Back to 12/96 How To: Programming Windows
Up to Table of Contents
Ahead to 12/96 Enterprise Windows: Enterprise Administrator

12/96 Enterprise Windows: Windows NT

Wiretap with NT Server 4.0

It's possible, if you know a thing or two about NT's Network Monitor tool.

by John D. Ruley

I have a soft spot for in-the-trenches technical folks (I used to be one myself), so I keep an eye out for tools that can make their lives easier. One such tool is a protocol analyzer. It's sort of a network technician's power-saw: It cuts through layers of network software to show you what's really happening on the LAN.

Protocol analyzers boast the ultimate sign of techno-envy: a cool nickname. They're called "sniffers" because they sniff network packets traveling across a LAN. (Data General, in fact, offers a protocol analyzer under the Sniffer brand name.) A sniffer might sound like a wiretap to you. In fact, it is a wiretap. Protocol analyzers also have the key prerequisite for a tool that all technicians lust after: They were too expensive for any individual (and most company branch offices) to afford. Until now!

Microsoft offers a software sniffer called Network Monitor (Microsoft insiders often refer to this tool as Bloodhound). Network Monitor first shipped back in 1994 with Systems Management Server (SMS) 1.0, Microsoft's combination software distribution/inventory/troubleshooting system and sauna (OK,

I'm kidding about the sauna). I was very impressed by Network Monitor back then, noting that it alone would almost justify SMS's cost.

The surprise is you no longer have to buy SMS to get Network Monitor. A version of the software sniffer is included in NT Server 4.0. Launch it by clicking on Start/Administrative Tools/Network Monitor.

To capture some network data, select Capture/ Start. If there's traffic flowing across your network, you'll see the network statistics in the upper- right corner change rapidly. If there isn't any traffic, go to another networked machine and create some by browsing the LAN.

Next, run back to the first PC (which is capturing the traffic you just created). After a dozen or so network frames have been captured, select Capture/Stop and View. This will activate a screen with summary data. Double-click any line in the summary, and you'll see Detail and Hex windows for the frame associated with that line (see the sidebar "Network Monitor").

Network Monitor includes a set of parsers that look at the network frames and attempt to decode them. With just a little understanding of what protocols NT uses, you can start to get a pretty good idea about what's going on. For instance, here's the actual data from an SMB negotiate packet (one that's sent when an SMB client-NT, Windows 95, Windows for Workgroups-sets up a session with NT Server):



00070: 1.0..XENIX CORE


00090:ORKS 1.03..LANMA

000A0:N1.0..Windows fo

000B0:r Workgroups 3.1


000D0:NMAN2.1..NT LM 0


The packet above is practically a short course in PC network history. It includes IBM's original PC Network Program (which introduced PC NetBIOS), the Xenix core that Microsoft licensed (and still uses as an e-mail platform for some employees in Redmond), MS-Net, LAN Manager, and-what's this?-NT LM 0.12. Yes, NT LAN Manager version 0.12. The truth comes out at last! NT Server really is LAN Manager on Windows NT (the Registry shows this, too).

After I got Network Monitor running on my LAN, I tried an experiment. I started a capture, then went to an NT Workstation and started an ftp session. The sidebar shows a captured frame from that session. Here's what it says:




00030:!..0..PASS test.


Check out the portion that says PASS test, which is the password for my ftp test account. What you are looking at is the network frame sent to the server when I responded to this message:


ftp> open ncr_nt

Connected to ncr_nt.

220 ncr-nt Microsoft FTP Service (Version 2.0).

User (ncr_nt:(none)): test

331 Password required for test.


What did I type? You guessed it: t-e-s-t. The ftp client sent those letters in a PASS packet to the ftp server. But don't blame Microsoft for this-IIS is very good about warning you what will happen if you permit non-anonymous log-in to the ftp service.

Now you know why I call Network Monitor the NT Server Wiretap. It can show clear-text passwords, user names and the like (native NT passwords use encrypted authentication, so you can't see them, but text file data is another matter). However, in the wrong hands, it's potentially a very real security risk.

Microsoft recognizes this risk and enforces some limitations on Network Monitor. First, as an Administrative Tool, it's not available to every NT user (though you should be careful about who has access to your server's WINNT\SYSTEM32\ NETMON directory). It also doesn't support Promiscuous Mode, which is used by most hardware sniffers. Hence, only packets sent to or from the NT server that the Network Monitor is running on can be captured. Network Monitor also supports capture and view passwords, so that even unauthorized administrators won't be able to use it. In addition, it includes a feature that lets you see if anyone else is running Network Monitor on your LAN.

Then again, if you want a really efficient wiretap, Microsoft sells a more advanced version of Network Monitor with SMS. This version does support Promiscuous Mode (and, in fact, requires it), as well as remote capture. You can actually control SMS Network Monitor using a dial-up line.

Brilliant and bogus

The brilliant move this month: Microsoft's Distributed File System (DFS) beta, which was one of the surprises Microsoft dropped on me while I was writing this column. DFS installs as a network service in NT Server 4.0, much like Network Monitor, and adds a DFS Administrator tool to the Start menu's Administrative Tools folder. With DFS Administrator, you can set up a completely arbitrary tree structure spanning not only multiple servers, but different operating systems-any network operating system for which NT and Windows 95 have a network redirector is supported: NetWare, NFS, you name it! Microsoft built the DFS client into both NT 4.0 Workstation and Server. A Windows 95 client is included with the beta.

You can find the DFS beta on Microsoft's NT Server Web page:

As for this month's bogus: the winner is-again-Microsoft's NT Workstation 4.0 license. In last month's column, I warned you about the license agreement's 10-inbound connection limit. At the time, I knew the license restricted NT Workstation 4.0's use as a Web, file and print server; but since then I've learned that Microsoft intends the limit to apply to any network server application, including telnet servers, UNIX line printer servers and X/11 client-server systems.

I've spoken to Microsoft executives up to and including Jim Allchin, the senior vice president in charge of Personal and Business Systems, the group that oversees both Windows 95 and NT. These executives unanimously state that NT Workstation isn't intended for server use. Microsoft seems focused on optimizing NT Workstation as a true desktop system, at the expense of workstation-level functionality. Their answer to those of us who need more than 10 connections to our desktops: "Buy NT Server."

In a word: bogus!

Editor-at-Large John D. Ruley is the principal author of Networking Windows NT 4.0, Third Edition (John Wiley & Sons, 1996). Contact John in the "Enterprise View" topic of the WINDOWS Magazine areas on America Online and CompuServe, via his Web page at jruley or at

Back to 12/96 How To: Programming Windows
Up to Table of Contents
Ahead to 12/96 Enterprise Windows: Enterprise Administrator