Venkat Matta

it's all about the Performance Testing

NetMon – Capture Date

The capture process

The process by which Network Monitor copies frames is referred to as capturing. You can capture all network traffic to and from the local network adapter, or you can set a capture filter and capture a subset of frames. You can also specify a set of conditions that trigger an event. If you create triggers, Network Monitor can respond to events on your network. For example, you can make the operating system start an executable file when Network Monitor detects a particular set of conditions on the network. After you have captured data, you can view it. Network Monitor translates the raw capture data into its logical frame structure.

While Network Monitor captures frames from the network, statistics about the frames appear in the Capture window, which has four panes:

Pane Displays
Capture window: Graph pane A graphical representation of frames sent to or from the local computer.
Capture window: Session Statistics pane Statistics about current individual sessions.
Capture window: Station Statistics pane Statistics about frames sent to or from the computer running Network Monitor.
Capture window: Total Statistics pane Summary statistics about frames sent to or from the local computer since the capture process began.

Network Monitor uses the Network Driver Interface Specification (NDIS) facility to copy all frames it detects to its capture buffer.

Capture window: Graph pane

 The Graph pane graphically represents the total capture statistics of the current capture data. This pane appears in the upper-left corner of the Capture Window, and it is on by default.

% Network Utilization
The percentage of your network adapter’s capacity that the current capture uses. This percentage is calculated by dividing the rate at which your adapter is sending and receiving frames by the maximum rate at which your adapter can process those frames.
Frames Per Second
The number of frames that the adapter is capturing every second.
Bytes Per Second
The number of bytes that the adapter is capturing every second.
Broadcasts Per Second
The number of broadcasts that the adapter is capturing every second.
Multicasts Per Second
The number of multicasts that the adapter is capturing every second.

Capture window: Session Statistics pane

A session designates the data that is sent to or from the local computer. The Session Statistics pane displays statistics on a per-session basis. The pane also identifies both participants in a session and displays how much information passed in either direction between them.

This pane appears in the left-center portion of the Capture Window, and it is on by default.

Network Address 1
The network address of the first participant in a network session.
1 –> 2
The number of frames sent from the address listed in the Network Address 1 column to the address listed in the Network Address 2 column.
1 <– 2
The number of frames sent from the address listed in the Network Address 2 column to the address listed in the Network Address 1 column.
Network Address 2
The network address of the second participant in a network session.

Note

  • Network Monitor reflects session statistics of only the first 100 unique addresses that it detects. To gather statistics on a specific workstation, design a capture filter. To reset statistics and view information about the next 100 detected network sessions, click the Capture menu, and then click Clear Statistics.

Capture window: Station Statistics pane

The Station Statistics pane displays statistics that describe the network activity of your workstation. This pane appears at the bottom of the Capture Window, and it is on by default.

Network Address
The network address of the computer on which the frames were captured.
Frames Sent
The number of frames sent from the address listed in the Network Address column.
Frames Rcvd
The number of frames received by the address listed in the Network Address column.
Bytes Sent
The number of bytes sent by the address listed in the Network Address column.
Bytes Rcvd
The number of bytes received by the address listed in the Network Address column.
Directed Frames Sent
The number of non-broadcast, non-multicast frames transferred over the network from the associated address.
Multicasts Sent
The number of times the address listed in the Network Address column has sent frames to a subset of computers on the network, by sending “FFFFFFFFFFFF.”
Broadcasts Sent
The number of times that the address listed in the Network Address column has sent frames to all computers on the network.

Note

  • Network Monitor reflects station statistics of only the first 128 unique addresses that it detects. To gather statistics on a specific workstation, design a capture filter.

Capture window: Total Statistics pane

The Total Statistics pane provides an overall view of network traffic sent to or from the local computer. This pane appears in the upper-right corner of the Capture Window, and it is on by default.

Network Statistics
The total amount of traffic that has been sent to or from the local computer since the current capture began. These statistics include:

  • The total number of frames sent to or from the local computer.
  • The total number of broadcasts sent to or from the local computer.
  • The total number of multicasts sent to or from the local computer.
  • The total number of bytes sent to or from the local computer.
  • The total number of frames dropped.
  • The network status. On an Ethernet network, this entry will always be Normal. On a token ring network, this entry reflects whether the token is present locally.
Captured Statistics
Total statistics that describe the current capture, including:

  • The total number of captured frames.
  • The total number of frames in the temporary capture file.
  • The number of frames dropped when the buffer was exceeded.
  • The total number of captured bytes.
  • The total number of bytes in the temporary capture file.
  • The percentage of allotted buffer space that is in use.
  • The number of frames dropped by Network Monitor.
Per Second Statistics
Statistical averages of current activity and continual updates of this average to reflect current per-second activity. The statistics in this panel include all frames (even frames that were excluded by a capture filter). Per-second statistics include:

  • The average number of frames per second detected since the capture began.
  • The average number of bytes per second detected since the capture began.
  • The average number of broadcast messages per second detected since the capture began.
  • The average number of multicast messages per second detected since the capture began.
  • The percentage of network utilization. This statistic shows the percentage of your network adapter’s capacity that the current capture uses. This percentage is calculated by dividing the rate at which your adapter is sending and receiving frames by the maximum rate at which your adapter can process those frames.
Network Card (MAC) Statistics
Statistics that reflect average activity detected by your network adapter since the current capture began. The statistics in this pane reflect all the network activity that your network adapter can receive. These statistics include:

  • Total frames detected by the network adapter.
  • Total broadcast frames detected by the network adapter.
  • Total multicast frames detected by the network adapter.
  • Total bytes detected by the network adapter.
Network Card (MAC) Error Statistics
Statistics that reflect adapter-related errors that have occurred since the capture began. These statistics include:

  • Number of errors that occurred because the cyclical redundancy check (CRC) did not match the actual bytes received.
  • Number of frames that the network adapter detected but that were dropped because Network Monitor lacked sufficient buffer space.
  • Number of frames that the network adapter detected but that were dropped because of hardware constraints.
    Note
  •  Not all network adapters support these statistics. If your network adapter does not   support a statistic, the value is replaced with Unsupported.

Capture filters

A capture filter functions like a database query that you can use to specify the types of network information you want to monitor. For example, to see only a specific subset of computers or protocols, you can create an address database, use the database to add addresses to your filter, and then save the filter to a file. By filtering frames, you save both buffer resources and time. Later, if necessary, you can load the capture filter file and use the filter again.

Designing a capture filter

To design a capture filter, specify decision statements in the Capture Filter dialog box. This dialog box displays the filter’s decision tree, which is a graphical representation of a filter’s logic. When you include or exclude information from your capture specifications, the decision tree reflects these specifications.

Filtering by protocol

To capture frames sent using a specific protocol, specify the protocol on the SAP/ETYPE= line of the capture filter. For example, to capture only IP frames, disable all protocols and then enable IP ETYPE 0x800 and IP SAP 0x6. By default, all of the protocols that Network Monitor supports are enabled. You can only specify protocols with ETYPE or SAP.

Filtering by address

To capture frames sent from a specific computer on your network to your computer or sent from your computer to a specific computer on your network, specify one or more address pairs in a capture filter. You can monitor up to four address pairs simultaneously.

An address pair consists of:

  • The addresses of the two computers you want to monitor traffic between.
  • Arrows that specify the traffic direction you want to monitor.
  • The INCLUDE or EXCLUDE keyword, indicating how Network Monitor should respond to a frame that meets a filter’s specifications.

Regardless of the sequence in which statements appear in the Capture Filter dialog box, EXCLUDE statements are evaluated first. Therefore, if a frame meets the criteria specified in an EXCLUDE statement in a filter containing both an EXCLUDE and INCLUDE statement, that frame is discarded. Network Monitor does not test that frame by INCLUDE statements to see if it meets that criterion also.

For example, to capture all the traffic from Joe’s computer except the traffic from Joe to Anne, use the following capture filter address section:

Addresses

include Joe <—-> Any

exclude Joe <—-> Anne

If there are no INCLUDE lines, YourComputer <—-> Any is used implicitly.

Filtering by data pattern

By specifying a pattern match in a capture filter, you can:

  • Limit a capture to only those frames containing a specific pattern of ASCII or hexadecimal data.
  • Specify how many bytes (offsets) of the frame must be ignored before the search begins.

When you filter based on a pattern match, you must specify where, in the frame, the search for the pattern should begin. This setting specifies, in bytes, the distance from the beginning of the frame or the end of the topology header to the point at which the pattern might occur. If your network medium has a variable size in the media access control protocol, such as Ethernet or token ring, specify to count from the end of the topology header.

Capture triggers

If you create capture triggers, Network Monitor can respond to events on your network. By default, no trigger is set.

Types of triggers

Network Monitor can detect how full your capture buffer is, and whether a specific pattern appears in a captured frame. You can create capture triggers that depend on either or both of these criteria.

If you specify a trigger that depends on a specific pattern appearing in a captured frame, Network Monitor performs the action you specify when it detects a frame that contains the pattern you specify. The pattern can be an ASCII string or a hexadecimal string. You can also specify a trigger which depends on a specific pattern appearing in a captured frame and a certain percentage of the capture buffer being filled. You can also specify whether Network Monitor should start its search at the beginning of each frame, after the end of the header of each frame, or some number of bytes after either of these locations. By default, Network Monitor searches the entire frame for the pattern.

Trigger actions

You can choose one of the following actions to occur when the trigger criteria are met:

  • The computer beeps.
  • Network Monitor stops capturing frames.
  • A command that you specify runs.To specify a command that starts a program, type the path and the name of the program file, or click Browse and navigate to the program file. To use an MS-DOS command, such as copy, type CMD /K, and then type the command.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Information

This entry was posted on March 30, 2016 by in Netmon.

Shortlink

https://wp.me/p7mXfY-aN

Navigation

Blog at WordPress.com.

%d bloggers like this: