By J. Scott Haugdahl
Microsoft Corp. probably won't tell you about its full-blown protocol analyzer. Bloodhound, a.k.a. Network Monitor, or NetMon (NETMON.EXE), has been available since Windows NT 3.5 as part of Systems Management Server (SMS).
But Microsoft, which originally provided NetMon so that customers could capture and send traces to Microsoft technical support for analysis of problems, doesn't promote it much. Now that NetMon is part of the administration tools included with every shipping copy of NT Server 4.0, the secret is out.
Beware, however, that the version that ships with NT Server 4.0, referred to as the Simple Version, does not have all the same capabilities as the Full Version that ships with SMS. Microsoft documents some of these differences and we've added a few of our own after using both versions (see "Simple vs. Full Network Monitor Capabilities," below).
NetMon helped us to diagnose a problem related to browsing--not the Internet variety but the Microsoft Browse protocols that find those resources listed in your Network Neighborhood.
Network Monitor in a Nutshell
As NT's popularity has rocketed over the past couple of years, we've used NetMon on a regular basis and found that no other protocol analyzer on the market can beat its SMB (Server Message Block), Microsoft Browse and MS RPC (Microsoft Remote Procedure Call) decodes.
NetMon has many of the bells and whistles of full-blown protocol analyzers, such as capture filters and triggers, real-time monitoring statistics and extensive display filters, including filtering by protocol properties. There's even a very flexible built-in traffic generator that lets you edit and replay captured packets.
The packet capture buffer can be huge because NetMon can use virtual memory that is limited only by your hard disk. For performance reasons, however, it's best to set the capture buffer within the limits of your physical RAM and not operate other applications during capture.
NetMon works on any version of NT and Windows 95. You also must install the Network Monitor Agent, which, in turn, installs the Network Monitor Driver. You can install the agent by itself on any NT or Windows 95 workstation, turning that workstation into a remote packet-capturing device. One caveat: The remote agent doesn't have any access restrictions when installed on Windows 95.
The Problem Network
Briefly stated, the topology of our problem network consisted of approximately 100 token rings interconnected by workgroup switches and backbone routers. Users were being migrated from older versions of Windows to NT, with more than 2,000 NT workstations converted or recently deployed and more on the way. During this migration, users began experiencing intermittent problems, such as dropped printer connections.
Using two Network Associates Sniffers, we simultaneously captured packets on both the printer server and user rings and discovered that packets were being dropped by the workgroup switches. Although the higher layer protocols attempted to recover, successively dropped packets for every recovery attempt led to print time-outs and disconnects. But was the switch to blame?
During this time, we also noticed something very peculiar: Hundreds of NetBIOS Name Recognized packets campuswide were sent via Source Route Bridging back to a given workstation. These packet storms were not broadcast storms and did not originate from one source, making the problem somewhat difficult to diagnose. On top of that, our Sniffer didn't completely decode some of the SMB packets.
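The storm described above is easy to miss precisely because it is neither a broadcast storm nor a single chatty source: each frame is an ordinary unicast NetBIOS Name Recognized reply, and only the count per destination gives it away. The following script is an added example, not code from the article or from Network Monitor; it tallies Name Recognized frames per destination station across a capture summary and flags any station that is receiving them from many distinct sources. The summary lines, station names and column layout are constructed for the example and only loosely imitate an analyzer's summary view.

```python
import re
from collections import defaultdict

# Constructed capture summary: frame number, source station, destination
# station, protocol, description. Invented sample data, not a real trace.
SAMPLE_SUMMARY = """\
1  STN-0A1  WKS-17   NETBIOS  Name Recognized  NAME=WKS-17<20>
2  STN-0B2  WKS-17   NETBIOS  Name Recognized  NAME=WKS-17<20>
3  WKS-17   PRN-SRV  SMB      C write & close, FID = 0x1234
4  STN-0C3  WKS-17   NETBIOS  Name Recognized  NAME=WKS-17<20>
5  PRN-SRV  WKS-17   SMB      R write & close
6  STN-0A1  WKS-17   NETBIOS  Name Recognized  NAME=WKS-17<20>
7  STN-0D4  WKS-17   NETBIOS  Name Recognized  NAME=WKS-17<20>
8  STN-0E5  WKS-17   NETBIOS  Name Recognized  NAME=WKS-17<20>
9  STN-0A1  WKS-42   NETBIOS  Name Recognized  NAME=WKS-42<20>
10 STN-0A1  WKS-17   NETBIOS  Name Recognized  NAME=WKS-17<20>
"""

# One summary line: frame number, src, dst, protocol, free-text description.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_summary(text):
    """Turn summary lines into a list of frame records; skips unparseable lines."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        num, src, dst, proto, desc = m.groups()
        frames.append({
            "frame": int(num),
            "src": src,
            "dst": dst,
            "protocol": proto,
            "description": desc.strip(),
        })
    return frames


def find_name_recognized_storms(frames, threshold=5):
    """Return destinations receiving at least `threshold` Name Recognized frames.

    For each flagged destination, report the frame count and the number of
    distinct sources, so a flood from many stations (the pattern in the
    article) can be told apart from one misbehaving sender.
    """
    per_dst = defaultdict(lambda: {"count": 0, "sources": set()})
    for f in frames:
        if f["protocol"] == "NETBIOS" and f["description"].startswith("Name Recognized"):
            entry = per_dst[f["dst"]]
            entry["count"] += 1
            entry["sources"].add(f["src"])
    return {
        dst: {"count": e["count"], "distinct_sources": len(e["sources"])}
        for dst, e in per_dst.items()
        if e["count"] >= threshold
    }


if __name__ == "__main__":
    storms = find_name_recognized_storms(parse_summary(SAMPLE_SUMMARY))
    for dst, info in storms.items():
        print(f"{dst}: {info['count']} Name Recognized frames "
              f"from {info['distinct_sources']} distinct sources")
```

On the constructed sample, WKS-17 is flagged with seven Name Recognized frames from five different stations, while WKS-42 with a single reply is ignored. Against a real capture you would export the summary view to text and raise the threshold to whatever is normal for the ring; the point is that the per-destination count, not the broadcast address or any single source, is the signal.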