Download A Guide to Windows 2000 Server

Document related concepts

Remote Desktop Services wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Lag wikipedia , lookup

Computer network wikipedia , lookup

Distributed firewall wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Airborne Networking wikipedia , lookup

Network tap wikipedia , lookup

Transcript
Chapter 15
Chapter 15:
Network Monitoring and Tuning
Learning Objectives
Chapter 15




Establish network benchmarks
Install Network Monitor Driver
Install, configure, and use Network
Monitor, including setting up filters and
triggers
Install and configure SNMP service
Learning Objectives (continued)
Chapter 15


Use System Monitor to monitor a
network
Troubleshoot and tune a network
Network Monitoring
Chapter 15


Networks are dynamic with changing
patterns of activity and rapid growth
toward more high-bandwidth demand
Monitoring a network is important to be
able to distinguish between problems
due to the network and problems due to
servers connected to the network
Network Benchmarks
Chapter 15

Plan to obtain network benchmarks to
help with problem diagnosis and
planning, such as:
 Slow,
average, and peak network activity in
relation to the work patterns of an
organization
 Network activity that is related to specific
protocols
 Network activity that is related to specific
servers and host computers
Network Benchmarks (continued)
Chapter 15
 Network
activity that is related to
workstations
 Network activity on individual subnets or
portions of a larger network
 Network traffic related to WAN
transmissions
 Network traffic created by particular
software
Windows 2000 Network
Monitoring Tools
Chapter 15

Network monitoring and management
tools in Windows 2000 include:
 Network
Monitor Driver
 Network Monitor
 SNMP service
 System Monitor
Network Monitor Driver and
Network Monitor
Chapter 15


Network Monitor Driver: Enables a
Microsoft-based server or workstation
NIC to gather network performance data
for assessment by the Microsoft Network
Monitor
Network Monitor: A Windows NT and
Windows 2000 network monitoring tool
that can capture and display network
performance data
Server Activities to Monitor
Chapter 15
Router
Main
business
network
Windows 2000 Server
with Network Monitor, the
Network Monitor Driver,
and RAS
Switches
Windows 2000
Server
Windows 2000
Professional
with the Network
Monitor Driver
l-up
line
Telephone
company
Dia
Figure 15-1
Using Network Monitor
Driver to gather network
performance information
on two separate networks
Windows 2000
Professional
with the Network
Monitor Driver
Branch
office
network
Windows 2000
Server
Installing Network
Monitor Driver
Chapter 15

To install Network Monitor Driver:
 Open
the Network and Dial-Up
Connections tool
 Right-click Local Area Connection
 Click Properties
 Click Install
 Double-click Protocol
 Double-click Network Monitor Driver
Installing Network
Monitor Driver (continued)
Chapter 15
Figure 15-2 Installing Network Monitor Driver
Using Network Monitor
Chapter 15

Network Monitor tracks information such
as:
 Percent
network utilization
 Frames and bytes transported per second
 Network station statistics
 Statistics captured for a specific interval of
time
 Transmissions per second
Using Network Monitor
(continued)
Chapter 15
 Broadcast,
unicast, and multicast information
 NIC statistics
 Error data
 Addresses of network stations
 Other network computers running Network
Monitor and Network Monitor Driver
Installing Network Monitor
Chapter 15

The general steps to install Network
Monitor are:
 Open
the Add/Remove Programs tool
 Double-click the component, Management
and Monitoring Tools
 Check Network Monitor Tools
Installing Network Monitor
(continued)
Chapter 15
Figure 15-3 Installing Network Monitor tools
Starting Network Monitor
Chapter 15

The general steps for starting a capture
session in network monitor are:
 Start
Network Monitor from the
Administrative Tools menu
 Select the network to monitor
 Click the Capture button to start capturing
information
 Click the Stop Capture button to stop
capturing information
Capturing Network Data
Chapter 15
Total pane
Graph pane
Session pane
Station pane
Figure 15-4 Network Monitor capturing data
Monitoring Tip
Chapter 15

As is true of other monitoring tools,
Network Monitor can create an extra
load on a server
Network Monitor Display
Chapter 15

Data captured in Network Monitor is
displayed interactively in four window
panes, but can be customized to show
only one, two, or three panes
Network Monitor Panes
Chapter 15
Pane
Information Provided in the Pane
Graph
Provides horizontal bar graphs of the following: %Network Utilization, Frames per Second, Bytes per
Second, Broadcasts per Second, and Multicasts per Second
Total
Provides total statistics about network activity that originates from or that is sent to the computer
(station) that is using Network Monitor and includes many statistics in each of the following categories:
Network Statistics, Capture Statistics, Per Second Statistics, Network Card (MAC) Statistics, Network
Card (MAC) Error Statistics
Session
Provides statistics about traffic from other computers on the network which include the MAC (device)
address of each computer’s NIC (see Chapter 2) and data about the number of frames sent from and
received by each computer
Station
Provides total statistics on all communicating network stations which include: Network (device)
address of each communicating computer, Frames Sent, Frames Received, Bytes Sent, Bytes Received,
Directed Frames Sent, Multicasts Sent, and Broadcasts Sent
Viewing a Line-by-Line Report
Chapter 15

After data is captured, you can view a
line-by-line capture summary report by
clicking the Stop and View Capture
button
Viewing a Line-by-Line Report
Chapter 15
Figure 15-5 Viewing capture summary data
Capture Summary
Window Information
Chapter 15
Column
Explanation
Frame
Shows the sequence of the frame as it was received, for example the
first frame captured is 1, the second frame captured is 2, and so on
Time
Shows when the frame was captured in one of three formats: relative
system time, when the frame was captured after capturing has been
started, or when the frame was captured after capturing was stopped
Source MAC Address
Shows the device address of the sending computer
Destination MAC
Shows the device address of the receiving computer
Address
Table 15-2 Capture Summary Window Information
Capture Summary Window
Information (continued)
Chapter 15
Column
Explanation
Protocol
Shows the protocol used in the transmission
Description
Provides the description of the communication
Source Other Address
Shows other address information, such as an IP address or a computer name for the
computer sending the frame
Source Other Destination
Shows other address information, such as an IP address or a computer name for the
computer receiving the frame
Type Other Address
Defines the type of addresses shown in the Source Other Address and Source Other
Destination columns, such as an IP address
Finding Specific Capture
Summary Information
Chapter 15

Use the Find button in the capture
summary display to find specific
information
Using Find
Chapter 15
Figure 15-6
Finding Transmission Events Associated with Server Lawyer
Monitoring Filter
Chapter 15

Network Monitor has a built-in ability to
configure a filter
 Filter:
A capacity in network monitoring
software that enables a network or server
administrator to view only designated
protocols, network events, network nodes,
or other specialized views of the network
Creating a Filter
Chapter 15

To create a filter in network monitor:
 Click
the Edit Capture Filter button and
click OK
 Set the specific parameters by doubleclicking any of: SAP/ETYPE, Address
Pairs, and Pattern Matches
 Click OK
 Continue Capturing data
Selecting Filter Options
Chapter 15
Figure 15-7 Creating a filter
Configuring SAPs and ETYPEs
Chapter 15
Figure 15-8 Selecting a protocol to capture in a filter
SAP and ETYPE
Chapter 15


Server Access Point (SAP): A service
access point, which specifies the network
process that should accept a frame at the
destination, such as TCP/IP
Ethertype (ETYPE): A property of an
Ethernet frame that includes a
specialized two-byte code used for
particular vendor functions
Capture Trigger
Chapter 15

Besides filtering, Network Monitor
supports using capture triggers
 Capture
trigger: Used as a way to have
Network Monitor perform a specific function
when a predefined situation occurs, such as
stopping a capture of network data when the
capture buffer is 50% full
Setting up a Trigger
Chapter 15
Figure 15-9 Setting up a trigger
Troubleshooting Tip
Chapter 15

Check the Graph pane for a quick
assessment of performance statistics
for:
%
Network Utilization
 Frames Per Second
 Bytes Per Second
 Broadcasts Per Second
 Multicasts Per Second
Diagnosing Common Problems
Chapter 15

Use Network Monitor to diagnose
problems such as:
 A NIC
creating a broadcast storm
 Inefficient multimedia applications
 Problems with bridges, switches, and
routers
 Problems with particular a workstation
 An overloaded server
Finding a Broadcast Storm
Chapter 15


A broadcast storm is a situation in which
one or more devices, such as a failing
NIC, are saturating the network with
traffic
Use the Network Monitor Broadcasts
Per Second statistic to help determine if
there is a broadcast storm and then
check the Session and Station panes for
the device(s) sending the broadcast(s)
Locating Unauthorized
Network Monitor Users
Chapter 15


Network Monitor can create problems
when it is used by network intruders or
unauthorized users
You can view all of the Network Monitor
users by clicking the Tools menu and then
clicking Identify Network Monitor users
Viewing Network Monitor Users
Chapter 15
Figure 15-10 Identifying all Network Monitor users
SNMP
Chapter 15

The Simple Network Management
Protocol (SNMP) is used to gather
standardized network performance
information and to control network
devices
SNMP Stations
Chapter 15

SNMP uses two kinds of network
stations:
 Network
Management Station (NMS):
Monitors and manages devices configured
with SNMP and collects information
 Agent: Any device configured for SNMP
from which an NMS can collect data –
SNMP agents include servers,
workstations, routers, switches, and hubs
Microsoft Systems
Compatible with SNMP
Chapter 15

The following systems can be managed
through SNMP:
 Windows
2000 and NT servers
 Windows 2000 and NT workstations
 WINS servers
 DHCP servers
 IIS servers
 Microsoft RAS and IAS servers
Installing SNMP
Chapter 15

To install SNMP:
 Open
the Add/Remove Programs tool
 Click Add/Remove Windows Components
 Double-click Management and Monitoring
tools
 Check Simple Network Management
Protocol and click OK
 Click Next and then click Finish
Configuring SNMP
Chapter 15

After installing SNMP, configure one or
more community names for security
 Community
name: In SNMP
communications, a password used by
network agents and the network
management station so that their
communications cannot be easily
intercepted by an unauthorized workstation
or device
Configuring SNMP (continued)
Chapter 15
Figure 15-11 Configuring the community name
SNMP Trap
Chapter 15

SNMP enables you to configure a trap
 Trap:
A specific situation or event detected
by SNMP that a network administrator may
want to be warned about or to track via a
network management station, such as
when a network device is unexpectedly
down or offline
Troubleshooting Tip
Chapter 15

If a trap that you set does not work,
make sure that the SNMP Trap Service
is started and set to start automatically
in Windows 2000 Server
Monitoring a Network
with System Monitor
Chapter 15


System Monitor contains a wide range
of objects for monitoring a network
Some objects only appear in System
Monitor if you have a particular protocol
installed
System Monitor Network
Monitoring Objects
Chapter 15
Object
Description
ICMP
Monitors network communications using the Internet Control Message Protocol
(ICMP), which is used by TCP/IP-based computers to share TCP/IP addressing and
error information
IP
Tracks Internet Protocol (IP) activity and addressing (available if TCP/IP is
installed in Windows 2000 Server)
NBT Connection
Monitors NetBIOS communications that are performed via TCP/IP data
communications
NetBEUI
Tracks NetBEUI communications, such as communication errors, bytes sent, and
data packets sent (available if NetBEUI is installed in Windows 2000 Server)
Table 15-3 System Monitor Network Monitoring Objects
System Monitor Network
Monitoring Objects (continued)
Chapter 15
Object
Description
NetBEUI Resource
Monitors resources used, such as the data storage areas (buffers) used by a NIC transmitting
NetBEUI data frames (available if NetBEUI is installed in Windows 2000 Server)
Network Interface
Tracks data that travels through the workstation or server NIC, such as the current bandwidth,
the number of bytes transmitted and received, number of packets sent, and packet transmission
and receipt errors
Network Segment
Monitors activity on the network segment to which the server or workstation is attached, such
as broadcast and network utilization data (at this writing Network Segment is not fully
implemented as an object in Windows 2000 Server, but expect it to be available as an update
via the Network Monitor Driver – because it is presently available in Windows NT 4.0)
System Monitor Network
Monitoring Objects (continued)
Chapter 15
Object
Description
NWLink IPX
Tracks IPX communications sent to and from a Novell NetWare
server, workstation, or an IPX-enabled print server (available only
if NWLink is installed in Windows 2000 Server)
NWLink NetBIOS
Tracks NetBIOS communications over IPX, such as bytes sent,
packet transmissions, and communications errors (available only if
NWLink is installed in Windows 2000 Server)
System Monitor Network
Monitoring Objects (continued)
Chapter 15
Object
Description
NWLink SPX
Monitors SPX communications sent to or from a Novell NetWare server or
workstation (available only if NWLink is installed in Windows 2000
Server)
TCP
Monitors TCP, including sent and received traffic and reset connections
(available if TCP/IP is installed in Windows 2000 Server)
UDP
Tracks the User Datagram Protocol (UDP, see Chapter 3), which is the
protocol used by network management stations, SNMP communications,
and network agents for sending messages between one another (available if
TCP/IP is installed in Windows 2000 Server)
Monitoring NICs, Servers,
and Network Devices
Chapter 15


System Monitor can be used to monitor
the NIC at the server to make sure that
it is working properly
System Monitor is also used to monitor
for network problems at the server and
between the server and network devices
Using System Monitor Objects to Monitor the
NIC, Server, and Network Devices
Chapter 15
Object: Counter
Explanation
Network Interface:
Measures the number of bytes received by the NIC per second and
Bytes Received/sec
how fast the NIC converts a frame that is in the form of an electrical
signal to one that can processed as data. If your benchmarks show that
this number is decreasing, there many be a problem in the NIC’s ability
to decode frames.
Network Interface:
Measures the number of bytes sent by the NIC per second and how
Bytes Sent/sec
fast the NIC encodes frames into electrical signals to place on the
network. If your benchmarks show that this number is decreasing,
there many be a problem in the NIC’s ability to encode frames.
Table 15-4 Using System Monitor Objects and Counters to Monitor the NIC,
Server, and Network Devices
Using System Monitor Objects to Monitor the
NIC, Server, and Network Devices (continued)
Chapter 15
Object: Counter
Explanation
Network Interface:
Measures the total number of bytes sent and received by the NIC per second,
Bytes Total/sec
including the speed of encoding and decoding frames. If your benchmarks
show that the speed represented by Bytes sent/sec and Bytes Received/sec are
about equal, but the Bytes Total/sec has decreased, check the local hubs,
bridges, or switches to make sure they are working normally, and if these
devices are fine, consider replacing the NIC which may be slow or
malfunctioning.
Server: Bytes
Measures incoming bytes processed by the server per second. You can use this
Received/sec
figure to set benchmarks and look for sudden decreases in traffic related to
problems at the server’s NIC, or at a local hub, bridge, or switch.
Using System Monitor Objects to Monitor the
NIC, Server, and Network Devices (continued)
Chapter 15
Object: Counter
Explanation
Server: Bytes
Tracks the number of bytes that the server has placed on the network per
Transmitted/sec
second. Also consider using this as a benchmark. If this number starts to
decrease compared to bytes received, and continues to decrease, it many
mean that the server is gradually becoming overloaded.
Server: Bytes Total/sec
Measures the incoming and outgoing bytes and can be used to
benchmark network activity at the server as well as server performance.
Using System Monitor Objects and
Counters to Monitor Protocols
Chapter 15
Object: Counter
Explanation
IP: Datagrams
These objects measure the IP datagrams (an IP datagram with an encapsulated
Received/sec,
TCP segment forms a packet) sent and received. Use these to establish
Datagrams Sent/sec, and benchmarks and to signal problems. For example, if there is a dramatic
Datagrams/sec
decrease in Datagrams Received, check to determine if there is a problem with
a router or Layer 3 (network layer) switch.
TCP: Segments
These objects measure the TCP segments inside IP datagrams and can be used
Received/sec, Segments
to establish benchmarks. There should be a one-to-one correspondence
Sent/sec, and
between IP datagrams and TCP segments or else there may be problem in how
Segments/sec
packets are being encoded or decoded at a device, possibly resulting in
dropped packets.
Table 15-5 Using System Monitor Objects and Counters to Monitor Protocols
Using System Monitor Objects and Counters
to Monitor Protocols (continued)
Chapter 15
Object: Counter
Explanation
IP: Fragmentation
Measures the number of datagrams that are not being broken apart and
Failures
resized for transmission across different networks. A high rate of these
errors indicates a problem with a network device, such as a router.
TCP: Segments
Measures the number of TCP segments that must be resent, such as when
Retransmitted/sec
segments are dropped or when IP datagrams are not properly fragmented
and reassembled, possibly indicating a problem at a router or NIC.
Using System Monitor Objects and Counters
to Monitor Server and Network Bottlenecks
Chapter 15
Object: Counter
Explanation
Network Segment:
Measures what percentage of the network bandwidth is in use – 40%
%Network Utilization
reflects a busy network, 70% signals a significant problem, such as a
NIC or bridge saturating the network, over 90% requires immediate
action to locate the source or sources of network bottlenecks.
Network Segment:
Tracks the number of broadcast frames sent per second and can be
Broadcast Frames/sec
used to help establish network benchmarks as well as find a network
station that is sending an abnormal number of broadcasts (including
the server).
Table 15-6 Using System Monitor Objects and Counters to Monitor Server and
Network Bottlenecks
Using System Monitor Objects and Counters to
Monitor Server and Network Bottlenecks (continued)
Chapter 15
Object: Counter
Explanation
Server: Errors System
Measures for system service problems at the server and reflects there is a
bottleneck, if a critical service is not started, such as the Workstation or
Server service. Suspect a problem when this value is over 0 or 1.
Server: Sessions Errored Measures the number of server sessions that have terminated due to errors
Out
and can indicate a problem connecting to the server or in accessing a
critical server service. Troubleshoot a server problem if this number is
frequently over 2.
Using System Monitor Objects and
Counters to Monitor a Web Server
Chapter 15
Object: Counter
Explanation
Web Server: Current
Measures the number of users currently logged on to the IIS Web
Connections
services. Use this to create Web server benchmarks and test the user
load on the server.
Web Server: Maximum
Tracks the maximum users who have been connected during the time
Connections
of monitoring and can be used to help you know when to tune the
server, such as to increase the maximum number of users, to create
more bandwidth, and to upgrade the server.
Table 15-7 Using System Monitor Objects to Monitor a Web Server
Using System Monitor Objects and Counters
to Monitor a Web Server (continued)
Chapter 15
Object: Counter
Explanation
Web Service: Bytes
Measures the incoming bytes processed by the Web server per second.
Received/sec counter
You can use this figure to set benchmarks and look for sudden decreases in
traffic related to problems at the server’s NIC or at some point on the
network.
Web Service: Bytes
Measures the number of bytes that the Web server has placed on the
Sent/sec counter
network per second. You can also use this as a benchmark. If this number
starts to decrease compared to bytes received, and continues to decrease, it
may mean that the server is overloaded, such as requiring a faster
processor and more L2 memory.
Using System Monitor Objects and Counters
to Monitor a Web Server (continued)
Chapter 15
Object: Counter
Explanation
FTP Service: Total Files
Measure the file activity by users and can be used to establish
Received,
benchmarks for FTP file activity.
Total Files Sent, and
Total Files Transferred
FTP Service: Bytes
Measure the network activity at the FTP server and can be used to
Received/sec, Bytes
establish benchmarks.
Sent/sec, Bytes Total/sec
Using System Monitor Objects and
Counters to Monitor SMTP Services
Chapter 15
Object: Counter
Explanation
SMTP Server: Messages
Measures total message traffic into the server and can be used to establish
Received Total
benchmarks.
SMTP Server: Messages
Measures the total message traffic out of the server and can be used to establish
Delivered Total
benchmarks.
SMTP Server: Local Queue
Shows the number of messages in the local SMTP message queue. If users report
Length
that they are not receiving e-mail, monitor this object:counter combination. The
message queue length should reflect constant change as it processes and routes
messages. If the length does not change, suspect that the queue or the service is
hung. Check to make sure that the Simple Mail Transport Protocol (SMTP)
service is started and set to start automatically. Also, try stopping and restarting
the service.
Using System Monitor Objects and Counters
to Monitor SMTP Services (continued)
Chapter 15
Object: Counter
Explanation
SMTP Server:
Tracks the number of discarded messages because they went
Badmailed Messages
through more hops than specified, possibly indicating that the
(Hop Count)
destination node is down or that there is a network problem between
the SMTP server and the destination.
SMTP Server: Outbound Tracks messages turned down at a destination. A high number may
Connections Refused
indicate that your site has someone who is randomly sending
messages out (spamming) or attempting surreptitious activities.
Network Tuning Tips
Chapter 15





Keep NIC drivers updated
Replace slow NICs
Tune the network access order
Implement TCP/IP exclusively, if
possible
Purchase servers that are equipped to
keep up with the server load
Network Tuning Tips (continued)
Chapter 15





Monitor for excessive BPDU broadcasts
Monitor the network for saturation from
broadcast storms
Replace aging, slower network devices
with newer, faster devices
Use multimedia applications that
support multicasting
Upgrade bandwidth to match the load
Chapter Summary
Chapter 15



Monitoring a network is as important as
monitoring a server
Establish network benchmarks to help in
preventing and diagnosing problems
Install the Network Monitor Driver and
Network Monitor together to enable
network monitoring from Windows 2000
Server
Chapter Summary
Chapter 15


Install Microsoft SNMP service to take
advantage of SNMP-based network
management station monitoring
Use the System Monitor’s networkrelated objects, counters, and instances
for in-depth network monitoring,
particularly of protocols