Microsoft Forefront Threat Management Gateway: Using Network Monitor 3 for Troubleshooting TMG

  • 2/10/2010

Data Gathering with Network Monitor

When using Network Monitor for data gathering it is important to define your primary goal. In other words, what are you looking for? Many times a Network Monitor capture becomes painful to read because whoever is reading it doesn’t know what to look for. When you have a clear understanding of the goal of this capture, you can move forward to the next step, which is configuring Network Monitor for data gathering.

Network Monitor allows you to capture data using the Network Monitor Graphical User Interface (GUI) or by using the nmcap command-line interface. Troubleshooting scenarios with TMG sometimes require Network Monitor capture plus other logs. This is the nice thing about ISA Data Packager (which is part of the ISABPA): this tool also gathers Network Monitor captures from all TMG firewall network interfaces.

Using Network Monitor GUI

When performing a capture using the Network Monitor console, you need to address some issues before you get started. Figure 33-1 shows the Network Monitor interface, highlighting the main features available.

Figure 33-1

Figure 33-1 Network Monitor main screen

By default Network Monitor gathers data only on the following scenarios:

  • Traffic generated from the interface that you selected

  • Traffic where the selected interface is the destination

  • Broadcast traffic

If you want to gather all traffic seen by this interface—including that which has nothing to do with this interface—you need to click the P-Mode (Promiscuous Mode) button on the Select Networks panel. The Select Networks panel also presents the available network interfaces; this is one of the most important options in this dialog box. The majority of the issues that you troubleshoot on TMG will require you to get a Network Monitor capture for all relevant network interfaces on the TMG computer. To do that you need to clear the checkbox for any interfaces (by default both will appear selected) on which you do not wish to capture data and then click the New Capture tab (either on the toolbar or on the Recent Captures panel).

When a new Capture tab is created you will see a dialog box similar to the one shown in Figure 33-2.

Figure 33-2

Figure 33-2 New capture dialog box and the initial options for data gathering

When you are ready to reproduce the issue that you are troubleshooting, click the Start button located in the toolbar, as shown in Figure 33-2. When Network Monitor captures the traffic it creates a file to temporarily store the captured data. This file has a predefined size determined in the Network Monitor Options dialog box, and after it gets full, Network Monitor starts to overwrite the older packets capture within the capture’s temp file. To change the temp file location and the buffer size follow these steps:

  1. Click Tools.

  2. Click Options.

  3. Click the Capture tab. The dialog box shown in Figure 33-3 appears.

  4. Change the file location and the buffer size and then click OK.

After you finish reproducing the problem, click the Stop button to stop the capture and save the file by using the option Save As from the File menu. The Save As dialog box appears, as shown in Figure 33-4.

Figure 33-3

Figure 33-3 Available options for temp file location and buffer size

Figure 33-4

Figure 33-4 Selecting which frames you want to save

The following frame selection options are available in the Save As dialog box:

  • All Captured Frames Saves all the frames that were captured. Save the temp file with the name that you choose and then delete the temp file.

  • Displayed Frames Saves only the frames that are displayed in the capture tab. This option can be interesting if, for example, you want to save only the HTTP traffic from TMG to a specific IP address. You can create and apply a filter and you will only see frames that belong to this filter. This will reduce the final size of the .cap file that you are saving.

  • Selected Frames Saves only the frames that you selected (highlighted) in the capture dialog box.

  • Frame Range (e.g., 1,3,5-12) Saves only a specific range of frames.

Using Nmcap.exe

The user experience with Network Monitor GUI is much better than Network Monitor 2 for most scenarios. However, in some other scenarios automation and system resource usage are more important than having a nice interface in which to capture and interpret data. To limit the resources consumed by Network Monitor during the capture process, you can use the Nmcap command-line interface, which has a rich set of options for data gathering. For the purpose of this example you will capture traffic from all interfaces where the protocol is equal to HTTP (/capture http), setting a maximum file size to 40 MB (/file httptraffic.cap:40M) and stopping when you press the X key (/terminatewhen /keypress x). To accomplish this access follow these steps:

  1. Click Start, type cmd, and press Enter.

  2. Type following the command:

    Nmcap /network * /capture http /file httptraffic.cap:40M /terminatewhen /keypress x
  3. Press Enter. Open Internet Explorer and browse to After navigating through the site, go back to the command prompt window and press the X key.

  4. A file called httptraffic.cap will be available in the location where you started this command, which is the Network Monitor folder.

To see all the parameters available in the Nmcap command-line interface, type the command nmcap /?. To see some example scenarios of how to use Nmcap, type the command nmcap /example and press Enter.