Top 13 Network Monitoring Interview Questions
Q1. Should I Run Network Monitor On The Client, The Server, Or Both? What If The Client And Server Are The Same Computer?
Usually, when the client and server programs are on the same computer, there is no network traffic. Thus, you cannot use Network Monitor to see what is going on between the programs.
When you are troubleshooting HTTP or other text-based protocols, if you have two computers and the client is getting back unexpected results, run Network Monitor on the server to see whether the server is sending the correct data.
You may also want to trace on both the client and the server if a firewall or intranet is causing network problems. In this situation, you can compare traces more effectively if you use the Net Time command to synchronize the system time on the computers.
If you have three computers that communicate in a three-tier architecture, you can run Network Monitor on the middle tier because all traffic crosses that computer.
Q2. Can Capture And Display Filters Be Saved As The Default?
To save a Capture or Display filter as the default, you must overwrite the existing file. The default Display filter file is named Default.Df, and the default Capture filter file is named Default.Cf. These files are typically located in the WinNT/System32/Netmon/Captures/ folder.
Alternatively, you can save and load various filter files as needed from within Network Monitor. To do this, click Load in the Capture Filter or Display Filter dialog box.
Q3. Where Do I Get The Network Monitor Tool?
There are two versions of Network Monitor. The full version ships with Microsoft Systems Management Server (SMS). A "lite" version is included with Windows NT Server and Windows 2000 Server and contains a subset of the features that are available in the full version.
Q4. Can The User Run Other Applications While Network Monitor Is Capturing Or Filtering The Network Traffic?
Yes, the overhead of NetMon is minimal, and other applications should not be affected by Network Monitor.
Q5. Which Version Should I Use?
It depends on what type of traffic you want to capture. Both versions of Network Monitor can capture traffic that is sent to or from the host computer (the computer that is running NetMon), including broadcasts and traffic over a dial-up network connection. The full version of Network Monitor also lets you capture and display any frames from the network segment on which the computer that is running NetMon resides, regardless of whether they are addressed to the host computer.
Q6. What If The Network Adapter Card Does Not Support Promiscuous Mode? What Is Promiscuous Mode Anyway?
Promiscuous mode is a state in which a network adapter card copies all the frames that pass over the network to a local buffer, regardless of the destination address. This mode allows Network Monitor to capture and display all network traffic.
To use Network Monitor, your computer must have a network card that supports promiscuous mode. If you are using Network Monitor Agent on a remote computer, the local computer does not need a network adapter card that supports promiscuous mode, but the remote computer does.
Q7. What Is The Difference Between The Network Monitor Agent And Network Monitor Tools And Agent?
The two main components of Network Monitor are the Network Monitor Agent and the user interface. The Network Monitor Agent monitors the network and passes traffic up to the "program" (the user interface). The Network Monitor Agent can run on any compatible computer while the program runs on a separate computer.
A computer can only see network traffic that passes across its network segment. Thus, it can be useful to have a Network Monitor Agent running on the network where the problem is occurring, while the Network Monitor user interface runs from (for example) the local area network (LAN) Administrator's computer on a different network segment. The LAN Administrator can then control the capture and view the captured data from his or her computer, even though the LAN Administrator is not on the segment where the problem is occurring.
Q8. What Security Risks Are Introduced By The Use Of Network Monitor?
Network Monitor is a "sniffer"; that is, it detects problems on the network. Because you can examine traffic at the frame level, all non-encrypted data is visible in a trace. For example, when you use Microsoft Internet Information Server (IIS) with Basic Authentication, the password is passed as clear text and can be read in a Network Monitor trace.
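As an added example (not part of the original FAQ), the following audit helper shows why Basic Authentication over unencrypted HTTP is exposed in a trace: the header value is only base64-encoded, so anyone with the capture can recover it. The function name, host name and sample requests are constructed for illustration.

```python
import base64
import binascii

def find_basic_auth(payload: bytes):
    """Return Basic credentials exposed in the headers of one HTTP request."""
    findings = []
    for line in payload.split(b"\r\n"):
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            continue          # malformed token, nothing recoverable
        user, sep, password = decoded.partition(b":")
        if sep:
            # Report the password length only; the trace itself holds the value.
            findings.append({"user": user.decode("latin-1"),
                             "password_length": len(password)})
    return findings

# Constructed sample payloads (not taken from a real capture).
_TOKEN = base64.b64encode(b"alice:constructed-pass")
BASIC_REQUEST = (b"GET /reports/ HTTP/1.1\r\nHost: intranet.example\r\n"
                 b"Authorization: Basic " + _TOKEN + b"\r\n\r\n")
NEGOTIATE_REQUEST = (b"GET /reports/ HTTP/1.1\r\nHost: intranet.example\r\n"
                     b"Authorization: Negotiate Y29uc3RydWN0ZWQ=\r\n\r\n")

if __name__ == "__main__":
    print(find_basic_auth(BASIC_REQUEST))
    print(find_basic_auth(NEGOTIATE_REQUEST))
```

Any finding from a capture taken on an internal segment identifies a service that should move to TLS or to a non-cleartext authentication scheme.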
Q9. What Is The Difference Between A Media Access Control Address And An IP Address? How Can I Distinguish One From Another?
A media access control (MAC) address is a unique, 12-digit (48-bit) hexadecimal number that the network interface card (NIC) manufacturer "burns into" a computer's network interface card. On some cards, software can override this number, but the number remains burned into the card. MAC addresses are also known as "Hardware Addresses" and "Universally Administered Addresses" (UAAs). When they are overridden, MAC addresses are referred to as "Locally Administered Addresses" (LAAs).
Media access control is the lowest layer of the network model that contains address information. All frames on a local area network contain a MAC address, regardless of the network protocol inside the frame. The same cannot be said of Internet Protocol (IP) addresses, which reside at a higher level of the network model. Non-IP traffic, such as traffic that uses the Novell IPX/SPX protocol, has a MAC address but not an IP address.
An IP address is a 32-bit address that must be unique across a Transmission Control Protocol/Internet Protocol (TCP/IP) network. IP addresses are usually represented in dotted-decimal notation, which depicts each octet (eight bits) of an IP address as its decimal value and separates each octet with a period.
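The following added example (not from the original FAQ) parses two constructed Ethernet II frames to show where each kind of address lives: every frame yields MAC addresses, but only the IPv4 frame yields IP addresses. It also goes slightly beyond the text by using the standard IEEE 802 universal/local bit to tell a UAA from an LAA; all addresses and function names are made up for illustration.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800

def format_mac(raw):
    """Render 6 raw bytes as 12 hexadecimal digits."""
    return ":".join(f"{octet:02X}" for octet in raw)

def mac_kind(raw):
    # Bit 0x02 of the first octet is set when the address is locally administered.
    return "LAA" if raw[0] & 0x02 else "UAA"

def describe_frame(frame):
    """Return the addresses carried by one Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": format_mac(dst), "src_mac": format_mac(src),
            "src_mac_kind": mac_kind(src), "src_ip": None, "dst_ip": None}
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < 34:
            raise ValueError("truncated IPv4 header")
        # IPv4 source and destination sit at bytes 12-19 of the IP header.
        info["src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))
    return info

# Constructed sample frames (not taken from a real capture).
IPV4_FRAME = bytes.fromhex(
    "00A0C9112233" "020000AABBCC" "0800"        # dst MAC, src MAC (LAA), IPv4
    "450000140000000080060000"                  # first 12 bytes of IPv4 header
    "C0A8010A" "C0A80114")                      # 192.168.1.10 -> 192.168.1.20
IPX_FRAME = bytes.fromhex(
    "FFFFFFFFFFFF" "00A0C9445566" "8137"        # broadcast, src MAC (UAA), IPX
    "FFFF001E0004")                             # start of an IPX header

if __name__ == "__main__":
    print(describe_frame(IPV4_FRAME))
    print(describe_frame(IPX_FRAME))
```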
Q10. How Does A Disconnect Appear In A Netmon Trace?
A TCP connection can be ended in one of two ways. A "graceful" close uses the TCP FIN flag to show that the sender has no more data to send. The TCP RST flag is used for an aborted ("abortive") session disconnection.
Q11. What Is A Three-way Handshake?
Before any data can be transmitted through the TCP protocol, a reliable connection must be established. A "three-way handshake" is the process that TCP uses to establish this connection.
This process cannot be thoroughly described in the context of this article. Briefly, three frames identify a three-way handshake. In the first frame, Computer1 sends a frame to Computer2 with the TCP SYN flag set. In the second frame, Computer2 sends a frame back to Computer1 with both the SYN and ACK flags set. In the third frame, Computer1 sends a frame to Computer2 with the ACK flag set. Computers exchange these three packets every time they set up a TCP connection.
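The handshake described here and the FIN/RST disconnects from Q10 can both be recognized from the TCP flags byte alone. The sketch below is an added example, not part of the original FAQ: it walks a constructed trace and labels each event, and the ports, helper names and trace contents are assumptions made for illustration.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (helper for the constructed trace)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def summarize(frames):
    """frames: (src_host, dst_host, tcp_segment) tuples in capture order."""
    events, stage = [], {}
    for src, dst, segment in frames:
        sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", segment[:14])
        sender, receiver = (src, sport), (dst, dport)
        key = frozenset((sender, receiver))      # same key for both directions
        if flags & RST:
            events.append((src, dst, "abortive close (RST)"))
            stage.pop(key, None)
            continue
        syn, ack = bool(flags & SYN), bool(flags & ACK)
        if syn and not ack:                                        # frame 1
            stage[key] = ("syn", sender)
        elif syn and ack and stage.get(key) == ("syn", receiver):  # frame 2
            stage[key] = ("syn-ack", receiver)
        elif ack and stage.get(key) == ("syn-ack", sender):        # frame 3
            stage[key] = ("open", sender)
            events.append((src, dst, "handshake complete"))
        if flags & FIN:
            events.append((src, dst, "graceful close (FIN)"))
    return events

def sample_trace():
    """Constructed trace: one connection closed with FIN, one reset by Computer2."""
    c1, c2 = "Computer1", "Computer2"
    def handshake(port):
        return [(c1, c2, tcp_header(port, 80, SYN)),
                (c2, c1, tcp_header(80, port, SYN | ACK)),
                (c1, c2, tcp_header(port, 80, ACK))]
    return (handshake(1025)
            + [(c1, c2, tcp_header(1025, 80, FIN | ACK)),
               (c2, c1, tcp_header(80, 1025, ACK)),
               (c2, c1, tcp_header(80, 1025, FIN | ACK)),
               (c1, c2, tcp_header(1025, 80, ACK))]
            + handshake(1026)
            + [(c2, c1, tcp_header(80, 1026, RST))])

if __name__ == "__main__":
    for event in summarize(sample_trace()):
        print(event)
```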
Q12. How Does Network Monitor Interpret The Protocols In A Trace That Has Been Captured?
Network Monitor includes protocol parsers that examine and interpret key items in the raw data for some of the most common protocols. As new standards and implementations evolve, there may be certain protocols for which NetMon does not contain parsers. Individuals can write parsers for these protocols, or other companies may write some of these parsers (which can be found on the Internet). Some additional parsers are included in the Microsoft Resource Kits.
Q13. What Is The Difference Between A Capture Filter And A Display Filter?
Before you run the capture, you can set up a Capture filter to determine which frames are stored in the buffer. After the data is stored, you can set up a Display filter to further focus attention on a specific set of frames.

