Viewing Network Traffic

This is useful when you need to troubleshoot or debug application problems or system communication failures. When a specific protocol such as LDAP or DNS is misbehaving, looking at the associated network traffic shows exactly what is being transmitted and received, rather than what the application or its logs claim is happening.

Using a graphical user interface

1. Open the Network Monitor tool (netmon.exe). Network Monitor is not installed by default. To install it:

   a. Go to the Control Panel and open the Add or Remove Programs applet.
   b. Click Add/Remove Windows Components.
   c. Double-click Management and Monitoring Tools.
   d. Check the box beside Network Monitor Tools and click OK.
   e. Click Next.
   f. Click Finish.

2. The first time you start Network Monitor, you are asked which network interface you want to capture from. On Windows Server 2003, Microsoft finally made the interface list easy to read by labeling each entry with its connection name (e.g., Local Area Connection). On Windows 2000 the label does not include that information, so choosing an interface is almost a guessing game unless you recognize the MAC address prefix (the first three bytes, the vendor OUI) of your NIC vendor. One trick for narrowing the list is to disregard any interface whose Dial-up Connection property is TRUE. After you have selected an interface, click OK.

3. From the menu, select Capture > Start. If the Network Utilization and Frames Per Second indicators do not fluctuate (a sign that traffic is being captured), you probably picked the wrong interface in Step 2. If so, stop the capture by selecting Capture > Stop from the menu, then select Capture > Networks. You are presented with the same screen as in Step 2, from which you can select the correct interface.

4. When you want to stop the capture, select Capture > Stop from the menu. If you want to view the traffic immediately, select Capture > Stop and View instead.

5. If the captured data is too much to look at, filter it by selecting Display > Filter from the menu. There you can enter Boolean expressions to limit what is displayed, for example restricting the view to a single protocol such as DNS, or to frames to or from one IP address.

    Using a command-line interface

    The Windows Server 2003 Support Tools include a command-line tool called netcap.exe that captures packets to a file for later viewing in Network Monitor, with no GUI required. Here is an example command line:

    > netcap /C:d:\netcap.cap /N:1

    This command captures packets on network adapter #1 and stores the output in d:\netcap.cap. Adapter numbers are assigned by netcap itself, not by the connection name, so to make sure you are capturing on the correct interface, view the netcap help information:

    > netcap /?

    At the very end of the help output, netcap lists the adapters on the system and their associated numbers. To view the contents of the capture file, double-click it; this launches Network Monitor.
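Once you have a capture open, the hex pane shows the raw bytes of each frame, and the point of the exercise is to read the protocol fields out of them. The following decoder is an added example, not code from the original recipe or from Microsoft: it walks an Ethernet/IPv4/UDP/DNS frame and returns the addresses, ports, transaction ID, question and answer records, verifying the IP header checksum and following DNS name-compression pointers on the way. The two frames it decodes (a workstation at 10.0.0.25 asking a domain controller at 10.0.0.5 for dc1.example.com, and the reply) are constructed inline by the `build_frame` helper; the MAC and IP addresses, the name and the transaction ID are all made up for the example, not taken from a real capture.

```python
"""Decode a raw Ethernet/IPv4/UDP/DNS frame (what a capture's hex pane shows)
into the fields that matter when troubleshooting name resolution."""
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 33: "SRV"}


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def _ip_checksum(hdr):
    """RFC 791 one's-complement header checksum; over a header that already
    carries a correct checksum the result is 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _read_name(msg, off):
    """Decode a DNS name at msg[off], following 0xC0 compression pointers.
    Returns (name, offset just past the name in the stream the caller walks)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                # caller resumes right after the pointer
            hops += 1
            if hops > 32:                    # malformed message: pointers that loop
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def decode_dns(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, QTYPES.get(qtype, qtype)))
    for _ in range(an + ns + ar):            # answer, authority and additional RRs share one layout
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            value = _ip(rdata)
        elif rtype in (2, 5, 12):            # NS/CNAME/PTR carry a (possibly compressed) name
            value, _ = _read_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlen
        records.append((name, QTYPES.get(rtype, rtype), ttl, value))
    return {"id": ident, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "records": records}


def decode_frame(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if _ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum (truncated or corrupted frame?)")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 17:
        raise ValueError(f"not UDP: IP protocol {proto}")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if 53 not in (sport, dport):
        raise ValueError("not DNS: neither port is 53")
    return {"eth": (_mac(src), _mac(dst)), "ip": (_ip(ip[12:16]), _ip(ip[16:20])),
            "udp": (sport, dport), "dns": decode_dns(udp[8:ulen])}


# --- constructed sample frames (built here for the example, not from a real capture) ---
def _name(n):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in n.split(".")) + b"\x00"


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, dns_msg):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns_msg), 0) + dns_msg  # UDP checksum 0 = absent
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 128, 17, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    hdr = hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + hdr + udp


# Workstation 10.0.0.25 asks DC 10.0.0.5 for the A record of dc1.example.com (ID 0xBEEF, RD set) ...
QUERY = build_frame("00:50:56:11:22:33", "00:0c:29:aa:bb:cc", "10.0.0.25", "10.0.0.5", 49152, 53,
                    struct.pack("!6H", 0xBEEF, 0x0100, 1, 0, 0, 0) + _name("dc1.example.com") + struct.pack("!HH", 1, 1))
# ... and the reply: same ID, QR/RD/RA set, one answer whose owner name is a pointer to offset 12.
RESPONSE = build_frame("00:0c:29:aa:bb:cc", "00:50:56:11:22:33", "10.0.0.5", "10.0.0.25", 53, 49152,
                       struct.pack("!6H", 0xBEEF, 0x8180, 1, 1, 0, 0) + _name("dc1.example.com") + struct.pack("!HH", 1, 1)
                       + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 0, 0, 5]))

if __name__ == "__main__":
    for frame in (QUERY, RESPONSE):
        print(decode_frame(frame))
```

Matching the transaction ID of a query to its reply (or noticing that no reply with that ID ever arrives, or that the reply carries a non-zero rcode) is usually the first thing you want from a DNS capture, and the checksum and port checks make the decoder refuse a frame that has been truncated by the capture buffer rather than silently misreading it.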

    Discussion

    Network Monitor (NetMon) is not the most user-friendly tool, but it offers powerful features for collecting, filtering, and analyzing a network capture. Be aware that the version included with Windows 2000 and Windows Server 2003 is a limited one: it captures only frames sent to or from the local computer, not all traffic on the segment, so to troubleshoot a conversation between two other hosts you must run the capture on one of them. (The full version that can capture promiscuously ships with Systems Management Server.) A capture also contains whatever was on the wire, which for protocols such as LDAP can include cleartext credentials from simple binds; treat .cap files as sensitive and delete them when the troubleshooting is done. For more on how to use some of the features of NetMon, see the MS KB articles listed in the See Also section.

    One thing worth noting about NetMon is that it has a default capture buffer of 1 MB. Once the captured data exceeds 1 MB, it begins to overwrite the oldest frames (first in, first out), so a long-running capture keeps only the most recent traffic. You can increase the buffer to a maximum of 1 GB: select Buffer Settings from the Capture menu, enter the maximum number of megabytes, and click OK. The same default applies to netcap, which accepts a /B:<megabytes> option to enlarge its buffer and a /L:HH:MM:SS option to stop the capture after a set time.

    If you are interested in an alternative to NetMon, Ethereal is one of the most popular network traffic analyzers and is available free from http://www.ethereal.com/. (The project has since been renamed Wireshark.)