Windows 2000 Troubleshooting TCP/IP, part 4





Chapter 5 • Using Network Monitoring and Troubleshooting Tools in Windows 2000

Log File Format

In the "Log file type:" drop-down list box, you choose the format in which the log file is saved. The main choices are binary format and delimited text formats. If you save the logs in a delimited text format, you can import the data into Excel or an Access database. Regardless of the format you choose, you can still bring the information back into the System Monitor console for later analysis, in the same way you could open log files for later viewing with the Windows NT 4.0 Performance Monitor.

Alerts

To create an alert, click the Alerts object in the left pane, then right-click in the right pane and select New Alert Settings from the context menu. Enter the name of the alert and click OK. You will see what appears in Figure 5.8.

Figure 5.8 The General tab in the Alert dialog box.

You add the counters for which you want to be alerted by clicking Add; in this example, we have selected the Pages/sec counter in the Memory object. After selecting the counter, you set the parameters that trigger the alert. In this case, we want to be alerted if Pages/sec exceeds 20. The sample interval is every 5 seconds by default. Click the Action tab and you will see what appears in Figure 5.9.

91_tcpip_05.qx 2/25/00 12:49 PM Page 196

Here you set what actions take place after an alert is triggered. In this case, we have configured the alert to be written to the Application log and a network message to be sent to the administrator's workstation. The recipient is a NetBIOS name, so NetBIOS must be enabled on both the machine generating the alert and the machine receiving it as a network message for this to work. Keep this in mind when you feel your network has reached the point where you can completely disable NetBIOS. If you do reach that point, you must re-enable NetBIOS on the source and destination machines, at least temporarily, for alerts to be sent as network messages.

You can also start a log you have already created once an alert condition has been met. We might want to create a log that tracks other memory-related parameters if Pages/sec exceeds 20. In that case, we would choose "Start performance data log" and select the name of the log from the drop-down list. You could also choose to start a program after the alert condition has been met. Click the Schedule tab and you will see what appears in Figure 5.10. Here you schedule when you want the system to look for alert conditions. In this instance, we have selected the date and time when the system should start looking for the alert condition, and set that the system should stop looking after one day. You can see from the dialog box the other options you have when scheduling alerts.

Figure 5.9 The Action tab in the Alert dialog box.

Network Monitor

The Microsoft Network Monitor is a software protocol analyzer that lets you capture and analyze traffic on your network. The version of Network Monitor that ships with the Windows 2000 server family is limited in scope because it does not let you place the network adapter in "promiscuous mode." An adapter in promiscuous mode listens to all the traffic on the segment, even traffic not addressed to the machine running the Network Monitor software; the Windows 2000 version captures only frames sent to or from the local machine, plus the broadcast and multicast traffic it receives. One disadvantage of promiscuous-mode capturing is that it can overtax your computer's processor. Even with these limitations, Network Monitor is a very useful tool for assessing activity on the network.

You can collect network data and analyze it on the spot, or save your captures for later. Network Monitor lets you monitor network activity and set triggers for when certain events or data cross the wire. This could be useful, for instance, if you are looking for certain "key words" in e-mail communications moving through the network (we'll look at an example of how to do this later in this section).

Figure 5.10 The Schedule tab in the Alert dialog box.

A more full-featured version of Network Monitor that allows promiscuous mode is included with Microsoft Systems Management Server (SMS).

Filtering

Network Monitor lets you capture only the frames you are interested in, based on protocol or on source or destination computer. You can apply even more detailed filters to data you have finished collecting, which lets you pinpoint the precise elements you are looking for in the captured data. We'll discuss how to filter what data you capture, and how to fine-tune the captured data after you've collected it.

Security Issues

The Network Monitor program is a network sniffer. Anyone with administrative privileges can install it on a Windows 2000 server family computer and start "listening" to activity on the wire. If you feel this is a cause for concern, you are correct. The easy availability of such a powerful tool should make you think even harder about the security implications of granting someone administrative rights. Remember, too, that anything carried in cleartext on that segment, including the passwords sent by protocols such as Telnet, FTP and POP3, is readable in a capture. Fortunately, Network Monitor can detect when someone else on the segment is using Network Monitor, and provide you with his or her location. However, don't stake your career on this working correctly; we have had very rare success at it actually identifying all computers running Network Monitor on the same segment.

Installation

Network Monitor is not installed by default. If it isn't installed on your computer, you can install it via the Add/Remove Programs applet in the Control Panel.

Using the Program

After you have installed the program, go to the Administrative Tools menu and click Network Monitor; you will see what appears in Figure 5.11. This Capture Window is the starting point of your network monitoring adventure. Note that there are four panes to this window.

Capture Window Panes

The top left pane is in "gas gauge" format, providing information on percent network utilization, broadcasts per second, and other parameters in real time. Just under it is a pane that provides information about individual sessions as they are established, showing who established a session with whom and how much data was transferred between the two. The right pane is the local machine's session statistics pane, and provides detailed summary (is that an oxymoron?) information about the current capture session. The bottom pane provides information about each host detected on the segment, and statistics gathered on the host's behavior.

Extra Tools

Before we get into the details of a capture, let's look at some of the extra tools available with Network Monitor.

Figure 5.11 The Network Monitor Capture Window.

First, select the Tools menu, and then click Identify Network Monitor Users. You will see the Identify Network Monitor Users dialog box as it appears in Figure 5.12.

Figure 5.12 The Identify Network Monitor Users dialog box.
This dialog box provides the username and NetBIOS name of the machine or machines currently running Network Monitor. As mentioned earlier, you might not always get accurate readings right away when running this utility. The Microsoft documentation on how it finds other Network Monitor users is not clear about how the identification process takes place. Machines running the Network Monitor Application or the Network Monitor Agent are supposed to register NetBIOS names with the service identifiers [BFh] and [BEh], respectively, but the following output suggests otherwise:

Local Area Connection:
Node IpAddress: [192.168.1.186] Scope Id: []

    NetBIOS Local Name Table

    Name                 Type         Status
    -----------------------------------------------
    EXETER         <00>  UNIQUE       Registered
    TACTEAM        <00>  GROUP        Registered
    EXETER         <03>  UNIQUE       Registered
    EXETER         <20>  UNIQUE       Registered
    TACTEAM        <1E>  GROUP        Registered
    INet~Services  <1C>  GROUP        Registered
    IS~EXETER      <00>  UNIQUE       Registered
    ADMINISTRATOR  <03>  UNIQUE       Registered

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

    NetBIOS Local Name Table

    Name                 Type         Status
    -----------------------------------------------
    DAEDALUS       <00>  UNIQUE       Registered
    TACTEAM        <00>  GROUP        Registered
    DAEDALUS       <03>  UNIQUE       Registered
    DAEDALUS       <20>  UNIQUE       Registered
    TACTEAM        <1E>  GROUP        Registered
    TSHINDER       <03>  UNIQUE       Registered
    INet~Services  <1C>  GROUP        Registered
    IS~DAEDALUS    <00>  UNIQUE       Registered
    DAEDALUS       <01>  UNIQUE       Registered

These are the printouts of the nbtstat -n command run on two of the Windows 2000 computers that Network Monitor identified as running Network Monitor. Neither has registered a NetBIOS name indicating that it is running the Network Monitor Agent or Application. The WINS database on this network also contains no entries to this effect. The moral of this story?
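The check the text is doing by eye, as an added example that is not from the book: parse the `nbtstat -n` name tables and look for the [BEh] (Network Monitor Agent) and [BFh] (Network Monitor Application) suffixes. The sample text is the two listings above re-typed as constructed test data, and the suffix table is the standard NetBIOS 16th-byte table (a subset).

```python
"""Parse `nbtstat -n` output and look for Network Monitor name registrations.

Added example, not from the book.  SAMPLE_NBTSTAT is the two listings in
the text, re-typed here as constructed test data.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class NbtName(NamedTuple):
    name: str
    suffix: int    # 16th byte of the NetBIOS name, e.g. 0x20
    kind: str      # UNIQUE or GROUP
    status: str    # Registered, Conflict, ...


# Well-known 16th-byte suffixes (subset of the standard table).  BE/BF are the
# Network Monitor identifiers the text refers to.
SUFFIX_MEANING: Dict[int, str] = {
    0x00: "Workstation Service (domain name if GROUP)",
    0x01: "Messenger Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (GROUP)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (GROUP)",
    0x20: "File Server Service",
    0xBE: "Network Monitor Agent",
    0xBF: "Network Monitor Application",
}
NETMON_SUFFIXES = {0xBE, 0xBF}

_NODE = re.compile(r"Node IpAddress:\s*\[([\d.]+)\]")
_ROW = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")

SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.168.1.186] Scope Id: []

    NetBIOS Local Name Table

    Name                 Type         Status
    -----------------------------------------------
    EXETER         <00>  UNIQUE       Registered
    TACTEAM        <00>  GROUP        Registered
    EXETER         <03>  UNIQUE       Registered
    EXETER         <20>  UNIQUE       Registered
    TACTEAM        <1E>  GROUP        Registered
    INet~Services  <1C>  GROUP        Registered
    IS~EXETER      <00>  UNIQUE       Registered
    ADMINISTRATOR  <03>  UNIQUE       Registered

Local Area Connection:
Node IpAddress: [192.168.1.3] Scope Id: []

    NetBIOS Local Name Table

    Name                 Type         Status
    -----------------------------------------------
    DAEDALUS       <00>  UNIQUE       Registered
    TACTEAM        <00>  GROUP        Registered
    DAEDALUS       <03>  UNIQUE       Registered
    DAEDALUS       <20>  UNIQUE       Registered
    TACTEAM        <1E>  GROUP        Registered
    TSHINDER       <03>  UNIQUE       Registered
    INet~Services  <1C>  GROUP        Registered
    IS~DAEDALUS    <00>  UNIQUE       Registered
    DAEDALUS       <01>  UNIQUE       Registered
"""


def parse_nbtstat(text: str) -> Dict[str, List[NbtName]]:
    """Return {node IP: [rows]} for every interface's local name table."""
    tables: Dict[str, List[NbtName]] = {}
    node = "unknown"
    for line in text.splitlines():
        m = _NODE.search(line)
        if m:
            node = m.group(1)
            tables.setdefault(node, [])
            continue
        m = _ROW.match(line)
        if m:
            row = NbtName(m.group(1), int(m.group(2), 16), m.group(3), m.group(4))
            tables.setdefault(node, []).append(row)
    return tables


def describe(row: NbtName) -> str:
    return SUFFIX_MEANING.get(row.suffix, f"unknown suffix <{row.suffix:02X}>")


def netmon_registrations(tables: Dict[str, List[NbtName]]) -> List[Tuple[str, NbtName]]:
    """Rows whose suffix is BEh/BFh, i.e. a Network Monitor Agent/Application."""
    return [(node, r) for node, rows in tables.items() for r in rows if r.suffix in NETMON_SUFFIXES]


if __name__ == "__main__":
    tables = parse_nbtstat(SAMPLE_NBTSTAT)
    for node, rows in tables.items():
        print(node)
        for r in rows:
            print(f"  {r.name:15} <{r.suffix:02X}> {r.kind:7} {describe(r)}")
    print("Network Monitor registrations:", netmon_registrations(tables) or "none")
```

Run against the two listings above it reports no BEh/BFh registrations, which is exactly the discrepancy the text points out; a host that does register one shows up in the last line.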
Take advantage of this application, but take a couple of precautions: 1) let it run for an hour or so before concluding that no other Network Monitor users are on the network, and 2) don't bet your job on it!

Buffers

Now click the Capture menu and click Buffer Settings. You'll see what appears in Figure 5.13. The buffer size, in megabytes, determines the amount of data you can capture in a single recording session. The default value is 1MB, but you can choose up to 1024MB (1GB). However, since this data is stored in memory during the recording phase, your practical limit is the amount of available RAM. Even if you are running Network Monitor on a machine with a gigabyte of RAM, you still need to be careful, because it needs to write this information to disk: you need an equivalent amount of free disk space as well. You can also choose how much of each frame you want to capture. Typically, you'll choose Full to maximize your ability to find the things you're looking for.

Figure 5.13 The Capture Buffer Settings dialog box.

Select the Options menu, and then click the Change Temporary Capture Directory command. You'll see a scary message like the one in Figure 5.14.

Figure 5.14 A scary message about changing the Temporary Capture Directory.

TIP: The whole program is for advanced users only!

We're still trying to figure out what danger they want to communicate regarding changing the location of the temporary folder, which is the temporary folder location defined by the system's environment variable. Click OK and you can then choose another folder to contain the temporary capture files. You might want to do this if you've chosen a buffer size larger than the free disk space on the partition that contains your temp directory. Remember that the temporary capture file holds everything you captured, cleartext passwords included, so the folder you choose should be on a local disk with NTFS permissions that keep other users out.

Collecting Data

Now that we're finished with the preliminaries, let's get to the job of collecting some data. The first thing to try is starting a capture without filters, just to get a feel for how the capture process works. There are a couple of ways to start the capture: select the Capture menu and click Start, or click the right-pointing arrow in the toolbar. Either one begins the capture. While it is running, you'll see the gas gauges moving and statistics being collected on the recording session. After letting the capture run for a little while, or after the % Buffer Used value reaches 100, click the button with the eyeglasses next to a square (the Stop and View button). This stops the capture and lets you see the frames that were captured. You'll see the Capture Summary window shown in Figure 5.15. This window lists all the frames captured during the session. If you scroll to the bottom of the list, you'll note that there is a summary frame containing statistics about the current capture. Take note of the column headers, which should all be self-explanatory.

Notice something unusual about the data in Figure 5.15? How about the information in the "Src MAC Addr" and "Dst MAC Addr" fields? Those don't look like MAC addresses. If you noticed this apparent anomaly, congratulations! MAC addresses aren't much fun to look at, so we took advantage of another utility that translates MAC addresses to machine names. Select the Display menu, and then click the Find All Names command. It searches for names, reports its results, and transforms the fields containing MAC addresses into NetBIOS names where it can find this information.
Now, double-click one of the frames, and the display transforms into a tri-pane view as seen in Figure 5.16.

The top pane is the one you just saw. The middle pane contains decoded information from the captured frame, giving details of the frame headers and protocol information. The bottom pane shows the raw hex and the ASCII translation of the captured frame data. At the very bottom of the window, in the status bar, there is a description of the frame selected in the top pane (in this case Ethernet/802.3 MAC Layer), the frame number out of the total number of frames, and an "offset" value for the selected byte in the bottom pane.

In the preceding example, we selected frame number 244, which is an ARP broadcast frame. Notice some of the details in the middle pane. It indicates the hardware type and the protocol type, and the source and destination IP and hardware addresses. Note that the destination hardware address is the Ethernet broadcast address [FFFFFFFFFFFF], because the whole purpose of the ARP broadcast is to resolve the IP address to a hardware address. The capture was taken from EXETER. The ARP broadcast was issued by CONSTELLATION for DAEDALUS, which is the machine with the IP address 192.168.1.3. Do you think we would find the ARP reply later in the capture? The answer is no. That is because the reply will not be sent [...]

Figure 5.15 The Capture Summary window.

[The rest of this part survives only as preview fragments; gaps are marked with "..."]

... tenth attempt.

-r Switch

The -r command shows you the routes taken with each ping attempt. For example, if we type:

ping shinder.net -n 3 -r 9

we get the following output:

Pinging shinder.net [204.215.60.153] with 32 bytes of data:

Reply from 204.215.60.153: bytes=32 time=100ms TTL=252
    Route: 209.44.40.10 ->
           209.44.40.69 ->
           204.215.60.1 ->
           204.215.60.153 ->
           209.44.40.70 ->
           209.44.40.9 ->
           209.44.40.10

Reply from 204.215.60.153: bytes=32 time=100ms TTL=252
    Route: 209.44.40.54 ->
           209.44.40.69 ->
           204.215.60.1 ->
           204.215.60.153 ->
           209.44.40.70 ->
           209.44.40.9 ->
           209.44.40.10

Reply from 204.215.60.153: bytes=32 time=150ms TTL=252
    Route: 209.44.40.10 ->
           209.44.40.69 ->
           204.215.60.1 ->
           204.215.60.153 ...

... [209.44.40.10]
  3  grf-dal-ge002.dallas.net [209.44.40.9]
  4  dal-net70.dallas.net [209.44.40.70]
  5  aux153.plano.net [204.215.60.153]

Computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           ...
  1    0ms     0/ 100 =  0%     0/ 100 =  0%  ...
  2   79ms ...

... a particular problem.

PING

The PING (Packet INternet Groper) command uses ICMP echo messages to communicate with destination computers. The PING command is used most often to test basic TCP/IP connectivity. You can ping a computer by IP address or by host name. The PING command has the following switches:

-t    Ping the specified host until stopped. To see statistics and continue, type Control-Break ...

... select the Display menu, and click Filter. You should see what appears in Figure 5.24.

Figure 5.24 The Display Filter dialog box.

What we want to do is filter out everything except the protocol of interest, and then identify a key phrase contained within the protocol of interest ...
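The `ping -r` listing above is easier to reason about once the recorded route is split into its outbound and return legs and compared across replies. This is an added example, not from the book: the sample is the `ping shinder.net -n 3 -r 9` output in the text, re-typed as constructed data, with the third reply's cut-off return leg filled in with the same hops as the first reply (an assumption made so the sample is complete).

```python
"""Parse `ping -r` (IP Record Route) output and compare the recorded paths.

Added example, not from the book.  SAMPLE_OUTPUT is constructed from the
listing in the text; the third reply's return leg is assumed.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
Pinging shinder.net [204.215.60.153] with 32 bytes of data:

Reply from 204.215.60.153: bytes=32 time=100ms TTL=252
    Route: 209.44.40.10 ->
           209.44.40.69 ->
           204.215.60.1 ->
           204.215.60.153 ->
           209.44.40.70 ->
           209.44.40.9 ->
           209.44.40.10

Reply from 204.215.60.153: bytes=32 time=100ms TTL=252
    Route: 209.44.40.54 ->
           209.44.40.69 ->
           204.215.60.1 ->
           204.215.60.153 ->
           209.44.40.70 ->
           209.44.40.9 ->
           209.44.40.10

Reply from 204.215.60.153: bytes=32 time=150ms TTL=252
    Route: 209.44.40.10 ->
           209.44.40.69 ->
           204.215.60.1 ->
           204.215.60.153 ->
           209.44.40.70 ->
           209.44.40.9 ->
           209.44.40.10
"""

_TARGET = re.compile(r"^Pinging \S+ \[(\d+\.\d+\.\d+\.\d+)\]")
_REPLY = re.compile(r"^Reply from (\d+\.\d+\.\d+\.\d+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)")
_IP = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_ping_r(text: str) -> Tuple[str, List[Dict]]:
    """Return (target_ip, replies); each reply is {"rtt_ms", "ttl", "route"}."""
    target = None
    replies: List[Dict] = []
    in_route = False
    for line in text.splitlines():
        m = _TARGET.match(line)
        if m:
            target = m.group(1)
            continue
        m = _REPLY.match(line)
        if m:
            replies.append({"rtt_ms": int(m.group(3)), "ttl": int(m.group(4)), "route": []})
            in_route = False
            continue
        stripped = line.strip()
        if stripped.startswith("Route:"):
            in_route = True
        if in_route and replies:
            # Each recorded hop is printed on its own line, ending in "->" except the last.
            replies[-1]["route"].extend(_IP.findall(stripped))
            if not stripped.endswith("->"):
                in_route = False
    if target is None:
        raise ValueError("no 'Pinging ... [ip]' header found")
    return target, replies


def split_legs(route: List[str], target: str) -> Tuple[List[str], List[str]]:
    """Split a recorded route at the destination into (outbound, return).

    Record Route stores the address of each forwarding router's outgoing
    interface, on the way out and on the way back, so the destination appears
    once in the middle.  The option holds at most 9 addresses (40 bytes of IP
    option space), which is why `-r 9` is the ceiling; if the destination is
    not present the whole list is treated as outbound.
    """
    if target in route:
        i = route.index(target)
        return route[:i + 1], route[i + 1:]
    return list(route), []


def route_report(text: str) -> Dict[str, object]:
    """Summarise how many distinct outbound/return paths the replies show."""
    target, replies = parse_ping_r(text)
    outbound = {tuple(split_legs(r["route"], target)[0]) for r in replies}
    back = {tuple(split_legs(r["route"], target)[1]) for r in replies}
    return {"target": target, "replies": len(replies), "distinct_outbound": len(outbound),
            "distinct_return": len(back), "max_rtt_ms": max(r["rtt_ms"] for r in replies)}


if __name__ == "__main__":
    print(route_report(SAMPLE_OUTPUT))
```

On the sample the report shows two distinct outbound paths and one return path: the second reply's first hop is 209.44.40.54 rather than 209.44.40.10, which is the kind of inconsistency worth a second look when you are chasing an intermittent path problem.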
... ARP utility is helpful when troubleshooting problems that are related to duplicate IP addresses or duplicate MAC addresses on a segment.

Using ARP

For example, suppose that Computer A and Computer B have inadvertently been given the same IP address, 192.168.1.10. Computer A is supposed to be 192.168.1.10, and Computer B is supposed to be 192.168.1.11. When machines on the same segment as these two computers ...

... to Windows 2000, as it appears in Figure 5.28.

Figure 5.28 The result of the display filter.

Apparently, our rollout of Windows 2000 on the network is being well received!

Event Viewer

The Event Viewer can be used to check on the status of a number of network services. Windows 2000 ...

... protocol. Double-click the protocol to see all the SMB frame properties. Then scroll down the list of SMB frame properties until you find the Data property. You should see what appears in Figure 5.27.

Figure 5.26 The SMB protocol is now the only enabled protocol.

In Figure 5.27, we ...

...
- PING
- NSLOOKUP
- TRACERT
- ARP
- IPCONFIG
- NBTSTAT
- NETSTAT

These basic TCP/IP command-line tools have either the same or enhanced functionality compared to what they could do in Windows NT 4.0. In addition to these tools, Windows 2000 offers some new command-line TCP/IP tools, including PATHPING and NETDIAG. We will see what each of these tools can do, and then look at some examples of how to apply their ...

... Chapter 7, "Troubleshooting Windows 2000 DNS Problems."

PATHPING

Think of the PATHPING utility as the PING utility on steroids. The PATHPING utility sends ICMP echo request messages to each router along the path to the destination host and calculates the round trip from request to reply. The default number of hops is 30, the period 250 milliseconds, and the number of queries to each router 100.

NOTE: The PATHPING ...

... 5.22.

Figure 5.22 The completed Capture Filter.

With this capture ...

... Filtered Captures

The capture we did ...
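The ARP broadcast discussed for frame 244 and the duplicate-address scenario in the ARP fragment above are the same mechanism seen from two sides, so one added example (not from the book) covers both: it builds an Ethernet/ARP request and the matching reply byte for byte, decodes them, and then scans a constructed capture for an IP address that two different MACs claim to own. The MAC addresses and CONSTELLATION's IP are invented for the example; only DAEDALUS's address 192.168.1.3 and the duplicate 192.168.1.10 come from the text. Note that a reply is unicast to the requester's MAC rather than broadcast, which is why a non-promiscuous capture on a third machine sees the request but not the answer.

```python
"""Build and decode Ethernet/ARP frames, and spot duplicate IP addresses.

Added example, not from the book.  MACs and CONSTELLATION_IP are assumptions;
DAEDALUS_IP (192.168.1.3) and the duplicate 192.168.1.10 are from the text.
"""
import struct
from collections import defaultdict
from typing import Dict, List

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

CONSTELLATION_MAC, CONSTELLATION_IP = "00:a0:c9:00:00:01", "192.168.1.20"  # assumed
DAEDALUS_MAC, DAEDALUS_IP = "00:a0:c9:00:00:03", "192.168.1.3"              # MAC assumed
COMPUTER_A_MAC = "00:50:da:00:00:0a"  # assumed
COMPUTER_B_MAC = "00:50:da:00:00:0b"  # assumed


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def _ip(s: str) -> bytes:
    return bytes(int(octet) for octet in s.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str, eth_dst: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP body (28 bytes), IPv4 over Ethernet."""
    eth = _mac(eth_dst) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype=Ethernet, ptype=IPv4
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def decode_arp(frame: bytes) -> Dict[str, object]:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]), "op": op,
            "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
            "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42])}


def arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell sender_ip', sent to the Ethernet broadcast address."""
    return build_arp(ARP_REQUEST, sender_mac, sender_ip, "00:00:00:00:00:00",
                     target_ip, BROADCAST_MAC)


def arp_reply(request: bytes, my_mac: str) -> bytes:
    """Answer a request.  The reply is unicast to the requester's MAC."""
    req = decode_arp(request)
    return build_arp(ARP_REPLY, my_mac, req["target_ip"],
                     req["sender_mac"], req["sender_ip"], req["sender_mac"])


def find_duplicate_ips(frames: List[bytes]) -> Dict[str, List[str]]:
    """IP addresses claimed in the ARP sender fields by more than one MAC."""
    claims = defaultdict(set)
    for f in frames:
        a = decode_arp(f)
        if a["sender_ip"] != "0.0.0.0":  # ignore ARP probes
            claims[a["sender_ip"]].add(a["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed capture: CONSTELLATION resolves DAEDALUS (as in frame 244), then
# asks for 192.168.1.10 and gets an answer from each misconfigured machine.
REQ_DAEDALUS = arp_request(CONSTELLATION_MAC, CONSTELLATION_IP, DAEDALUS_IP)
REQ_DUP = arp_request(CONSTELLATION_MAC, CONSTELLATION_IP, "192.168.1.10")
SAMPLE_CAPTURE = [REQ_DAEDALUS, arp_reply(REQ_DAEDALUS, DAEDALUS_MAC),
                  REQ_DUP, arp_reply(REQ_DUP, COMPUTER_A_MAC), arp_reply(REQ_DUP, COMPUTER_B_MAC)]

if __name__ == "__main__":
    for f in SAMPLE_CAPTURE:
        a = decode_arp(f)
        if a["op"] == ARP_REQUEST:
            print(f"request {a['eth_src']} -> {a['eth_dst']}: who has {a['target_ip']}? tell {a['sender_ip']}")
        else:
            print(f"reply   {a['eth_src']} -> {a['eth_dst']}: {a['sender_ip']} is at {a['sender_mac']}")
    print("duplicate IPs:", find_duplicate_ips(SAMPLE_CAPTURE))
```

The decoded request shows the FF:FF:FF:FF:FF:FF destination from the text, the reply shows CONSTELLATION's own MAC as its destination, and the scan reports 192.168.1.10 claimed by both Computer A's and Computer B's MACs, which is what the `arp -a` cache on the requesting machine would flip between.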

Posted: 13/08/2014, 12:21


