Microsoft Forefront Threat Management Gateway: Using Network Monitor 3 for Troubleshooting TMG

  • 2/10/2010

Data Gathering with Network Monitor

When using Network Monitor for data gathering it is important to define your primary goal. In other words, what are you looking for? Many times a Network Monitor capture becomes painful to read because whoever is reading it doesn’t know what to look for. When you have a clear understanding of the goal of this capture, you can move forward to the next step, which is configuring Network Monitor for data gathering.

Network Monitor allows you to capture data using the Network Monitor Graphical User Interface (GUI) or by using the nmcap command-line interface. Troubleshooting scenarios with TMG sometimes require Network Monitor capture plus other logs. This is the nice thing about ISA Data Packager (which is part of the ISABPA): this tool also gathers Network Monitor captures from all TMG firewall network interfaces.

Using Network Monitor GUI

When performing a capture using the Network Monitor console, you need to address some issues before you get started. Figure 33-1 shows the Network Monitor interface, highlighting the main features available.

Figure 33-1 Network Monitor main screen

By default Network Monitor gathers data only in the following scenarios:

  • Traffic generated from the interface that you selected

  • Traffic where the selected interface is the destination

  • Broadcast traffic

If you want to gather all traffic seen by this interface—including that which has nothing to do with this interface—you need to click the P-Mode (Promiscuous Mode) button on the Select Networks panel. The Select Networks panel also presents the available network interfaces; this is one of the most important options in this dialog box. The majority of the issues that you troubleshoot on TMG will require you to get a Network Monitor capture for all relevant network interfaces on the TMG computer. To do that you need to clear the checkbox for any interfaces (by default both will appear selected) on which you do not wish to capture data and then click the New Capture tab (either on the toolbar or on the Recent Captures panel).

When a new Capture tab is created you will see a dialog box similar to the one shown in Figure 33-2.

Figure 33-2 New capture dialog box and the initial options for data gathering

When you are ready to reproduce the issue that you are troubleshooting, click the Start button located in the toolbar, as shown in Figure 33-2. When Network Monitor captures the traffic it creates a file to temporarily store the captured data. This file has a predefined size, set in the Network Monitor Options dialog box, and after it gets full, Network Monitor starts to overwrite the oldest captured packets within the capture's temp file. To change the temp file location and the buffer size, follow these steps:

  1. Click Tools.

  2. Click Options.

  3. Click the Capture tab. The dialog box shown in Figure 33-3 appears.

  4. Change the file location and the buffer size and then click OK.

After you finish reproducing the problem, click the Stop button to stop the capture and save the file by using the option Save As from the File menu. The Save As dialog box appears, as shown in Figure 33-4.

Figure 33-3 Available options for temp file location and buffer size

Figure 33-4 Selecting which frames you want to save

The following frame selection options are available in the Save As dialog box:

  • All Captured Frames Saves all the frames that were captured. Network Monitor saves the temp file under the name that you choose and then deletes the temp file.

  • Displayed Frames Saves only the frames that are displayed in the capture tab. This option can be interesting if, for example, you want to save only the HTTP traffic from TMG to a specific IP address. You can create and apply a filter and you will only see frames that belong to this filter. This will reduce the final size of the .cap file that you are saving.

  • Selected Frames Saves only the frames that you selected (highlighted) in the capture dialog box.

  • Frame Range (e.g., 1,3,5-12) Saves only a specific range of frames.

Using Nmcap.exe

The user experience with the Network Monitor 3 GUI is much better than with Network Monitor 2 for most scenarios. However, in some other scenarios automation and system resource usage are more important than having a nice interface in which to capture and interpret data. To limit the resources consumed by Network Monitor during the capture process, you can use the Nmcap command-line interface, which has a rich set of options for data gathering. For the purpose of this example you will capture traffic from all interfaces where the protocol is HTTP (/capture http), set the maximum file size to 40 MB (/file httptraffic.cap:40M), and stop when you press the X key (/terminatewhen /keypress x). To do this, follow these steps:

  1. Click Start, type cmd, and press Enter.

  2. Type the following command:

    Nmcap /network * /capture http /file httptraffic.cap:40M /terminatewhen /keypress x

  3. Press Enter. Open Internet Explorer and browse to http://www.microsoft.com. After navigating through the site, go back to the command prompt window and press the X key.

  4. A file called httptraffic.cap will be available in the location where you started this command, which is the Network Monitor folder.

To see all the parameters available in the Nmcap command-line interface, type the command nmcap /?. To see some example scenarios of how to use Nmcap, type the command nmcap /example and press Enter.
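The steps above need someone at the console to press X. The PowerShell script below is an added example, not from the original page or from the Network Monitor team, that wraps the same Nmcap call so the capture can run unattended on a TMG computer and then checks the resulting .cap file before you hand it over. It assumes Network Monitor 3 is installed in its default folder under Program Files and uses /TerminateWhen /TimeAfter, an Nmcap option that the page does not show, in place of /KeyPress.

```powershell
# Added example (not from the original page): unattended version of the Nmcap capture
# described above. Assumptions: nmcap.exe is in the default Network Monitor 3 folder,
# and the capture should stop after a fixed time (/TerminateWhen /TimeAfter) instead of
# on a key press (/TerminateWhen /KeyPress x), which needs an interactive console.
param(
    [string]$OutputDir = "$env:SystemDrive\TmgCaptures",  # no spaces: keeps /file quoting simple
    [string]$CaptureFilter = "http",   # same protocol filter as the page: /capture http
    [int]$MaxSizeMB = 40,              # same size cap as the page: httptraffic.cap:40M
    [int]$Minutes = 5                  # how long you have to reproduce the problem
)

$nmcap = Join-Path $env:ProgramFiles 'Microsoft Network Monitor 3\nmcap.exe'
if (-not (Test-Path $nmcap)) { throw "nmcap.exe not found at $nmcap" }

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
# Time-stamped name so repeated repro attempts do not overwrite each other.
$capFile = Join-Path $OutputDir ("httptraffic_{0:yyyyMMdd_HHmmss}.cap" -f (Get-Date))

$nmcapArgs = @(
    '/network', '*',                        # all TMG interfaces, as the page recommends
    '/capture', $CaptureFilter,
    '/file', "${capFile}:${MaxSizeMB}M",    # Nmcap stops the file growing at this size
    '/TerminateWhen', '/TimeAfter', $Minutes, 'min'
)

Write-Host "Reproduce the problem now; the capture stops in $Minutes minute(s)."
$proc = Start-Process -FilePath $nmcap -ArgumentList $nmcapArgs -NoNewWindow -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "nmcap exited with code $($proc.ExitCode)" }

# Checks worth doing before attaching the capture to a case: the file exists and the
# size cap was honoured (a larger file means the :40M suffix was not applied).
if (-not (Test-Path $capFile)) { throw "no capture written to $capFile" }
$info = Get-Item $capFile
if ($info.Length -gt $MaxSizeMB * 1MB) { Write-Warning "capture exceeds $MaxSizeMB MB" }
"{0} ({1:N1} MB) is ready to open, filter and Save As in the Network Monitor GUI" -f `
    $info.FullName, ($info.Length / 1MB)
```

Run it from an elevated PowerShell prompt on the TMG computer; the resulting .cap can then be opened in the GUI and trimmed with the Displayed Frames option described earlier.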