Brien M. Posey
In the previous two articles, I have shown you some basic data capture techniques using Network Monitor. This part 3 will continue the discussion of how to analyze the data you captured.
For the sake of simplicity, we perform a simple ping operation. To do so, you must log on to the server that you will run Network Monitor, open a command prompt. When the command window is open, type the command ' PING ', then a space and the full domain name or an IP address of the network computer, but you have not pressed Enter now. Open Network Monitor and select the Start command from the Capture menu. Immediately switch to the command prompt and press Enter to execute the ping command. This command will return the results shown in Figure A. As soon as the command finishes, you will switch back to Network Monitor's screen and select the Stop command from the Capture menu. Doing so will capture the packets associated with the ping command, but will also capture some unrelated traffic.
Figure A: The returned results of the PING command
After you stop the capture process, click the Display Captured Data icon (
This means that if you used Network Monitor to handle a network problem in the real world, some inappropriate data might be captured. Knowing how to select data will be an essential skill because it will then identify the data you really need to care about.
If you look at Figure B, you will notice that there are quite a few packets captured. Our job is to filter the packets that are not related to the action we took to capture the packets that were captured more easily.
Figure B: Network Monitor shows traffic that is not related to your analysis
To do so, click the Filter icon on the toolbar. When you click, you will see a dialog box like Figure C. This dialog box shows that Network Monitor shows you all the data that has been captured regardless of the protocol or IP address.
Figure C: Display Filter dialog box
However, we have implemented PING from this computer to another computer and we know the IP addresses related to the PING command. Therefore, it is possible to filter other addresses. To do so, select the ANY ANY line and click the Edit Expression button. Now you will see a screen similar to Figure D.
Figure D: The Expression dialog box allows you to select addresses related to the current situation
This screen allows you to select the addresses of two computers that are relevant to your situation. Usually just select the source address and destination address, verify the direction column is set to, then click OK. In this particular case, everything is very simple.
You will see in this picture that there are many IP addresses related to the test computer. That's because this computer is a Web server and manages many websites, each with its own address. In the same situation, you should choose the main address of the computer unless there is a specific reason to use one of the remaining addresses.
Another thing here makes the display slightly confusing, but the destination address of the target machine is not displayed. You can fix this by clicking the Edit Addresses button. You will see a list of all addresses from the previous list. Click the Add button and you will have the opportunity to add an address to the list. Note in Figure E is to select the type of address (IP or MAC) you want to add. Click OK, then Close, the address will be added to the address filter.
Figure E: Add an address to the list
Now select the IP addresses related to the situation you are interested in, then click OK twice. The list of captured frames currently filtered only shows traffic from the selected computers, as shown in Figure F.
Figure F: The list of captured data displays only the frames that interest us
When our capture involves only the PING command, you absolutely won't have any problems locating the data you're looking for. In the real world, it sometimes happens that the data you are trying to capture may not exist inside the capture. There are two main conditions that can cause this. First, why your capture file may not have the data you care about is because most companies switch from using hubs to switches. On a network that uses hubs, each computer on the hub receives the same traffic. When the computer needs to communicate with another computer it will place a data packet on the wire and the packet will be transferred to other computers attached to the hub. The data receiving computer distinguishes this packet by observing the header of each packet, checking to see if it is the package sent to it. If the destination address corresponds to the MAC address of that computer, the device will open the packet and then its contents. Otherwise, it will be ignored.
For networks using switches it is different. When a computer sends a packet, the switch observes the packet header to determine which computer will receive the packet. It will then forward this packet to the switch port that the computer receives the connection to. Other computers are completely ignorant of this packet.
The reason why switches replace hubs is because they are more efficient and more secure. If a hub is used for two computers that want to send data at the same time, a conflict will occur and both packets in the process will be destroyed. Those two computers had to wait for a random amount of time to replay the data that had been conflicted. If there are more computers, the number of conflicts occurs more often and thus low network performance. That is why companies are switching to switch instead of hubs. Switches are difficult to capture data with Network Monitor. The reason for this is that with the way switches work, you can only capture data sent or from another computer to a computer that has Network Monitor running on it.
Another condition that can make the desired packages not captured is to use virtual computers. If a single server configures multiple virtual machines, then traffic to those virtual computers will probably not be captured because traffic between virtual computers is configured by a separate server without wires. However, you can also configure virtual computers so that traffic between them falls into the network, but that is beyond the scope of this article.
Conclude
In this article we have introduced you to the need for data filtering and why you cannot capture all the selected data. In Part 4 we will continue the discussion of how to analyze filtered data.
Working with Network Monitor (Part 5)