Watching the Network Traffic Flow
In Part 2 of our two-part series on monitoring network traffic, we continue our look at some of the tools that are built in to Windows Server 2003. We also touch on some third-party tools that you may want to consider.
In Part 2 of our two-part series on monitoring network traffic, we continue our look at some of the tools that are built in to Windows Server 2003. We also touch on some third-party tools that you may want to consider. (If you missed Part 1, check it out here.)
Let's pick up our discussion of Windows Server 2003's networking monitoring tools where we left off: the Performance Console. In addition to displaying information in the standard graph view, the Performance Console makes it possible to log information to a file. It also allows you to configure thresholds, so that you can be alerted in the event of a network problem. Both of these functions are features of the Performance Logs and Alerts element of the Performance Console.
Covering the Baselines
Logging also allows you to perform one of network management's most important tasks taking baselines. As you are probably aware, a baseline is a measure of a server's performance under various conditions, recorded for future comparison purposes. Without baselines, there is no way to know if that all-too-common user complaint "the network is running slow," is correct or not.
With a baseline in hand, however, you can compare the information gained when the networking is running normally with the state of the network as it is now. Subtracting one set of statistics from the other will give you a real idea of whether or not the network really is running slowly.
Using the Performance Log feature of the Performance Console is simple. The utility uses the same set of counters that are used by System Monitor. You need only specify what counters are to be monitored and at what intervals. Information can be logged to a variety of file formats including binary, text (comma or tab-delimited) and SQL. You can also configure logging to start and stop at preset times. Very handy for those hard-to-track issues that surface every morning at 3 a.m.
There are actually two types of logs available in the Performance Logs and Alerts utility: Counter logs and Trace logs. It is the Counter logs that you will be specifically interested in when monitoring network traffic. (The Trace logs are used to record a preset selection of system events such as process creation or deletion and page faults. It is not used for recording network traffic statistics.)
How you view information after it has been recorded into a Counter log will depend on what file format you used to create the log. Binary files can be opened in the Performance Console and viewed in the graph format, just as if the information were live. For those with SQL or another compatible database, the option to store information in a SQL format will be most attractive.
One word of caution when using the Performance Console: You should avoid enabling too much logging. Doing so will create additional load on the system, which in addition to slowing other aspects of the server down, can cause the statistics provided by Performance Console to be skewed. Enabling too many counters, or setting the sample rate too short, can ultimately be self-defeating. For this reason, consider carefully what statistics you are interested in, and make sure you are recording information only as frequently as you really need to. Conversely, it is also important not to have information recorded too seldom. If you do, as mentioned in Part 1, you might actually miss important spikes in network traffic as they occur in between sampling points.