The SMS 2.0 CD-ROM includes the Network Monitor console application and the Network Monitor Agent version 2 for Windows NT/2000. The console provides the user interface for viewing traffic on the network. Figure 7-6 shows the Network Monitor interface and how the Network Monitor captures packets from local and remote segments.
Figure 7-6. Monitoring local and remote segments.
An agent can be active on the computer running the Network Monitor in order that local network traffic be captured. The agent may also be run on another computer on the local segment. When the agent is run on a computer other than the computer running Network Monitor, the agent is referred to as remote. When a remote agent is used, it stores copies of local frames in a buffer and forwards the session summary statistics to the Network Monitor console.
A remote agent is selected from the Capture - Networks menu item in Network Monitor.
In this case, the agent is remote with respect to the Network Monitor and is local with respect to the segment being monitored. Again, the remote agent is selected from the Capture - Networks menu item in Network Monitor.
Installation of the Network Monitor varies depending on the operating system. The Network Monitor and Network Monitor Agent version 2 driver are installed through the SMS 2.0 Setup program, or after installation by running SETUP.EXE from the \NMEXT directory on the SMS 2.0 installation CD-ROM. The Windows 2000 installation CD-ROM includes the Network Monitor Agent version 2 driver. Monitors and experts are included in the version of Network Monitor bundled with SMS 2.0.
Windows 95/98 and Windows for Workgroups can run previous versions of Network Monitor, but may not run the version of Network Monitor or the Network Monitor Agent version 2 included with SMS 2.0. On Windows 95/98 computers, Network Monitor is installed through a setup program contained on SMS version 1.2 CD-ROM in the \NMEXT\DISK1 directory. The agent driver is installed as a network component in the Windows 95/98 Network dialog box from the Windows 95/98 installation CD-ROM.
The SMS 1.1 CD-ROM contains the \NMEXT\DISK1 directory, which can be used to install the Network Monitor on a Windows for WorkGroups computer. After installing the Network Monitor, the Win32s components must be reinstalled for the Network Monitor to function properly.
NOTE
The versions of Network Monitor for Windows for Workgroups and for Windows 95/98 do not include Experts or the Network Monitor Control Tool.
There are three ways to start Network Monitor and the Network Monitor Control Tool: by selecting Network Monitor or the Network Monitor Control Tool from the Tools node in the SMS Administrator console; by selecting one of the shortcut icons in the SMS program group; or by using the Windows NT command line `Start' option. The syntax for the Network Monitor command is:
netmon [options] |
Network Monitor and the Network Monitor Control Tool are found in the \SMS\NETMON\platform directory on site servers. If the SMS Network Monitor is installed on a non-site server, it is found in the \SMSADMIN\ NETMON\platform directory. There are number of command line options that can be specified when running netmon from the command prompt. For example, start netmon /remote:nts2 instructs Network Monitor to find and use the computer named NTS2 to capture packets using the Network Monitor Agent driver. Other command line options are listed in the Network Monitor help file under the page titled "Start Network Monitor from a Command Line."
The command line command that runs the Network Monitor Control Tool is:
mcsui |
NOTE
There is no need to type start before the netmon or mcsui command, as specified in the help documents included with SMS 2.0.
Network monitoring, commonly referred to as packet sniffing, exposes data in frames that are traversing the network. Unauthorized use of the Network Monitor to collect and examine network data compromises the security of the network. Previous versions of the Network Monitor Agent driver included password security to control who could use the agent to collect frames. In SMS 2.0, running Network Monitor is controlled centrally using the Security Monitor. Security Monitor is one of the monitors included with the Network Monitor Control Tool.
When Network Monitor is running, the Network Monitor Agent driver broadcasts a security packet stating that it is running. If a computer running the Network Monitor has not been included on the Security Monitor Configuration page (Figure 7-7), Security Monitor sends a frame to the computer running the agent driver that forces the Network Interface Card (NIC) out of promiscuous mode. The Network Monitor Agent driver then empties the local capture buffer and destroys the capture file.
To configure the security monitor, start the Network Monitor Control Tool and select Security Monitor (labeled 1 in Figure 7-7). After enabling the Security Monitor, select it from the `Enabled Monitors' box (2). Click the Configure button (3) to display the Configure Security Monitor 1 dialog box. Add NIC hardware addresses to the `Valid MAC Addresses' box (4).
Figure 7-7. Configuring Security Monitor from the Network Monitor Control Tool.
Security Monitor watches for security packets from all instances of the Network Monitor Agent driver on the local network segment. To monitor unauthorized attempts to capture network data on remote segments, ensure that an instance of Security Monitor is running on each network segment.
The Network Monitor user interface is divided into four sections as shown in Figure 7-8 and described next.
Figure 7-8. The Network Monitor application displaying frame statistics.
Network Monitor automatically builds an address database of "friendly names" to help identify individual stations. Captures are filtered based on computer address (or address pairs), protocols, or data patterns within the frame. These friendly names appear in the session statistics, and station statistics sections in place of the network adapter card addresses. For example, in Figure 7-8 the computer named NTS2 is displayed with its NetBIOS computer name.
Filtering can be used before a capture is initiated and after the capture has been completed. Filters configured before a capture begins are called capture filters. Filters configured after data has been captured are called display filters.
Filters are defined in the Capture Filter dialog box, as shown in Figure 7-9. This dialog box is accessed from the Capture menu, `Filters' option in Network Monitor.
Figure 7-9. The Capture Filter dialog box in Network Monitor.
When `SAP/ETYPE = Any SAP or Any ETYPE' is selected, you use the edit button to enable or disable protocol level captures. When '(Address Pairs)' is selected, you filter network traffic between specific NICs or computers in the network and choose in which direction traffic should be filtered, whether in one direction or in both directions. If you select the '(Pattern Matches)' option, you filter which packets are collected to meet a specific pattern in Hex or ASCII, and you fine-tune the pattern match by selecting a specific position within the packets to query for. This type of highly defined pattern match is called a packet offset.
Triggers are created in the Capture Trigger dialog box, as shown in Figure 7-10. When a certain condition, or a set of conditions, defined for the capture trigger is met, the trigger can stop the capture and run a program or batch file. Figure 7-10 shows which events cause the execution of a trigger, and the result when a trigger condition has been met.
Figure 7-10. The Capture Trigger dialog box in Network Monitor.
Triggers can also be set for remote networks using the Windows NT Network Monitor Agent driver. If the trigger involves running a program or a batch file, the execution will be invisible to users of the remote system. Execute Command Line triggers set on a remote capture always run on the remote system.
When viewing captured data, the Summary window (Figure 7-11) displays a summary of all frames captured. A display filter can be set to filter frames of interest, such as those from a particular host or those using a particular protocol. Colors can be added to highlight specific frames.
Figure 7-11. The Network Monitor Capture Summary window.
The Network Monitor Capture Summary window has three panes. The toolbar's Zoom tool can be used to maximize or reduce each pane. To view all three panes simultaneously, double-click any frame.
This pane lists all frames included in the current view of the captured data. When a frame is highlighted in the Summary pane, Network Monitor displays the frame's contents in the Detail and Hex panes (2 and 3 in Figure 7-11).
The columns in the Summary pane can be moved and resized. The nine columns in the Summary pane are as follows:
| Column | Description |
|---|---|
| Frame | All frames captured during one capture session are numbered in order of capture time. The frame number appears in this column. If a display filter is set, this column displays only those frames matching the filter. |
| Time | Displays the frame's capture time relative to the beginning of the capture process. Depending on display settings (see the Display Options menu item), this may indicate time of day when the frame was captured or time elapsed since the previous frame capture. |
| Src MAC Addr | Displays the NIC hardware address or the NetBIOS name of the computer sending the frame. |
| Dst MAC Addr | Displays the NIC hardware address or the NetBIOS name of the computer receiving the frame. |
| Protocol | The highest-layer protocol used to transmit the frame. |
| Description | A summary of the frame's contents. The summary information can show the first protocol used in that frame, the last protocol used in that frame, or an automatic selection. |
| Src Other Addr | An identifying address for the originator of the frame other than the media access control address. This might be an IP or IPX address. |
| Dst Other Addr | Same as above, except that it is the destination of the frame. |
| Type Other Addr | Displays the address type of the addresses displayed in the Src Other Addr and Dst Other Addr columns. |
This pane displays protocol information for the frame currently highlighted in the Summary pane. When a frame contains several protocol layers, the Detail pane displays the outermost level first.
When a protocol is selected in the Detail pane, the associated hexadecimal strings for the current frame are highlighted (in the same color as that used for the protocol) in the Hex pane. If a protocol has a "+" beside it, more information will appear in the Detail pane by clicking the protocol or by selecting the protocol and pressing ENTER. When the protocol information is expanded, a line of data appears for each property associated with that frame.
This pane displays, in hexadecimal format, the content of the selected frame. The highlighted information in the Detail pane will show the corresponding hexadecimal data highlighted in the Hex pane. Network Monitor displays each byte in the frame as two hexadecimal characters, 00 to FF. The corresponding ASCII characters appear on the right. If the Read Only menu option (on the Display menu) is cleared, the frame's contents can be edited by changing hexadecimal values or by typing text in the ASCII section.
Captures can be printed in summary or expanded mode, printing all, or a range, of frames. In addition, captured data can be saved for viewing at a later time.
NOTE
For additional information on SMS Network Monitor, view the online Network Monitor help file (NETMON2.CHM). For additional information on the Monitor Control Tool, view the Monitor Control Tool online help file (MCSUI.CHM).
In this exercise, you will use the SMS 2.0 version of Network Monitor and the Network Monitor Experts to analyze local network traffic. If the SMS Administrator console is not running, start it now.
A menu appears.
The Microsoft Network Monitor window appears.
In the following steps, you will add entries in the address database for the site server.
The Address Database dialog box appears.
The Address Information dialog box appears.
The Address Database dialog box appears displaying Computer 2's address.
The Address Information dialog box appears displaying the media access control address of the site server computer.
The Address Database dialog box appears displaying both computer addresses.
The Save Addresses as dialog box appears.
The Save Addresses as message box appears indicating the file already exists, and prompts you to replace it.
The Address Database dialog box appears.
In the following steps, you will configure a capture filter to capture traffic between Computer 1 and Computer 2.
The Capture Filter dialog box appears.
The Address Expression dialog box appears.
The Capture Filter dialog box appears. Notice under (Address Pairs) that the entries for the site server and Computer 2 appear.
The Network Monitor window appears.
In the following step, you will start a capture session.
The network capture is started. Notice data appears in the four Network Monitor panes.
In the following steps, you will generate network traffic for the capture session from Computer 2 and then answer questions based on the captured data.
The network capture is stopped. Notice the data that appears in the Network Monitor panes.
The Microsoft Network Monitor — [Capture: 1 (Summary)] window appears displaying the traffic that was captured.
The Protocol Colors dialog box appears.
All captured frames that are RPC calls to the server service are displayed in red.
This is the client computer requesting the list of shared resources from the server.
This is the server's response to the request for the list of shared resources.
The Microsoft Network Monitor _ [Capture: 1 (Summary)] window displays three panes.
How large was the packet?
What is the source IP address?
What shares were listed for SERVER1?
What was the elapsed time of the capture?
How many bytes were transmitted during the capture session?
Were there any broadcast frames in the capture?
In the following steps, you will save the capture session.
The Save as dialog box appears.
In the following steps, you will use Network Monitor Experts to help analyze the captured data and answer questions from data provided by the experts.
The Network Monitor Experts dialog box appears.
The Microsoft Network Monitor _ [Run 1: filepath\*.cap] window appears.
The Expert Status View, [Run 1: filepath\*.cap], Capture: 1 (Detail), and the \ETHERNET\NET media access control address Capture Window (Station Stats) dialog boxes appear.
Notice that all experts were 100 percent successful in completion.
Which protocol (other than FRAME or ETHERNET) generated the highest number of frames?
Which protocol generated the highest number of bytes claimed?
Which address generated the highest number of frames?
Which address generated the highest number of bytes?
Network Monitor closes.
In this exercise, you will configure a monitor for using the Network Monitor Control Tool that detects invalid IP address ranges. If the SMS Administrator console is not running, start it now.
The Monitor Control Tool window appears displaying the available monitors for the local computer.
The Monitor is not configured message box appears, prompting you to configure the monitor now.
The Configure IPRange Monitor dialog box appears displaying the list of valid and invalid IP addresses.
This is the IP address of Computer 2. While this is a valid address, you will have the monitor tell you it is invalid for testing.
A Security Alert message box appears, prompting you to send this information to the Internet zone.
The Monitor Control Tool window appears with IPRange Monitor 1 under 'Enabled Monitors.'
Notice the IPRange Monitor 1 status has changed to Running.
In the following steps, you will access Computer 2 to cause the monitor to signal an event.
The Monitor Event Viewer window appears, displaying all events that have been registered by running monitors.
Notice the information presented indicating that the event is an invalid source address, showing which the computer that monitored the event, and presenting the offending addresses.
The Monitor Control Tool window appears.