zhanguo
Tips for Getting Started
This section contains general tips for getting started using Network Monitor.
Installation
During installation, network connectivity can briefly be lost as the driver is installed.
System Resources
Network Monitor can use significant system resources. If memory utilization is a factor, consider using the command-line capture utility, NMCap. For more information, see Network Monitor Tools.
The following are significant items:
Disc space: When capturing, Network Monitor currently stores frames in a sequence of capture files named cap*.tmp in the Local Settings\Temp directory. By default it continues to store a series of these files of 20 MB each until the disc is within 2 percent of being full; then it stops capturing. To change the temporary file size and the disc space limit for capture files, on the Network Monitor Tools menu, click Options, then click Capture. The location for these files is not configurable.
Memory and processor utilization: Conversations are enabled by default. When conversations are enabled, Network Monitor assigns properties to frames and groups them into conversations by using these properties. A conversation is a group of frames that are related to each other at a specific protocol level. Network Monitor displays these conversations and their related frames as a tree in the Network Conversations window. The Network Conversations window can be closed, and conversations can be disabled. On the Tools menu, click Options, click Capture, and then clear the Enable Conversations check box. This reduces memory and processor utilization during capture. However, some higher-level protocol filters require conversation properties and do not work with conversation support turned off.
Windows Parsers
At installation, only a subset of the parsers is enabled. Most Windows parsers have been enabled as stubs only, which means that they do not parse completely. To load the full parsers, take the following steps:
1. On the Tools menu, click Options, and then click Parser.
2. Select the Windows row and click Stubs to change the Set column to Full.
3. Click Save and Reload Parsers and then click OK.
Filtering
The following tips can be useful to get started filtering effectively:
Type a period (.) in the Display Filter or Capture Filter window to get the top-level elements on which you can filter. The most useful are Protocol and Property.
Start with the protocol name, if you know it, or any other item at the top level (Protocol, Property, or Struct), or one level below that.
Right-click any field in the Frame Details window to learn how to filter on that field and find other frames like the one you are looking at.
Right-click any column in the Frame Summary window to add a filter that returns similar frames.
Use the Boolean AND, OR, and NOT operators to combine arguments in a filter.
To follow a single TCP stream, or other stream, right-click a frame, click Find Conversation, and then click TCP.
Configuring the Workspace
The Network Monitor workspace is configurable to meet your current needs. All windows can be resized.
zhanguo
For example, if you selected an Outlook conversation to see what the e-mail response time is, you would want to filter on the protocol to eliminate all keep-alive requests and acknowledgments. Apply the following filter: protocol.MSRPC. Then, you see only the actual messages and responses, as shown in the following table.

| Time Delta | Frame Number | Source | Destination | Description |
|---|---|---|---|---|
| 0.000000 | 3 | 157.59.136.191 | 157.54.61.199 | MSRPC:c/o Request: unknown Call=0x112 Opnum=0xB Context=0x0 Hint=0xF4 |
| 0.001000 | 4 | 157.54.61.199 | 157.59.136.191 | MSRPC:c/o Response: unknown Call=0x112 Context=0x0 Hint=0x68 Cancels=0x0 |
| 0.004000 | 5 | 157.59.136.191 | 157.54.61.199 | MSRPC:c/o Request: unknown Call=0x113 Opnum=0xB Context=0x0 Hint=0xC4 |
| 0.001000 | 6 | 157.54.61.199 | 157.59.136.191 | MSRPC:c/o Response: unknown Call=0x113 Context=0x0 Hint=0x6C Cancels=0x0 |
| 0.006000 | 7 | 157.59.136.191 | 157.54.61.199 | MSRPC:c/o Request: unknown Call=0x114 Opnum=0xB Context=0x0 Hint=0xA90 |
| 0.184011 | 9 | 157.54.61.199 | 157.59.136.191 | MSRPC:c/o Response: unknown Call=0x114 Context=0x0 Hint=0x2D0 Cancels=0x0 |
| 0.004000 | 11 | 157.59.136.191 | 157.54.61.199 | MSRPC:c/o Request: unknown Call=0x116 Opnum=0xB Context=0x0 Hint=0xC0 |
| 0.002000 | 13 | 157.54.61.199 | 157.59.136.191 | MSRPC:c/o Response: unknown Call=0x116 Context=0x0 Hint=0x218 Cancels=0x0 |

The deltas of .001 or .002 in the first, second, and fourth request-response pairs are normal and indicate that the network is running efficiently. The .184 delta for the third pair is relatively large and could indicate an expensive request or a slow server.
Note:
Filtering for MSRPC also includes other protocols that ride on top of MSRPC.
kapuzhongjiang
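The request-response timing check described in the comment above, as an added example that is not part of the original page or of Network Monitor. It assumes each Time Delta is measured from the previously displayed frame; `pair_calls`, `slow_calls` and the 10x-median threshold are hypothetical choices made for this sketch.

```python
import re
from statistics import median

# Rows transcribed from the table above:
# (time delta in seconds, frame number, source, destination, description)
ROWS = [
    (0.000000, 3, "157.59.136.191", "157.54.61.199", "MSRPC:c/o Request: unknown Call=0x112 Opnum=0xB Context=0x0 Hint=0xF4"),
    (0.001000, 4, "157.54.61.199", "157.59.136.191", "MSRPC:c/o Response: unknown Call=0x112 Context=0x0 Hint=0x68 Cancels=0x0"),
    (0.004000, 5, "157.59.136.191", "157.54.61.199", "MSRPC:c/o Request: unknown Call=0x113 Opnum=0xB Context=0x0 Hint=0xC4"),
    (0.001000, 6, "157.54.61.199", "157.59.136.191", "MSRPC:c/o Response: unknown Call=0x113 Context=0x0 Hint=0x6C Cancels=0x0"),
    (0.006000, 7, "157.59.136.191", "157.54.61.199", "MSRPC:c/o Request: unknown Call=0x114 Opnum=0xB Context=0x0 Hint=0xA90"),
    (0.184011, 9, "157.54.61.199", "157.59.136.191", "MSRPC:c/o Response: unknown Call=0x114 Context=0x0 Hint=0x2D0 Cancels=0x0"),
    (0.004000, 11, "157.59.136.191", "157.54.61.199", "MSRPC:c/o Request: unknown Call=0x116 Opnum=0xB Context=0x0 Hint=0xC0"),
    (0.002000, 13, "157.54.61.199", "157.59.136.191", "MSRPC:c/o Response: unknown Call=0x116 Context=0x0 Hint=0x218 Cancels=0x0"),
]

CALL_RE = re.compile(r"MSRPC:c/o (Request|Response):.*?\bCall=(0x[0-9A-Fa-f]+)")

def pair_calls(rows):
    """Return [(call_id, request_frame, response_frame, latency_seconds)]."""
    clock = 0.0      # running capture time rebuilt from the deltas
    pending = {}     # (client, server, call_id) -> (request frame, request time)
    pairs = []
    for delta, frame, src, dst, desc in rows:
        clock += delta
        m = CALL_RE.search(desc)
        if not m:
            continue                      # not an MSRPC request/response row
        kind, call = m.groups()
        if kind == "Request":
            pending[(src, dst, call)] = (frame, clock)
            continue
        # A response travels server -> client, so swap the endpoints to match.
        req = pending.pop((dst, src, call), None)
        if req is None:
            continue                      # request fell outside the capture
        pairs.append((call, req[0], frame, round(clock - req[1], 6)))
    return pairs

def slow_calls(pairs, factor=10.0):
    """Return the pairs whose latency exceeds factor x the median latency."""
    if not pairs:
        return []
    baseline = median(p[3] for p in pairs)
    return [p for p in pairs if p[3] > factor * baseline]

if __name__ == "__main__":
    for call, req, resp, latency in slow_calls(pair_calls(ROWS)):
        print(f"Call {call}: frames {req}->{resp} took {latency:.6f} s")
```

Matching on the Call value and the swapped endpoints, rather than on row order, keeps the pairing correct when responses arrive out of order or several clients appear in the same filtered view.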