Microsoft KB Archive/933741

= Information about Network Monitor 3 =

Article ID: 933741

Article Last Modified on 7/24/2007


APPLIES TO


 * Windows Vista Ultimate
 * Windows Vista Enterprise
 * Windows Vista Ultimate 64-bit Edition
 * Windows Vista Enterprise 64-bit Edition




INTRODUCTION
This article contains information about Microsoft Network Monitor 3. Network Monitor 3 is a protocol analyzer. It enables you to capture, to view, and to analyze network data. You can use it to help troubleshoot problems with applications on the network.

This article contains download and support information, installation notes, and general usage information about Network Monitor 3. Network Monitor 3.1 is the latest version.



MORE INFORMATION
Network Monitor 3 is a complete overhaul of the earlier Network Monitor 2.x version. Some key features of Network Monitor 3 include the following:
 * Script-based parser model
 * Simultaneous capture sessions
 * Support for Windows Vista
 * Support for 32-bit platforms and for 64-bit platforms
 * Support for network conversations

Download and support information
To download Network Monitor 3.1, visit the following Microsoft Web site:

http://download.microsoft.com/download/1/8/f/18fd3dfa-ea78-4ed0-a62d-f5b043391ea4/NM31_Release_x86.msi

Support information for Network Monitor 3 is located at the following Microsoft Connect Web site:

http://connect.microsoft.com

You must sign in to the Web site by using a Windows Live ID. After you sign in, you can apply to participate in the program. To do this, in the Options column of the table, click Apply next to Network Monitor 3. After you enroll in the program, you have access to newsgroups, and you can submit bug reports.

Installation notes
Network Monitor 3.1 can co-exist with earlier versions of Network Monitor. By default, Network Monitor 3.1 is installed in the "%Program Files%\Microsoft Network Monitor 3.0" folder. Therefore, conflicts do not occur if an earlier version is installed in a different folder on the computer. When you install Network Monitor 3.1, Network Monitor 3 is uninstalled.

Network Monitor 3.1 includes a new driver for Windows Vista-based computers. This new driver supports new features of the Network Driver Interface Specification (NDIS) 6.0 driver. If you are using tools that rely on Network Monitor 2.x NPPTools, the tools will no longer work. To capture network data in Windows Vista, you must use Network Monitor 3.1. Network Monitor 2.x does not capture network data correctly in Windows Vista.

Suggested hardware to run Network Monitor 3.1 is listed as follows:
 * 1 GHz or faster processor
 * 1 GB or more memory
 * 25 MB free space on the hard disk, and additional hard disk space to store capture files

Network Monitor 3.1 is supported on the following operating systems:
 * Windows Vista
 * Microsoft Windows XP
 * Microsoft Windows Server 2003

Warnings and cautions
Currently, we do not recommend that you run Network Monitor 3 on production systems. In scenarios where load is something to consider, use the command-line version of Network Monitor 3 to capture network data. The command-line version is Nmcap.exe. For more information about Nmcap.exe, see the "Nmcap.exe command-line tool" section.

Network Monitor 3 may consume lots of system resources. Some things to consider are listed as follows.
 * Disk space

When you start a capture session, Network Monitor 3 stores frames in a sequence of capture files that are located in the \Temp folder. By default, the size of each capture file is 20 MB. By default, if you do not stop the capture session, Network Monitor 3 continues to store capture files in the \Temp folder until the free hard disk space on the computer is less than 2 percent. Then, Network Monitor 3 stops the capture session.

You can configure the capture file size, the location where the capture files are stored, the free hard disk space limit, and other capture options. To do this, on the Tools menu, point to Options, and then click the Capture tab.
 * Memory use

In addition to capturing data, Network Monitor 3 assigns properties to frames, and then uses the properties to group the frames into conversations. Network Monitor 3 displays the conversations and the associated frames in a tree structure in the Network Conversations pane.

The Conversations feature of Network Monitor 3 significantly increases memory use. This may cause the computer to become unresponsive. By default, the Conversations feature is turned off. Some higher-level protocol filters require conversation properties. To turn on the Conversations feature, click the Start Page tab, and then click to select the Enable Conversations check box.
 * Processor utilization

The Conversations feature of Network Monitor 3 may significantly increase processor utilization when lots of frames are processed. By default, the Conversations feature is turned off, as mentioned in the "Memory use" section.

General usage
General usage information for Network Monitor 3 is listed as follows.
 * Capture network data

As mentioned earlier, Network Monitor 3 may consume lots of system resources. Therefore, if you want to minimize the effect on system resources that may occur when you use Network Monitor 3 to capture data, use the Nmcap.exe command-line tool to capture data.

Network Monitor 3 enables you to collect network data and to view the network data in real time as the data is captured. To start a capture session in Network Monitor 3, click the Start Page tab, click Create a new capture tab, and then either click the Start Capture button, or press F10.
 * Filters

Network Monitor 3 uses a simple syntax that is expression-based to filter frames. All frames that match the expression are displayed to the user. For more information about filters, do any of the following:
   * View the topics in the "Using Filters" section of the Network Monitor 3 User's Guide. To do this, on the Help menu, click Contents, and then double-click Using Filters.
   * On the Help menu, point to How Do I, and then click Use Filters.
   * Use the Capture Filter tab or the Display Filter tab to view standard filters.
 * Conversations

By default, the Conversations feature is turned off. This is the default setting because the Conversations feature can consume lots of memory, especially in scenarios when you capture data for long periods of time. To turn on the Conversations feature, click the Start Page tab, and then click to select the Enable Conversations check box.

When you turn on the Conversations feature, frames are grouped and displayed in the Network Conversations pane in a tree structure according to the conversations to which they belong. For example, TCP data that uses the same source port and the same destination port is organized into a group. When you click a node in the Network Conversations pane, the corresponding conversation filter is automatically applied to the frames in the Frame Summary pane. Only frames that belong to that particular conversation are displayed.
 * Nmcap.exe command-line tool

The Nmcap.exe command-line tool enables you to configure when you want to start a capture session or to stop a capture session. You can also use the Nmcap.exe command-line tool to create chained captures. Chained captures enable you to create multiple capture files. However, the size of the capture files remains small.
 * Network Parsing Language (NPL)

Network Monitor 3 parsers are written in a language designed specifically to make parser development more straightforward. This also provides a level of protection against the exploitation by malicious code that may occur if parsers were created as DLL files. NPL provides access to parsers. You can view or modify the parsers that are included in Network Monitor 3.

Common issues
Common issues include the following:
 * Protocols may not parse correctly. This issue may occur if either of the following conditions is true:
   * The Conversations feature is turned off.

Certain protocols depend on conversation properties to store state values that may be needed in later frames. For example, TCP needs conversations to store information about retransmitted frames. The filter for TCP Retransmits will not work unless the Conversations feature is enabled.

Similarly, the Server Message Block (SMB) protocol cannot translate the response to a Transact command, because the response does not contain the original command. The information is saved in conversation properties.
   * The parser and the associated protocol may be available under the Microsoft Communications Protocol Program (MCPP) and the Microsoft Work Group Server Protocol Program (WSPP).

To learn more about how to become a licensee, visit the following Microsoft Web site:

http://www.microsoft.com/about/legal/intellectualproperty/protocols/mcpp.mspx

These parsers are considered confidential Microsoft intellectual property and are not distributed publicly. Therefore, these parsers are not part of the publicly released version of Network Monitor 3.
 * You receive one of the following error messages when you run Network Monitor 3 on a Windows Vista-based computer:

None of the network adapters are bound to the Netmon driver

This network adapter is not configured to capture with Network Monitor

This issue occurs if either of the following conditions is true:
   * You are not running Network Monitor 3 as administrator.
   * You are not a member of the Netmon Users group.

For more information, see the Network Monitor 3 release notes or see the "Operating on Windows Vista" topic in Network Monitor 3 Help.
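The dependence on conversation state described under "Common issues" (TCP retransmit detection, and SMB responses that do not carry the original command) can be seen in a small model. This is an added Python example, not Network Monitor or NPL code; the frame layout, the simplified SMB fields `mid` and `cmd`, and the sample frames are assumptions constructed for illustration.

```python
from collections import defaultdict

def frame(n, src, dst, seq, length, smb=None):
    return {"n": n, "src": src, "dst": dst, "seq": seq, "len": length, "smb": smb}

CLIENT, SERVER = ("10.0.0.5", 49152), ("10.0.0.9", 445)
# Constructed sample frames, not real capture data. Frame 3 repeats frame 1.
FRAMES = [
    frame(1, CLIENT, SERVER, 1000, 80, {"mid": 7, "cmd": "Transact"}),
    frame(2, SERVER, CLIENT, 5000, 60, {"mid": 7, "response": True}),
    frame(3, CLIENT, SERVER, 1000, 80, {"mid": 7, "cmd": "Transact"}),
    frame(4, ("10.0.0.5", 49153), ("10.0.0.9", 80), 1000, 80),
]

def conversation_key(f):
    # Same key for both directions of one TCP connection.
    return tuple(sorted([f["src"], f["dst"]]))

def analyze(frames, conversations_enabled=True):
    """Return ({frame number: [annotations]}, number of conversations tracked)."""
    # Per-conversation state: segments already seen and SMB requests awaiting a reply.
    # This state grows with the capture, which is the memory cost the article describes.
    state = defaultdict(lambda: {"seen": set(), "pending": {}})
    notes = {}
    for f in frames:
        found = []
        smb = f["smb"]
        if conversations_enabled:
            conv = state[conversation_key(f)]
            segment = (f["src"], f["seq"], f["len"])
            if f["len"] > 0 and segment in conv["seen"]:
                found.append("TCP retransmit")
            conv["seen"].add(segment)
            if smb and smb.get("response"):
                # The reply lacks the command; recover it from the stored request.
                found.append("SMB response to " + conv["pending"].get(smb["mid"], "unknown"))
            elif smb:
                conv["pending"][smb["mid"]] = smb["cmd"]
        elif smb and smb.get("response"):
            # No stored request to consult, so the reply cannot be translated.
            found.append("SMB response to unknown")
        notes[f["n"]] = found
    return notes, len(state)

if __name__ == "__main__":
    for enabled in (True, False):
        print(enabled, analyze(FRAMES, enabled))
```

With conversation tracking disabled, the repeated segment in frame 3 goes unflagged and the SMB reply cannot be tied to its request, which matches the two symptoms the article lists.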

<div class="references_section">