Microsoft KB Archive/155586

= How to Make a Network Trace with Network Monitor =

Last reviewed: February 26, 1997

Article ID: Q155586
Versions: 1.00 1.10
Platform: WINDOWS
Keywords: kb3rdparty kbnetwork kbusage kbhowto

The information in this article applies to:


 * Microsoft Systems Management Server versions 1.0 and 1.1
 * Microsoft Network Monitor 1.x

SUMMARY
During the resolution of a problem escalated to Microsoft Support personnel, you may be asked to make a trace of all incoming or outgoing traffic to a certain system. If the capture is too large or contains traffic irrelevant to the problem, the engineer may find it difficult to isolate the relevant network traffic in the capture file.

This article describes the exact steps needed to produce a narrowed network trace that captures only the information the support engineer needs.

MORE INFORMATION
This article assumes you have Network Monitor installed and running. If you are running Microsoft Systems Management Server 1.x, you can launch Network Monitor from the SMS Administrator program group. If you received a copy of Network Monitor from Microsoft Technical Support, please follow instructions provided in the Readme.txt file to install it.

1. Start Network Monitor. If the systems involved are participating in a WAN, please see "Tracing in a WAN Environment" before continuing.

2. On the Capture menu, click Buffer Settings..., and type 4 in the Buffer Size (In MB) dialog box. Click OK.

3. On the Capture menu, click Filter, or press F8.

4. Isolate the capture to the specific monitored computer with the following steps:

   a. Make sure that the SAP/ETYPE value is equal to "Any SAP or Any ETYPE." If not, click on the Line button in the Edit box, click Enable All, and then click OK.

   b. Remove any "Include" statement under the nested "AND (Address Pairs)" and "AND (Pattern Matches)." To delete, click each entry and select the Line button in the Delete box.

      NOTE: Only one entry is defined under the "AND (Address Pairs)" and it reads "INCLUDE *ANY <--> ANY" by default. Make sure it is removed.

   c. Click the Address button in the Add box and locate the computer to be monitored in the Station 1 box on the left. If the computer is not in the list:

      1) In the Address Expression window, click Edit Addresses.
      2) Click Add.
      3) Complete Type, Address (MAC address), and Name (this is a friendly name, NOT the NetBIOS name) and click OK to close the Address Information window. Now, the Address Database window should list the computer to be monitored. If you don't know how to find out the MAC address of the computer, please see the section "Finding MAC Addresses."
      4) Click OK to close the Address Database window.

   d. Select the computer to be monitored in the Station 1 box on the left. Make sure the Include radio button is selected.

   e. Click the "<-->" in the Direction middle column.

   f. Click the *ANY option in the Station 2 box on the right.

   g. Click OK to close the Address Expression window.

5. Now your Capture Filter window should look like the following:

      AND
       |---SAP/ETYPE = Any SAP or Any ETYPE
       |---AND (Address Pairs)
       |     + INCLUDE XXXXX (ETHERNET) <--> *ANY
       |---AND (Pattern Matches)

   where XXXXX is the friendly name you gave to the computer. If you do not see this tree, please re-do step 4 until you obtain the expected behavior.

6. Immediately perform the steps needed to reproduce the error condition. For example, if the problem is related to a failing file copy operation to a network share, start copying the files immediately.

7. Once the error condition occurs, immediately stop the trace. After the error condition occurs at least once, stop the trace to have an exact sample of the error. Following the previous example, once the error "The system cannot find the path specified" appears, the capture should be stopped to have a narrowed trace.

8. Save the trace file (.cap) and send it to the support engineer as requested. The closer to the error condition you start and stop tracing, the better. A network trace that is too large and/or contains irrelevant traffic can be useless and too time consuming to analyze.
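The filter the steps above build (SAP/ETYPE = Any, one address pair INCLUDE <station> <--> *ANY, nothing under Pattern Matches) amounts to keeping every frame whose source or destination MAC address is the monitored computer, whatever the protocol. The following Python, added here and not part of the original article or of Network Monitor itself, applies that rule to constructed Ethernet frames and also models the fixed capture buffer from step 2; the MAC addresses and frame contents are made-up sample data.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType (Ethernet II)

def mac(text: str) -> bytes:
    """'00-AA-00-00-00-01' or '00:AA:...' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.replace("-", ":").split(":"))

def frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet II frame (sample input, not captured data)."""
    return ETH_HDR.pack(mac(dst), mac(src), ethertype) + payload

def address_pair_include(monitored: str):
    """Filter for 'INCLUDE <monitored> <--> *ANY' with SAP/ETYPE set to Any:
    keep a frame when the station is its source or its destination."""
    station = mac(monitored)
    def keep(f: bytes) -> bool:
        dst, src, _ethertype = ETH_HDR.unpack_from(f)  # ETYPE is not checked
        return station in (dst, src)
    return keep

def capture(frames, keep, buffer_bytes: int):
    """Copy passing frames into a fixed-size buffer, as the Buffer Size
    setting does; returns (kept frames, frames dropped once it was full)."""
    kept, used, dropped = [], 0, 0
    for f in frames:
        if not keep(f):
            continue                      # excluded by the address pair
        if used + len(f) > buffer_bytes:
            dropped += 1                  # buffer full: this is why a small,
            continue                      # well-timed capture matters
        kept.append(f)
        used += len(f)
    return kept, dropped

# Constructed sample traffic; station A plays the monitored computer.
A, B, C = "00-AA-00-00-00-01", "00-BB-00-00-00-02", "00-CC-00-00-00-03"
SAMPLE = [
    frame(B, A, 0x0800, b"A->B IP"),
    frame(A, B, 0x0800, b"B->A IP"),
    frame(C, B, 0x0800, b"B->C IP, unrelated"),
    frame("FF-FF-FF-FF-FF-FF", A, 0x0806, b"A broadcast ARP"),
    frame(C, A, 0x8137, b"A->C IPX, kept: any ETYPE"),
]

def demo(buffer_bytes: int = 4 * 1024 * 1024):
    """Run the filter over SAMPLE; returns (frames kept, frames dropped)."""
    kept, dropped = capture(SAMPLE, address_pair_include(A), buffer_bytes)
    return len(kept), dropped  # -> (4, 0): only the unrelated B->C frame is excluded
```

Calling demo() with a deliberately tiny buffer (for example 40 bytes) shows frames being dropped once the buffer fills, which is the failure mode the 4 MB setting and the "start and stop close to the error" advice are meant to avoid.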

Tracing in a WAN Environment
Sometimes, you may be asked to make a capture of network traffic between two specific computers that are separated by one or more routers. In these cases, the support engineer may want to analyze all network traffic between the first computer and its nearest router, and all network traffic between the second computer and its nearest router. Most of the time, this is done to check whether or not network packets are being lost or corrupted somewhere between the routers. To make these traces consistent and to be able to read these traces simultaneously, the system clocks must be synchronized between the two computers prior to making the trace. Use the following steps to synchronize time between two computers:

1. Choose the computer against which to synchronize the time.

2. From the other computer, type the command

      net time \\<ComputerName> /set /yes

   where <ComputerName> is the name of the computer from step 1.

3. Verify the computers have the same time by typing TIME at each one.

4. Proceed with the trace.

Finding Media Access Control Addresses
If the computer to be monitored is running:

 * An MS-DOS-based network client, run MSD at that computer.
 * Windows for Workgroups 3.11 (running TCP/IP), type IPCONFIG /ALL from the command line.
 * Windows 95, run WINIPCFG from the command line at the local workstation.
 * Windows NT, at the local console, use one of these options:
   * NET CONFIG SERVER from the command line
   * IPCONFIG /ALL from the command line
   * IPXROUTE config from the command line
   * arp -a from the command line
   * Getmac.exe from the Windows NT Resource Kit
   * WinMSD
 * Windows NT, remotely, run Getmac.exe from the Windows NT Resource Kit