Thursday, October 13, 2011

Tips: How to perform network troubleshooting tasks in Microsoft Network Monitor

What is Microsoft Network Monitor?
Microsoft Network Monitor is one of the network diagnostic/monitoring tools that comes from Microsoft. It lets you perform network troubleshooting tasks in a few simple steps. The tool collects information from a network's data stream and displays several kinds of information about each frame, including:
•    the protocols used to send the frame
•    the destination address of the computer that received the frame
•    the data, or portion of the message being sent
•    the source address of the computer that sent a frame onto a network
•    and many others

What does it do?
Microsoft Network Monitor collects information through a process called capturing. You can use the tool to capture statistics on every frame it detects on the network, or only on a specific subset of frames.

Here, let's discuss the following:
•    where to take a capture,
•    how to gather documentation and use a cheat sheet,
•    how to customize what information should be captured,
•    how to customize the user interface,
•    how to make sense of the captured data,
•    how to get more information out of the data that’s captured, and
•    how to view specific frames in an XML format and in a window by themselves.
Where to take a capture
Where you take a capture depends on the number of machines involved and on whether firewalls are in place.
For example, with two machines there are two possible scenarios: 1) no firewalls are involved, and 2) firewalls are involved.
In the first scenario it is enough to trace on either machine, whereas in the second scenario you have to take a trace on both machines simultaneously.
The trace on the first machine determines whether any packets are being dropped by existing outbound firewall rules.
The trace on the second machine determines whether any inbound firewall rules are preventing data from coming in.
You can take traces on the following locations in a real world scenario.
1.    On the Windows 7 Client’s network interface
2.    On the internal side of the firewall
3.    On the external side of the firewall, and
4.    On the inbound network adapter on the Exchange Server
If the firewall has rules you are not aware of that drop packets, the trace on the external side of the firewall is the one that reveals it. Using these four traces, we can check whether the packets left the Windows client, went through the firewall and entered the Exchange Server.
How to gather documentation and use a cheat sheet?
Use a cheat sheet to record data about the issues you encounter along the way. This becomes essential once the network grows and multiple machines are involved.
Most issues take days or even weeks to resolve, and they involve traces with hundreds of thousands of packets in them. Most of the time we will not finish troubleshooting a single trace in one session.
If we don't keep any documentation, we will have forgotten the details of an issue in a trace by the time we resume troubleshooting it, and we will be forced to start all over again.
The following things should be recorded:
•    the issues themselves
•    IP addresses of the machines between which the information you’re looking for is located
•    packet numbers you’ve already analyzed or still have to analyze
Let's go through an example of how a typical cheat sheet is used:
Consider two domain controllers. One of them is DC1 and it has an IP address of , whereas the other domain controller, DC2, has an IP address of
Let’s also assume that we just mapped a network drive on DC1.
Here we have a typical Frame Summary that comprises the traffic generated when the network drive was mapped.

The packets related to drive mapping are the ones that begin with SMB (Server Message Block) packets. If an error occurred while mapping the network drive and we received an "Access denied" notification, we would document the issue.
Our cheat sheet can be a simple Notepad file in which we jot down the following information:
network drive mapping
error message - access denied

source ip address =
destination ip address =

We can add as much information as we think necessary for more complicated setups. For example, you can add a rudimentary diagram of what should have happened and where you think the problem lies.
That way we can pick the issue up again easily when we come back to it later.
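The cheat-sheet entries above are written by hand. The following added example (not code from the original post) shows how the same bookkeeping can be derived from a copy of the Frame Summary pane: it isolates the conversation between the two hosts, lists the SMB frames, flags responses carrying a failing NT status, and prints the note in the same shape as the one above. The tab-separated column layout, the SMB2 description text, and the 10.0.0.x addresses standing in for DC1 and DC2 (the post does not give them) are all constructed assumptions for this example.

```python
"""Build cheat-sheet entries from a Network Monitor Frame Summary copy.

Added example. The column layout is an assumption: a simplified
tab-separated copy of the Frame Summary pane with the columns
Frame Number, Time Offset, Source, Destination, Protocol Name, Description.
"""
import re
from dataclasses import dataclass

# Constructed sample. The DC1/DC2 addresses are placeholders, not the
# addresses from the post, and the descriptions mimic Network Monitor's
# SMB2 parser output for a drive mapping that fails with access denied.
SAMPLE_SUMMARY = """\
1\t0.000000\t10.0.0.1\t10.0.0.2\tTCP\tTCP: Flags=......S., SrcPort=49160, DstPort=Microsoft-DS(445)
2\t0.000512\t10.0.0.2\t10.0.0.1\tTCP\tTCP: Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49160
3\t0.001030\t10.0.0.1\t10.0.0.2\tSMB2\tSMB2: C   NEGOTIATE (0x0)
4\t0.002211\t10.0.0.2\t10.0.0.1\tSMB2\tSMB2: R  NT Status: System - Success, Code = (0) STATUS_SUCCESS  NEGOTIATE (0x0)
5\t0.003000\t10.0.0.1\t10.0.0.3\tDNS\tDNS: QueryId = 0x1A2B, QUERY (Standard query)
6\t0.004455\t10.0.0.1\t10.0.0.2\tSMB2\tSMB2: C   TREE CONNECT (0x3), Path=\\\\DC2\\share
7\t0.005670\t10.0.0.2\t10.0.0.1\tSMB2\tSMB2: R  - NT Status: System - Error, Code = (34) STATUS_ACCESS_DENIED  TREE CONNECT (0x3)
"""


@dataclass(frozen=True)
class Frame:
    number: int
    offset: float
    source: str
    destination: str
    protocol: str
    description: str


def parse_frame_summary(text: str) -> list[Frame]:
    """Parse tab-separated Frame Summary rows; header, blank and malformed rows are skipped."""
    frames = []
    for line in text.splitlines():
        parts = line.split("\t", 5)
        if len(parts) != 6:
            continue
        num, offset, src, dst, proto, desc = parts
        try:
            frames.append(Frame(int(num), float(offset), src, dst, proto, desc))
        except ValueError:
            continue  # e.g. a column-header row copied along with the data
    return frames


def conversation(frames: list[Frame], ip_a: str, ip_b: str) -> list[Frame]:
    """Frames exchanged between the two hosts, in either direction."""
    pair = {ip_a, ip_b}
    return [f for f in frames if {f.source, f.destination} == pair]


# Network Monitor prints the NT status name in SMB/SMB2 response descriptions.
NT_STATUS = re.compile(r"NT Status:.*?(STATUS_[A-Z_]+)")


def find_failures(frames: list[Frame]) -> list[tuple[int, str]]:
    """(frame number, NT status name) for every response with a non-success NT status."""
    out = []
    for f in frames:
        m = NT_STATUS.search(f.description)
        if m and m.group(1) != "STATUS_SUCCESS":
            out.append((f.number, m.group(1)))
    return out


def cheat_sheet(issue: str, error_message: str, src: str, dst: str,
                frames: list[Frame], analysed: tuple[int, ...] = ()) -> str:
    """Render the note in the post's layout, plus the frame numbers still to analyse."""
    conv = conversation(frames, src, dst)
    smb = [f.number for f in conv if f.protocol.startswith("SMB")]
    failures = find_failures(conv)
    lines = [
        issue,
        f"error message - {error_message}",
        "",
        f"source ip address = {src}",
        f"destination ip address = {dst}",
        "",
        "smb frames = " + ", ".join(map(str, smb)),
        "error frames = " + ", ".join(f"{n} ({s})" for n, s in failures),
        "frames analysed = " + ", ".join(map(str, analysed)),
        "frames to analyse = " + ", ".join(str(n) for n in smb if n not in analysed),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    frames = parse_frame_summary(SAMPLE_SUMMARY)
    print(cheat_sheet("network drive mapping", "access denied",
                      "10.0.0.1", "10.0.0.2", frames, analysed=(3, 4)))
```

Frames that belong to other conversations (the DNS query to 10.0.0.3 in the sample) are dropped before anything is recorded, and a successful SMB2 response is not reported as an error, so the note only lists the frames that are actually worth revisiting next session.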
How to customize what information should be captured?
Here, you specify what information is captured by choosing a parser profile. There are five ready-made parser profiles to choose from initially, but you can also create customized parser profiles if you wish.

The following are the 5 ready-made parser profiles:
Pure - performs no parsing and very limited filtering;
HPC (High Performance Capture) - provides optimized filtering speed, but its filtering capability is limited to TCP, UDP and a few protocols related to these two;
Faster Parsing - parses more protocols, such as ARP, HTTP, DNS and NBTNS, but does not include SMB and SMB2;
Default - the default profile, which parses all the protocols mentioned previously as well as SMB, SMB2 and RPC;
Windows - parses every Windows-based protocol plus SQL. It is the heavyweight in terms of parsing cost.
The more packet detail a parser profile extracts, the slower the trace will be and the longer it will take to generate its view.
Parser profiles are typically set before we begin our trace. To choose one, open Parser Profiles > NetworkMonitor Parsers; there you will find the parser profiles enumerated above.

How to customize the user interface?
Most of us want to see only the information we are interested in, positioned where it helps us work more efficiently.
Some of the things you can do to organize the user interface include:
•    docking and un-docking panes
•    hiding unwanted panes
•    showing the panes you often need,
•    getting the default display settings back, and
•    changing the layout of the panes to Simple, Diagnostic, Developer, and the default layout

To un-dock a pane, click on the pane's title bar, then press and hold the Shift key while you click and drag the pane out of its docked position. You can then move it to wherever you want it to be.
To hide a pane, click the 'x' button in its upper-right corner.

To bring a hidden pane back into view, navigate to the View menu and select the pane you wish to show. You will also see the Restore Default Layout option under that menu.

Clicking it restores the layout to its default values, which is handy when you have moved a lot of things around and later realize you want the original arrangement back.

What does the Default Layout look like?
Apart from the Default Layout, there are other pre-configured layouts to choose from. To use one of them, navigate to the Layout menu and select a layout from there. Note that the Restore Default Layout option can also be selected from that menu.

The Diagnostic layout is normally used if, in addition to other information, you want to see as many frames as possible.

Here’s the Developer layout.
If you have arrived at a customized layout after moving and removing panes you don't like, you can save that layout for future use. To do so, just click the Save As button.

Now, in the Save As window, give the layout a name (e.g. cap3) and click the Save button.

The next time you launch Network Monitor, that layout file is displayed as a link, ready for use.
