After you have selected a network, you will see the Network Monitor Capture window that is shown in Figure 8.10. There are four panes in the Capture window:

■ Graph pane is in the upper left corner and displays a graphical representation of the current total capture statistics from the collected capture data. See the Network Monitor help file for an explanation of each counter in this pane.

■ Session Statistics pane is located in the left center of the console and displays the current session statistics that constitute data sent to or from your computer. It displays the session’s participants and the amount of data exchanged in either direction. See the Network Monitor help file for an explanation of each counter in this pane.

■ Station Statistics pane is the bottom-most pane that shows your computer’s network activity. See the Network Monitor help file for an explanation of each counter in this pane.

■ Total Statistics pane is located in the upper right corner of the console. The Total Statistics pane shows the network traffic summaries for the inbound and outbound traffic on your computer.

296 Chapter 8 • Monitoring and Troubleshooting Network Activity
301_BD_W2k3_08.qxd 5/11/04 5:06 PM Page 296

Figure 8.8 Select a Network
Figure 8.9 Select a Network with Multiple Adapters
Figure 8.10 Network Monitor Console

Begin your first capture by selecting Capture | Start or clicking Play on the tool bar. You will begin to see data transmissions immediately, as shown in Figure 8.11. Click the Stop and View Capture icon (with the glasses and the square) shown in Figure 8.11, or select Capture | Stop and View or press Shift+F11, to view the captured frames.

Figure 8.11 Network Monitor Console Capturing Data
Figure 8.12 Network Monitor Frame Viewer Window Summary Data

The window shown in Figure 8.12 is called the Frame Viewer window.
Currently it is displaying a full window that contains the Summary Pane, which contains the frames and their statistics to analyze. Three panes are part of the Frame Viewer window (see Figure 8.13):

■ Summary Pane shows the list of captured frames. You can filter this list to isolate the frames that you want to analyze. If you double-click an item in the list, the other two panes become visible.

■ Detail Pane shows the detail of the frame that is currently selected in the Summary Pane, which now occupies only a third of the Frame Viewer window. This hierarchical representation is very informative, and can provide valuable insight into how you approach design and implementation for your network.

■ Hexadecimal Pane is broken down into two views. The first view is the actual data in hexadecimal form that makes up the frame, and the second section is the alphanumeric ASCII representation of that frame.

Basic Configuration

As discussed previously, there are certain settings that are required to monitor your network. For example, you must select a local network. If you don’t set one, then Network Monitor will select your default adapter, which is the first in the network binding order. This may suit your current needs, but you might need to install additional adapters later to monitor multiple networks at the same time. If you want to monitor more than one network, then you must have the additional adapter installed and configured prior to launching Network Monitor. If you install an adapter while Network Monitor is running, then you will need to restart Network Monitor after you install the adapter in order to select that network. Note, however, that if you want to monitor a specific protocol on the network, it is possible to capture that traffic without installing that protocol.
Network Monitor captures data by frames, which means that each captured packet contains the source and destination address, the header information, and the data itself. All the frames transmitted on the segment are processed by all the machines on that network. If the destination is not addressed to that adapter, then the frame is dropped. Broadcast frames are captured as well, since technically they are destined for the local computer as part of the segment. If the adapter has initiated multicast traffic, then it will also be shown.

Figure 8.13 Network Monitor Frame Viewer Window with All Panes Visible

Network Monitor Default Settings

There are several settings that are accessible from the Capture menu. Two of the most important are:

■ The Capture | Addresses menu item, which allows you to define addresses and the metadata about the addresses and stores them in a database. By default, the information about your local adapters is part of this database.

■ The Capture | Buffer Settings item, which allows you to set the Buffer Size in megabytes (MB) and the Frame Size in bytes. The buffer size determines how much data you can capture at one time before Network Monitor stops gathering data. The default setting for buffer size is 1 MB. The maximum value for buffer size is 1024 MB. Frame size is the setting that allows you to configure the number of bytes to capture from each frame. This is useful on token ring networks that are particular about frame size. The default frame size is set to Full, which is the maximum size of 65,535 bytes. The list of frame sizes is a list of numbers that are incremented 64 bytes at a time, and the highest number listed is 65472, even though 65535 (Full) is the largest frame size. You have the option to type your own custom value in the range of 32 bytes to the maximum value, or you can select one of the values provided in the list.
The other menu items on the Capture menu are Filter, Networks, and Trigger. Networks has been discussed earlier in the chapter; Filter and Trigger will be discussed in later sections. By default there are no filters or triggers, and the network is the primary adapter on your machine.

Configuring Monitoring Filters

Capture filters allow you to isolate different types of data transmitted to and from your machine on the specified network. You can use an address database to add addresses to your filter and restrict the captured data to those addresses. You can save the filter to a file so that you can use it again, and create standard address filters for your network. Using filters will reduce buffer usage and save time fishing through an excessive number of captured frames. You can further restrict frames of data by designing a capture filter.

When you select Capture | Filters you will be presented with a Capture Filter dialog box (see Figure 8.14). You can use this dialog to create a logic-based filter using a graphical representation of the Boolean logic you are using to define the filter.

You can filter on a specific protocol by clicking the SAP/ETYPE= line of the Capture Filter dialog and clicking Edit. For example, if you want to capture only IPv6 frames on your network, open the Capture Filter dialog and edit the SAP/ETYPE line, then select and disable all protocols except IP ETYPE 0x86DD.

You can add additional filters on addresses for up to four address pairs at the same time. This will capture packets only from that computer in Network Monitor, or you can define the filter to exclude that computer and its frames from the capture.

You can also specify a pattern to match in the frames you capture. It is possible to use pattern filters to limit the frames to only the ones that contain ASCII or hexadecimal data that you define in the pattern filter.
If you have an idea where the data is located in the frame, you can improve the filter performance by defining byte offsets from the Start of the Frame. The filter will ignore the offset number of bytes and then start searching for the filter criteria from that point in the frame. You can also specify From End of Topology Header. The Topology Header is the definition of the network medium, such as Ethernet or Token Ring. If you are using Ethernet or Token Ring, you should specify the From End of Topology Header option, since Ethernet and token ring have variable size frame headers in the media access control (MAC) protocol. Pattern filters require the offset to be defined, and it defaults to 0 bytes from the start of the frame.

Figure 8.14 Capture Filter Dialog

Configuring Display Filters

Once you have captured data, you can filter the data further by using a display filter. Display filters allow you to focus on the types of frames that you really care about. Display filters apply only to data that you have already captured and have no effect on the actual traffic. You can filter data that you want to analyze in the Frame Viewer window, or if you need only a subset of the information for later, you can apply a filter to restrict the data as you save it to a capture file.

Display filters can include criteria based on source or destination address, and protocol information in the frame. It is possible to use the properties of the protocol and the values the protocol contains in the header to filter data. Protocol properties are the definition of the protocol and its function. If you are inundated with unwanted traffic that is specific to a protocol or a machine address, you can simply add a filter to exclude it by modifying the Protocol== line in the Display Filter dialog.
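The three capture-filter mechanisms described above (the SAP/ETYPE protocol filter, address pairs, and pattern matching at a byte offset measured either from the start of the frame or from the end of the topology header) can be modelled over raw Ethernet frames. The following is an added example written for this page, not code from the book or from Network Monitor itself; the frames, MAC addresses and the ICMPv6 echo payload are constructed inline, and the 802.1Q VLAN tag is used as the case where the Ethernet topology header changes length (14 versus 18 bytes), which is why the "From End of Topology Header" option is the one to choose on Ethernet.

```python
"""Model of Network Monitor capture filters over constructed Ethernet frames.

Added example for this page; not the book's or Microsoft's code. All frames and
addresses below are constructed test data.
"""
import struct
from dataclasses import dataclass

ETYPE_IPV4 = 0x0800
ETYPE_IPV6 = 0x86DD   # the "IP ETYPE 0x86DD" entry named in the text
ETYPE_VLAN = 0x8100   # 802.1Q tag: topology header grows from 14 to 18 bytes


@dataclass
class Frame:
    dst: bytes
    src: bytes
    etype: int
    header_len: int   # length of the topology (Ethernet) header in this frame
    raw: bytes


def parse_ethernet(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, stepping over an 802.1Q tag if present."""
    dst, src = raw[0:6], raw[6:12]
    etype = struct.unpack("!H", raw[12:14])[0]
    header_len = 14
    if etype == ETYPE_VLAN:
        etype = struct.unpack("!H", raw[16:18])[0]
        header_len = 18
    return Frame(dst, src, etype, header_len, raw)


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes, vlan_id=None) -> bytes:
    """Construct a frame; vlan_id inserts an 802.1Q tag before the EtherType."""
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETYPE_VLAN, vlan_id)
    return hdr + struct.pack("!H", etype) + payload


def etype_filter(frames, allowed):
    """SAP/ETYPE filter: keep only frames whose EtherType is in the enabled set."""
    return [f for f in frames if f.etype in allowed]


def address_pair_filter(frames, a: bytes, b: bytes, exclude=False):
    """Address pair filter: traffic between a and b in either direction (include or exclude)."""
    def between(f):
        return (f.src == a and f.dst == b) or (f.src == b and f.dst == a)
    return [f for f in frames if between(f) != exclude]


def pattern_filter(frames, pattern: bytes, offset: int, from_topology_header=False):
    """Pattern filter: match bytes at an offset from the start of the frame or from
    the end of the topology header. The filter skips `offset` bytes and compares."""
    out = []
    for f in frames:
        base = f.header_len if from_topology_header else 0
        if f.raw[base + offset: base + offset + len(pattern)] == pattern:
            out.append(f)
    return out


# --- constructed sample traffic (not a real capture) ---
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
MAC_C = bytes.fromhex("ccddeeff0011")
ECHO_DATA = b"abcdefgh"
DATA_OFFSET_FROM_HEADER = 40 + 8   # IPv6 header + ICMPv6 echo header


def ipv6_echo_payload() -> bytes:
    """IPv6 header (40 bytes) + ICMPv6 echo request (8 bytes) + data; checksum left 0."""
    icmp = struct.pack("!BBHHH", 128, 0, 0, 1, 1) + ECHO_DATA
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 64) + bytes(16) + bytes(16)
    return ip6 + icmp


FRAMES = [parse_ethernet(f) for f in (
    build_frame(MAC_C, MAC_A, ETYPE_IPV4, bytes(28)),                         # untagged IPv4, A -> C
    build_frame(MAC_B, MAC_A, ETYPE_IPV6, ipv6_echo_payload()),               # untagged IPv6, A -> B
    build_frame(MAC_A, MAC_B, ETYPE_IPV6, ipv6_echo_payload(), vlan_id=10),   # tagged IPv6, B -> A
)]

if __name__ == "__main__":
    print("IPv6 only:", len(etype_filter(FRAMES, {ETYPE_IPV6})))
    print("pattern from start of frame:", len(pattern_filter(FRAMES, ECHO_DATA, 14 + DATA_OFFSET_FROM_HEADER)))
    print("pattern from end of topology header:",
          len(pattern_filter(FRAMES, ECHO_DATA, DATA_OFFSET_FROM_HEADER, from_topology_header=True)))
```

The same predicates serve as display filters when run over a buffer that has already been captured; the difference is only whether the rejected frames ever reach the buffer. The run shows the point of the offset option: the pattern measured from the start of the frame finds only the untagged IPv6 frame, while the same pattern measured from the end of the topology header finds both, because the tag shifted the payload by four bytes.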
By applying display filters, you reduce the data in the Capture window to a more manageable size. So if you want to limit the number of frames that you allow Network Monitor to capture, use a capture filter to drop the frames you don’t care about instead of adding them to the trace. After you have captured the data, use a display filter to hide the unwanted frames that are already captured.

Interpreting a Trace

Network Monitor can be used to capture frames of data transmitted to and from your machine. The captured frames are referred to as a network trace. As previously discussed, you can identify capture filters that can be used to focus the trace on the types of frames that contain the information you need. For example, you can define capture filters that would enable you to trace IPSec traffic to your machine from a specific client, and view the data to ensure that it is encrypted. Use the following steps to perform a network trace.

Perform a Network Trace

In this example, you will begin a trace, identify a specific type of frame, and look at its contents. (Before you begin, you must have installed Network Monitor.)

1. Open Network Monitor. Click Start | Administrative Tools | Network Monitor.
2. Click Capture | Start Capture or press F10 to begin capturing frames.
3. From another computer, ping the interface that Network Monitor is capturing frames on for one series.
4. Once the ping is complete, click Capture | Stop or press F11 to stop capturing frames.
5. Examine each of the panes in the Capture window and note the various values.
6. When you are satisfied that you did capture frames on that interface, click Capture | Display Captured Data or press F12. The Capture Summary (see Figure 8.15) appears.
7. Use Display | Filter to open the filter dialog (see Figure 8.16).
8. Click Protocol==ANY and then click Edit Expression.
9. The Expression dialog is displayed. Make sure you are on the Protocol tab, and click Disable All.
10. Locate ICMP in the Disabled protocols list and click Enable, or double-click ICMP. The Expression dialog should look like Figure 8.17.
11. Click OK.
12. In the Display Filter dialog, you will see that Protocol==ANY is now Protocol==ICMP. Click OK.
13. You should see only eight lines in the Capture Summary window, as shown in Figure 8.18. Each of the lines represents either an inbound frame or an outbound frame for the ping we conducted. One ping cycle is four round trips.
14. Double-click one of the entries where the description begins “Echo: From…”. You should see the Capture Detail (middle) pane shown in Figure 8.19.
15. Expand the ICMP tree in the Detail pane and click the last item that begins ICMP: Data: ….
16. Look in the Hexadecimal (bottom) pane at the highlighted text. Note the contents.
17. In the Capture Summary pane (top), click the next frame in the list. The Description should begin “Echo Reply: To…”.
18. Expand the ICMP tree in the Detail pane and click the last item that begins ICMP: Data: ….
19. Look at the highlighted text in the bottom pane. Note the contents. They should be identical to the Data contents in the ICMP Echo. This is how ping is validated.

Figure 8.15 Capture Summary
Figure 8.16 Filter Dialog
Figure 8.17 Expression Dialog with ICMP Enabled
Figure 8.18 Capture Summary with ICMP Display Filter Enabled
Figure 8.19 Capture Detail of ICMP Ping Traffic

Now that you have analyzed a basic capture, locate a good TCP/IP reference and monitor traffic on your network for short periods of time, and practice identifying details about the frames of data on your network.
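Steps 12 through 19 do by hand what the following added example does in code: apply a Protocol==ICMP display filter to a set of captured packets, pair each Echo with its Echo Reply by identifier and sequence number, and check that the reply carries the same Data bytes as the request. This is an example written for this page, not code from the book; the eight ICMP packets (plus one UDP packet that the display filter hides) are constructed inline, one reply is deliberately given altered data so the check has something to report, and the 32-byte payload is only made to resemble a Windows ping. The ICMP checksum is computed and verified as well, so a frame damaged in transit is not paired.

```python
"""Pair ICMP Echo / Echo Reply frames and validate their Data, as in steps 12-19.

Added example for this page; not the book's code. Packets are constructed.
"""
import struct

IP_PROTO_ICMP, IP_PROTO_UDP = 1, 17
ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"   # constructed 32-byte payload


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 128, no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 128, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo/echo-reply message with the checksum filled in."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload) honouring the IHL field."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]


def parse_icmp(msg: bytes):
    """Return (type, identifier, sequence, data, checksum_ok)."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, ident, seq, msg[8:], inet_checksum(msg) == 0


def display_filter_icmp(packets):
    """The Protocol==ICMP display filter: keep only packets carrying IP protocol 1."""
    return [p for p in packets if parse_ipv4(p)[0] == IP_PROTO_ICMP]


def validate_ping(packets):
    """Map sequence number -> 'ok' | 'data mismatch' | 'no reply' for every Echo seen."""
    echoes, replies = {}, {}
    for pkt in display_filter_icmp(packets):
        icmp_type, ident, seq, data, csum_ok = parse_icmp(parse_ipv4(pkt)[3])
        if not csum_ok:
            continue   # a corrupted frame never pairs; its partner shows up as 'no reply'
        if icmp_type == ICMP_ECHO:
            echoes[(ident, seq)] = data
        elif icmp_type == ICMP_ECHO_REPLY:
            replies[(ident, seq)] = data
    report = {}
    for (ident, seq), sent in sorted(echoes.items()):
        got = replies.get((ident, seq))
        report[seq] = "no reply" if got is None else ("ok" if got == sent else "data mismatch")
    return report


# --- constructed sample trace: one ping series (4 round trips) plus a UDP packet ---
CLIENT, SERVER = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])


def build_sample_trace():
    trace = []
    for seq in range(1, 5):
        trace.append(build_ipv4(CLIENT, SERVER, IP_PROTO_ICMP, build_icmp(ICMP_ECHO, 0x0200, seq, PING_DATA)))
        reply_data = PING_DATA if seq != 3 else b"x" + PING_DATA[1:]   # reply 3 deliberately altered
        trace.append(build_ipv4(SERVER, CLIENT, IP_PROTO_ICMP, build_icmp(ICMP_ECHO_REPLY, 0x0200, seq, reply_data)))
    trace.append(build_ipv4(CLIENT, SERVER, IP_PROTO_UDP, bytes(8)))   # hidden by the ICMP display filter
    return trace


if __name__ == "__main__":
    trace = build_sample_trace()
    print("frames after Protocol==ICMP filter:", len(display_filter_icmp(trace)))
    print(validate_ping(trace))
```

Eight frames survive the display filter, matching step 13, and the report flags sequence 3 because its reply Data differs from the Echo Data, which is exactly the comparison steps 16 and 19 ask you to make by eye in the Hexadecimal pane.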
Don’t forget to use capture and display filters to minimize the data gathered and the impact on network traffic.

Monitoring and Troubleshooting Internet Connectivity

Accessing the Internet has become commonplace over the last few years. The accessibility of information resources on the Internet alone makes it a necessity for day-to-day access. The ability to conduct business transactions using e-commerce applications has developed an online marketplace for business-to-business and business-to-consumer sales. It is also possible to provide remote technical support, connectivity between different company locations and voice communication over the Internet, and reduce the cost of travel and support.

With the onset of these new possibilities, you are now tasked with ensuring the high availability of Internet access. In addition to reliable access, you must ensure that the data transmitted over the Internet is protected from prying eyes, and that your network is not blatantly exposed to security threats from inside and outside your network. This section covers some of the various issues associated with Internet access and some of the tools used to monitor and troubleshoot Internet access.

NAT Logging

If you have a small, nonrouted network, you may have implemented the Network Address Translation protocol (NAT) to allow your private network users to access the Internet. There will be a need to monitor and possibly identify problems with applications that use the Internet over the interface that uses the NAT protocol. NAT requires Routing and Remote Access Services (RRAS) on a multihomed computer. One of the network interfaces must be configured with a public IP address, or you may configure it to use demand-dial routing and obtain the public address from your Internet Service Provider (ISP). Take a look at the excellent overview at www.microsoft.com/WINDOWSXP/pro/techinfo/planning/networking/nattraversal.asp for more details on how NAT works.
The first step in troubleshooting NAT is to verify your configuration. There are a few basic settings to verify. Let’s look at the RRAS server settings and identify some of the key details. Both the public interface to the Internet and the private LAN interfaces must be added to the NAT routing protocol and configured to use the correct settings. Figure 8.20 shows the NAT/Basic Firewall tab of the private interface. It must have the Private interface connected to private network option selected.

Another common area for trouble is the Static packet filters options shown at the bottom of the dialog in Figure 8.21. The Static Packet Filters dialog is accessed by clicking the Inbound Filters button shown on the dialog in Figure 8.20. You can configure filters on the traffic Inbound (destined for the private network in this case) and Outbound (destined for the Internet in this case).

Filters are defined by two criteria. The first criterion is the action. The two actions are:

■ Receive all packets except those that meet the criteria defined in the Filters list.

■ Drop all except those that meet the criteria defined in the Filters list.

The second criterion is the filters that are listed in the Filters list. The filters contain settings for the following:

■ The Source network IP address and subnet mask define where the packet is coming from.

■ The Destination network IP address and subnet mask define where the packet is going.

■ Protocol to filter defines the protocol such as TCP, UDP, ICMP, and so on, and the source and destination ports used by the filter. You may also use Any, which includes all possible ports and protocols.

If you have defined filters that permit only specified traffic or deny all traffic except that which is defined in the filter list, you may use NAT logging to identify blocked traffic. We will discuss logging a little later in the chapter.
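The two actions and the three filter settings just listed are easy to get backwards when you are staring at the Static Packet Filters dialog, so the following added example models them in code: a filter list evaluated under either "Receive all packets except" or "Drop all except", with entries keyed on source network and mask, destination network and mask, protocol, and ports, and a log of every dropped packet of the kind NAT logging lets you review. This is an example written for this page, not RRAS code; the `Packet` and `FilterEntry` names, the action strings and the sample packets are all constructed for illustration, and the matching rules are a simplified reading of the dialog rather than a specification of RRAS behaviour.

```python
"""Model of RRAS static packet filters (inbound filters on the private interface).

Added example for this page; not Microsoft's code. Names and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RECEIVE_ALL_EXCEPT = "receive all except"   # first action in the Static Packet Filters dialog
DROP_ALL_EXCEPT = "drop all except"         # second action


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "TCP", "UDP", "ICMP", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class FilterEntry:
    """One row of the Filters list. None means 'any' for that setting."""
    src_net: Optional[str] = None    # "network/subnet mask", e.g. "10.0.0.0/255.0.0.0"
    dst_net: Optional[str] = None
    proto: str = "Any"               # "Any" includes all protocols and ports
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net, strict=False):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net, strict=False):
            return False
        if self.proto != "Any":
            if p.proto != self.proto:
                return False
            if self.sport is not None and p.sport != self.sport:
                return False
            if self.dport is not None and p.dport != self.dport:
                return False
        return True


class StaticPacketFilter:
    def __init__(self, action: str, entries: List[FilterEntry]):
        if action not in (RECEIVE_ALL_EXCEPT, DROP_ALL_EXCEPT):
            raise ValueError(f"unknown action: {action}")
        self.action, self.entries, self.log = action, list(entries), []

    def permits(self, p: Packet) -> bool:
        """Apply the action to the 'matched any entry' result and log anything dropped."""
        matched = any(e.matches(p) for e in self.entries)
        allowed = (not matched) if self.action == RECEIVE_ALL_EXCEPT else matched
        if not allowed:
            self.log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return allowed


def evaluate(action: str, entries: List[FilterEntry], packets: List[Packet]):
    """Run a fresh filter over a packet list; returns (decisions, drop log)."""
    flt = StaticPacketFilter(action, entries)
    return [flt.permits(p) for p in packets], flt.log


# --- constructed sample: inbound filters on a private 192.168.0.0/24 interface ---
ALLOW_ONLY_WEB_AND_PING = [
    FilterEntry(dst_net="192.168.0.0/255.255.255.0", proto="TCP", dport=80),
    FilterEntry(dst_net="192.168.0.0/255.255.255.0", proto="ICMP"),
]
BLOCK_SMB_ONLY = [FilterEntry(proto="TCP", dport=445)]

SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.168.0.10", "TCP", 51000, 80),
    Packet("203.0.113.5", "192.168.0.10", "TCP", 51001, 445),
    Packet("203.0.113.5", "192.168.0.10", "ICMP"),
    Packet("203.0.113.5", "192.168.0.10", "UDP", 53, 1234),
]

if __name__ == "__main__":
    for action, entries in ((DROP_ALL_EXCEPT, ALLOW_ONLY_WEB_AND_PING), (RECEIVE_ALL_EXCEPT, BLOCK_SMB_ONLY)):
        decisions, log = evaluate(action, entries, SAMPLE_PACKETS)
        print(action, decisions)
        for line in log:
            print("   ", line)
```

The same four packets give different results under the two actions with the entries swapped accordingly: "Drop all except" with the web-and-ping list admits only the port 80 and ICMP packets and logs the other two, while "Receive all except" with a single port 445 entry drops only that packet. The drop log is what you would compare against the NAT log when an application stops working after a filter change.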
Now you should examine the external interface.

Figure 8.20 NAT/Basic Firewall Tab of the Private Interface
Figure 8.21 Inbound Static Packet Filters Dialog