Hello AskPerf readers! My name is Austin and I am a Technical Lead on the Performance team. In several of our posts, we’ve discussed troubleshooting server performance issues, especially on file servers. Most of you have probably already read our post on Network .PST files, or Windows Explorer and SMB Traffic. We have seen an increase in file server load issues that go beyond some of the obvious issues such as Network .PST files, misbehaving filter drivers, or pool memory depletion. As server environments continue to scale upwards with larger file server needs and thousands of clients connecting to file servers for user profiles and redirected documents, these issues become more common.
When troubleshooting these issues, there is often a need to capture a network trace of the problem while it is occurring. However, not every administrator is comfortable with capturing network traces. On top of that, reading network traces is a bit of an art – and one that does take some time to master. Today we are going to discuss a tool that can help you capture a network trace with very little effort. In my next post, I’ll show you how to take that network trace and perform a quick analysis on it that doesn’t require you to be a network expert, and how to apply some simple fixes that have resolved many of the issues that we have seen. So, let’s get started …
The tool we are going to use is Network Monitor 3.1 OneClick. This is a free tool available from the Microsoft Download Center. There are two OneClick packages available – Autorun and ExtractOnly. The Autorun package installs Network Monitor 3.1 on your machine if you did not previously have it installed and begins a network capture. The capture is designed to stop automatically when it reaches 30MB in size, or after 120 minutes – whichever comes first. After the capture completes, if you did not have Network Monitor 3.1 already installed on your machine, then Network Monitor 3.1 is automatically uninstalled. The ExtractOnly package is used if you want to save the OneClick utility on a USB key or other portable media and run the tool later on a different machine. Let’s take a look at how the Autorun package runs on a Windows Server 2008 machine.
When you run the tool, the first thing you are prompted for is a path to save your network capture. As you can see, the default location to save the capture is in your profile in the “Network Captures” folder. For this demonstration, I am going to save the data in a different location – C:\TOOLS\NETCAPS.
If you are running this tool on Windows Vista or Windows Server 2008 with UAC enabled, you will see the following if you did not run the program with elevated privileges. Alternatively, if your user account is in the NetMon Users group on the local machine, you should not encounter this error:
So, let’s try this again – and this time, we’ll launch the program with elevated privileges:
This time, Network Monitor 3.1 installed successfully, and the capture is launched. If I look in the folder where I saved the capture, I can see that the capture reached the maximum size of 30MB and has stopped growing:
Once I am ready to end the capture (assuming that 120 minutes have not elapsed and auto-terminated the capture), I press the ‘x’ key; the capture ends and Network Monitor is removed:
And that’s how easy it is to get a Network Capture on a server! The OneClick application automatically captures the traffic on all network interfaces so you don’t even need to worry about specifying which network card to monitor – which is very useful on multi-homed machines, such as cluster servers.
With that, it is time to bring this post to an end. In my next post, we’ll take a look at an actual capture from a file server having issues and go over a quick fix you might be able to use in your environment.
– Austin Mack