Display Data
The Frame Viewer window
Network Monitor simplifies data analysis by interpreting raw data collected during the capture and displaying it in the Frame Viewer window.The Frame Viewer window includes the following panes:
| Pane | Displays |
|---|---|
| Frame Viewer window: Summary pane | General information about the captured frames in the order that they were captured in. |
| Frame Viewer window: Detail pane | The contents of the frame, including the protocols that were used to send it. |
| Frame Viewer window: Hexadecimal pane | Hexadecimal and ASCII representations of the captured data. |
Frame Viewer window: Summary pane
The Frame Viewer Window, Summary pane, displays a list of the frames in the order in which they were captured.
- Frame
- The frame number, which is listed in the order that the frame was captured. Frame numbers begin with 1.
- Time
- The time that the frame was captured. The way that the capture time is expressed depends on the display options that you specify. The time is expressed as one of the following:
- The absolute system time that the frame was captured.
- The time that the frame was captured relative to the beginning of the capture. This value is expressed in microseconds.
- The time that the frame was captured relative to the capture completion time of the frame that precedes it. This value is specified in microseconds.
- Src MAC Addr
- The network address of the computer that sent the frame.
- Dst MAC Addr
- The network address of the computer that the frame was sent to.
- Protocol
- The primary protocol that was used to send the frame.
- Description
- A brief description of the contents of the frame.
- Src Other Addr
- The IP or IPX/XNS address associated with the address displayed in the Src MAC Addr column.
- Dst Other Addr
- The IP or IPX/XNS address associated with the address displayed in the Dst MAC Addr column.
- Type Other Addr
- The types of the addresses displayed in the Src Other Addr and Dst Other Addr columns.
Note
- The IPX/SPX protocol is not available on Windows XP 64-bit Edition (Itanium) and the 64-bit versions of the Windows Server 2003 family.
Frame Viewer window: Detail pane
The Frame Viewer window Detail pane displays information about the frame that is currently selected in the Frame Viewer window: Summary pane. This information includes details about the selected frame and about the protocols that were used to send it.You can expand or collapse the levels of detail that appear in this pane by double-clicking the lines that appear next to plus (+) or minus (-) signs.
- Frame
- The base properties of the selected frame. These properties include:
- The date and time that the frame was captured.
- The time (measured in milliseconds) that elapsed between the capture of the current frame and the capture of the frame that precedes it.
- The frame number in the sequence of total frames captured.
- The length of the frame (in bytes).
- The amount of the frame (in bytes) that was captured.
- The number of bytes in the frame not parsed by the base parser.
- Protocol
- The protocol section of the Detail pane consists of all information that appears below the end of the Frame section. The length of the section varies, depending on the number of protocols used to send the frame. Network Monitor displays the protocols from the lowest-level protocol to the highest-level protocol.When you click a line in this pane, Network Monitor selects the raw representation of this line (which appears in the Hexadecimal pane) automatically.
Frame Viewer window: Hexadecimal pane
The Frame Viewer Window Hexadecimal pane consists of two sections.
- The hexadecimal section displays the contents of the frame in hexadecimal form.
- The ASCII section displays an alphabetical representation of the ASCII contents of the frame.
When you select a line in the Detail pane, the section of the frame that the line represents is selected automatically in both sections of the Hexadecimal pane.
Filtering data
Like a capture filter, a display filter helps you to isolate specific types of information. Unlike a capture filter, however, a display filter operates on data that has already been captured. You can use a display filter to configure how much captured data appears in the Frame Viewer Window, or you can use it to save data to a capture file.
Use display filters to determine which frame to display. You can filter a frame by:
- Its source or destination address.
- The protocols it contains.
- The properties and values that it contains. The properties of a protocol collectively indicate the purpose of the protocol.
The structure of the display-filter decision tree is flexible. You can define a simple, rather flat structure, or you can make it complex, as your needs dictate.
Protocols Used
When you display captured data, all available information about the captured frames appears in the Frame Viewer window. You can display only the frames which contain a specific protocol by editing the Protocol == line in the Display Filter dialog box.
Network Monitor processes the filter you have designed and applies it to the contents of the Frame Viewer window.
Protocol Properties
You can use a display filter to isolate frames that contain specific protocol properties. Protocol properties consist of the elements of information that define the purpose of a protocol. Because the purposes of protocols vary, properties differ from one protocol to another.
As an example, you might capture a large number of frames with SMB protocol but want to examine only those frames in which the SMB protocol was used to create a directory on a remote computer. In this situation, you could isolate frames that include the Make DirectorySMB command property.
Network Monitor identifies the protocols used to send a frame on the network by using a protocol parser. Each protocol that Network Monitor supports has a corresponding parser.
Computer Addresses
When you display captured data, by default all addresses that you capture information from appear in the Frame Viewer window. You can display only those frames that originate or are sent to a specific computer by editing the ANY <–> ANY line in the Edit Display Filterdialog box.
Filtering and address databases
Often, you need to capture only those frames that originate with or are sent to specific computers. To do this, you must know the addresses of the computers on your network.
You can use the ping command to find the IP address of a computer if you know its computer name. For more information, see the section “Testing connections by using ping” in Command-line utilities.
Venkat Matta 