Using Network Monitor

The key administration tasks which you can perform using Network Monitor are summarized below:

  • You can capture frames directly from the network which you are monitoring.

  • You can configure capture filters to specify the type of information which should be captured by Network Monitor.

  • You can view captured frames immediately once the capture is complete, or at some later stage.

  • You can filter captured frames by creating display filters. This allows you to find specific information in a capture.

  • You can create triggers that perform an action when the contents of a captured frame match a predefined condition.

  • You can edit captured frames and transmit them back onto the network.

  • You can capture frames from a remote computer.

  • You can resolve device names to MAC addresses.

  • You can also determine the following information:

    • The user who is consuming the most bandwidth

    • The protocol that is consuming the most bandwidth

    • The devices which are routers

Using SMS Network Management Components

With the full version of Network Monitor included with SMS 2.0, you can monitor network activity and capture frames sent to or from any device on the network segment, not only the computer running Network Monitor (the version shipped with Windows NT Server captures local traffic only).

Network Monitor in SMS 2.0 includes experts and monitors. Experts are analysis tools that run against a capture after the fact and report on what it contains. Monitors run continuously against live traffic and raise events when specific traffic patterns, several of them security-relevant, appear.

The different Network Monitor experts are

  • Average Server Response Time; this expert determines the average time taken by each server to reply to a request.

  • Property Distribution; calculates the protocol statistics for a protocol property in a capture session.

  • Protocol Coalesce Tool; for a transaction that was fragmented, this expert combines the frames to form a new capture file.

  • Protocol Distribution; determines which protocols created the majority of the traffic in a capture.

  • TCP Retransmit; indicates those TCP frames which were transmitted multiple times during a capture session.

  • Top Users; determines which senders and receivers created the majority of the traffic in a capture.
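The experts above are statistical passes over a finished capture. The following added example, which is not Network Monitor's code and not from the original page, models four of them in Python over a constructed capture (the frame tuples, addresses and byte counts are made up): Protocol Distribution, Top Users, TCP Retransmit and Average Server Response Time. The rule for recognizing a retransmission (identical endpoints, ports, sequence number and length) and the assignment of the server role to the destination of a conversation's first frame are simplifying assumptions.

```python
from collections import Counter, defaultdict

# Constructed capture (not a real trace). Each frame is
# (time_s, src, dst, proto, sport, dport, tcp_seq, length_bytes).
CAPTURE = [
    (0.000, "10.1.1.20", "10.1.1.5", "TCP", 1025, 139, 100, 120),
    (0.004, "10.1.1.5", "10.1.1.20", "TCP", 139, 1025, 500, 80),
    (0.010, "10.1.1.20", "10.1.1.5", "TCP", 1025, 139, 220, 60),
    (0.210, "10.1.1.20", "10.1.1.5", "TCP", 1025, 139, 220, 60),   # same seq and length again
    (0.215, "10.1.1.5", "10.1.1.20", "TCP", 139, 1025, 580, 1400),
    (0.300, "10.1.1.21", "10.1.1.5", "UDP", 137, 137, 0, 92),
    (0.305, "10.1.1.5", "10.1.1.21", "UDP", 137, 137, 0, 90),
    (0.400, "10.1.1.22", "10.1.1.9", "TCP", 1030, 80, 1, 300),
    (0.460, "10.1.1.9", "10.1.1.22", "TCP", 80, 1030, 1, 1460),
]


def protocol_distribution(capture):
    """Protocol Distribution: bytes per protocol and that protocol's share of the capture in percent."""
    per_proto = Counter()
    for _, _, _, proto, _, _, _, length in capture:
        per_proto[proto] += length
    total = sum(per_proto.values())
    return {proto: (b, round(100 * b / total, 1)) for proto, b in per_proto.items()}


def top_users(capture):
    """Top Users: bytes sent per source and bytes received per destination, busiest first."""
    senders, receivers = Counter(), Counter()
    for _, src, dst, _, _, _, _, length in capture:
        senders[src] += length
        receivers[dst] += length
    return senders.most_common(), receivers.most_common()


def tcp_retransmits(capture):
    """TCP Retransmit: 1-based numbers of TCP frames whose (endpoints, ports, seq, length)
    was already seen earlier in the capture."""
    seen, hits = set(), []
    for number, (_, src, dst, proto, sport, dport, seq, length) in enumerate(capture, start=1):
        if proto != "TCP":
            continue
        key = (src, dst, sport, dport, seq, length)
        if key in seen:
            hits.append(number)
        seen.add(key)
    return hits


def average_server_response_time(capture):
    """Average Server Response Time in milliseconds per server.

    The server of a con–versation is the destination of its first frame. A client frame opens a
    timer for the conversation (a retransmitted request keeps the original start time); the next
    frame from the server closes it."""
    server_of, pending, samples = {}, {}, defaultdict(list)
    for t, src, dst, proto, sport, dport, _, _ in capture:
        conv = (proto, frozenset([(src, sport), (dst, dport)]))
        server = server_of.setdefault(conv, dst)
        if src != server:
            pending.setdefault(conv, t)
        elif conv in pending:
            samples[server].append((t - pending.pop(conv)) * 1000)
    return {server: round(sum(v) / len(v), 1) for server, v in samples.items()}


def run_experts(capture=CAPTURE):
    """Run all four experts and return their reports, as Run Experts in the Experts dialog would."""
    return {"protocol_distribution": protocol_distribution(capture), "top_users": top_users(capture),
            "tcp_retransmits": tcp_retransmits(capture),
            "average_server_response_time": average_server_response_time(capture)}
```

On the constructed capture, frame 4 is reported as a retransmission, 10.1.1.5 is the top sender, and the 205 ms gap caused by that retransmission dominates the server's average response time, which is exactly the kind of result the Average Server Response Time and TCP Retransmit experts are meant to surface together.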

The different Network Monitor monitors are

  • ICMP Redirect Monitor; creates an event whenever an Internet Control Message Protocol (ICMP) Redirect message is sent by a router that is not authorized to redirect traffic, or by a router that is incorrectly configured. Because a forged ICMP Redirect can steer a host's traffic through a machine an attacker controls, treat unexpected redirects as suspicious rather than as a routing hiccup.

  • IP Range Monitor; creates an event when a frame carries an IP address outside the address ranges you define as valid, that is, an address that should not be present on the segment.

  • IP Router Monitor; creates an event when a particular IP router fails.

  • IPX Router Monitor; creates an event when a particular IPX router fails.

  • Rogue Monitor; creates an event when an unauthorized DHCP server or WINS server is detected on the network. A rogue DHCP server can hand clients an attacker's default gateway or DNS server, so this event deserves a security investigation, not just a configuration fix.

  • Security Monitor; creates an event when an unauthorized user is capturing frames with Network Monitor on the network.

  • SyncAttack Monitor; watches for suspicious connection attempts against servers on the network, such as floods of TCP SYN requests that are never completed.
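Three of the monitors above are detection logic that can be stated precisely. The following added example (not Microsoft's monitor code, and not from the original page) implements an IP Range Monitor, the DHCP half of the Rogue Monitor and a SyncAttack Monitor in Python over constructed frames. The addresses, ports and the half-open threshold of 20 are assumptions, as is the state model used to recognize a SYN attack: a connection counts as half-open from its SYN until the client's ACK completes the handshake.

```python
import ipaddress
from collections import defaultdict

# Constructed sample frames (not a real capture): a completed handshake, DHCP offers from an
# authorized and an unauthorized server, one frame from outside the site's address range, and a
# burst of 50 SYNs that is never completed.
FRAMES = [
    {"src": "10.1.1.20", "dst": "10.1.1.5", "proto": "TCP", "sport": 1025, "dport": 139, "flags": "S"},
    {"src": "10.1.1.5", "dst": "10.1.1.20", "proto": "TCP", "sport": 139, "dport": 1025, "flags": "SA"},
    {"src": "10.1.1.20", "dst": "10.1.1.5", "proto": "TCP", "sport": 1025, "dport": 139, "flags": "A"},
    {"src": "10.1.1.1", "dst": "255.255.255.255", "proto": "UDP", "sport": 67, "dport": 68, "dhcp": "OFFER"},
    {"src": "10.1.1.77", "dst": "255.255.255.255", "proto": "UDP", "sport": 67, "dport": 68, "dhcp": "OFFER"},
    {"src": "192.168.50.9", "dst": "10.1.1.5", "proto": "TCP", "sport": 4000, "dport": 139, "flags": "S"},
] + [
    {"src": "10.1.1.99", "dst": "10.1.1.5", "proto": "TCP", "sport": 2000 + i, "dport": 139, "flags": "S"}
    for i in range(50)
]


def ip_range_monitor(frames, valid_ranges):
    """IP Range Monitor: one event per address seen that lies outside the valid ranges.
    Broadcast and multicast destinations are not host addresses and are ignored."""
    nets = [ipaddress.ip_network(r) for r in valid_ranges]
    events = set()
    for f in frames:
        for addr in (f["src"], f["dst"]):
            ip = ipaddress.ip_address(addr)
            if addr == "255.255.255.255" or ip.is_multicast:
                continue
            if not any(ip in n for n in nets):
                events.add(("IP_RANGE", addr))
    return sorted(events)


def rogue_dhcp_monitor(frames, authorized_servers):
    """Rogue Monitor, DHCP half: an OFFER or ACK from a server that is not on the authorized list.
    A rogue server can hand clients an attacker's default gateway or DNS server."""
    return sorted({("ROGUE_DHCP", f["src"]) for f in frames
                   if f.get("dhcp") in ("OFFER", "ACK") and f["src"] not in authorized_servers})


def syn_attack_monitor(frames, half_open_threshold=20):
    """SyncAttack Monitor: a connection (client, server, client port) is half-open from its SYN
    until the client's ACK completes the handshake. A source holding at least
    half_open_threshold half-open connections to one server raises an event."""
    state = {}
    for f in frames:
        if f["proto"] != "TCP":
            continue
        if f["flags"] == "S":
            state[(f["src"], f["dst"], f["sport"])] = "SYN"
        elif f["flags"] == "SA":
            key = (f["dst"], f["src"], f["dport"])          # server answers: key from the client's view
            if state.get(key) == "SYN":
                state[key] = "SYN-ACK"
        elif f["flags"] == "A":
            key = (f["src"], f["dst"], f["sport"])
            if state.get(key) == "SYN-ACK":
                state[key] = "ESTABLISHED"
    half_open = defaultdict(int)
    for (client, server, _), st in state.items():
        if st != "ESTABLISHED":
            half_open[(client, server)] += 1
    return sorted(("SYN_ATTACK", c, s, n) for (c, s), n in half_open.items() if n >= half_open_threshold)


def run_monitors(frames=FRAMES, valid_ranges=("10.1.0.0/16",), dhcp_servers=("10.1.1.1",)):
    """Run all three monitors, as the Monitor Control Tool would, and return the events raised."""
    return (ip_range_monitor(frames, valid_ranges) + rogue_dhcp_monitor(frames, set(dhcp_servers))
            + syn_attack_monitor(frames))
```

The legitimate handshake from 10.1.1.20 never appears in the SyncAttack output because its ACK moved the connection to ESTABLISHED; the single SYN from 192.168.50.9 is below the threshold but is still caught by the IP Range Monitor, which is why the monitors are meant to run side by side.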

With Network Monitor, you can create:

  • Display filters to find specific information in a capture

  • Capture filters to specify the type of data that should be captured

  • Capture triggers to set certain actions to be performed when conditions are met

How to capture data using Network Monitor

  1. To access Network Monitor,

    • Open the SMS Administrator console

    • Expand the Tools node.

    • Right-click Network Monitor and select All Tasks and then Start Network Monitor from the shortcut menu.

  2. The Network Monitor Capture window opens.

  3. To start capturing data, click the Capture menu and then click Start.

  4. Click Stop on the Capture menu when the data you want has been captured.

  5. You can also select the Stop And View item from the Capture menu to end the capture session and view individual frames which were captured during the capture session.

How to view captured data

When you stop a capture session, the Network Monitor Capture window displays capture statistics. The window has the following panes:

  • The Graph pane is located in the upper left corner, and updates only when a capture is taking place. The pane displays the total capture statistics of current network activity in a bar graph format. Statistics displayed include the available network resources being used by the current capture, and the number of frames, bytes, broadcasts, and multicasts captured per second.

  • The Session Statistics pane is located in the middle left window of the Capture window, and displays statistics for the current individual sessions. The information displayed includes the source network address, the destination network address, and the number of frames sent between the two addresses.

  • The Station Statistics pane is located at the bottom of the window, and displays per-station statistics for each network address seen in the capture: the number of frames and bytes sent and received by that address, and the multicasts and broadcasts it transmitted.

  • The Total Statistics pane is located at the right of the window and summarizes all network activity since the capture started:

    • Network Statistics: total frames, bytes, broadcasts and multicasts seen on the network since the capture began, and the number of frames dropped.

    • Capture Statistics: frames and bytes captured, frames and bytes in the temporary capture file, frames dropped, and the share of the capture buffer in use.

    • Per Second Statistics: average network utilization in percent, and the average number of frames, bytes, broadcasts and multicasts per second.

    • Network Card (MAC) Statistics: average activity seen by the network adapter.

    • Network Card (MAC) Error Statistics: adapter errors counted since the capture started.

How to specify the amount of information to print for each captured frame

  1. Open the SMS Administrator console.

  2. Expand the Tools node.

  3. Right-click Network Monitor and select All Tasks and then Start Network Monitor from the shortcut menu.

  4. Open the capture in the Frame Viewer window (Stop And View on the Capture menu, or open a saved capture file); the print options are set from there.

  5. Select Print from the File menu.

  6. You can select between the following options: Print Frame Summary Lines, Print Protocol Details and Print Hex Data.

How to create a capture filter

Creating a capture filter involves defining those capture conditions which should be used to capture frames. You can define the capture conditions which should be used by specifying:

  • Capture filter protocols

  • Address pairs

  • Data pattern matches

    To create a capture filter,

    1. Open the SMS Administrator console.

    2. Expand the Tools node.

    3. Right-click Network Monitor and select All Tasks and then Start Network Monitor from the shortcut menu.

    4. Select Filter from the Capture menu.

    5. The Capture Filter dialog box opens.

    6. All capture filters are illustrated in a decision tree.

    7. Double-click the line of the tree that you want to change: the SAP/ETYPE line to choose the protocols to capture, the (Address Pairs) line to add include or exclude address pairs, or the (Pattern Matches) line to match bytes at a given offset in the frame. Exclude pairs take precedence over include pairs. Click OK when the filter is complete.

    How to create a display filter

    1. Open Network Monitor

    2. Select Filter from the Display menu.

    3. The Display Filter dialog box appears.

    4. Build the display filter from protocol, address and property expressions, then click OK.

    How to create a capture trigger

    You can configure a capture trigger in Network Monitor to specify that specific actions should be initiated when certain conditions are met. If a trigger is configured when data is being captured, Network Monitor examines the contents of the frame and triggers the particular action when a condition is met. The actions that can be configured are:

    1. The computer beeps

    2. The capturing of frames is stopped

    3. A command-line program is executed.

    To configure a capture trigger:

    1. Open Network Monitor

    2. Select Trigger from the Capture menu.

    3. The Capture Trigger dialog box appears.

    4. The options available in the Trigger On section are Pattern match, Buffer size, Pattern match then buffer space, and Buffer space then pattern match.

    5. The options available in the Trigger Action area are Audible Signal Only, Stop Capture, and Execute Command Line.

    6. Click OK.

    How to set the size of the capture buffer

    When data is captured, frames are written into a memory buffer as they arrive. The buffer size determines how much data a capture can hold, and the frame size determines how many bytes of each frame are stored (anything beyond that is discarded, which is useful when only headers are of interest). Do not set the buffer larger than the available physical memory, or the buffer will page to disk and frames will be dropped.

    To set the size of the capture buffer,

    1. Open Network Monitor

    2. Select Buffer Settings from the Capture menu

    3. The Capture Buffer Settings dialog box appears

    4. Change the Buffer Size (MB) setting and Frame Size (Bytes) setting to meet your requirements
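    The capture filter (protocols, address pairs, pattern matches), the capture trigger (its four Trigger On modes and three actions) and the buffer settings described above combine into one decision per frame. The following added example models that pipeline in Python; it is not Network Monitor's own code and not from the original page. The frame layout (58 header bytes before an 0xFF 'SMB' signature), the addresses, the 256-byte buffer and the rule that a full buffer drops frames are assumptions made for the example.

```python
from dataclasses import dataclass, field


def pattern_at(data, offset, pattern):
    # pattern match as Network Monitor defines it: bytes at a fixed offset from the frame start
    return data[offset:offset + len(pattern)] == pattern

@dataclass
class AddressPair:
    """One row of the capture filter's address table; 'ANY' matches every address, rows are two-way."""
    addr_a: str
    addr_b: str = "ANY"
    include: bool = True                 # exclude rows take precedence over include rows

    def matches(self, src, dst):
        return all(a == "ANY" or a in (src, dst) for a in (self.addr_a, self.addr_b))

@dataclass
class CaptureFilter:
    protocols: set = field(default_factory=set)        # empty: capture every protocol
    address_pairs: list = field(default_factory=list)
    pattern: tuple = None                               # (offset, bytes) or None

    def matches(self, frame):
        if self.protocols and frame["proto"] not in self.protocols:
            return False
        src, dst = frame["src"], frame["dst"]
        if any(p.matches(src, dst) for p in self.address_pairs if not p.include):
            return False
        includes = [p for p in self.address_pairs if p.include]
        if includes and not any(p.matches(src, dst) for p in includes):
            return False
        return self.pattern is None or pattern_at(frame["bytes"], *self.pattern)

@dataclass
class CaptureTrigger:
    mode: str                     # pattern | buffer | pattern_then_buffer | buffer_then_pattern
    action: str = "stop"          # beep | stop | command  (the three Trigger Action choices)
    pattern: tuple = None         # (offset, bytes)
    buffer_pct: int = 100         # "buffer space" condition: percent of the capture buffer in use

class Capture:
    # buffer_bytes / frame_bytes play the role of Buffer Size and Frame Size in Capture Buffer Settings;
    # a full buffer drops further frames (modelling assumption), counted like Capture Statistics does
    def __init__(self, filt, trigger=None, buffer_bytes=256, frame_bytes=64, command=None):
        self.filt, self.trigger = filt, trigger
        self.buffer_bytes, self.frame_bytes = buffer_bytes, frame_bytes
        self.command = command or (lambda: "command-line run")    # stands in for Execute Command Line
        self.frames, self.used, self.dropped, self.actions = [], 0, 0, []
        self.stopped = self._pattern_seen = self._buffer_seen = False

    def feed(self, frame):
        if self.stopped or not self.filt.matches(frame):
            return False
        data = frame["bytes"][:self.frame_bytes]                  # Frame Size truncates what is stored
        if self.used + len(data) > self.buffer_bytes:
            self.dropped += 1
            return False
        self.frames.append(data)
        self.used += len(data)
        if self.trigger and not self.actions:                      # a trigger fires once per capture
            self._evaluate(data)
        return True

    def _evaluate(self, data):
        t = self.trigger
        pattern_now = t.pattern is not None and pattern_at(data, *t.pattern)
        buffer_now = self.used * 100 >= self.buffer_bytes * t.buffer_pct
        self._pattern_seen = self._pattern_seen or pattern_now     # latched for the "then" modes
        self._buffer_seen = self._buffer_seen or buffer_now
        fire = {"pattern": pattern_now, "buffer": buffer_now,
                "pattern_then_buffer": self._pattern_seen and buffer_now,
                "buffer_then_pattern": self._buffer_seen and pattern_now}[t.mode]
        if fire:
            self.actions.append(t.action)
            if t.action == "stop":
                self.stopped = True
            elif t.action == "command":
                self.actions.append(self.command())

def frame(src, dst, proto, smb=False, payload=b""):
    # constructed frame: 58 zero bytes stand in for Ethernet/IP/TCP/NetBIOS session headers,
    # then the 0xFF 'SMB' signature when smb=True, then the payload
    return {"src": src, "dst": dst, "proto": proto,
            "bytes": b"\x00" * 58 + (b"\xffSMB" if smb else b"") + payload}

SAMPLE = [
    frame("10.1.1.20", "10.1.1.5", "TCP", smb=True, payload=b"\x72" + b"\x00" * 20),  # kept, cut to 64 bytes
    frame("10.1.1.20", "10.1.1.5", "UDP"),                                             # wrong protocol
    frame("10.1.1.99", "10.1.1.5", "TCP", smb=True),                                   # excluded address
    frame("10.1.1.30", "10.1.1.8", "TCP", smb=True),                                   # no include row matches
    frame("10.1.1.5", "10.1.1.20", "TCP", payload=b"\x00" * 30),                       # reply, kept (two-way row)
    frame("10.1.1.20", "10.1.1.5", "TCP", smb=True),                                   # kept, 62 bytes
    frame("10.1.1.20", "10.1.1.5", "TCP", smb=True),                                   # kept, 62 bytes
]
FILTER = CaptureFilter(protocols={"TCP"},
                       address_pairs=[AddressPair("10.1.1.5"), AddressPair("10.1.1.99", include=False)])
TRIGGER = CaptureTrigger("pattern_then_buffer", action="stop", pattern=(58, b"\xffSMB"), buffer_pct=90)

def run_capture(frames=SAMPLE, filt=FILTER, trigger=TRIGGER, **buffer_settings):
    capture = Capture(filt, trigger, **buffer_settings)
    for f in frames:
        capture.feed(f)
    return capture
```

    With the sample filter, four of the seven frames reach the buffer, each cut to the 64-byte frame size. The pattern-then-buffer trigger latches on the first SMB frame and fires only when the buffer passes 90 percent, so the capture stops with the SMB traffic that preceded the threshold still in memory; shrinking the buffer to 128 bytes without a trigger shows frames being dropped instead.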

    How to enable the Network Monitor experts

    1. Open Network Monitor.

    2. Open the capture file that you want to work with.

    3. Click the File menu and then click Experts.

    4. The Network Monitor Experts dialog box opens.

    5. Select the expert that you want to enable and then click Configure Expert.

    6. Configure the necessary options and click OK.

    7. In the Network Monitor Experts dialog box, click Add To Run List.

    8. Click Run Experts to run the expert.

    9. A Network Monitor Event Viewer window is displayed once the expert has completed.

    How to use the Network Monitor Control Tool

    1. Open the SMS Administrator console.

    2. Expand the Tools folder.

    3. Right-click Network Monitor, and click All Tasks and then Start Network Monitor Control Tool from the shortcut menu.

    4. The Monitor Control Tool window opens.

    5. To monitor a remote computer, click the File menu and then click Remote Computer.

    6. The Remote Computer dialog box opens.

    7. Specify the IP address of the remote computer and then click OK.

    8. In the Installed Monitors list, choose the monitor that you want to enable and then click the Enable button.

    9. Click Yes to configure the monitor immediately, or click No to configure it later.

    10. For each monitor, the configuration screen differs.

    11. After configuring the necessary settings, click the Set Monitor Configuration button.

    12. The Monitor Control Tool window will be displayed.

    13. Select each monitor in the Enabled Monitors list, and then click the Start button to start the monitor.

    Using HealthMon

    HealthMon is another optional SMS component, one that gives you a view of the status of a Windows-based computer. HealthMon uses Performance Monitor objects and counters to collect data and to evaluate it against status thresholds. In HealthMon, these threshold settings are called monitoring policies.

    The different HealthMon objects and the counters related to these objects are listed here:

    1. Exchange Server object; contains the following counters:

      • MSEXCHANGEDS Service Started

      • MSEXCHANGEIS Service Started

      • MSEXCHANGEMTA Service Started

      • MSEXCHANGESA Service Started

    2. Fault object; contains the following counters:

      • Pool Non-Paged Failures

      • Pool Paged Failures

      • Sessions Errored Out

    3. IIS Server object; contains the IIS Service Started counter.

    4. Logical Disk object; contains the Percent Free Disk Space counter.

    5. Memory object; contains the following counters:

      • Available Memory Bytes

      • Pages Per Second

      • Page Reads Per Second

      • Percent Committed Bytes to Limit

      • Pool Non-Paged Bytes

    6. Network Interface object; contains the Excessive Network Traffic Bytes Total/Sec counter.

    7. Paging File object; contains the following counters:

      • Percent Peak Usage

      • Percent Usage

    8. Physical Disk object; contains the following counters:

      • Disk Queue Length

      • Diskperf Driver Started

      • Percent Disk Time

    9. Process object; contains the following counters:

      • Interrupts Per Second

      • Percent Total System Time

    10. Security object; contains the following counters:

      • Errors Access Permission

      • Errors Logon

    11. Server Work Queues object; contains the following counters:

      • Context Blocks Queued/Sec

      • Processor Queue Length

    12. SMS object; contains the following counters:

      • SMS_Executive Service Started

      • SMS_Site_Component_Manager Service Started

      • SMS_SQL_Monitor Service Started

    13. SNA Server object; contains the following counters:

      • Host Connection Status

      • SNABASE Service Started

    14. SQL Server object; contains the following counters:

      • MSDTC Service Started

      • MSSQL Server Service Started

    The HealthMon utility is not installed when you run the SMS 2.0 Setup program. You have to manually install the utility. The HealthMon utility is made up of the following components:

    1. HealthMon Agent

    2. HealthMon Console

    The HealthMon Agent must be installed on each computer system that you want to monitor.

    How to install the HealthMon utility

    1. Using the SMS 2.0 CD, open the Healthmon folder.

    2. Expand the folder to the proper platform folder.

    3. Expand the platform folder to access the Agent folder.

    4. Double-click Setup.exe.

    5. The SMS HealthMon Agent Installation Wizard launches.

    6. Follow the various prompts of the HealthMon Agent Installation Wizard to install the HealthMon Agent.

    7. Click Finish when the final HealthMon Agent Installation Wizard screen is displayed.

    8. To install the HealthMon console, expand the platform folder once more to access the Console folder.

    9. Double-click Setup.exe.

    10. The SMS HealthMon Console Installation Wizard launches.

    11. Follow the various prompts of the HealthMon Console Installation Wizard to install the HealthMon console.

    12. Click Finish when the final HealthMon Console Installation Wizard screen is displayed.

    13. The HealthMon console can be accessed from within the Systems Management Server program group.

    How to add the systems to monitor in the HealthMon console

    1. Open the HealthMon console. If this is the first time that you are going to use HealthMon to monitor systems, then no monitored systems will appear in the HealthMon console.

    2. In the console tree, right-click Monitored Systems and select New and then System from the shortcut menu.

    3. The New Monitored System dialog box opens.

    4. In the textbox, provide the name of the particular system which you want to monitor.

    5. Click OK.

    6. In the console tree of the HealthMon console, expand the new monitored system entry that you created to display the component status and event status of the system.

    How to configure HealthMon (components to monitor)

    1. Open the HealthMon console.

    2. Right-click the monitored system that you want to configure and then select Properties from the shortcut menu.

    3. The System Properties dialog box opens.

    4. On the General tab, select the components which you want to monitor by selecting the checkbox alongside each component which should be enabled.

    5. Click OK.

    How to configure HealthMon (components properties)

    1. Open the HealthMon console.

    2. Expand the appropriate monitored system folder in the console tree.

    3. Select the Components folder.

    4. To enable a component, right-click the component you want to enable and then select Enable from the shortcut menu.

    5. To configure the component's properties, right-click the component and then select Properties from the shortcut menu.

    6. The Properties dialog box for the component opens.

    7. Configure the desired properties settings for the component.

    8. Click OK.

    Using Network Trace

    The Network Trace utility can be used to monitor your site system structure. It provides a map of the SMS site systems, which you can use to check the status of the computers that supply services to an SMS site.

    Network Trace provides the following features:

    1. Information on the physical connection status to the site systems.

    2. Information on the roles performed by a site system.

    3. Information on the process and thread status of the SMS components on the site system.

    4. A map detailing the network between the site system and the site server computer.

    The Network Trace utility provides the following two views:

    1. Trace view; displays the selected site system, the site system roles it performs, and its IP subnet or IPX network number.

    2. Site view; displays all site systems in the SMS site, not only the site system selected in the SMS Administrator console.

    How to access the Network Trace utility

    1. Open the SMS Administrator console.

    2. Select a site system.

    3. Click the Action menu.

    4. Select the Start Network Trace command.

    How to verify physical connectivity to site systems using the Network Trace utility

    1. Open the SMS Administrator console.

    2. Select a site system.

    3. Click the Action menu.

    4. Select the Start Network Trace command.

    5. Click the Tools menu.

    6. Select one of the following options:

      • Ping All Servers and Routers

      • Ping Selected Server(s) and Router(s)

    Network Trace sends Internet Control Message Protocol (ICMP) echo requests to verify physical connectivity and then reports each connection as one of the following:

    1. Good connections

    2. Broken connections

    3. Network routes not found

    How to verify the process and thread status of the SMS components on the site system

    1. Open the SMS Administrator console.

    2. Select a site system.

    3. Click the Action menu.

    4. Select the Start Network Trace command.

    5. Select the specific site system from the Network Trace window.

    6. Click the Tools menu.

    7. Select the Poll Components of Selected Servers command.

    8. The Component Poller dialog box opens.

    9. Each SMS component on the site system is displayed.

    10. To check the status of all SMS components select the Poll All button.

    11. To check the status of a specific SMS component, select the SMS component and then select the Poll Selected button.

    Simple Network Management Protocol (SNMP) and SMS Event to Trap Translator Overview

    The Simple Network Management Protocol (SNMP) is the network management protocol used for communication between a network management console and devices on the network. SNMP is part of the TCP/IP suite and runs over UDP. To share management information, SNMP uses a manager/agent framework.

    The SNMP agent on each managed device reports status and configuration information to the Network Management Station (NMS). The information an agent exposes is organized as a Management Information Base (MIB), a tree of objects each identified by an object identifier (OID).

    A managed device can be any of these hardware components:

    1. Microcomputer

    2. Minicomputer

    3. Mainframe computers

    4. Terminal servers

    5. Routers

    6. Gateways

    7. Bridges

    8. Repeaters

    9. Wiring hubs

    10. Network printers

    The SNMP service enables the Network Management Station (NMS) to monitor the following Windows operating systems and services:

    1. Windows NT Workstation and Windows NT Server version 3.51 – 4.0

    2. Windows 2000 operating systems

    3. Windows Server 2003 operating systems

    4. Internet Information Server service.

    5. DHCP service

    6. WINS service

    The Network Management Station (NMS) uses the following operations to gather status and configuration information from the managed devices through their SNMP agents:

    1. GET; retrieves the current value of one or more named MIB objects from the agent of the managed device.

    2. GET-NEXT; retrieves the object that follows a given OID in lexicographic MIB order. Issued repeatedly, GET-NEXT walks a table or the entire MIB without the NMS having to know the object names in advance.

    3. SET; writes a value to a writable MIB object on the managed device, which lets the NMS change the device's configuration.

    In the other direction, the agent sends unsolicited TRAP messages to the NMS, which is how the Event to Trap Translator described later delivers Windows events. Note that SNMPv1 and SNMPv2c authenticate every request with nothing more than a clear-text community string, so the SNMP service should accept packets only from the NMS hosts and use a read-only community unless SET is genuinely required.
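    To make the three operations concrete, the following added example (not from the original page and not Microsoft's SNMP service) encodes SNMPv1 GET, GET-NEXT and SET requests in BER by hand, runs them against a small constructed agent, and walks the agent's MIB with GET-NEXT. The MIB contents are made up; the object identifiers are the standard sysDescr, sysUpTime and sysName from MIB-II. Because the encoder is explicit, the clear-text community string can be located at a fixed offset in the request bytes, which is why community strings need the protections described above.

```python
PDU_GET, PDU_GETNEXT, PDU_RESPONSE, PDU_SET = 0xA0, 0xA1, 0xA2, 0xA3
NO_ERROR, NO_SUCH_NAME = 0, 2                       # error-status values from RFC 1157

def _length(n):                                     # BER length: short form below 128, long form above
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def encode_int(v):                                  # INTEGER, minimal two's complement
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def encode_oid(dotted):                             # OBJECT IDENTIFIER: base-128 sub-identifiers
    ids = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * ids[0] + ids[1]])         # the first two sub-ids share one byte
    for sub in ids[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:                                  # high bit set on every byte but the last
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def build_message(pdu_tag, community, request_id, varbinds, error_status=NO_ERROR, error_index=0):
    # varbinds: list of (dotted OID, value tag, value bytes); tag 0x05 with b"" is NULL, used in requests
    vbl = b"".join(tlv(0x30, encode_oid(oid) + tlv(tag, val)) for oid, tag, val in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(error_status)
              + encode_int(error_index) + tlv(0x30, vbl))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1

def _tlv(buf, pos=0):                               # -> (tag, body, position after this element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _int(body):
    return int.from_bytes(body, "big", signed=True)

def decode_oid(body):
    ids, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(val)
            val = 0
    return ".".join(map(str, ids))

def parse_message(buf):
    _, msg, _ = _tlv(buf)
    _, version, p = _tlv(msg)
    _, community, p = _tlv(msg, p)
    pdu_tag, pdu, _ = _tlv(msg, p)
    _, rid, p = _tlv(pdu)
    _, err, p = _tlv(pdu, p)
    _, idx, p = _tlv(pdu, p)
    _, vbl, _ = _tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _tlv(vbl, p)
        _, oid, q = _tlv(vb)
        vtag, vbody, _ = _tlv(vb, q)
        varbinds.append((decode_oid(oid), vtag, vbody))
    return {"version": _int(version), "community": community.decode(), "pdu_tag": pdu_tag,
            "request_id": _int(rid), "error_status": _int(err), "error_index": _int(idx),
            "varbinds": varbinds}

MIB = {                                             # constructed agent data: OID -> (value tag, value bytes)
    "1.3.6.1.2.1.1.1.0": (0x04, b"Windows NT 4.0 Server"),     # sysDescr.0, OCTET STRING
    "1.3.6.1.2.1.1.3.0": (0x43, (123456).to_bytes(3, "big")),  # sysUpTime.0, TimeTicks
    "1.3.6.1.2.1.1.5.0": (0x04, b"SMSSITE01"),                 # sysName.0
}
_oid_key = lambda oid: tuple(int(x) for x in oid.split("."))

def agent_respond(request, mib=MIB, community="public"):
    # constructed read-only agent: a wrong community is silently discarded (RFC 1157); a SET against a
    # read-only community gets noSuchName, as RFC 1157 prescribes for objects the community cannot write
    msg = parse_message(request)
    if msg["community"] != community:
        return None
    oid, tag, val = msg["varbinds"][0]
    found = None
    if msg["pdu_tag"] == PDU_GET and oid in mib:
        found = oid
    elif msg["pdu_tag"] == PDU_GETNEXT:             # next OID in lexicographic order: how a MIB walk works
        found = next((k for k in sorted(mib, key=_oid_key) if _oid_key(k) > _oid_key(oid)), None)
    if found is None:
        return build_message(PDU_RESPONSE, community, msg["request_id"], [(oid, tag, val)], NO_SUCH_NAME, 1)
    return build_message(PDU_RESPONSE, community, msg["request_id"], [(found, *mib[found])])

def walk(start="1.3.6.1.2.1.1", community="public"):
    # NMS side: repeat GET-NEXT until the agent reports noSuchName (end of MIB) or stops answering
    results, oid, rid = [], start, 1
    while True:
        reply = agent_respond(build_message(PDU_GETNEXT, community, rid, [(oid, 0x05, b"")]))
        if reply is None or parse_message(reply)["error_status"] == NO_SUCH_NAME:
            return results
        oid, _, val = parse_message(reply)["varbinds"][0]
        results.append((oid, val))
        rid += 1
```

    A GET for sysDescr.0 with community "public" encodes to 40 bytes, and the community string sits in the clear at byte offset 7, right after the version field, which is what anyone capturing the segment with Network Monitor will see. The walk starts below the system group and stops when the agent returns noSuchName; a SET with a read-only community is refused with the same error code, and a request with the wrong community gets no reply at all.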

    After the SNMP service is installed, the following Performance Monitor objects are available:

    1. Network Interface object; provides statistical information on network interfaces bound to the TCP/IP protocol suite.

    2. IP object; provides statistical information on the IP transport protocol of the TCP/IP protocol suite.

    3. TCP object; provides statistical information on the TCP protocol of the TCP/IP protocol suite.

    4. UDP object; provides statistical information on the UDP protocol of the TCP/IP protocol suite.

    5. ICMP object; provides statistical information on the ICMP protocol of the TCP/IP protocol suite.

    6. DHCP object; provides statistical information on the DHCP Server service.

    7. WINS object; provides statistical information on the WINS Server service.

    8. IIS object; provides statistical information on the IIS service.

    9. FTP object; provides statistical information on the FTP Server service.

    The SMS Event to Trap Translator translates selected Windows event-log events into SNMP traps and sends them to the Network Management Stations (NMSs). The event data is carried in the trap as strings. Because a trap is a single UDP datagram, the Event to Trap Translator trims events that are too long, so that oversized traps are not dropped by routers along the path.

    SNMP event to trap translation is supported on each client computer in the SMS site. Before you can enable the Event to Trap Translator Client Agent on the client computers, the following requirements have to be met:

    1. The TCP/IP protocol has to be installed and enabled on the computers which will be used in SNMP event to trap translation.

    2. The SNMP service must be installed and correctly configured on the client computers.

    The SNMP Event to Trap Translator Client Agent is enabled in the SMS Administrator console, from the Client Agents node.

    How to install the SNMP service

    1. Open Control Panel.

    2. Double-click Network.

    3. The Network dialog box opens.

    4. Click the Protocols tab.

    5. Ensure that the TCP/IP Protocol is listed as an installed protocol.

    6. Install the TCP/IP Protocol if it is not installed.

    7. In the Network dialog box, click the Services tab.

    8. Click the Add button.

    9. In the Network Service list, select the SNMP service and click OK.

    10. Provide the installation path and click Continue.

    11. The SNMP Properties dialog box opens. On the Traps tab, enter the community name and the address of the NMS that should receive traps; on the Security tab, accept SNMP packets only from the NMS hosts and use a read-only community unless SET operations are required, since SNMPv1 community strings travel in clear text. Click OK.

    How to enable the SNMP Event to Trap Translator Client Agent

    1. Open the SMS Administrator console.

    2. Expand the Site Settings node.

    3. Select the Client Agents node.

    4. Select the Event to Trap Translator Client Agent and then select Properties from the Action menu.

    5. The Event to Trap Translator Client Agent Properties dialog box opens.

    6. Check the Enable event to trap translation on clients checkbox.

    7. Click OK.

    8. The Event to Trap Translator Client Agent is installed on all Windows client computers in the SMS site.

    How to configure the Event to Trap Translator

    By default, no events are translated: the Event to Trap Translator window starts with an empty list, and you have to add each event that should become an SNMP trap.

    After adding the events to be translated, you configure how they are translated from the Event to Trap Translator window.

    The following configuration settings can be defined:

    The Properties dialog box of an event sets its translation threshold: either a plain event count, or a count that must be reached within a time interval.

    The Settings dialog box is used to define the following configuration settings:

    1. Limit the byte length of a trap so that it is not dropped by routers along the path.

    2. Configure SNMP trap throttling.

    The Export dialog box is used to Export the translated events to a file which can be processed at the Network Management Stations (NMSs).

    To configure the Event to Trap Translator,

    1. Open the SMS Administrator console.

    2. Select the collection which you want to work with.

    3. Right-click the computer name for which you want to configure the Event to Trap Translator, and select All Tasks and then select Start Event to Trap Translator from the shortcut menu.

    4. The Event To Trap Translator dialog box opens.

    5. The Event Sources area of the Event To Trap Translator dialog box contains the following three folders:

      • Application folder

      • Security folder

      • System folder

    6. Using these folders, select the events from the Events list and then click the Add button.

    7. The Properties dialog box of the event is displayed.

    8. You can configure a threshold before the event is translated.

    9. In the If Event Count Reaches textbox, specify the number of times the specific type of event has to occur before a trap is generated.

    10. Select the Within Time Interval checkbox, and then specify the number of seconds within which the specified number of events has to take place prior to the event translating into a trap.

    11. Click OK.

    12. When the Event To Trap Translator dialog box is displayed, click the Settings button.

    13. The Settings dialog box is displayed.

    14. Select the Limit trap length checkbox to cap traps at a byte length, and change the value if the default of 4096 bytes does not suit your network.

    15. You can also enable the following options:

      • Trim insertion strings first.

      • Trim formatted message first.

    16. In the Trap Throttle area of the Settings dialog box, you can limit the number of traps sent within a time interval, so that an event storm does not flood the NMS.

    17. Click OK.

    18. When the Event To Trap Translator dialog box is displayed, click the Export button.

    19. The Export Events dialog box is displayed.

    20. Here, you can configure that the translated events be exported to a text file or to a Config Tool (.CNF) format file.

    21. Click Save.

    22. Click OK in the Event To Trap Translator dialog box.
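    The threshold, trap length and throttle settings of steps 8 to 16 interact, and the following added example (not the Event to Trap Translator's own code, and not from the original page) models them in Python over constructed event-log records. The event IDs, times and messages are made up (529 stands for a failed logon and 7031 for a service crash as sample data only); the throttle is modelled as dropping traps beyond a count per time window, and trimming removes characters from the end of the last insertion string or of the formatted message. Both are assumptions about behaviour the page does not spell out.

```python
from collections import defaultdict, deque

# Constructed event-log records (not from a real machine):
# (time_s, log, source, event_id, insertion_strings, formatted_message)
EVENTS = [
    (0, "Security", "Security", 529, ["alice", "SMSSITE01", "2"], "Logon failure: alice on SMSSITE01"),
    (5, "Security", "Security", 529, ["alice", "SMSSITE01", "2"], "Logon failure: alice on SMSSITE01"),
    (9, "Security", "Security", 529, ["alice", "SMSSITE01", "2"], "Logon failure: alice on SMSSITE01"),
    (200, "Security", "Security", 529, ["bob", "SMSSITE01", "2"], "Logon failure: bob on SMSSITE01"),
    (201, "Security", "Security", 529, ["bob", "SMSSITE01", "2"], "Logon failure: bob on SMSSITE01"),
    (202, "Security", "Security", 529, ["bob", "SMSSITE01", "2"], "Logon failure: bob on SMSSITE01"),
    (210, "System", "Service Control Manager", 7031, ["SMS_EXECUTIVE"], "Service SMS_EXECUTIVE terminated"),
]

# Events added in the Event to Trap Translator window, with the threshold from each event's
# Properties dialog: (If Event Count Reaches, Within Time Interval in seconds or None).
RULES = {
    ("Security", "Security", 529): (3, 60),                  # 3 failed logons within a minute
    ("System", "Service Control Manager", 7031): (1, None),  # every service crash, no time window
}


class EventToTrapTranslator:
    def __init__(self, rules=RULES, limit_trap_length=None, trim_insertion_first=True, throttle=None):
        """limit_trap_length and trim_insertion_first mirror the Settings dialog; throttle is
        (max_traps, window_s): traps beyond max_traps inside window_s are dropped (modelling
        assumption for the Trap Throttle setting)."""
        self.rules, self.limit, self.throttle = rules, limit_trap_length, throttle
        self.trim_insertion_first = trim_insertion_first
        self.history, self.sent_at = defaultdict(deque), deque()
        self.traps, self.throttled = [], 0

    def feed(self, time_s, log, source, event_id, strings, message):
        rule = self.rules.get((log, source, event_id))
        if rule is None:
            return None                                   # not added in Event Sources: never translated
        count, interval = rule
        hist = self.history[(log, source, event_id)]
        hist.append(time_s)
        while interval is not None and time_s - hist[0] > interval:
            hist.popleft()                                # only occurrences inside the window count
        if len(hist) < count:
            return None
        hist.clear()                                      # threshold reached: start counting afresh
        trap = self._trim({"log": log, "source": source, "event_id": event_id,
                           "strings": list(strings), "message": message})
        if self.throttle and self._throttled(time_s):
            self.throttled += 1
            return None
        self.sent_at.append(time_s)
        self.traps.append(trap)
        return trap

    def _trim(self, trap):
        """Cut the trap down to the byte limit, insertion strings first or the formatted message
        first, as selected in the Settings dialog."""
        if self.limit is None:
            return trap
        size = lambda: len(trap["message"]) + sum(len(s) for s in trap["strings"])
        for part in (["strings", "message"] if self.trim_insertion_first else ["message", "strings"]):
            while size() > self.limit:
                if part == "message" and trap["message"]:
                    trap["message"] = trap["message"][:-1]
                elif part == "strings" and any(trap["strings"]):
                    i = max(i for i, s in enumerate(trap["strings"]) if s)   # last non-empty string
                    trap["strings"][i] = trap["strings"][i][:-1]
                else:
                    break
        return trap

    def _throttled(self, time_s):
        max_traps, window = self.throttle
        while self.sent_at and time_s - self.sent_at[0] > window:
            self.sent_at.popleft()
        return len(self.sent_at) >= max_traps


def translate(events=EVENTS, **settings):
    translator = EventToTrapTranslator(**settings)
    for event in events:
        translator.feed(*event)
    return translator
```

    With the sample rules, alice's three failures within nine seconds become one trap and bob's become another; with a throttle of two traps per 300 seconds the service-crash trap at t=210 is the one that gets dropped, which illustrates why the throttle should be sized so that a burst of one event type cannot suppress a more important one.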