Microsoft(R) Network Monitor Version 2.0 Release Notes
January 1999
(c)Microsoft Corporation, 1998. All rights reserved.
======================================================

This document contains late-breaking information about Microsoft Network Monitor version 2.0 functionality that is not available in the product documentation. Please read these release notes thoroughly before you install Network Monitor.

Use Support Online to search the Microsoft Knowledge Base and other technical resources for fast, accurate answers. To begin your search, go to http://www.microsoft.com/support/.

If you have comments or suggestions about Network Monitor, please send them to smswish@microsoft.com.

---------
Contents
---------

1. System Requirements
2. Setup Issues
3. Hardware Issues
4. User Interface Issues
5. Monitor Control Tool Issues
6. Network Monitor Agent Remote Installation and Capture Issues

----------------------
1. System Requirements
----------------------

The following are the prerequisites for installing and using the Network Monitor 2.0 Agent:

* Microsoft Windows NT(R) version 4.0, Service Pack 4 (or later) must be installed. (The Help incorrectly states Service Pack 3.)

* You must have a network adapter card that supports promiscuous mode, a state in which the network adapter card can be directed by a device driver to pass on to the operating system all the frames that pass over the network. To determine whether your card supports promiscuous mode, see the documentation that accompanies the card.

* On the computer running Network Monitor, you must be logged on as a user with administrative rights.

When using the Network Monitor user interface, you must also have the following software installed:

* Microsoft Internet Explorer version 4.01, Service Pack 1 (or later). Network Monitor and the Monitor Control Tool use this program to access the Help files and configure monitors.

* If you want to use monitors, the Windows Management service in Web-Based Enterprise Management (WBEM). Network Monitor and the Monitor Control service use Windows Management to generate and forward events. Windows Management is part of WBEM, which is a collection of technologies designed to facilitate management of the enterprise. WBEM Setup is available on the Systems Management Server (SMS) version 2.0 compact disc (Smssetup\Bin\\Wbemsdk.exe).

NOTE: Windows Management Instrumentation (WMI) is the Microsoft implementation of the WBEM standard developed by the Desktop Management Task Force (DMTF) for identifying and manipulating managed objects. In the Network Monitor documentation, certain components might be documented as using WBEM (an earlier name for WMI). In these cases, however, the process flow and functionality are essentially unchanged.

----------------
2. Setup Issues
----------------

* BEFORE you run Setup and install Network Monitor 2.0, remove any previous beta versions of Network Monitor 2.0.

* During Setup, when you specify the installation directory for Network Monitor, if the path contains more than 100 characters, Setup fails.

-------------------
3. Hardware Issues
-------------------

* NOTE: There are some problems with some token-ring adapter cards; please test them fully in your environment.

* If you are using a Madge Smart 16/14 PCI Ringnode [BM] token-ring network adapter card, you must enable Traffic Statistics Gathering for that card.

  If the Madge Smart network adapter card is already installed on the Windows NT 4.0 computer, do the following:

  1. In Control Panel, double-click the Network icon, and then click the Adapters tab.
  2. In the Network Adapters list, select the Madge Smart network adapter card.
  3. Click Properties.
  4. In the configuration dialog box, select the Enable option for Traffic Statistics Gathering.
  5. Click OK to close the configuration dialog box.
  6. Click OK to close the Network dialog box in Control Panel.

  If the Madge Smart network adapter card is already installed on the Microsoft Windows(R) 2000 computer, do the following:

  1. Right-click My Computer, and then click Properties.
  2. In the System Properties dialog box, click the Hardware tab, and then click Device Manager.
  3. Double-click Network Adapters, right-click the Madge Smart network adapter card, and then click Properties.
  4. Click Advanced.
  5. In the Property list, click Statistics Gathering Mode.
  6. In the Value dialog box, click Yes, and then click OK.
  7. Close Device Manager.

* NOTE: Do not use the driver supplied by the manufacturer for the Madge token-ring network adapter cards. Instead, use the driver that is made available through Windows NT 4.0 and Windows 2000.

------------------------
4. User Interface Issues
------------------------

When you are using Network Monitor, you might encounter the following behaviors in this release:

* If your Windows 2000 computer has the version of Network Monitor that was provided with it AND the full version of Network Monitor (installed from the Systems Management Server 2.0 compact disc), both instances are able to capture network data sent to and from other computers.

* When you set the Temporary Capture directory, note that names that include a 5C character are not supported.

* If you change the Temporary Capture directory and the "Default network is invalid" error message appears, it is likely that the temporary capture directory you specified is invalid. Make sure that you specify a directory on a local non-removable drive. (Network and floppy drives are invalid locations.)

* If you change the Temporary Capture directory, the change does not take effect until you quit and restart Network Monitor. It is strongly recommended that you restart Network Monitor BEFORE you start a new capture.

* The maximum size for a capture buffer is 1024 MB. If you are creating large capture files (such as a 1024 MB capture), Windows is likely to run out of virtual memory.
  You can resolve part of the problem by increasing the Windows paging-file swap size; however, this will not resolve the problem completely. When Windows runs low on memory, Network Monitor will continue to capture (although frames might be dropped because of slow system performance). After the capture is complete, Windows might not have enough free memory to display the large capture file. If this situation occurs, make sure to save the capture BEFORE you attempt to view the capture file contents. After you save the capture file, quit and then restart Network Monitor, and then open the large capture file.

* If no frames are captured (because of a capture filter or no network traffic), you cannot save the capture file because it does not contain data. However, when you start a new capture, you will be prompted to save the file. When prompted to save the file, click No. If you click Yes, the following misleading error message appears:

  "The file cannot be overwritten because access is denied. You will have to save under a different name."

  If you attempt to save the file under a different name, the same error message appears and the file will not be saved.

* If you receive an "Access Denied" error message after repeated attempts to save a capture file, in the Save As dialog box click Cancel, and then try to view the capture file. If you cannot view the file, make sure that the Capture Statistics # of Frames in Buffer is greater than 0. A value of 0 means that you were unable to save the file because the capture contained no data. If the # of Frames in Buffer value is greater than 0, you were unable to save the capture file because it is invalid. One reason that the capture file might be invalid is because you changed the Temporary Capture Directory, and did not then exit and restart Network Monitor BEFORE the capture was started. Note that when you have an invalid capture, all the captured data is lost.

* After you add comment frames to a capture and then save and close the capture file, when you try to open the capture file again, one of the following occurs:

  - The capture file opens, but no comments were saved.
  - The capture file fails to open.

  When this happens, on the Edit menu, disable the Read Only option before you save the capture file.

* On large captures (more than 65,576 frames, or approximately 50 MB), the scroll bar does not work correctly. In such cases, use the PAGE DOWN key or the END key when viewing capture files.

* When you install Network Monitor 2.0 on a computer that already has Network Monitor 1.2 installed, Performance Monitor counters are duplicated. To correct this problem, at the command prompt, type "lodctr.exe nmctrs.ini". The Network Monitor 2.0 object will then be called "Network Segment (v2)".

* When you run the TCP Retransmit expert, TCP Broadcasts and IPX multicasts appear as "UNKNOWN" in the Name column.

* Under some conditions the Average Server Response Time expert returns incorrect averages for server time. (Instead of sorting the list of requests and discarding duplicates, all requests are saved. This situation can result in averages that are significantly inflated from the actual averages.) This problem occurs if your capture contains a lot of Server Message Block (SMB) traffic; if most of the traffic is non-SMB, the server averages are accurate. Also, the larger the capture file, the greater the inaccuracy of averages for server response time.

* If you capture network data sent between two computers that use a different code page than the one on your local computer, some frame data fields might not be readable in Network Monitor.

* The Microsoft IntelliMouse(R) wheel does not work when you attempt to scroll in the y-axis in the Graph pane of the Capture window. You can scroll, however, by using IntelliMouse to move the scroll box in the scroll bar.

* In the Event Viewer, the Find command is case-sensitive.

* The /buffersize parameter for Netmon.exe allows you to specify any number, including negative numbers. Network Monitor supports a valid buffer size from 1 to 1024 MB (in whole number increments). Negative values result in a "Not enough memory" error, and numbers larger than 1024 might fail because of a lack of virtual memory.

* Network Monitor can read only uncompressed Network General Sniffer capture files.

-------------------------------
5. Monitor Control Tool Issues
-------------------------------

* Some token-ring network adapter cards report that they support local-only mode, but they will not pass along functionals (a token ring named multicast). If you notice that Security Monitor is not stopping unauthorized users from capturing, you must edit the registry, as follows, to force the card into promiscuous mode:

  1. Review the tab of the Monitor Control Tool to determine the permanent MAC address.
  2. In Registry Editor, add the following new registry key:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nm\Parameters\ForcePmode
     (Leave the Class empty.)
  3. Add a new value to this new registry key and specify the MAC address as the Value Name, Data type of REG_SZ, and a non-empty string.

  The next time Network Monitor or the Monitor Control service runs, the network adapter card will run in promiscuous mode.

* Do not alter the "Log On As" behavior of the Monitor Control service, or it will not function correctly.

* If you start the computer that runs the Monitor Control Tool and it cannot reach a domain controller, when you start the Monitor Control service after logging in, your computer will not receive any monitor events. The following message appears:

  "Windows Management denied us access to the database - unable to register for events".

* In the Security Monitor output, the user name will always be listed as "SYSTEM" because the Monitor Control service runs in the SYSTEM context.

* The log file generated by Security Monitor (%netmon%\Secmon.log), which is created only if Security Monitor has been run on the local computer, is not very readable in Microsoft Notepad. You can best view the Secmon.log file in Microsoft Excel. Select "Fixed Width" as the data type if you are prompted to do so by Excel when it opens the file.

----------------------------------------------------------------
6. Network Monitor Agent Remote Installation and Capture Issues
----------------------------------------------------------------

* When Network Monitor Agent is installed on a remote computer, before you can connect to the agent and perform a remote capture, the following conditions must be met:

  1. You must have Network Monitor 2.0 installed on both the local and remote computers.
  2. You must have administrative privileges on both computers.

  Note that when Network Monitor finishes a remote capture, the capture file is saved to the hard disk of the remote computer.

* Network Monitor fails to connect remotely to the Network Monitor Agent on a Windows 2000 remote computer and generates the following error:

  "Connection Failure Unknown. Error 0x80004002."

  To correct this situation, from a command prompt on the Windows 2000 remote computer, type the following command to register the agent:

     regsvr32 psnppagn.dll

* To capture data over a RAS connection, do the following:

  1. Start Network Monitor.
  2. On the Capture menu, click Networks.
  3. In the Select a Network dialog box, double-click Local Computer.
  4. Click one of the two connections with the 000000000000 MAC address, and then click OK.
  5. On the Capture menu, click Start.

  If your RAS connection is active but Network Monitor does not capture traffic, return to the Select a Network dialog box, select the other RAS connection and try to capture again. (One of the connections is for incoming calls; the other is for outgoing calls.)

* Network Monitor cannot transmit frames over a RAS connection, but no error message appears when you use the Transmit commands over a RAS connection.

* If the "No NPPs found..." error message appears after you start Network Monitor, you will not be able to capture network traffic, although you can still open capture files that were created during earlier sessions of Network Monitor. The usual cause of this error message is that the Network Monitor driver (Nmnt.sys) could not be located in the %windir%\System32\Drivers directory. To ensure that the Network Monitor Agent v2 driver is installed correctly, do the following:

  1. Verify that the driver is installed as a network service (on Windows NT 4.0) or as a network protocol (on Windows 2000).
  2. If the driver is installed, remove it and then reinstall it.
  3. If reinstalling the driver does not resolve the problem, remove Network Monitor Tools, and then reinstall them.
  4. If reinstalling Network Monitor Tools does not resolve the problem, on the Network Monitor Options menu, click Change Temporary Capture Directory, and make sure that the temporary capture directory is a valid directory on a drive that you have read and write access to. Make sure that this drive has enough free disk space (at least 1 MB free, plus the buffer size). If you change the Temporary Capture directory, you must exit and restart Network Monitor for the changes to take effect.

* If you receive the "An unknown error 102 has occurred" error message in Network Monitor when you start a capture on a disconnected remote computer, the remote computer is no longer available on the network.

* If you attempt to connect to a remote computer that exists but that is disconnected from the network, Network Monitor might take a long time to time out.