How to use Network Monitor to capture network traffic

This article discusses several best practices to use when you use Microsoft Network Monitor (Netmon.exe) to capture network traffic.

A network trace that has any of the following characteristics may prevent the successful analysis of captured network traffic:

• The network trace does not contain all the necessary network traffic.
• It contains too much unnecessary network traffic.
• It is not accompanied by computer name and address information of the affected computers.

Definitions

The following definitions are used in this article:

• Capture (or Trace): The network traffic collected and saved by using Microsoft Network Monitor (Netmon.exe).
• Monitor computer: The computer that runs Network Monitor.
• Target computer: A computer whose network traffic Netmon.exe captures.
• Target address: The specific protocol address of the target computer.

Making the Target Computer Traffic Available to the Monitor Computer

If you are not running Network Monitor on the target computer, make sure that all the network traffic from the target computer is available to the network adapter of the monitor computer. To do so in the Ethernet environment, connect both the monitor computer and the target computer to a network hub. If the monitor and target computers are on a switched network (for example, they are connected to an Ethernet switch), all the network traffic to and from the target computer may not be available to the monitor computer.

Note Typically, a hub presents all the network packets to all the network interfaces (or ports), and a switch presents all the packets to the intended port. More complex switches may permit options for multicast packet filtering and advanced port-to-port bridging for network captures and monitoring.

Address Databases

To find and save the target computer addresses:

Post-Capture Address Collection

1. If the network capture is not visible (for example, if you click Stop on the Capture menu instead of Stop and View, or if a capture trigger was in force), click Display Captured Data on the Capture menu or press the F12 key to display captured data.
2. On the Display menu, click Find All Names.
3. On the message stating that a certain number of names were found in the captured data, click OK.
4. Save the address database as described in the Saving an Address Database section of this article.

Saving an Address Database

Address database files may become inaccurate if the target computer address changes. This may occur if the Dynamic Host Configuration Protocol (DHCP) lease expires or you replace the network adapter. Therefore, Microsoft recommends that you save address databases specific to Network Monitor captures.

To save the Network Monitor in-memory address database to an .adr file:

1. In Network Monitor, click Addresses on the Capture menu.
   
   Note If the Capture: n (Summary) dialog box is open, the Capture menu does not appear.
2. Click Save, type a descriptive name in the File name box, and then click Save.

Pre-Capture Address Collection: Target Computer Is on the Network

1. In Network Monitor, click Resolve Addresses from Name on the Tools menu.
   
   Note This command is only available in the version of Network Monitor provided with Microsoft Systems Management Server (SMS).
2. Enter the name of the target computer in the Name list, and then click Resolve.
   
   Depending on the network and target computer configuration and the available name resolution options, Network Monitor may list typical addresses such as Ethernet, Tokenring, IP, and IPX/XNS that are associated with the target computer.
   • If the name is resolved, click Save Address to add the addresses to the Network Monitor in-memory address database.
   • If the name is not resolved, and you receive an "Address not Found" message, try to save the target computer off the network as described in the Pre-Capture Address Collection: Target Computer is off the Network section of this article.
3. Click Close, and then save the address database.

Pre-Capture Address Collection: Target Computer Is off the Network

To use the following procedure, you must know the target address. Microsoft recommends that you use the media access control (MAC) address of the target computer. Capture filters set for specific protocols, such as IP, may cause Network Monitor to ignore other protocol traffic such as IPX/XNS.

1. On the Capture menu, click Addresses, and then click Add.
2. In the Name box, type the name of the target computer.
3. Type the address of the target computer in the Address box, For example, type the IP address of 192.247.26.40.
4. In the Type list, click the type of address that you used in the Address box. For example, click IP.
5. Click OK to add the address to the Network Monitor in-memory address database.
6. Save the address database.

Capture Filters

The following examples illustrate how to configure several common capture filters. Microsoft recommends that you set the filter for the MAC address of the target computer (such as the ETHERNET address), if possible. Capture filters set for specific protocols, such as IP, will cause Network Monitor to ignore other protocol traffic, such as IPX/XNS.

Capture all Traffic to and from a Target Computer

1. On the Capture menu, click Filter.
2. Double-click the AND (Address Pairs) node.
3. In the Name list under Station 1, click the name of the target computer whose data you want to collect.
4. Under Direction, click <-->, and then click OK.

Capture all Traffic Between Two Target Computers

1. On the Capture menu, click Filter.
2. Double-click the AND (Address Pairs) node.
3. In the Name list under Station 1, click the name of the target computer whose data you want to collect.
4. Under Direction, click <-->.
5. In the Name list under Station 2, click the name of the other target computer whose data you want to collect.
6. Click OK, and then click OK.

Saving a Capture Filter

To save a Network Monitor capture filter to a .cf file:

1. On the Capture menu, click Filter.
2. Click Save, type a descriptive name in the File name box, and then click Save.

Capture Buffers

By default, Network Monitor can save captures of up to 1 gigabyte (GB). To change the default setting of 1MB, click Buffer Settings on the Network Monitor Capture menu.

• Verify that the buffer size is sufficient to capture sufficient network traffic. To determine a typical baseline, set an appropriate capture filter against a working client, and then perform a test capture. If the saved capture is the same size as the buffer setting, you must make the buffer larger. A general rule is to increase the buffer by a factor of two.
• Verify that the virtual memory (paging file) settings of the monitor computer can handle the maximum size that you want to save.

Capture Triggers

Capture triggers are typically set for situations where it is difficult to keep from overrunning the capture buffer. This frequently occurs if any of the following conditions are true:

• You cannot reliably reproduce the problem you are investigating by using a specific procedure.
• You cannot effectively coordinate actions at the monitor and target computers.
• You must capture all the traffic to and from a heavily loaded server. For example, you must do this to diagnose file lock violations.

To design a capture trigger, you typically have to derive a byte pattern for a particular offset from a sample packet. For example, the offset for the SMB 'Status Code System Error' is different for NBT (NetBIOS Transport over IP) and Direct-hosted SMB (TCP/UPD port 445). The following example shows how to set a capture trigger that stops the capture when you try to connect to a non-existent share on an existing server. The example does not contain any capture filter details.

The example error message is the WIN32 error code 0xC00000CC. The error code appears in a capture in the SMB 'Status Code System Error' field as 'STATUS_BAD_NETWORK_NAME'. This error is defined in 'ntstatus.h'. The Microsoft Software Development Kit (SDK) includes this definition. For additional information, visit the following Microsoft Web site: For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

1. On the monitor computer:
   1. Start Network Monitor.
   2. On the Capture menu, click Trigger.
   3. Under Trigger on, click Pattern match.
   4. Under Pattern, click From Start of Frame, and then click Hex.
   5. In the Offset (Hex) box, type 3f.
   6. In the Pattern box, type cc0000c0
      
      Note: The little-endian byte pattern is equivalent to the error DWORD 0xC00000CC.
   7. Under Trigger Action, click Stop Capture, and then click OK.
   8. On the Capture menu, click Start.
2. On the target computer:
   1. Click Start, and then click Run.
   2. In the Open box, type \\servername\invalid-sharename, where servername is a valid server name and where invalid-sharename is the name of a non-existent share.
   3. Click OK. On the message that states that the network name cannot be found, click OK
3. On the monitor computer:
   1. The capture automatically stops. On the File menu, click Save As.
   2. Type a descriptive name for the capture in the File name box, and then click Save.

Troubleshoot

• Use descriptive names when you save captured network traffic..
  
  When you save a network monitor capture, it is useful to use a descriptive file name. For example:
  Computer1_connect_failure_05_dec_2002.adr
  Although a capture file contains the time of day, the date may not be obvious or verifiable, particularly if the file is modified. You may have to modify the capture files during analysis. For example, the pairing of Server Message Block (SMB) client or server packets depends on the MAC address. A router between a client and a server computer may obscure the MAC address. Network Monitor may not fully parse some responses in this situation, for example Distributed file system (DFS) referral responses. Some versions of Network Monitor permit you to edit the capture. As a result, you can replace the router MAC address with that of the target server. This permits the SMB parser to break the indicated packet into a more readable form.
• Make sure that the clocks are synchronized between computers..
  
  For many diagnostic procedures, you must have an event or component debugging and Network Monitor traces of the problem. To successfully cross reference other log files with Network Monitor traces, you must have the clocks synchronized between computers.
• Save the IP address information..
  
  Because DHCP lease expiration may cause IP address changes on the client computers, you must record or save relevant IP address information during the Network Monitor captures.
• Try to start the capture before the problem occurs..
  
  Capture traffic that is necessary and sufficient to document a problem. To do so, you must start a capture before you make the first connection between two target computers, and then stop it after the problem behavior occurs. For example, with the SMB protocol, file operations operate against handles. To know the file name, you must capture the file open (or create) operation.
• Try to capture both "success" and "failure" traces..
  
  If you can, capture traces where the problem occurs and where it does not occur. It is best to capture these traces against the same target computer. If you cannot do so, try to capture it from the closest possible configuration and network environment that you can create. For example, both target computers should communicate with the same server, or the same client computer should communicate with similarly configured servers.
• Document actions that generate the significant network traffic..
  
  Document the actions that you perform on the target computers to generate the significant network traffic. For example, in an IP environment you can simplify the cross referencing of the capture to user activity, program activity, or batch file activity. To do so, perform one-time ping commands to a unique IP address just before the activities, and then after the activities.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base: For additional information about the Network Monitor Capture utility included with Windows XP, click the following article number to view the article in the Microsoft Knowledge Base: