Network Monitor for NON-experts!

Aug 5, 2009 at 7:29 PM
Edited Aug 5, 2009 at 7:31 PM

I've been using sniffers of various sorts for many years.  I know my way around protocol analysis; that's not an issue. 

But NetMon has a serious user interface problem that makes it difficult to use by people who are non-expert, not in protocol analysis, but in using NetMon itself.  It's a needless discouragement preventing more people from using what is otherwise not a bad program.  And it's a _major_ issue for people -- like small business consultants with an eye on the clock --  who don't have hours to sit around discovering how to use new software.

The issue is filters.  It is a pain in the butt trying to set up filters so one can focus on the traffic you're interested in.  All you have is that little window to type in filter strings.  No GUI, no wizard, no obvious pick list.  And the help for the filters is almost non-existent.  Just try to find a syntax definition.  For comparison, have a look at the program TracePlus.  It'll do practically anything you want for filtering, with a very useable GUI interface.

If you think I'm complaining too much, it may be because you're an expert.  Sorry, you don't qualify. 

It should be possible to install NetMon for the first time and, within a few minutes, have a network trace of selected traffic by type and address.  The only thing preventing that is the user interface.

IMNSHO, the single most important thing Network Monitor needs, to encourage greater use by more users, is a better user interface for, and better documentation on, using filters.

/kenw

Aug 14, 2009 at 5:12 PM

We do understand there's some more room to make it really simple for people to create filters.  In fact this is one thing that Network Monitor 2.x did better in some regards.  But here are some helpful tips for creating filters today.

1.  If you see a frame and you are interested in finding other frames like it, you can right click in the frame details or the column details and create a filter based on that value.  This is also a good way to learn how filters work.

2.  With intellisense you can type dot ".", and see the top level items.  This is a good way to find protocol and field names.  In fact if you type "protocol." you will see a list of all the protocols.  Of course you have to understand that typing in a protocol allows you to filter on that protocol which I agree is not as obvious as it could be.

3. We have a bunch of standard filters built in under the folder icon in the display/capture filter window.  This is also another great way to learn how to filter and provides examples for many of the basic filtering tasks.

4. For documentation you can look at the "How do I Use Filters" and "Using Filters" in the documentation from the help menu.

5. Finally we also have a video on filtering which goes over some of this.  You can access these videos from our blog: http://blogs.technet.com/netmon/archive/2008/07/11/nm3-tv-video-help-for-using-nm3.aspx

 

Hope that helps, and as we move forward we hope to make filtering even easier.

Thanks,

Paul

Aug 14, 2009 at 8:28 PM
Edited Aug 14, 2009 at 8:30 PM

Thanks, Paul. That's useful information. I'm not letting you off the hook that easily, though. You've helped me, and the few other people who will read this -- who are, almost by definition, not the people we need to help.

 What we have here is... something ubiquitous in our world: a user interface designed by experts, for people like themselves, with essentially zero testing as to whether it actually works for the nominal target audience.

 This is not just about training wheels. It's about productivity. Most users will use a sniffer only occasionally, as needed; they won't remember all the details from one instance to the next. They just need to get the job done: from setup to results, with the least amount of wasted time.

  I was serious, by the way: download the free trial of TracePlus (a product written by one person, I believe) and try it out. It'll help you get a feel for how big "some room" is.

/kenw 

Aug 17, 2009 at 10:46 PM

I did just download TracePlus and gave it a try.  But it seems the filter button is grayed out, so perhaps this isn't available in the free version?

One issue is understanding what each end user wants to get out of your product.  Protocol Analyzers are very general tools and can be used for many different types of problems.  So it's challenging to provide a simple interface that is useful for varied tasks.  This type of discovery isn't always easy to understand by looking at another product.

Perhaps it would be better to have you list out your common scenarios and tell me how TracePlus does a good job of making this easy for you.  This way we can understand where you and others are coming from and how one solution works for you.

Paul

Aug 19, 2009 at 1:50 AM

Hi, Paul.   Glad you took me seriously and gave it a shot, but I think maybe you're trying too hard.   Just launch TracePlus and click the Capture icon (the universal green "go" triangle, much like Netmon). 

When you start a capture, TracePlus immediately opens the "capture settings" dialog, with the Filter Settings showing default of "all packets", a drop-down list of filters for various protocols, and tabs for selecting by address, etc.  No command syntax to guess at.  If you are happy with the default settings, click "Start". 

I'm not sure how you could make it much quicker or easier.  

When I do network analysis, I'm usually doing one of two things.  Either:

- I'm trying to analyse a specific protocol involving one or two hosts, in which case I will want to filter by address and protocol, either uni- or bi-directionally.

- I'm trying to locate the source of unusual traffic, and just want to display all the traffic or a selected protocol in a graph highlighting the most active participants.  TracePlus starts doing this automatically, before I even start a capture session.  I see no indication Netmon3 even can.

I stand by my original position: NetMon3's biggest handicap is its inscrutable  user interface.

/kenw


Aug 20, 2009 at 3:58 PM

Ah, I see now.  Before I was opening a trace, which is actually what I do the most when I use a Protocol Analyzer.  Obviously Live Capture is another popular scenario, just not one I personally engage in a lot.  But now I see the interface, and this would apply to both scenarios in the sense that it shows a way to simplify filtering.  And I believe this aligns with the thoughts and direction of the team in terms of ideas we've already discussed for making it easier to filter for these common scenarios.  As we move to our next version we will keep this all in mind plus the scenarios you listed above. 

For your most active participants scenario, we do have a solution today.  However it's not enabled in the live capture scenario, again another limitation we hope to remove in a future version.  We have an expert called Top Users, which allows you to understand the top talkers in a saved trace.  You probably already saw this expert on the main page, but I wanted to point it out just in case.  We integrated this as an add on to avoid product bloat.  And as I mentioned before we hope to get better integration in the future so these types of things will be available in live capture scenarios.

Please, if you have further discussion or suggestions, our Forums at http://social.technet.microsoft.com/Forums/en-US/netmon/threads would be a great place to discuss these types of things. 

Paul