Watching the Network Traffic Flow

By Drew Bird | Apr 5, 2004
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3335751/Watching-the-Network-Traffic-Flow.htm

In Part 2 of our two-part series on monitoring network traffic, we continue our look at some of the tools that are built into Windows Server 2003. We also touch on some third-party tools that you may want to consider. (If you missed Part 1, check it out here.)

Let's pick up our discussion of Windows Server 2003's networking monitoring tools where we left off: the Performance Console. In addition to displaying information in the standard graph view, the Performance Console makes it possible to log information to a file. It also allows you to configure thresholds, so that you can be alerted in the event of a network problem. Both of these functions are features of the Performance Logs and Alerts element of the Performance Console.

The capability to log information to a file is a key consideration when measuring network performance, as it provides a more consistent picture of the server's network activity over an extended period of time than you get with the default graph view. It also allows you to see trends develop — a key ingredient in long-term planning for network upgrades.

Covering the Baselines
Logging also allows you to perform one of network management's most important tasks — taking baselines. As you are probably aware, a baseline is a measure of a server's performance under various conditions, recorded for future comparison purposes. Without baselines, there is no way to know whether the all-too-common user complaint, "the network is running slow," is correct or not.

With a baseline in hand, however, you can compare the information gained when the network is running normally with the state of the network as it is now. Subtracting one set of statistics from the other will give you a real idea of whether or not the network really is running slowly.

Using the Performance Log feature of the Performance Console is simple. The utility uses the same set of counters that are used by System Monitor. You need only specify which counters are to be monitored and at what intervals. Information can be logged to a variety of file formats, including binary, text (comma- or tab-delimited) and SQL. You can also configure logging to start and stop at preset times, which is very handy for those hard-to-track issues that surface every morning at 3 a.m.

There are actually two types of logs available in the Performance Logs and Alerts utility: Counter logs and Trace logs. It is the Counter logs that you will be specifically interested in when monitoring network traffic. (Trace logs are used to record a preset selection of system events such as process creation or deletion and page faults; they are not used for recording network traffic statistics.)

How you view information after it has been recorded into a Counter log will depend on what file format you used to create the log. Binary files can be opened in the Performance Console and viewed in the graph format, just as if the information were live. For those with SQL or another compatible database, the option to store information in a SQL format will be most attractive.

One word of caution when using the Performance Console: You should avoid enabling too much logging. Doing so will create additional load on the system, which in addition to slowing other aspects of the server down, can cause the statistics provided by Performance Console to be skewed. Enabling too many counters, or setting the sample rate too short, can ultimately be self-defeating. For this reason, consider carefully what statistics you are interested in, and make sure you are recording information only as frequently as you really need to. Conversely, it is also important not to have information recorded too seldom. If you do, as mentioned in Part 1, you might actually miss important spikes in network traffic as they occur in between sampling points.
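The baseline comparison and the sampling-interval caveat above can be carried out directly against the comma-delimited files that Performance Logs and Alerts produces. The following is an added example written for this page, not code from the article or from Microsoft: it parses two constructed counter logs (the server name FILESRV, the adapter name, the timestamps and every sample value are made up, and the header layout follows the PDH CSV convention of a timestamp column followed by one column per counter path), computes the baseline mean and spread for each counter, subtracts the baseline from the current log, and flags counters that have moved outside the baseline's band. The "two standard deviations" rule and the `peak_at_interval` helper are this example's own choices, not features of the Performance Console; the helper shows how a coarser sampling interval hides the spike that the full log recorded.

```python
import csv
import io
import statistics

# Two constructed counter logs in the comma-delimited layout that Performance
# Logs and Alerts writes: the first column holds the timestamp, every further
# column one counter path. Server name, adapter name and all sample values are
# made up for this example.
BASELINE_LOG = r'''"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\FILESRV\Network Interface(Intel Pro 100)\Bytes Total/sec","\\FILESRV\Network Interface(Intel Pro 100)\Output Queue Length"
"03/01/2004 09:00:00.000","1000000","0"
"03/01/2004 09:05:00.000","1200000","0"
"03/01/2004 09:10:00.000","1100000","0"
"03/01/2004 09:15:00.000","900000","1"
"03/01/2004 09:20:00.000","1000000","0"
"03/01/2004 09:25:00.000","1300000","0"
"03/01/2004 09:30:00.000","1100000","0"
"03/01/2004 09:35:00.000","1000000","0"
'''

CURRENT_LOG = r'''"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\FILESRV\Network Interface(Intel Pro 100)\Bytes Total/sec","\\FILESRV\Network Interface(Intel Pro 100)\Output Queue Length"
"04/05/2004 09:00:00.000","2400000","2"
"04/05/2004 09:05:00.000","2500000","3"
"04/05/2004 09:10:00.000","2300000","2"
"04/05/2004 09:15:00.000","2600000","4"
"04/05/2004 09:20:00.000","2500000","3"
"04/05/2004 09:25:00.000","2400000","2"
"04/05/2004 09:30:00.000","2500000","3"
"04/05/2004 09:35:00.000","2400000","2"
'''


def parse_counter_log(text):
    """Return {counter_path: [sample, ...]} for a comma-delimited counter log.
    The timestamp column is skipped; blank cells (written when a sample was
    unavailable) are ignored rather than treated as zero."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    series = {name: [] for name in header[1:]}
    for row in reader:
        if not row:
            continue
        for name, cell in zip(header[1:], row[1:]):
            if cell.strip():
                series[name].append(float(cell))
    return series


def baseline_stats(values):
    """Mean, sample standard deviation and maximum of one counter's samples."""
    stdev = statistics.stdev(values) if len(values) > 1 else 0.0
    return {"mean": statistics.mean(values), "stdev": stdev, "max": max(values)}


def compare_to_baseline(baseline_text, current_text, tolerance=2.0):
    """For every counter present in both logs, subtract the baseline mean from
    the current mean and flag a counter whose shift exceeds `tolerance`
    baseline standard deviations (a constructed rule of thumb)."""
    baseline = parse_counter_log(baseline_text)
    current = parse_counter_log(current_text)
    report = {}
    for name in baseline.keys() & current.keys():
        b = baseline_stats(baseline[name])
        c = baseline_stats(current[name])
        delta = c["mean"] - b["mean"]
        report[name] = {
            "baseline_mean": b["mean"],
            "current_mean": c["mean"],
            "delta": delta,
            "out_of_band": abs(delta) > tolerance * b["stdev"],
        }
    return report


def peak_at_interval(values, every_n):
    """Peak the log would have recorded had it kept only every `every_n`th
    sample: a longer interval can miss a spike that the full log caught."""
    return max(values[::every_n])


if __name__ == "__main__":
    for name, r in compare_to_baseline(BASELINE_LOG, CURRENT_LOG).items():
        verdict = "OUT OF BAND" if r["out_of_band"] else "within baseline"
        print(f"{name}\n  baseline {r['baseline_mean']:.1f}  now {r['current_mean']:.1f}  {verdict}")
    bytes_sec = parse_counter_log(BASELINE_LOG)[
        r"\\FILESRV\Network Interface(Intel Pro 100)\Bytes Total/sec"]
    print(f"peak every sample: {max(bytes_sec):.0f}; "
          f"peak sampling every 2nd: {peak_at_interval(bytes_sec, 2):.0f}")
```

On the constructed data, Bytes Total/sec has more than doubled against its baseline and the output queue has grown from near zero to a steady two-to-four frames, so both counters are flagged; sampling the baseline log at every second point reports a peak of 1,100,000 bytes/sec and never sees the 1,300,000 spike.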



Why Install Network Monitor?
While the Performance Console is a good tool for monitoring how much network traffic is being handled by a server, on some occasions you might need to take your monitoring activities one step further and determine where network traffic is being sent to and from. In this case, unless you want to invest in a third-party product, you will need to install the Network Monitor utility provided with Windows Server 2003. The Network Monitor utility is not loaded by default, but is easy to install through the Control Panel, Add/Remove Programs, Add/Remove Windows Components. Network Monitor is part of the Management and Monitoring Tools group of programs, and can be installed as part of the group or individually.

The version of Network Monitor provided with Windows Server 2003 is a stripped-down version of the tool provided with Microsoft Systems Management Server (SMS). The main difference between the two is that the Windows Server 2003 version of Network Monitor does not allow you to view any network traffic other than that sent or received by the system on which it is running. There are also other, minor differences, like the inability to edit and retransmit traffic. The more advanced SMS version also allows you to determine which user or protocol is occupying the most network bandwidth.

Even with these limitations, though, the Network Monitor utility still provides enough features to perform basic network traffic and packet analysis. For example, you can see which IP addresses or MAC addresses are responsible for creating network traffic. This kind of information can be particularly useful if you suspect that a certain user is hogging bandwidth or, less nefariously, is using a system with a faulty network card. You can also perform functions such as determining what the levels of DHCP traffic are on the network. Again, this can be useful in determining server placement and other network planning activities.

Network Monitor also allows you to capture and view packets from the network. This can be useful if you want to see what data is being transmitted over the network. Be warned, however, that only certain types of protocols and files will allow you to easily view a packet's contents. Expert analysis of packet contents is an art form, and justified only if you have a situation such as a security concern — in which case, it is probably time to call in someone who is experienced in such matters anyway.
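The two questions the preceding paragraphs put to a capture (which addresses are generating the traffic, and how much of it is DHCP) come down to summing frame lengths by source address and by protocol. The following is an added example written for this page, not code from the article or from Network Monitor: the frame records are constructed (every MAC and IP address, port and length is made up, and the tuple layout is this example's own rather than an export format of the tool). It totals bytes per source MAC and per source IP, measures the DHCP share by the BOOTP ports 67 and 68, and lists any host responsible for more than half of all captured bytes, the pattern that points to a bandwidth hog or a faulty card. The 50% threshold is a constructed rule of thumb.

```python
from collections import Counter

# Constructed frame summaries standing in for what a Network Monitor capture
# shows per frame: (source MAC, source IP, destination IP, transport protocol,
# source port, destination port, frame length in bytes). Every address and
# value here is made up; this is not an export format of the tool.
FRAMES = [
    ("00-0C-29-AA-01-01", "192.168.1.10", "192.168.1.5", "TCP", 1055, 445, 1514),
    ("00-0C-29-AA-01-01", "192.168.1.10", "192.168.1.5", "TCP", 1055, 445, 1514),
    ("00-0C-29-AA-01-01", "192.168.1.10", "192.168.1.5", "TCP", 1055, 445, 1514),
    ("00-0C-29-AA-01-01", "192.168.1.10", "192.168.1.5", "TCP", 1055, 445, 1514),
    ("00-0C-29-AA-01-01", "192.168.1.10", "192.168.1.5", "TCP", 1055, 445, 1514),
    ("00-0C-29-AA-02-02", "192.168.1.20", "192.168.1.5", "TCP", 1201, 139, 600),
    ("00-0C-29-AA-02-02", "192.168.1.20", "192.168.1.5", "TCP", 1201, 139, 600),
    # A DHCP discover from a client with no address yet, and the server's offer.
    ("00-0C-29-AA-03-03", "0.0.0.0", "255.255.255.255", "UDP", 68, 67, 342),
    ("00-0C-29-AA-05-05", "192.168.1.5", "255.255.255.255", "UDP", 67, 68, 342),
]

# DHCP is carried over UDP between the BOOTP server (67) and client (68) ports.
DHCP_PORTS = {67, 68}


def is_dhcp(frame):
    """True when the frame is UDP and either port is a BOOTP/DHCP port."""
    _mac, _src, _dst, proto, sport, dport, _length = frame
    return proto == "UDP" and (sport in DHCP_PORTS or dport in DHCP_PORTS)


def summarize(frames):
    """Total bytes sent per source MAC and per source IP, plus the DHCP total.
    Keying on the MAC as well as the IP keeps a host visible even when it has
    no IP address yet, as with the DHCP discover above."""
    by_mac, by_ip = Counter(), Counter()
    total = dhcp_bytes = 0
    for frame in frames:
        mac, ip, _dst, _proto, _sport, _dport, length = frame
        total += length
        by_mac[mac] += length
        by_ip[ip] += length
        if is_dhcp(frame):
            dhcp_bytes += length
    return {"total_bytes": total, "by_mac": by_mac, "by_ip": by_ip, "dhcp_bytes": dhcp_bytes}


def top_talkers(summary, n=3):
    """The n source IPs that sent the most bytes, largest first."""
    return summary["by_ip"].most_common(n)


def dhcp_share(summary):
    """Fraction of all captured bytes that were DHCP traffic."""
    total = summary["total_bytes"]
    return summary["dhcp_bytes"] / total if total else 0.0


def heavy_hosts(summary, threshold=0.5):
    """Source IPs responsible for more than `threshold` of all captured bytes,
    the hosts to look at first for a bandwidth hog or a faulty card."""
    total = summary["total_bytes"]
    return [ip for ip, b in summary["by_ip"].items() if total and b / total > threshold]


if __name__ == "__main__":
    s = summarize(FRAMES)
    print(f"Captured {s['total_bytes']} bytes in {len(FRAMES)} frames")
    for ip, b in top_talkers(s):
        print(f"  {ip:<16} {b:>6} bytes ({b / s['total_bytes']:.0%})")
    print(f"DHCP share: {dhcp_share(s):.1%}; heavy hosts: {heavy_hosts(s)}")
```

On the constructed capture, 192.168.1.10 accounts for roughly 80% of the 9,454 bytes seen and is the only host listed by `heavy_hosts`; the two DHCP frames make up about 7% of the total. Against a real capture the same aggregation runs over whatever per-frame fields the tool exports.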

Beyond Built-in Tools
As you can see, creating a solid network traffic monitoring strategy is achievable with the tools provided with Windows Server 2003. That said, there are some other relatively inexpensive network traffic monitoring solutions that may be worth your attention. However, be careful to evaluate what additional benefit a third-party product actually brings. You might find that the previously discussed tools, such as the Performance Console, do the job just as well — or at least just as well as you need them to.

Here are links to a few network traffic monitoring and packet analysis tools that may be of interest. Most of these tools have versions available for free download, so you can try before you buy. Many of them also offer additional functionality over just plain network traffic monitoring capabilities.

TrafMeter is a network traffic monitoring tool that allows you to create include/exclude filters to see the cumulative effect of different types of network traffic on your network. The product is free to download and evaluate, but only allows you to create one traffic filter. A full version is available for between $99 and $695.

Sniff'em is a full-featured network traffic monitoring tool that provides comprehensive support for all commonly used network interfaces including USB and FireWire devices. It also supports dial-up adapters. Pricing starts at $100, but Sniff'em is available in a number of licensing models, including special deals for academic and non-profit organizations.

TracePlus/Ethernet is a powerful tool that provides a wide range of reports, filters and other features for tracking and monitoring network usage. TracePlus/Ethernet can be used to import packet capture files from a range of other network monitoring applications including Microsoft Network Monitor. Pricing for TracePlus/Ethernet is $349, with discounts available for multiple license purchases. Product demonstrations are also available.