Network performance analysis is a follow-up to other monitoring and tuning efforts that are specific to a workstation or server computer. After you have tested and optimized the client or server system's resources, look at the performance of the network. For information about monitoring and tuning your system's memory, processor, and disk systems, see the optimization chapters of the Microsoft® Windows® 2000 Server Resource Kit Server Operations Guide before analyzing the network components.

Figure 9.1 illustrates the sequence for monitoring system performance.

Figure 9.1 Sequence of Monitoring System Performance

When you are ready to examine your network's components, start by checking your networking hardware, including elements such as hubs, cables, routers, switches, and network adapters. For information about proper operation, see the manufacturer's documentation.

Use the most current network adapters and device drivers for your network components. In general, you want the widest bandwidth and highest-performing components possible for your entire system and budget. For example, to maximize the benefits of Windows 2000 networking performance enhancements, use adapters that support task offloading capabilities (checksum offloading, IP Security (IPSEC) offloading, or large send offloading) and interrupt moderation.

Note If you are using media-sense network adapters, Windows 2000 displays an icon in the Taskbar if the adapter becomes disconnected from the network medium. Because the driver supporting the adapter continues to run even when it is not processing traffic, the driver causes the system to continue to use resources unnecessarily. Therefore, you should attend to disconnected adapters when the system reports them. As soon as you see the icon, check the adapter connection. Reconnect the adapter if appropriate; otherwise disable or remove the adapter to avoid the waste of resources associated with this condition.

After you have checked the adapters and drivers, verify that your components are properly configured. Set adapters for speeds appropriate to the devices they are using. Notice that autodetection might not select the optimal speed for operation. For proper configuration, see the product documentation.

Windows 2000 provides two primary utilities for monitoring network performance: System Monitor and Network Monitor. System Monitor, installed with both Windows 2000 Professional and Windows 2000 Server, tracks resource utilization and network throughput. Network Monitor, which you can install on Windows 2000 Server, tracks network throughput in terms of captured network traffic. Network Monitor monitors only local traffic. For monitoring traffic sent to or from any computer on the network, or for remotely capturing frames (for example, over a dial-up network connection) from other computers on the network, upgrade to the version of Network Monitor that ships with Microsoft® Systems Management Server version 2.0, Service Pack 1 or later. To monitor these types of traffic, the system from which you capture must have the Network Monitor driver installed (computers running Windows NT 4.0 must have the Network Monitor Agent version 2.0 installed). There is no support for the Network Monitor driver on Windows 95 or Windows 98.

Use the following tools to examine network traffic and system resource utilization. For information about using System Monitor, see "Overview of Performance Monitoring" in this book.

By default, only an administrator has sufficient privileges to install the Network Monitor driver on a computer to be monitored, to install Network Monitor on the computer used for monitoring, or to start Network Monitor.

System Monitor

The built-in Performance console provides the ability to monitor network activity along with the other performance data on the system. Treat network components as another set of hardware resources to observe as part of your normal performance-monitoring routine.

Network activity can influence the performance not only of your network components but also of your system as a whole. You should monitor other resources along with network activity, such as disk, memory, and processor activity. System Monitor enables you to track network and system activity using a single tool. Use the following counters as part of your normal monitoring configuration:

·                     Cache\Data Map Hits %

·                     Cache\Fast Reads/sec

·                     Cache\Lazy Write Pages/sec

·                     Logical Disk\% Disk Space

·                     Memory\Available Bytes

·                     Memory\Nonpaged Pool Allocs

·                     Memory\Nonpaged Pool Bytes

·                     Memory\Paged Pool Allocs

·                     Memory\Paged Pool Bytes

·                     Processor(_Total)\% Processor Time

·                     System\Context Switches/sec

·                     System\Processor Queue Length

·                     Processor(_Total)\Interrupts/sec

Monitoring network activity with System Monitor involves examining performance data at each network layer, as defined in the Open Systems Interconnect (OSI) model; for information about this model, see Appendix A, "OSI Model," in the Windows 2000 Server Resource Kit TCP/IP Core Networking Guide. System Monitor provides performance objects for collection of data that reflect transmission rates, packet queue lengths, and other network performance data.

Note Because of the overhead of the protocol headers, actual transmission rates might differ from the rates specified for the wire or line in use.

Table 9.1 illustrates the network layers and their associated performance objects.

Table 9.1 Network Layers and Related Performance Objects

Begin with the lowest-level components and work your way up as you monitor performance data for your network. Monitor the objects described in this chapter over periods of time ranging from days to weeks, to a month. Using this data, determine a performance baseline, the typical level of performance you expect under typical workloads and usage. A performance baseline gives you a point from which to compare performance over time to identify growth trends, changing demands, or the emergence of a bottleneck. If performance within the baseline range becomes unsatisfactory, tune the network as described in "Resolving Network Bottlenecks" later in this chapter.

As with other resources, establish a baseline for network performance. When performance data is incompatible with your baseline values, investigate the cause. Abnormal network counter values on a server often indicate problems with its memory, processor, or disks. For that reason, the best approach to monitoring a server is to watch network counters in conjunction with Processor\% Processor Time, PhysicalDisk\% Disk Time, and Memory\Pages/sec.

For example, if a dramatic increase in Pages/sec is accompanied by a decrease in Bytes Total/sec handled by a server, the computer is probably running short of physical memory for network operations. Most network resources, including network adapters and protocol software, use nonpaged memory. If a computer is paging excessively, it could be because most of its physical memory has been allocated to network activities, leaving a small amount of memory for processes that use paged memory. To verify this situation, check the computer's system event log for entries indicating that it has run out of paged or nonpaged memory. Also monitor the nonpaged pool memory and overall memory counters. For more information about monitoring memory and performance, see "Evaluating Memory and Cache Usage" in this book.

Network Counters

Starting from the physical layer and working up to the application layer of the OSI model, you will monitor the performance objects and their counters described in the following sections.

Network Interface Object

Use the Network Interface object to monitor transmissions starting at the physical layer. The Network Interface object is installed by Transmission Control Protocol/Internet Protocol (TCP/IP) and monitors activity of the IP protocol. The object reports transmissions over the network adapter. There are no separate objects to monitor the adapters over other networking protocols.

When you use the Network Interface object counters, note that the instances include the loopback address, the network adapter, the dial-out wide area network (WAN) wrapper for each device bound under the Routing and Remote Access service, and the dial-up WAN wrapper for each device. The wrapper is code that surrounds network driver interface specification (NDIS) device drivers, providing a uniform interface between protocol drivers and NDIS device drivers and support routines that make the development of an NDIS driver easier.

The instances typically list the loopback address 127.0.0.1 first, and the remaining instances should match the binding order of the TCP/IP protocol. (If Routing and Remote Access does not use IP for a device, its traffic is not counted.) To view the binding order for TCP/IP, in the Network and Dial-up Connections dialog box, on the Connections menu, click Advanced.

Monitor the following Network Interface object counters:

Network Interface\Output Queue Length

Use this counter to indicate the length of the output packet queue. The value should be low. Queues that are one or two items long constitute satisfactory performance; longer queues mean that the adapter is waiting for the network and cannot keep pace with server requests.

Network Interface\Packets Outbound Discarded

Use this counter to determine if the network is saturated. If this counter continuously increases, it might indicate that a network is so busy that the network buffers cannot keep up with the outbound flow of packets.

Network Interface\Bytes Total/sec

Use this counter to determine how the network adapter is performing. The Bytes Total/sec counter should report high values, to indicate a large number of successful transmissions. Compare this value with the value reported by the Network Interface\Current Bandwidth counter, reflecting each adapter's bandwidth. If you see the Bytes Total/sec rate approaching the maximum transfer rate, the probability of collisions on the network increases. This in turn impacts performance by increasing the latency of packet transfer on the network. In this case, you might want to consider increasing the bandwidth or segmenting the network. For example, if using 100 megabit/sec fast Ethernet, and the total rate of bytes transferred per second approaches 65 percent of the maximum network bandwidth, you can improve performance by using a gigabit or faster Ethernet switch to segment the network into smaller networks.

Network Segment Objects

Use this object to report statistics for the local network segment. To use this object, you must have already installed the Network Monitor driver on the computer where you will run System Monitor and on the computer from which you will collect data. For more information about installing Network Monitor, see "Installing Network Monitor" later in this chapter.

Monitor the following Network Segment object counters:

Network Segment\Broadcast Frames Received/sec

Use this counter to establish a baseline when monitored over time. To determine the cause of a problem, investigate large variations from the baseline. Because each computer processes every broadcast, frequent broadcasts mean lower performance. Determine what level of broadcasts is excessive based on past performance and your expectations for the local site.

Network Segment\% Network Utilization

Use this counter to reflect the percentage of network bandwidth used for the local network segment. Use it to monitor the effect of different network operations (such as logon validation or account synchronization). A low value is preferred. This counter should not report values that exceed the maximum recommended for the type of configuration. For example, 30 percent utilization is the maximum recommended for an unswitched Ethernet network. This means that a 10-megabyte (MB) Ethernet network becomes bottlenecked when its throughput exceeds 3 MB per second. If the value of the counter is above 40 percent, collisions can cause problems. You need to determine the appropriate maximum value for this counter based on your network design and topology, and ensure that % Network Utilization does not exceed this limit.

Network Segment\Total Frames Received/sec

Use this counter to indicate when bridges and routers might be saturated. If network traffic exceeds recommended local area network (LAN) capacity, performance typically suffers across the network. To prevent this situation, it is important to monitor network-wide traffic levels, particularly on larger networks with bridges and routers.

Network Protocol Objects

When monitoring protocol counters, you are likely to be most concerned with transmission rates. Monitor these rates using counters such as Bytes Total/sec, Datagrams Received/sec and Datagrams Sent/sec, or Frames Received/sec and Frames Sent/sec. When looking at transfer counters, consider the capacity of your network. The value of Bytes Total/sec should not be close to or matching the network capacity, or the network might already be saturated.

Following is a list of typical protocol objects. Monitor the ones that pertain to the network protocol in use.

·                     For the TCP/IP protocol, use the TCP, IP, UDP, and Internet Control Message Protocol (ICMP) objects. To monitor traffic at the network layer, use the IP object counters Datagrams Forwarded/sec, Datagrams Received/sec, Datagrams/sec, and Datagrams Sent/sec. To monitor activity at the transport layer, use the TCP object counters Segments Received/sec, Segments Retransmitted/sec, Segments/sec, and Segments Sent/sec. ICMP is used for maintaining route tables and diagnosing problems. UDP is used for DNS host name and IP address resolution and for NetBIOS name resolution by a WINS server.

You should see high values for segments sent and received over the network. If not, reduce broadcast traffic. UDP\Datagrams/sec indicates the number of broadcasts sent and received. This value should be low. If the retransmission rate is high, there might be a hardware problem, so you need to investigate further with system counters such as the processor counters. Use baseline values to determine when these counters are out of range and might indicate a problem.

·                     For the NWLink protocol, use the following three objects to monitor: NWLink IPX for computers communicating over the IPX protocol, NWLink NetBIOS for computers communicating over the IPX protocol, and NWLink SPX for computers connecting over the SPX protocol.

Each of these objects has the following counters that provide information about network transmissions:

·                                Bytes Total/sec

·                                Frame Bytes Sent/sec

·                                Frame Bytes Received/sec

·                                Frames Rejected/sec

Bytes Total/sec should be high on an active network. Frames Rejected/sec should be low.

Note NWLink performance objects display only zeros for counters that report on frame activity.

·                     For the NetBEUI protocol, use the NetBEUI and NetBEUI resource objects. Monitor Bytes Total/sec and other transmission counters such as NetBEUI\Frame Bytes Received/sec and NetBEUI\Frame Bytes Sent/sec. In addition, track Frames Rejected/sec for increasing values. Also include NetBEUI Resource\Times Exhausted, which can indicate if resource buffers are being consumed. Information about the resource objects is also recorded in the event log.

·                     For the AppleTalk protocol, use the AppleTalk object counters.

For information about these counters, see the Performance Counter Reference on the Windows 2000 Resource Kit companion CD.

Improving performance over a slow WAN link under Windows 2000 Server

In general, Windows 2000 is self-tuning, and registry entries related to TCP/IP require no adjustment. If you are using a slow WAN link, adjusting registry entries for TCP/IP can improve performance; however, these changes can adversely affect computers that are short of memory. The following procedure describes how to edit the entries in the registry.

To edit TCP/IP entries in the registry

1.                  On the Start menu, click Run.

2.                  In the Run dialog box, type Regedt32, and then click OK.

The following is a list of entries in HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \Tcpip \Parameters that have an effect on performance when connecting by means of a slow WAN link. For information about these and other related registry settings, see "Technical Reference to the Windows 2000 Registry" on the Windows 2000 Resource Kit companion CD.

Caution Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. To configure or customize Windows 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

·                     TcpMaxConnectRetransmissions. The value of this entry can be increased to allow a connection over a slow WAN but should not be set so long that connection attempts never time out. The default is 2 and can range from 0 to 0xFF.

·                     TcpMaxDataRetransmissions. The value of this entry can be lengthened although this time-out is automatically doubled every time a transmission is re-attempted. The default is 5 and can range from 0 to 0xFFFFFFFF.

·                     TcpWindowSize. When modifying this entry, set it to the product of the bandwidth multiplied by the length of the "round trip" between the local computer and the server.

·                     MaxUserPort. The value of this entry can be changed to achieve higher throughput by allowing the creation of more sockets. The value can be set to 0xFFFE. The default is 0x1388. The minimum value is 0x400; values 0 to 0x3FF are reserved for services.

·                     MaxHashTableSize. The value of this entry can be changed to achieve higher throughput by allowing for faster look-up on connections. The default is 0x200 and can range from 0x40 to 0x10000. On a server in a multiprocessor environment, do not increase MaxHashTableSize beyond the estimated maximum number of concurrent connections.

·                     NumTcbTablePartitions. The value of this entry can be changed to partition the TCP control block (TCB) table to avoid contention. The default is 0x4; the value should be a power of two, that is, 2, 4, 8, 16, 32, and so on. On multiprocessor systems, change the number of partitions to four times the number of processors in your system.

NBT Connection Object

Use this object to track session-layer transmissions between computers. NBT stands for NetBT, an abbreviation for NetBIOS over TCP/IP. This feature provides the NetBIOS programming interface over the TCP/IP protocol. It is used for monitoring routed servers that use NetBIOS name resolution.

Application-Layer Objects

Finally, monitor services or applications at the presentation or application layers. By default, Setup installs the Browser, Redirector, Server, and Server Work Queues objects on computers running Windows 2000. These objects describe performance of file and print services using the Server Message Block (SMB) Protocol.

Note For detailed information about performance objects and counters, see the Performance Counter Reference on the Windows 2000 Resource Kit companion CD.

Browser Object

The primary function of the Browser service is to provide a list of computers sharing resources in a domain along with a list of other domain and workgroup names across the wide area network (WAN). This list is provided to clients that view network resources with My Network Places or the net view command. Active Directory replaces the computer browser service used in earlier versions of Windows to provide the Network Basic Input/Output System (NetBIOS) name resolution. The browser service in Windows 2000 provides backward compatibility with client computers that are running earlier versions of Windows.

The Browser performance object consists of counters that measure the rates of announcements, enumerations, and other browser transmissions. If your organization is maintaining domains under Windows NT Server version 4.0, use the counters in Table 9.2 for monitoring the Browser service.

Table 9.2 Browser Object Counters

For information about the NTDS performance object that reports performance data for Active Directory, or about counters that report lightweight directory access protocol (LDAP) activity, see the Performance Counter Reference on the Windows 2000 Resource Kit companion CD.

Troubleshooting Performance Problems with the Browser Service

Improving the performance of computers running the Browser service relies primarily on reducing traffic. You can do this in several ways:

·                     Configure the computer so that it does not send announcements to browsers on the domain and thereby reduce traffic. Do this by editing the registry. Add the Hidden registry entry to HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \lanmanserver \parameters with a data type of REG_DWORD and a value of 1 (hidden).

Caution Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows. To configure or customize Windows, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

·                     Reduce the number of browser list entries. If a computer rarely shares network resources, configure it so that it doesn't become a browser server. This will reduce the size of the browse list that must be maintained and transferred upon request. Set the value of the MaintainServerList entry in HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \Browser \Parameters to No. For more information about browser service configuration, see "Browser Service" in the Windows 2000 TCP/IP Core Networking Guide.

·                     Eliminate unnecessary network protocols. If a network uses three protocols, all browser announcements and elections will be repeated three times, one for each protocol. If you can reduce the number of protocols, it will have a large impact on reducing browser-related network traffic.

In addition, two registry entries can be configured to control the amount of network traffic generated by the browser. Add the following entries to the registry subkey HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \Browser \Parameters.

·                     MasterPeriodicity. MasterPeriodicity specifies how frequently a master browser contacts the domain master browser. The default value is 720 seconds (12 minutes), with a minimum of 300 seconds (five minutes), and a maximum value of 0x418937 (4,294,967 seconds). This entry has the REG_DWORD data type, and can be changed without restarting the computer. Setting the value of this entry too low can increase traffic on the WAN traffic.

·                     BackupPeriodicity. BackupPeriodicity specifies how frequently a backup browser contacts the master browser. Add this entry to the registry with the REG_DWORD data type. You must restart Windows 2000 to make changes to this entry effective. The default value for BackupPeriodicity is 720 seconds. Changing this value to 1800 (30 minutes) reduces the frequency of browse list updates. This entry does not affect the WAN, because backup browsers always communicate with a local master browser, never with a remote one.

·                     Limit the number of workgroups on the network.

·                     Configure a system to be a preferred master browser on each subnet where no domain controller exists.

Redirector Object

Use the Redirector object counters for the Workstation service, and the Server and Server Work Queues objects for the Server service. The counters for these objects describe activity at the presentation layer of the networking architecture, as described in Table 9.3.

Table 9.3 Redirector Object Counters

Server Object

The Server service supports file and print sharing and is important for communication between local and remote processes. Its companion, the Workstation service, provides network connections and communication. A computer uses the Workstation service to send requests to a server; the Server service responds to those requests. A server computer can run both services.

In general, memory and disk space are considerations on computers running the Server service, and overall server monitoring should include counters for these resources. Because many services might run on top of the Server service, you should also consider the requirements of those services when assessing server requirements. For more information about performance of the Server and Workstation services, monitor the computer using the counters in Table 9.4.

Table 9.4 Server Object Counters

Some additional counters, although not performance related, provide useful information about server security. These include:

·                     Server\Errors Access Permissions

·                     Server\Errors Granted Access

·                     Server\Errors Logon

Server Work Queues Object

The Server Work Queues performance object consists of counters that monitor the length of queues and objects in the queues. See Table 9.5.

Table 9.5 Server Work Queues Object Counters

Troubleshooting Problems Involving the Server Service

In some cases, the Server service can be associated with performance problems, as described in this section.

Event log reports an event ID 2009.

An event ID 2009 might appear listed in the event log if the server could not expand an internal table because the table had reached the maximum size. These internal tables track active sessions, resource connections, open files, and open searches, so this error message can be generated by problems involving these activities.

Table 9.6 lists counters you can use to investigate these activities and possible related problems.

Table 9.6 Server Object Counters Used to Troubleshoot Event ID 2009 Events

MS-DOS applications or older applications that do not make Win32 calls do not have a method for closing searches after they complete. In order to handle this situation, the Server service uses several search time parameters to clear the search handle and reclaim the memory allocated to the search buffers. If you want to adjust the search time parameters to avoid events, change the values for the following entries in HKEY_LOCAL_MACHINE \SYSTEM CurrentControlSet\Services\lanmanserver\parameters in the Windows 2000 registry:

Caution Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows. To configure or customize Windows, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

Trace Logs

The new trace log feature in Windows 2000 makes it possible to closely associate network input/output operations to the workload on a computer. Trace logs are a component of Performance Logs and Alerts. When configured to include Network TCP/IP activity, trace logs report TCP sends and receives as events, and measure the time required to complete these events, along with the bytes transmitted and other data. Using trace data, you can associate network traffic with the services or applications initiating it with the bandwidth utilization of the service or application. Note that trace logs are not output in readable format and must be parsed. The operating system does not provide a parser for trace logs. For information about creating and configuring trace logs, see Windows 2000 Help.

Network Monitor

Unlike System Monitor, which is used to monitor anything from hardware to software, Network Monitor focuses exclusively on network activity. To understand the traffic and behavior of your network components, install and use Network Monitor.

Network Monitor Features

Network administrators use Microsoft Windows 2000 Network Monitor to view and detect problems on local area networks (LANs). For example, as a network administrator, you can use Network Monitor to diagnose hardware and software problems when two or more computers cannot communicate. You can also copy a log of network activity into a file and then send the file to a professional network analyst or support organization.

Network application developers can use Network Monitor to monitor and debug network applications as they are developed.

Network Monitor monitors the network data stream, which consists of all information transferred over a network at any given time. Prior to transmission, this information is divided by the network software into smaller pieces, called frames or packets. Each frame contains:

·                     The source address of the computer that sent the message.

·                     The destination address of the computer that received the frame.

·                     Headers from each protocol used to send the frame.

·                     The data or a portion of the information being sent.

The process by which Network Monitor copies frames is referred to as capturing. You can use Network Monitor to capture all local network traffic or you can single out a subset of frames to be captured. You can also make a capture respond to events on your network. For example, you can make the network start an executable file when Network Monitor detects a particular set of conditions on the network.

After you have captured data, you can view it in the Network Monitor user interface. Network Monitor does much of the data analysis for you by translating the raw capture data into its logical frame structure.

For security reasons, Windows 2000 Network Monitor captures only those frames, including broadcast and multicast frames, sent to or from the local computer. Network Monitor also displays overall network segment statistics for broadcast frames, multicast frames, network utilization, total bytes received per second, and total frames received per second.

In addition, to help protect your network from unauthorized use of Network Monitor installations, Network Monitor can detect other installations of Network Monitor that are running on the local segment of your network. Network Monitor also detects all instances of the Network Monitor driver being used remotely (by either Network Monitor from Systems Management Server or the Network Segment object in System Monitor) to capture data on your network.

When Network Monitor detects other Network Monitor installations running on the network, it displays the following information:

·                     The name of the computer

·                     The name of the user logged on at the computer

·                     The state of Network Monitor on the remote computer (running, capturing, or transmitting)

·                     The adapter address of the remote computer

·                     The version number of Network Monitor on the remote computer

In some instances, your network architecture might prevent one installation of Network Monitor from detecting another. For example, if an installation is separated from yours by a router that does not forward multicasts, your installation cannot detect that installation.

Network Monitor uses a network driver interface specification (NDIS) feature to copy all frames it detects to its capture buffer, a resizable storage area in memory. The default size is 1 MB; you can adjust the size manually as needed. The buffer is a memory-mapped file and occupies disk space.

Note Because Network Monitor uses the local only mode of NDIS instead of promiscuous mode (in which the network adapter passes on all frames sent on the network), you can use Network Monitor even if your network adapter does not support promiscuous mode. Networking performance is not affected when you use an NDIS driver to capture frames. (Putting the network adapter in promiscuous mode can add 30 percent or more to the load on the CPU.)

Installing Network Monitor

To set up Network Monitor, perform two steps:

·                     Install the Network Monitor driver on any computer from which you want to capture data for analysis with Network Monitor.

·                     Install the Network Monitor utilities on a computer running Windows 2000 Server on which data will be captured.

You can install the driver on a computer running either Windows 2000 Professional or Windows 2000 Server. Installing the driver also installs the Network Segment object for use in System Monitor.

Installing the driver does not install Network Monitor itself. Instead, install the Network Monitor Tools on a computer running Windows 2000 Server to install Network Monitor.

To install the Network Monitor driver

1.                  Click Start, point to Settings, click Control Panel, and then double-click Network and Dial-up Connections.

2.                  In Network and Dial-up Connections, right-click Local Area Connection, and then click Properties.

3.                  In the Local Area Connection Properties dialog box, click Install.

4.                  In the Select Network Component Type dialog box, click Protocol, and then click Add.

5.                  In the Select Network Protocol dialog box, click Network Monitor Driver, and then click OK.

If prompted for additional files, insert your Windows 2000 CD, or type a path to the location of the files on a network.

To display and analyze captured data, use the following procedure to install Network Monitor Tools on a computer running Windows 2000 Server. Network Monitor Tools installs Network Monitor along with the Network Monitor driver. If you are running Windows 2000 Server and are installing Network Monitor Tools, you can bypass the preceding procedure; you do not need to install the Network Monitor driver separately.

To install Network Monitor Tools

1.                  Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Programs.

2.                  In the Add/Remove Programs dialog box, double-click Add/Remove Windows Components.

3.                  In the Windows Component Wizard dialog box, click Next.

4.                  Under Components, click Management and Monitoring Tools, and then click the Details button.

5.                  Under Subcomponents of Management and Monitoring Tools, select the Network Monitor Tools check box, and then click OK.

6.                  Click Next to proceed with installation, and then click Finish and Close to exit.

To start Network Monitor on a computer running Windows 2000 Server

1.                  Click Start, point to Programs, and point to Administrative Tools.

2.                  Under Administrative Tools, click Network Monitor.

For information about how to work with the Network Monitor user interface, see Windows 2000 Server Help.

Capturing Frame Data

When you've installed the Network Monitor driver on the computer from which to capture data (hereafter called the source computer) and installed Network Monitor Tools on the computer that will perform the capture (hereafter called destination computer), you can begin to capture data.

To capture data

1.                  Open Network Monitor.

2.                  On the Capture menu, click Start.

Or, click the Capture button on the toolbar.

As frames are captured from the network, statistics about the frames are displayed in the Network Monitor Capture window, as shown in Figure 9.2.

If your browser does not support inline frames, click here to view on a separate page.

Figure 9.2 Network Monitor Capture Window

Network Monitor displays session statistics from the first 100 unique network sessions it detects. The Network Monitor Capture window includes the panes listed in Table 9.7.

Table 9.7 Description of Display Options for the Capture Pane

To reset statistics and see information on the next 100 network sessions detected, on the Capture menu, click Clear Statistics. To capture only those frames that originate with specific computers, determine the addresses of the computers on your network and associate the address with its DNS or NetBIOS name. After these associations are made, you can save the names to an address database (.adr) file that can be used to design capture filters and display filters. The capture filter allows you to specify criteria for inclusion in or exclusion from the capture. If the address is not available in the address database, try to capture all traffic and, after stopping and viewing the capture, use the Find All Names command on the Display menu to locate the address.

Note Capture filters can significantly increase the processor's workload because each packet must be processed through the filter and either saved or discarded. In some cases, using complex filters might result in missed frames.

An example of such a filter is an address pair, used to capture frames from specific computers on the network. An address pair consists of:

·                     The addresses of the computers between which you want to monitor traffic. Note that you can capture to a computer or to a router; however, you cannot select multiple address pairs with the OR operation. You must run multiple instances of Network Monitor to capture to either a computer or a router simultaneously. (An address is a hexadecimal number that identifies a computer uniquely on the network.)

·                     Arrows that specify the traffic direction you want to monitor.

·                     The INCLUDE or EXCLUDE keyword, indicating how Network Monitor should respond to a frame that meets a filter's specifications.

Regardless of the sequence in which statements appear in the Capture Filter dialog box, EXCLUDE statements are evaluated first. Therefore, if a frame meets the criteria specified in an EXCLUDE statement in a filter containing both an EXCLUDE and INCLUDE statement, that frame is discarded. Network Monitor does not test that frame by INCLUDE statements to see if it meets that criterion also.

For example, to capture all the traffic from Joe's computer except the traffic from Joe to Anne, use the following capture filter in the address section:

include Joe <----> Any
exclude Joe <----> Anne

If there are no include lines, the default address
your_computer_name – – – – Any
is used by default.

Figure 9.3 shows the Capture Filter dialog box, accessed from the Capture menu or by pressing F8 in the Capture window.

If your browser does not support inline frames, click here to view on a separate page.

Figure 9.3 Capture Filter Dialog Box

To design a capture filter, specify decision statements in the Capture Filter dialog box. For information about display filters, see "Displaying Captured Data" later in this chapter.

By specifying a pattern match in a capture filter, you can:

·                     Limit a capture to only those frames containing a specific pattern of ASCII or hexadecimal data.

·                     Specify how many bytes into the frame the pattern must occur. This number of bytes is known as an offset.

When you filter based on a pattern match, you must specify where the pattern occurs in the frame (how many bytes from the beginning or end). If your network medium has a variable size in the media access control protocol, such as Ethernet or Token Ring, specify to count from the end of the topology header.

·                     To capture frames sent using a specific protocol, specify the protocol on the capture filter SAP/ETYPE= line. Available protocols appear in the dialog box when you double-click the SAP/ETYPE= line. For example, to capture only IP frames, disable all protocols and then enable IP ETYPE 0x800 and IP SAP 0x6. By default, all of the protocols that Network Monitor supports are enabled.

·                     Use a capture trigger to automate actions to follow the capture. A trigger is a set of conditions that, when met, initiate an action. For example, before using Network Monitor to capture data from the network, you can set a trigger to stop the capture or to run a program or command file. You can also specify the conditions under which these actions will occur. One example of a trigger is a pattern match. You can save a trigger to the local computer if you save a capture filter. The default file path for saving filters is the \System32\Netmon\Captures directory in the root directory.

Table 9.8 describes the trigger types you can use to specify the condition that starts the trigger.

Table 9.8 Trigger Types for Network Monitor Captures

If your computer uses multiple network adapters, use Network Monitor to collect data from multiple network adapters, and then either switch between the two adapters or run multiple instances of Network Monitor.

To switch between adapters

·                     On the Capture menu, click Networks, and then select a different adapter.

Modem adapters appear as ETHERNET with a dial-up connection flag set to TRUE.

After capturing data, you might want to save it. For example, it is useful to save captures before starting another capture (to prevent loss of the captured data) if you think you might need to analyze the data later, or if you need to document network use or problems. When you save captured data, the data in the capture buffer is written to a capture (.cap) file.

Displaying Captured Data

To simplify data analysis, Network Monitor interprets raw data collected during the capture and displays it in the Frame Viewer window.

To display captured information in the Frame Viewer window, from the Capture menu, click Stop and View while the capture is running. You can also display captures by opening a file with the .cap extension.

Figure 9.4 shows the key elements in the Frame Viewer window.

If your browser does not support inline frames, click here to view on a separate page.

Figure 9.4 Frame Viewer Window

Table 9.9 lists Frame Viewer's panes.

Table 9.9 Frame Viewer Panes

You can use a display filter to determine which frames to display. Like a capture filter, a display filter functions like a database query, allowing you to single out specific types of information. Because a display filter operates on data that has already been captured, it does not affect the contents of the Network Monitor capture buffer. You can filter a frame by:

·                     The frame's source or destination address.

·                     The protocols used to send the frame.

·                     The properties and values the frame contains. (A property is a data field within a protocol header. A protocol's properties, collectively, indicate the purpose of the protocol.)

Figure 9.5 shows the Display Filter dialog box, accessed from the Display menu or by pressing F8 in the Frame Viewer window.

If your browser does not support inline frames, click here to view on a separate page.

Figure 9.5 Display Filter Dialog Box

To design a display filter, specify decision statements in the Display Filter dialog box. Information in the Display Filter dialog box is in the form of a decision tree, which is a graphical representation of a filter's logic. When you modify display filter specifications, the decision tree reflects these modifications. Table 9.10 lists various types of filter items you can use.

Table 9.10 Filter Item Options

You must click OK to save the specified decision statement and add it to the decision tree before adding another decision statement.

Although capture filters are limited to four address filter expressions, display filters are not. With display filters, you can also use AND, OR, and NOT logic.

When you display captured data, all available information about the captured frames appears in the Frame Viewer window. To display only those frames sent by a specific protocol, edit the Protocol line in the Display Filter dialog box.

Protocol properties are information that defines a protocol's purpose. Because the purpose of protocols varies, properties differ from one protocol to another.

Suppose, for example, that you have captured a large number of frames using the SMB protocol but want to examine only those frames in which the SMB protocol was used to create a directory on your computer. In this instance, you can single out frames where the SMB command property is equal to make directory.

When you display captured data, all addresses from which information was captured appear in the Frame Viewer window. To display only those frames originating from a specific computer, edit the ANY <– –> ANY line in the Display Filter dialog box.

Reviewing Captured Data

Perform the steps in the following list as part of your routine for reviewing and analyzing captured data:

·                     Follow a session using source and destination IP address and port numbers.

·                     If you find a Reset, focus on the sequence numbers and acknowledgments that precede it.

Try to understand the activity you are seeing:

·                                Is the sender doing retries?

If so, note the number of retries and the time elapsed. The default number of retries for TCP/IP is 5. This value might be different for other protocols.

·                                Did the sender back up and resend the previous packet?

·                                Is the receiver asking for a missed frame by acknowledging a previous sequence number?

·                                Does the size of the data being sent and received correspond to the size of the maximum transmit unit (MTU) of the hardware? If not, you might have the wrong network settings

·                                Is there a lengthy delay for receipt of acknowledgements or for transmission of subsequent packets? This could indicate that the destination computer has inadequate resources or that the application is performing inefficiently.

A reset can be caused by time-outs at the TCP layer or by time-outs of higher-layer protocols. Resets originating at the TCP layer should be easy to read from the trace. It might be more difficult to determine the cause of resets originating from higher-layer protocols such as the server message block (SMB).

For example, an SMB read might time out in 45 seconds and cause a reset of the session even though communications are slow but working at the TCP layer. The trace might only narrow down what component is at fault. From there you might need to use other troubleshooting methods to determine the cause.

To see TCP sequencing when higher-level protocols are present, start Network Monitor and edit the Expression dialog box, using the following steps. Figure 9.6 shows the Expression dialog box.

If your browser does not support inline frames, click here to view on a separate page.

Figure 9.6 Expression Dialog Box

To see TCP sequencing

1.                  Start Network Monitor.

2.                  Display captured data.

3.                  On the Display menu, click Options.

4.                  Select Auto (based on protocols in display filter), and then click OK.

5.                  Click Display, and then click Filter.

6.                  Double-click Protocol=Any.

7.                  Click the Protocol tab, and then click Disable All.

8.                  In the Disabled Protocols list box, click TCP.

9.                  Click Enabled, then click OK, and click OK again.

Network Monitor Performance Issues

Network Monitor creates a memory-mapped file for its capture buffer. For best results, make sure to create a capture buffer large enough to accommodate the traffic you need.

In addition, although you cannot adjust the frame size, you can store only part of the frame, thus reducing the amount of wasted capture buffer space. For example, if you are interested only in the data in the frame header, set the frame size (in bytes) to the size of the header frame. Network Monitor discards the frame data as it stores frames in the capture buffer, thereby using less capture buffer space.

Tip Windows Event Viewer shows start, stop, and connection events for Network Monitor. To verify Network Monitor operation, or as a first step in tracking down Network Monitor problems, examine the event log.

Typical causes for network bottlenecks are an overloaded server, an overloaded network, or a loss of network integrity. The following techniques can help to address some of these problems.

·                     If communicating over Token Ring, FDDI or switched Ethernet networks, attempt to balance network traffic by distributing client connections across multiple network adapters. When using multiple network adapters, make sure that the network adapters are distributed among the PCI buses. For example, if you have four network adapters with three PCI buses, one 64-bit and two 32-bit, allocate two network adapters to the 64-bit bus and one adapter to each 32-bit bus. Splitting the adapters across multiple Ethernet segments is an effective way to eliminate an overloaded network if the physical environment is switched Ethernet, and all adapters are on the same physical segment. For more information about adding network adapters, see "Adding Network Adapters" later in this chapter.

·                     Use adapters with the highest bandwidth available for best performance. Note that increasing bandwidth increases the number of transmissions that are taking place and in turn makes more work for your system, including more interrupts being generated. Remove unused network adapters to reduce overhead.

·                     Use adapters that support task offloading capabilities (checksum offloading, IPSEC offloading, and large send offloading).

·                     If your network uses multiple protocols, place each protocol on a different adapter. Make sure to use the most efficient protocols, especially ones that minimize broadcasts. Notice that reducing the number of protocols installed can increase performance.

·                     High rates of interrupts from network adapters can reduce performance. Using network adapters that batch interrupts by means of interrupt moderation can improve this performance problem, provided the adapter driver supports this capability. Another option is to bind interrupts arising from network adapters to a particular processor to improve performance. When using Interrupt Filter to bind a network adapter to a set of processors. For more information about processor affinity and Interrupt Filter, see "Measuring Multiprocessor System Activity" in this book. For more information about Interrupt Filter, see online Help on the Windows 2000 Resource Kit companion CD.

·                     Divide your network into multiple subnets or segments, attaching the server to each segment with a separate adapter. This reduces congestion at the server by spreading server requests.

·                     Although binding order is relevant on the client computer, there is no reason to reorder server bindings because the server accepts incoming connections based on the protocol used by the client computer.

·                     Use offline folders to work on network applications without being connected to a network. Offline folders make use of client-side caching, thereby reducing network traffic.

Adding Network Adapters

You need to disable some bindings to allow network adapters in the same computer on the same network segment to operate correctly when using NetBEUI. The reason for this is that, if you have two adapters on the same segment and install NetBEUI, the computer sees duplicate computer names due to the resulting NetBIOS name conflict, generates an error, and fails to start system services correctly. This also occurs on bridged or switched networks. In this case you also see the Event ID 2505 error in the event log, indicating a duplicate name on the network. The error might appear in the event log as either of the following messages:

·                     Event ID : 2505 The server could not bind to the transport/device/netbt_ adapter_driver because another computer on the network has the same name. The server could not start.

·                     Event ID : 2505 The server could not bind to the transport/device/nbf_adapter_driver because another computer on the network has the same name. The server could not start.

This problem does not affect routable protocols such as TCP/IP or AppleTalk because when you install or reconfigure them, you have to choose a network adapter, and this automatically disables the protocol's bindings to other adapters. In addition, the operating system treats NetBT as a namespace and need not be disabled. You can manually configure multiple network adapters in a computer by disabling NetBEUI bindings to network adapters other than the one you want to use for the NetBEUI protocol. To do this, disable the following bindings:

·                     Server to NetBEUI protocol to adapter_driver to adapter

·                     Workstation to NetBEUI protocol to adapter_driver to adapter

·                     NetBEUI protocol to adapter_driver to adapter

·                     NetBIOS interface to NetBEUI protocol to adapter_driver to adapter

When you have disabled all of these bindings, network operations can proceed.

In addition, if all clients have equal network access to any of the network adapters on the multihomed computer, and all of the client and server network adapters are on the same subnet, you can help to distribute the client connections between the server network adapters by adding the RandomAdapter registry entry in HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \Netbt \Parameters. In this way, each network adapter will still respond to the name query, but each network adapter will choose the IP address randomly from all the network adapters on the server. This helps to distribute network sessions among the network adapters, but does not necessarily balance the load because network traffic might vary greatly between the sessions.

Caution Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. To configure or customize Windows 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.