Tech Info 064: Network Trace of PCShare SMB/CIFS protocols using MS “netmon.exe”

HELIOS Tech Info #064 

Fri, 29 Nov 2002

Network Trace of PCShare SMB / CIFS protocols using MS “netmon.exe”

With today's complex network configurations, e.g. different Windows versions, variety of applications, “service packs”, etc., a network trace is sometimes the only solution to analyze problems which cannot easily be reproduced in our HELIOS Labs.
To be able to analyze complex problems which may occur with special Windows applications using our PCShare SMB/CIFS Server we require that network tracing is done using the Windows application “netmon.exe”, which is included in “Windows 2000 Server” and “Advanced Server” products as a lite version. This network tracing program helps us to decode the SMB/CIFS protocol. We also accept saved “*.cap” files from other versions of “netmon.exe”, e.g. the versions included in “System Management Server” packages for Window NT, Windows 2K, and Windows XP.
“netmon” lite can collect broadcast/multicast packets and packets which are directly addressed to the Windows PC, and send from the Windows PC “netmon” is running on.
“netmon”, as distributed with “System Management Server”, can also collect packets which are addressed to or sent from a different computer.
Depending on the type of problem, “netmon” lite can be sufficient to collect relevant network communication.
Other network tracing tools may work for tracing, but cannot decode the trace in detail.
We strongly suggest to contact your HELIOS partner prior to investigate an issue by collecting network traces.
The “netmon.exe” application can be found in the “winntsystem32netmon” folder.
In case it is not yet installed on your “Windows 2000 Server” or “Advanced Server”, see the Microsoft description “To install Network Monitor”:

The trace can be done via the following steps:

  • Start “netmon.exe”
    Please note that “netmon.exe” must run on a dedicated Windows machine connected to the same HUB as the Windows workstation which you intend to trace.
  • Select: “Menu->Capture->Network”
    Choose the correct network adapter.
  • Select: “Menu->Capture->Buffer Settings”
    By default, only 1 Megabyte is reserved for tracing. Select at least 32 MB (depending on the unused memory of your tracing PC), if possible use all available memory.

    Please note that “netmon.exe” will _not_ use a ring buffer, so you must make sure that all data gets saved by using a large buffer.

    In the same dialog, set “Frame Size” to 2048 or 4096 bytes (default is Full), larger frame sizes are usually not required.
  • Start logging, try to reproduce the problem, and then stop the trace immediately to avoid additional tracing. If possible, the trace should include the login for the affected client.  Watch the “# Frames” field in “Captured Statistics”, the displayed number of packets should now be increasing, otherwise you may have selected the wrong network adapter.
  • Try to write down the packet range where the problem occurred (e.g. 10000 packets logged, problem started about packet 5580), as well as the TCP/IP and/or MAC addresses of the affected client and server.

Note:

Before transmitting a trace file it should be compressed, e.g. using “gzip”.
  • A report with a trace file (“xxx.cap”) should also include the following information:
    • Detailed problem information (file name/action which caused the problem, additional files, e.g. system messages, “shwo”, etc.)
    • Version number of used “netmon.exe” (available in the “Help” menu)