by August 1, 2000 0 comments

This program is an optional component in Windows 2000 Server,
and is useful for network administrators for monitoring network traffic. To add
it, you have to go to Add/Remove programs and select Add/Remove Windows
Components. Then, in Management and Networking Tools, select Microsoft Network
Monitor. The version installed is 2.0 Lite, which has most of the advanced
features disabled. For the software to be fully enabled, you’ll need to buy
and install Microsoft Systems Management Server.

How it works

Microsoft Network Monitor captures packets flowing to or from
your server and stores them in a temporary directory. You can also capture
packets flowing between specific computers on the network, but that option is
available only in the full version. You can open up this temporary file and
analyze the captured packets. Each captured packet is treated as a frame, and
the temporary file contains information such as description, protocol, source
computer, and destination computer for each frame. You can click on any specific
frame to get more information on it, such as length, protocol and the contents
of the frame in hexadecimal code.

If you want a more focused set of packets to be monitored,
then you can use filters. Here you can specify the protocols to be monitored,
the computers to be monitored, and the direction of flow of packets–that is,
to the server, from the server, or both ways.

Overall, a quick utility to monitor network traffic.

NetWare’s TCP/IP Console

This utility in NetWare can be used to get statistics and
information on machines that are running TCP/IP on your network. To start it,
type load TCPCON at the server command line. You’ll now see a screen, which
shows various statistics such as IP received, sent, and forwarded, TCP
connections, and TCP received and sent, and uptime. There’s a menu below this,
which has more options like protocol information–which gives information on
IP, ICMP, UDP, TCP, OSPF, and EGP protocols, Statistics, and Interfaces.

The information that you see is for the server you’re
working on. To get information on remote clients, first make sure that they’re
running SNMP. In Win 98, you do this by going to Network Neighborhood
Properties, and adding Services. One of the options you get is SNMP agent for
NetWare. This has to be installed. Now, in the SNMP access configuration menu,
change transport protocol from local system to TCP/IP. In the host field, give
the client’s IP address. Then, save the settings and exit. You’ll now start
getting information for that client.

Similar to TCPCON, there’s a utility called IPXCON for
monitoring IPX activity.

tcpdump for Linux

tcpdump is a packet sniffer–a tool that can capture and see
the contents of all packets flowing across the network. You can find tcpdump in
the RedHat CD as an RPM. You run tcpdump as:


Doing this would clutter your screen with information on all
the packets passing through your network. A good idea is to redirect the output
of tcpdump to a file for later analysis.

tcpdump > analysis.log

tcpdump can take in many command line parameters. Some of the
frequently used ones are:

-c count : show count number of packets

-e : show the link level header

-q : print less protocol information

-i iface : listen to interface iface, for example, eth0

-n : list numeric addresses and port numbers

-N : show only the hostname instead of FQDN (Fully
Qualified Domain Name)

-s X : capture X number of bytes from each packet

-S : show absolute TCP sequence numbers

-v and -vv : increases the amount of information. -vv
gives more information than -v

By default, the interface listened to is eth0–the first
interface found after the loopback interface lo. The number of bytes captured by
default–which is 68–suffices for most purposes. -e and -q are useful for
peeking into the link header and to get less–but easy to read–information on
each packet, respectively.

You may not be looking for all the packets that flow through
your network. So, you can capture packets flowing through selective hosts. For
this use tcpdump’s filtering expressions, in which you can use
"and", "or" and "not" to build up the filter you

Some of the common filtering expressions are:

type : type can be host, net or port, the default is

src hostip : specify the IP address of the originating

dst hostip : specify the IP address of the destination

host hostip : specify the IP address of the host, for
which you want to monitor all packets–to and from

src port : specify the source port of the packets

dst port : specify the destination port of the packets

port : specify the port, to monitor packets to and from

protocol : specify the protocol used by the packet, for
example, TCP, IP, UDP, ICMP, ARP, RARP, etc

Let’s take a few examples here.

tcpdump host

will capture all incoming and outgoing packets from the
machine with IP

tcpdump src and dst 192. 168.1.1

will capture all packets moving from to Note the use of "and" here.

You can capture packets of specific protocols, as in:

tcpdump tcp

To capture all packets destined to a specific port, like ftp:

tcpdump host and port ftp

If you use a port’s name like ftp, it must be defined in
/etc/services. Alternatively, you can use the port number, 21 in this case.

Output of tcpdump

The tcpdump output contains a line corresponding to each
packet it has gone through. The format of each line depends on the protocol in
use–TCP, UDP, ICMP, IP, etc. In any case, each line contains the time at which
the packet is received. You can use the -t option to remove the time. For
continuous network monitoring, run tcpdump on a separate terminal, or open a
terminal window in X and start tcpdump in it. You can filter specific network
traffic you want to see, by piping out the output of tcpdump to grep as:

tcpdump | grep Broadcast

It’s highly recommended that you go through the manual
pages of tcpdump. It provides myriad options for efficient network monitoring.

If you want to do a graphical analysis of your network
traffic, you can opt for tools like ethereal–downloadable from,
or ntop–downloadable from http://www-serra.

Sachin Makhija and Shekhar Govindarajan

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.