Network Monitor Does Not Capture Outbound Frames (152643)



The information in this article applies to:

  • Microsoft Systems Management Server 1.2

This article was previously published under Q152643
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

When capturing network traffic "to and from" the local computer, Network Monitor captures and displays only one-way traffic (traffic to the computer). Network Monitor running on systems with network interface cards (NICs) that use monolithic Ndis 4.0 drivers may exhibit this symptom.

MORE INFORMATION

LocalOnly is a new bit that Ndis4.0 supports. It gives Network Monitor the ability to acquire all the network traffic that is going to and from your computer without going into Promiscuous Mode, which is very expensive. Some cards, which are monolithic (non-miniport) or are miniport but implement their own loopback, indicate that they handle the LocalOnly bit, but actually they do not.

WORKAROUND

To work around this behavior, add the ForcePmode registry subkey.

Warning Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

Network Monitor 1.0

  1. Run Registry Editor.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bh\Parameters

  3. On Edit menu, click Add Key, and then add the following key:

    Key Name: ForcePmode
    Class: <leave blank>

  4. On the Edit menu, click Add Value, and then add the following:

    Value Name: EPRO1 <example>
    Data Type: REG_DWORD
    Data: 1

    The value should be the same as the name in the SYSTEM\CurrentControlSet\Services\bh\Linkage key, under the Bind Value with the leading "\Device\" stripped off. There are multiple cards on the same line, space delimited.
  5. Click OK, and then quit Registry Editor.
  6. Shut down and then restart Windows NT.
Note This does NOT effect Network Monitor counters within Perfmon because pmode will be used.

Network Monitor 2.0

  1. Run Registry Editor.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm\Parameters

  3. On Edit menu, click Add Key, and then add the following key:

    Key Name: ForcePmode
    Class: <leave blank>

  4. On the Edit menu, click Add Value, and then add the following:

    Value Name: EPRO1 <example>
    Data Type: REG_DWORD
    Data: 1


    The value should be the same as the name in the SYSTEM\CurrentControlSet\Services\nm\Linkage key, under the Bind Value with the leading "\Device\" stripped off. There are multiple cards on the same line, space delimited.
  5. Click OK, and then quit Registry Editor.
  6. Shut down and then restart Windows 2000.

Modification Type:MinorLast Reviewed:6/14/2005
Keywords:kbNetworkMon KB152643