Using a Network Monitor


These days connected applications are everywhere. Web Services and Indigo-based applications are used to hook up various services over the internet. When something goes wrong you can debug all you want, but ultimately you need to look at what is really going on on the wire. Network Monitor is your friend. I am surprised how many people are not really aware of this tool called Network Monitor. Many people who have heard about it think that it is too complex to capture network traffic and understand it.

In this article I would like to explain, in easy to understand terms, how to install Network Monitor, how to capture traffic, how to save it and how to interpret it. My belief is that once you understand this and have used the tool, you will wonder how you ever lived without it. Let’s jump in.


1. How to install Network Monitor.
You might want to know that Network Monitor is a free tool.
Go to Control Panel, Add/Remove Programs applet.
Then choose Add/Remove Windows Components.
Then select Management and Monitoring Tools and click Details.
Choose Network Monitor and proceed with the installation.
You may be prompted for the Windows installation CD.
After the installation, you will see Network Monitor in the Administrative Tools.

2. Launching Network Monitor for the first time.
When you launch Network Monitor for the first time you will see a dialog that says “Please specify the network on which you want to capture the data”.
What does this mean?
Network Monitor captures data on a SPECIFIC network adapter. Even if you have only one physical network card, you may have more than one adapter. Don’t worry about this. It will be clear in a second.
Click OK on this dialog.
The dialog that pops up next [you can access the same dialog through the Capture/Networks menu option] is the one where you pick the “Network” you want to monitor. Expand the Local Computer node. You will see one or more Networks.
Which one to choose? Well, it depends.
If you have a computer with one network card, simply choose the LAN Connection and click OK.
If you have a computer with more than one network card, you have to choose one.
Open a command prompt and type IPCONFIG /all. Then, for each network interface, note down the physical address (MAC address). Once you know the MAC address, open the Properties window of the “Select a network” dialog we are talking about, choose the network whose MAC address matches the MAC address of the interface you want to monitor, and then click OK.
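The matching step above is easy to get wrong when ipconfig and the Network Monitor dialog print the same address with different separators and letter case. The following script, which is an added example and not part of the original post, parses a constructed (not real) ipconfig /all listing into an adapter-name to MAC table and looks an address up in any separator style; the adapter names and addresses are made up for the illustration.

```python
import re

# Constructed sample of "ipconfig /all" output (not from a real machine), trimmed
# to the lines that matter for matching an adapter to its MAC address.
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION01

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example PCI Ethernet Adapter
   Physical Address. . . . . . . . . : 00-0C-29-3E-4F-50
   IP Address. . . . . . . . . . . . : 192.168.1.10

Ethernet adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   IP Address. . . . . . . . . . . . : 192.168.2.20
"""

# "Ethernet adapter <name>:" / "PPP adapter <name>:" header lines start in column 0.
ADAPTER_RE = re.compile(r"^\S.*\badapter (.+):\s*$")
# The dotted "Physical Address. . . : xx-xx-xx-xx-xx-xx" line is indented.
MAC_RE = re.compile(r"^\s*Physical Address[ .]*: ([0-9A-Fa-f-]+)\s*$")


def normalize_mac(mac):
    """Strip separators and upper-case, so '00:0c:29:3e:4f:50', '00-0C-29-3E-4F-50'
    and '000C293E4F50' all compare equal regardless of which tool printed them."""
    return re.sub(r"[-:. ]", "", mac).upper()


def parse_ipconfig(text):
    """Map adapter name -> normalized MAC by reading each 'adapter' header and the
    'Physical Address' line that follows it."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MAC_RE.match(line)
        if m and current:
            adapters[current] = normalize_mac(m.group(1))
    return adapters


def find_adapter_for_mac(adapters, mac):
    """Return the adapter whose MAC matches the one shown in the dialog, or None."""
    wanted = normalize_mac(mac)
    for name, addr in adapters.items():
        if addr == wanted:
            return name
    return None


if __name__ == "__main__":
    table = parse_ipconfig(SAMPLE_IPCONFIG)
    for name, addr in table.items():
        print(f"{name}: {addr}")
    # Look up an address typed the way a different tool might display it.
    print(find_adapter_for_mac(table, "00:0c:29:3e:4f:50"))
```

On a real machine you would feed the script the output of IPCONFIG /all instead of the embedded sample; the normalization is what lets you compare against whatever format the “Select a network” dialog shows.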

3. Using Network Monitor.
Once you have selected a network to monitor, simply press the button that looks like the PLAY button on the toolbar, or choose Capture/Start, or press F10.
You should see some activity in the Frames Per Second and other bars. Launch a browser and go to a site. You should see some more activity. If you don’t see any activity on the screen, then you have selected the wrong network. Repeat step 2.

At this point you can run any application, including the one you want to debug. The traffic generated by the application is captured. When you are ready to stop capturing, press the Stop button, or select Capture/Stop, or press F11.
To display what you just captured, press F12.
To save the capture use File/Save As.
That’s it, you have a capture file. You can send it to other people or look at it later.

4. What is in a capture file?
You might be wondering what exactly is in a capture file. The capture file contains every single frame that the computer received or sent on the “network” you chose. Even if you capture for a very short time, you can get a LOT of frames.
But you don’t need to worry. Network Monitor has a lot of capabilities to filter and sort.

5. How do I find what I want in the capture file?
When you are looking at a capture you will find that there are several columns. First is the frame number. When you are explaining the issue to someone you can say something like “I see something interesting in frame 999”. Then you can see the Time, Source MAC Address, Dest MAC Address, Protocol, Description, etc. You may not find the columns in exactly the order I described, but you can reorder the columns by drag and drop.

The Protocol column is very interesting. This column tells you what the protocol is for the captured frame. On a network a lot of things are going on. On my computer I see HTTP, BONE, ARP, RARP, DNS, TCP, ICMP6 among many other things.

Let’s say you are having an issue with one of your HTTP requests. You want to look only at the HTTP requests and filter out the noise.

Click on the funnel toolbar button, or choose Display/Filter, or press F8. You will see a filter dialog. Double-click on the Protocol=Any line. Click Disable All. At this point all the protocols are disabled. Then click on HTTP [use the scroll bars to find HTTP] and enable the protocol. Click OK.

Now you should see Protocol=HTTP. This means that the current filter only shows the HTTP protocol, so you see only HTTP frames. Note that all the other protocols are still there in the capture; you are only seeing the HTTP frames. There is a way to not EVEN CAPTURE other protocols – this is achieved by the CAPTURE filter. We will not discuss that now.

OK, now you are looking at HTTP frames. How do you make sense of them? At this point you need to have knowledge of the HTTP protocol and how to interpret it.
If you double-click a frame, it shows you the complete details of the HTTP protocol information in that packet.
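To make the Protocol and Description columns and the display filter less of a black box, here is an added example (my own illustration, not code from the original post or from Network Monitor) that builds a constructed three-frame “capture” (an ARP request, a DNS query and an HTTP GET, with made-up MAC and IP addresses and zeroed checksums), decodes each frame the way the column view labels it, and applies a Protocol=HTTP display filter. It shows why the filter only hides frames: the full list is untouched, and the HTTP row’s description is the request line pulled from the TCP payload.

```python
import struct

MAC_A = bytes.fromhex("000c293e4f50")   # constructed: the monitored machine
MAC_B = bytes.fromhex("001a2b3c4d5e")   # constructed: the gateway / web server
IP_A = bytes([192, 168, 1, 10])
IP_B = bytes([192, 168, 1, 1])


def ethernet(dst, src, ethertype, payload):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def ipv4(proto, src, dst, payload):
    # Version 4, IHL 5, TTL 64; header checksum left 0 because this is a constructed sample.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, src, dst)
    return hdr + payload


def tcp(sport, dport, payload):
    # Data offset 5 (20-byte header), flags PSH+ACK, checksum left 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def arp_request(sha, spa, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sha, spa, b"\x00" * 6, tpa)


# Constructed capture: frame 1 ARP, frame 2 DNS query over UDP/53, frame 3 HTTP GET over TCP/80.
SAMPLE_CAPTURE = [
    ethernet(b"\xff" * 6, MAC_A, 0x0806, arp_request(MAC_A, IP_A, IP_B)),
    ethernet(MAC_B, MAC_A, 0x0800, ipv4(17, IP_A, IP_B, udp(1025, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),
    ethernet(MAC_B, MAC_A, 0x0800, ipv4(6, IP_A, IP_B,
             tcp(1026, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))),
]


def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def decode_frame(raw):
    """Fill the Src MAC, Dst MAC, Protocol and Description columns for one frame,
    labelling it with the highest-layer protocol recognised, as the Protocol column does."""
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    row = {"src": mac_str(src), "dst": mac_str(dst), "protocol": "ETHERNET", "description": ""}
    if ethertype == 0x0806:                       # ARP: opcode sits 6 bytes into the ARP header
        op = struct.unpack("!H", raw[20:22])[0]
        row["protocol"] = "ARP"
        row["description"] = "request" if op == 1 else "reply"
    elif ethertype == 0x0800:                     # IPv4
        ihl = (raw[14] & 0x0F) * 4
        proto = raw[14 + 9]
        src_ip, dst_ip = ip_str(raw[26:30]), ip_str(raw[30:34])
        l4 = raw[14 + ihl:]
        row["protocol"] = "IP"
        row["description"] = f"{src_ip} -> {dst_ip}"
        if proto == 6:                            # TCP: data offset is the high nibble of byte 12
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[(l4[12] >> 4) * 4:]
            row["protocol"] = "TCP"
            row["description"] = f"{src_ip}:{sport} -> {dst_ip}:{dport}"
            if 80 in (sport, dport) and payload:  # port 80 with data: show the HTTP request line
                row["protocol"] = "HTTP"
                row["description"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        elif proto == 17:                         # UDP: port 53 is labelled DNS
            sport, dport = struct.unpack("!HH", l4[:4])
            row["protocol"] = "DNS" if 53 in (sport, dport) else "UDP"
            row["description"] = f"{src_ip}:{sport} -> {dst_ip}:{dport}"
    return row


def capture_summary(frames):
    """Number the frames from 1, as the Frame column does."""
    return [dict(number=i, **decode_frame(f)) for i, f in enumerate(frames, 1)]


def apply_display_filter(rows, protocol):
    """A display filter hides rows in the view; it never removes frames from the capture."""
    return [r for r in rows if r["protocol"] == protocol]


if __name__ == "__main__":
    rows = capture_summary(SAMPLE_CAPTURE)
    for r in rows:
        print(r["number"], r["src"], r["dst"], r["protocol"], r["description"])
    print("HTTP only:", [r["number"] for r in apply_display_filter(rows, "HTTP")])
```

The decoder classifies by well-known port, which is also how a parser-based tool labels a frame at a glance; traffic on a non-standard port would show up as plain TCP, so when a filter seems to hide the request you expect, check the port before concluding the traffic never left the machine.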
Let me know if this is helpful and if you need more information.