How Network Monitor works

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Data sent over a network is divided into frames. Each frame contains the following information:

  • Source address: The address of the network adapter from which the frame originated.

  • Destination address: The address of the network adapter that is meant to receive the frame. This address can also specify a group of network adapters.

  • Header information: Information specific to each protocol used to send the frame.

  • Data: The information (or a portion of it) being sent.

Every computer on a network segment receives frames transmitted on that segment. The network adapter in each computer retains and processes only those frames that are addressed to that adapter. The rest of the frames are dropped and no longer processed. The network adapter also retains broadcast (and potentially multicast) frames.

After installing Network Monitor, users can capture to a file all the frames sent to, or retained by, the network adapter of the computer on which it is installed. These captured frames can then be viewed or saved for later analysis. Users can design a capture filter so that only certain frames are captured. This filter can be configured to capture frames based on criteria such as source address, destination address, or protocol. Network Monitor also makes it possible for a user to design a capture trigger to initiate a specified action when Network Monitor detects a particular set of conditions on the network. This action can include starting a capture, ending a capture, or starting a program.
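The following added example (not Network Monitor code) models the two stages described above: the adapter deciding which frames to retain, then a capture filter on source address, destination address, or protocol. It assumes Ethernet II framing; all function names, MAC addresses, and sample frames are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}  # protocol names for the filter

def parse_frame(raw):
    """Split an Ethernet II frame into destination, source, protocol and data."""
    if len(raw) < 14:
        raise ValueError("truncated frame: the Ethernet II header is 14 bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    return {"dst": dst, "src": src, "data": raw[14:],
            "protocol": ETHERTYPES.get(ethertype, hex(ethertype))}

def adapter_retains(frame, own_mac, groups=()):
    """Adapter stage: keep unicast to this adapter, broadcast, and joined multicast groups."""
    dst = frame["dst"]
    if dst == own_mac or dst == BROADCAST:
        return True
    # Low bit of the first octet set means the destination is a group address.
    return bool(dst[0] & 0x01) and dst in groups

def capture_filter(frame, src=None, dst=None, protocol=None):
    """Capture-filter stage: every criterion that is given must match."""
    return ((src is None or frame["src"] == src) and
            (dst is None or frame["dst"] == dst) and
            (protocol is None or frame["protocol"] == protocol))

def capture(raw_frames, own_mac, groups=(), **criteria):
    captured = []
    for raw in raw_frames:
        try:
            frame = parse_frame(raw)
        except ValueError:
            continue  # too short to carry addresses; nothing to filter on
        if adapter_retains(frame, own_mac, groups) and capture_filter(frame, **criteria):
            captured.append(frame)
    return captured

# Constructed sample traffic (locally administered MACs, not real hosts).
HOST, PEER, OTHER, MCAST = (bytes.fromhex(h) for h in (
    "02005e000001", "02005e000002", "02005e000003", "01005e000001"))

def frame_bytes(dst, src, ethertype, payload=b"\x00" * 46):
    return dst + src + struct.pack("!H", ethertype) + payload

SAMPLE = [
    frame_bytes(HOST, PEER, 0x0800),       # unicast to this adapter, IPv4
    frame_bytes(OTHER, PEER, 0x0800),      # unicast to another adapter: dropped
    frame_bytes(BROADCAST, PEER, 0x0806),  # ARP broadcast: retained
    frame_bytes(MCAST, OTHER, 0x0800),     # multicast: retained only if joined
    b"\x00" * 5,                           # truncated frame
]
```

Calling `capture(SAMPLE, HOST, protocol="ARP")` returns only the broadcast frame, while omitting the criteria returns everything the adapter retained.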

By default, the size of the capture buffer is 1 MB. You can reduce the amount of data you capture by shrinking the capture buffer.
