network, it displays the following information:

  • The name of the computer

  • The name of the user logged on at the computer

  • The state of Network Monitor on the remote computer (running, capturing, or transmitting)

  • The adapter address of the remote computer

  • The version number of Network Monitor on the remote computer

In some instances, your network architecture might prevent one installation of Network Monitor from detecting another. For example, if an installation is separated from yours by a router that does not forward multicasts, your installation cannot detect that installation.

Network Monitor uses a network driver interface specification (NDIS) feature to copy all frames it detects to its capture buffer, a resizable storage area in memory. The default size is 1 MB; you can adjust the size manually as needed. The buffer is a memory-mapped file and occupies disk space.



Because Network Monitor uses the local only mode of NDIS instead of promiscuous mode (in which the network adapter passes on all frames sent on the network), you can use Network Monitor even if your network adapter does not support promiscuous mode. Networking performance is not affected when you use an NDIS driver to capture frames. (Putting the network adapter in promiscuous mode can add 30 percent or more to the load on the CPU.)

Installing Network Monitor

To set up Network Monitor, perform two steps:

  • Install the Network Monitor driver on any computer from which you want to capture data for analysis with Network Monitor.

  • Install the Network Monitor utilities on a computer running Windows 2000 Server on which data will be captured.

You can install the driver on a computer running either Windows 2000 Professional or Windows 2000 Server. Installing the driver also installs the Network Segment object for use in System Monitor.

Installing the driver does not install Network Monitor itself. Instead, install the Network Monitor Tools on a computer running Windows 2000 Server to install Network Monitor.

To install the Network Monitor driver

  1. Click Start , point to Settings , click Control Panel , and then double-click Network and Dial-up Connections .

  2. In Network and Dial-up Connections , right-click Local Area Connection , and then click Properties .

  3. In the Local Area Connection Properties dialog box, click Install .

  4. In the Select Network Component Type dialog box, click Protocol , and then click Add .

  5. In the Select Network Protocol dialog box, click Network Monitor Driver , and then click OK .

If prompted for additional files, insert your Windows 2000 CD, or type a path to the location of the files on a network.

To display and analyze captured data, use the following procedure to install Network Monitor Tools on a computer running Windows 2000 Server. Network Monitor Tools installs Network Monitor along with the Network Monitor driver. If you are running Windows 2000 Server and are installing Network Monitor Tools, you can bypass the preceding procedure; you do not need to install the Network Monitor driver separately.

To install Network Monitor Tools

  1. Click Start , point to Settings , click Control Panel , and then double-click Add/Remove Programs .

  2. In the Add/Remove Programs dialog box, double-click Add/Remove Windows Components .

  3. In the Windows Component Wizard dialog box, click Next .

  4. Under Components , click Management and Monitoring Tools , and then click the Details button.

  5. Under Subcomponents of Management and Monitoring Tools , select the Network Monitor Tools check box, and then click OK .

  6. Click Next to proceed with installation, and then click Finish and Close to exit.

To start Network Monitor on a computer running Windows   2000 Server

  1. Click Start , point to Programs , and point to Administrative Tools .

  2. Under Administrative Tools , click Network Monitor .

For information about how to work with the Network Monitor user interface, see Windows 2000 Server Help.

Capturing Frame Data

When you've installed the Network Monitor driver on the computer from which to capture data (hereafter called the source computer) and installed Network Monitor Tools on the computer that will perform the capture (hereafter called ** destination computer), you can begin to capture data.

To capture data

  1. Open Network Monitor.

  2. On the Capture menu, click Start .
    Or, click the Capture button on the toolbar.

As frames are captured from the network, statistics about the frames are displayed in the Network Monitor Capture window, as shown in Figure 9.2.


Figure 9.2 Network Monitor Capture Window

Network Monitor displays session statistics from the first 100 unique network sessions it detects. The Network Monitor Capture window includes the panes listed in Table 9.7.

Table 9.7 Description of Display Options for the Capture Pane




A graphical representation of the activity currently taking place on the network.

Session Stats

Statistics about individual sessions currently taking place on the network.

Station Stats

Statistics about the sessions participated in by the computer running Network Monitor.

Total Stats

Summary statistics about the network activity detected since the capture process began.

To reset statistics and see information on the next 100 network sessions detected, on the Capture menu, click Clear Statistics . To capture only those frames that originate with specific computers, determine the addresses of the computers on your network and associate the address with its DNS or NetBIOS name. After these associations are made, you can save the names to an address database (.adr) file that can be used to design capture filters and display filters. The capture filter allows you to specify criteria for inclusion in or exclusion from the capture. If the address is not available in the address database, try to capture all traffic and, after stopping and viewing the capture, use the Find All Names command on the Display menu to locate the address.



Capture filters can significantly increase the processor's workload because each packet must be processed through the filter and either saved or discarded. In some cases, using complex filters might result in missed frames.

An example of such a filter is an address pair, used to capture frames from specific computers on the network. An address pair consists of:

  • The addresses of the computers between which you want to monitor traffic. Note that you can capture to a computer or to a router; however, you cannot select multiple address pairs with the OR operation. You must run multiple instances of Network Monitor to capture to either a computer or a router simultaneously. (An address is a hexadecimal number that identifies a computer uniquely on the network.)

  • Arrows that specify the traffic direction you want to monitor.

  • The INCLUDE or EXCLUDE keyword, indicating how Network Monitor should respond to a frame that meets a filter's specifications.
    Regardless of the sequence in which statements appear in the Capture Filter dialog box, EXCLUDE statements are evaluated first. Therefore, if a frame meets the criteria specified in an EXCLUDE statement in a filter containing both an EXCLUDE and INCLUDE statement, that frame is discarded. Network Monitor does not test that frame by INCLUDE statements to see if it meets that criterion also.
    For example, to capture all the traffic from Joe's computer except the traffic from Joe to Anne, use the following capture filter in the address section:

include Joe <----> Any

exclude Joe <----> Anne

If there are no include lines, the default address your_computer_name – – – – Any is used by default.

Figure 9.3 shows the Capture Filter dialog box, accessed from the Capture menu or by pressing F8 in the Capture window.


Figure 9.3 Capture Filter Dialog Box

To design a capture filter, specify decision statements in the Capture Filter dialog box. For information about display filters, see "Displaying Captured Data" later in this chapter.

By specifying a pattern match in a capture filter, you can:

  • Limit a capture to only those frames containing a specific pattern of ASCII or hexadecimal data.

  • Specify how many bytes into the frame the pattern must occur. This number of bytes is known as an offset.
    When you filter based on a pattern match, you must specify where the pattern occurs in the frame (how many bytes from the beginning or end). If your network medium has a variable size in the media access control protocol, such as Ethernet or Token Ring, specify to count from the end of the topology header.

  • To capture frames sent using a specific protocol, specify the protocol on the capture filter SAP/ETYPE= line. Available protocols appear in the dialog box when you double-click the SAP/ETYPE= line. For example, to capture only IP frames, disable all protocols and then enable IP ETYPE 0x800 and IP SAP 0x6. By default, all of the protocols that Network Monitor supports are enabled.

  • Use a capture trigger to automate actions to follow the capture. A trigger is a set of conditions that, when met, initiate an action. For example, before using Network Monitor to capture data from the network, you can set a trigger to stop the capture or to run a program or command file. You can also specify the conditions under which these actions will occur. One example of a trigger is a pattern match. You can save a trigger to the local computer if you save a capture filter. The default file path for saving filters is the \System32\Netmon\Captures directory in the root directory.

Table 9.8 describes the trigger types you can use to specify the condition that starts the trigger.

Table 9.8 Trigger Types for Network Monitor Captures

Trigger type



No trigger is initiated. This is the default.

Pattern Match

Initiates the trigger when the specified pattern occurs in a captured frame.

Buffer Space

Initiates the trigger when a specified amount of the capture buffer is filled.

Pattern Match Then Buffer Space

Initiates the trigger when the pattern occurs and is followed by a specified percentage of the capture buffer being filled.

Buffer Space Then Pattern Match

Initiates the trigger when the specified percentage of the capture buffer fills and is followed by the occurrence of the pattern in a captured frame.

No Action

No action is taken when a trigger condition is met. This is the default. Even though you select No Action , the computer beeps when the trigger condition is met.

Stop Capture

Stops the capture process when the trigger condition is met.

Execute Command Line

Runs a program or batch file when a trigger condition is met. If you select this option, provide a command or the path to a program or batch file.

If your computer uses multiple network adapters, use Network Monitor to collect data from multiple network adapters, and then either switch between the two adapters or run multiple instances of Network Monitor.

To switch between adapters

  • On the Capture menu, click Networks , and then select a different adapter.

Modem adapters appear as ETHERNET with a dial-up connection flag set to TRUE.

After capturing data, you might want to save it. For example, it is useful to save captures before starting another capture (to prevent loss of the captured data) if you think you might need to analyze the data later, or if you need to document network use or problems. When you save captured data, the data in the capture buffer is written to a capture (.cap) file.

Displaying Captured Data

To simplify data analysis, Network Monitor interprets raw data collected during the capture and displays it in the Frame Viewer window.

To display captured information in the Frame Viewer window, from the Capture menu, click Stop and View while the capture is running. You can also display captures by opening a file with the .cap extension.

Figure 9.4 shows the key elements in the Frame Viewer window.


Figure 9.5 Display Filter Dialog Box

To design a display filter, specify decision statements in the Display Filter dialog box. Information in the Display Filter dialog box is in the form of a decision tree, which is a graphical representation of a filter's logic. When you modify display filter specifications, the decision tree reflects these modifications. Table 9.10 lists various types of filter items you can use.

Table 9.10 Filter Item Options

Filter item



Specifies the protocols or protocol properties.

Address Filter (default is ANY <– –> ANY)

Specifies the computer addresses on which you want to capture data.


Specifies property instances that match your display criterion.

You must click OK to save the specified decision statement and add it to the decision tree before adding another decision statement.

Although capture filters are limited to four address filter expressions, display filters are not. With display filters, you can also use AND , OR , and NOT logic.

When you display captured data, all available information about the captured frames appears in the Frame Viewer window. To display only those frames sent by a specific protocol, edit the Protocol line in the Display Filter dialog box.

Protocol properties are information that defines a protocol's purpose. Because the purpose of protocols varies, properties differ from one protocol to another.

Suppose, for example, that you have captured a large number of frames using the SMB protocol but want to examine only those frames in which the SMB protocol was used to create a directory on your computer. In this instance, you can single out frames where the SMB command property is equal to make directory .

When you display captured data, all addresses from which information was captured appear in the Frame Viewer window. To display only those frames originating from a specific computer, edit the ANY <– –> ANY line in the Display Filter dialog box.

Reviewing Captured Data

Perform the steps in the following list as part of your routine for reviewing and analyzing captured data:

  • Follow a session using source and destination IP address and port numbers.

  • If you find a Reset, focus on the sequence numbers and acknowledgments that precede it.

  • Try to understand the activity you are seeing:

    • Is the sender doing retries?

    If so, note the number of retries and the time elapsed. The default number of retries for TCP/IP is 5. This value might be different for other protocols.

    • Did the sender back up and resend the previous packet?

    • Is the receiver asking for a missed frame by acknowledging a previous sequence number?

    • Does the size of the data being sent and received correspond to the size of the maximum transmit unit (MTU) of the hardware? If not, you might have the wrong network settings

    • Is there a lengthy delay for receipt of acknowledgements or for transmission of subsequent packets? This could indicate that the destination computer has inadequate resources or that the application is performing inefficiently.

A reset can be caused by time-outs at the TCP layer or by time-outs of higher-layer protocols. Resets originating at the TCP layer should be easy to read from the trace. It might be more difficult to determine the cause of resets originating from higher-layer protocols such as the server message block (SMB).

For example, an SMB read might time out in 45 seconds and cause a reset of the session even though communications are slow but working at the TCP layer. The trace might only narrow down what component is at fault. From there you might need to use other troubleshooting methods to determine the cause.

To see TCP sequencing when higher-level protocols are present, start Network Monitor and edit the Expression dialog box, using the following steps. Figure 9.6 shows the Expression dialog box.


Figure 9.6 Expression Dialog Box

To see TCP sequencing

  1. Start Network Monitor.

  2. Display captured data.

  3. On the Display menu, click Options .

  4. Select Auto (based on protocols in display filter), and then click OK .

  5. Click Display , and then click Filter .

  6. Double-click Protocol=Any .

  7. Click the Protocol tab, and then click Disable All .

  8. In the Disabled Protocols list box, click TCP .

  9. Click Enabled , then click OK , and click OK again.

Network Monitor Performance Issues

Network Monitor creates a memory-mapped file for its capture buffer. For best results, make sure to create a capture buffer large enough to accommodate the traffic you need.

In addition, although you cannot adjust the frame size, you can store only part of the frame, thus reducing the amount of wasted capture buffer space. For example, if you are interested only in the data in the frame header, set the frame size (in bytes) to the size of the header frame. Network Monitor discards the frame data as it stores frames in the capture buffer, thereby using less capture buffer space.


Windows Event Viewer shows start, stop, and connection events for Network Monitor. To verify Network Monitor operation, or as a first step in tracking down Network Monitor problems, examine the event log.