Network Monitor is a crucial tool that system administrators should have in their arsenal. Network Monitor, now in its third version, was overhauled to support the networking changes that were introduced in Windows Server 2008 R2. Network Monitor 3.4 includes several enhancements for capturing network traffic and parsing the captured data for use in troubleshooting, capacity analysis, and performance tuning. The next few sections cover using Network Monitor to capture network traffic between two computers, on a wireless connection, and over remote-access connections; how to analyze captured data; and how to parse captured data for analysis. You can download Network Monitor 3.4, shown in Figure 1, from the Microsoft Download Center at www.microsoft.com/download/en/details.aspx?id=4865.
Figure 1. The Network Monitor 3.4 interface.
Note
Network Monitor 3.4 is available in IA64, x64, and x86 versions and can run on Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 SP2, Windows 8, Windows 7, Windows Vista SP1, and Windows XP SP3 systems.
1. What’s in Network Monitor 3.4
Network Monitor 3.4 expands on the capabilities of the earlier versions of Network Monitor by including several more features and fixes for issues that were discovered in the 3.x versions. Network Monitor 3.4 is very flexible and can even stop a capture based on an event log entry in Event Viewer.
The features in Network Monitor 3.4 include the following:
• Support for Windows Server 2012, Hyper-V, Windows 8 and Windows 7
• The ability to capture WWAN and tunnel traffic on Windows 7 and Windows 8 computers
• Support for both IPv4 and IPv6
2. Using Network Monitor 3.4
Before you can start using the advanced features of Network Monitor, analyzing captured data, and identifying potential issues and bottlenecks, a basic understanding of Network Monitor and how it works is necessary.
To capture network traffic, install Network Monitor 3.4 and follow these steps:
1. Run Network Monitor (Start, Microsoft Network Monitor 3.4).
2. Click the New Capture Tab link in the left pane.
3. Click the Start button or press F5 to start capturing traffic.
To apply filters to a captured stream of information, follow these steps:
• To create a capture filter—With the Capture tab selected, click the Capture Settings button or press F4. Click Load Filter, Standard Filters to select a preconfigured filter that will capture traffic relative to a specific item such as DNS, as shown in Figure 2.
Figure 2. Configuring Capture Filters in Network Monitor.
• To create a display filter—From the Filter menu, click Display Filter, Load Filter, Standard Filters to select a preconfigured filter that will only display information relative to a specific item such as DNS from captured data.
• To create a color filter—From the Frames menu, select Color Rules. Click New to create a new rule, then select Load Filter, Standard Filters to apply a color effect to specific items such as DNS.
After a capture or display filter has been added, it must be applied, as shown in Figure 3. Apply the filters:
• To apply a capture filter, open the capture settings and click the Apply button.
• To apply a display filter, select the Display Filter pane and click Apply Filter.
Figure 3. Choosing to add a value to display filter.
A color rule or display filter can be fine-tuned based on captured data. Hover the mouse over the desired value, right-click, and select Add Property to Color Rule or Display Filter. This action adds a filter condition for the property to equal the value of the selected frame, as shown in Figure 4.
Figure 4. Sample capture with red highlighted data.
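The same capture and display filters can also be applied unattended from the command line with NMCap.exe, which ships with Network Monitor 3.4; this is an added example, not from the book, and the install path, switch names, filter property names and the 192.0.2.10 client address are assumptions to check against NMCap /? on your own install.

```batch
@echo off
REM Added example (not from the book). Uses NMCap.exe from Network Monitor 3.4.
REM Assumed install path; adjust if Network Monitor was installed elsewhere.
set NMCAP="%ProgramFiles%\Microsoft Network Monitor 3\NMCap.exe"

REM 1. Capture filter: keep only DNS frames on every adapter (the "DNS"
REM    standard filter from the text), write them to dns.cap, and stop
REM    automatically after 10 minutes. /StopWhen /TimeAfter is assumed.
%NMCAP% /network * /capture "DNS" /file "%TEMP%\dns.cap" /StopWhen /TimeAfter 10 min

REM 2. Display filter on the saved capture, equivalent to "Add Property to
REM    Display Filter" on a frame: keep DNS frames whose source or destination
REM    is the constructed client address 192.0.2.10, and write the subset
REM    to a second file for analysis. /inputcapture and IPv4.Address are assumed.
%NMCAP% /inputcapture "%TEMP%\dns.cap" /capture "IPv4.Address == 192.0.2.10 AND DNS" /file "%TEMP%\dns-client.cap"

REM The filtered file can then be opened in the Network Monitor UI, where
REM a color rule such as "DNS" will highlight the frames as in Figure 4.
```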
To remove a filter, follow these steps:
• To remove a capture filter, open the capture settings and click the Remove button.
• To remove a display filter, select the Display Filter pane and click Remove.
• To remove a color rule, delete the rule from the Color Rules tab of the Options dialog.
Note
Removing a filter does not remove it from the filter list. It just removes it from being applied.