DOCUMENT:Q244209 18-JUL-2002 [winnt] TITLE :How to Perform Network Tracing in a Switched Environment PRODUCT :Microsoft Windows NT PROD/VER:winnt:4.0 OPER/SYS: KEYWORDS:kbnetwork kbtool ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 4.0 - Microsoft Windows NT Workstation version 4.0 ------------------------------------------------------------------------------- SUMMARY ======= It is a common practice in high-traffic network environments to replace traditional Ethernet network hubs with intelligent switches. While this can improve computer and network performance, it makes tracing network traffic between computers difficult. An Ethernet switch works by directing packets to a specific MAC Address associated with the port. Because of this, when you try to use a network analyzer (such as Microsoft Network Monitor) in this environment, only packets with the analyzer computer's MAC address or broadcasts appear in the trace. This article describes two common methods for working around this behavior. MORE INFORMATION ================ To work around this behavior, it is necessary to arrange or configure the network so that the analyzer computer can receive all the necessary network traffic. There are two common methods for achieving this without re-engineering the entire network: Method 1 -------- This method is not available on all switches. Some switches allow for a port to be "attached" to the internal communications channels in the device. This port will now receive all traffic passing through the switch. Note that some manufacturers refer to this configuration as a Mirror Port. Method 2 -------- You can use a non-switched hub in conjunction with the switch. The hub will require a "crossover" or "uplink" port (or a suitably wired cable), which will be used to connect back to the switch. The target computer and analyzer computer are both connected to the hub, which is connected back to the switch. Now, the analyzer will receive all traffic for the target, as well as its own. NOTE: In making this change, it is also necessary to check data rates (10/100 or Gigabit networking) to ensure that all devices are compatible and will communicate successfully. Method 3 -------- Install Network Monitor on both endpoint systems. Start capturing simultaneously on both systems, immediately perform the test required, and then stop the capturing. Tracing in this manner shows the packets from the sending machine. You can then compare this trace to the trace of the receiving machines in order to discover if packets are received, not received or possibly duplicated at the endpoint. Duplication of packets has been seen in switched environments. Additional query words: netmon ====================================================================== Keywords : kbnetwork kbtool Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 Version : winnt:4.0 Issue type : kbhowto ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.