Windows Server includes the Lite version of Network Monitor, which captures only traffic to and from the local server. Microsoft's SMS package includes the full version of Network Monitor, which uses promiscuous mode and thereby captures all LAN traffic. The binary network frames are then decoded and displayed, identifying the sender and receiver and labeling all of the protocol layers and fields.
An important field in TCP and UDP is the port number. The port number identifies the destination service on the server. For example, web requests using HTTP will have the port number set to 80. Other well-known port numbers are identified in a table below.
Visit www.ethereal.com to get a protocol analyzer similar to Network Monitor. It will run on Windows Professional, which does not include Network Monitor. Understanding everything about network protocols requires long-term study. Network Monitor is an excellent tool to use in this study. Without much understanding of protocols, you can still use Network Monitor to study network problems by capturing LAN packets and noting source and destination addresses for
Network Monitor displays real-time statistics while capturing data as shown below. The window is divided into panes as follows.
Take special note of broadcast traffic, because broadcasts cause interrupts on all machines in the subnet. Broadcasts from remote computers cause interrupts on every local computer, thereby affecting performance on every local computer.
Once captured, each frame can be viewed and investigated in the capture window. Initially, the summary pane displays a summary of each frame in each line. If you double-click one of the frames, the window then divides into three panes as follows.
Start Network Monitor, start the capture and then wait until some network traffic is collected. Select the Stop and View option and then investigate some of the captured packets.
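To see what the decode step described above produces, the following Python code (an added example, not part of the original page or of Network Monitor) labels the Ethernet, IPv4 and TCP/UDP fields of a raw frame, maps the destination port to a service, and flags broadcast frames. The two sample frames are constructed, the addresses come from documentation ranges, the port table is a small excerpt, and all function names are hypothetical.

```python
import socket
import struct

# Excerpt of well-known ports (assumption: the page's own table is not reproduced here).
WELL_KNOWN = {25: "SMTP", 53: "DNS", 80: "HTTP", 137: "NetBIOS-NS", 443: "HTTPS"}
BROADCAST_MAC = b"\xff" * 6

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_frame(frame):
    """Decode an Ethernet II / IPv4 / TCP-or-UDP frame into labelled fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth_dst": mac(dst), "eth_src": mac(src), "broadcast": dst == BROADCAST_MAC}
    if ethertype != 0x0800:                 # not IPv4: report the type and stop
        out["l3"] = f"ethertype 0x{ethertype:04x}"
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0   # IPv4 header length in bytes
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    proto = ip[9]
    out.update(l3="IPv4", ip_src=socket.inet_ntoa(ip[12:16]),
               ip_dst=socket.inet_ntoa(ip[16:20]))
    if proto not in (6, 17) or len(ip) < ihl + 4:
        out["l4"] = f"protocol {proto}"
        return out
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])  # ports lead both headers
    out.update(l4="TCP" if proto == 6 else "UDP", src_port=sport, dst_port=dport,
               service=WELL_KNOWN.get(dport, "unknown"))
    return out

def build_frame(dst_mac, src_mac, proto, ip_src, ip_dst, sport, dport):
    """Build a constructed sample frame (checksums zero; not captured traffic)."""
    l4 = struct.pack("!HH", sport, dport) + bytes(16 if proto == 6 else 4)
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                        socket.inet_aton(ip_src), socket.inet_aton(ip_dst))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + iphdr + l4

# Constructed samples: a web request and a subnet broadcast.
WEB = build_frame(bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                  6, "192.0.2.10", "192.0.2.80", 49152, 80)
BCAST = build_frame(BROADCAST_MAC, bytes.fromhex("020000000003"),
                    17, "192.0.2.11", "192.0.2.255", 137, 137)
```

Calling `decode_frame(WEB)` and `decode_frame(BCAST)` returns the labelled fields as dictionaries; the `broadcast` flag is the value to count when judging how much broadcast traffic a subnet carries.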