Skip navigation

Performance Monitor and Networks

Optimize network performance with Performance Monitor

I discussed Windows NT Performance Monitor basics in "The Windows NT Performance Monitor," March 1997, and "More Windows NT Performance Monitor," April 1997. You can download these articles from the Windows NT Magazine Web site ( In this article, I'll discuss how you can use Performance Monitor to analyze and optimize your network, and I'll show you how Performance Monitor can help you troubleshoot your network.

After you open a Performance Monitor session, you need to add the counters to track network activity. Performance Monitor adds counters as you add software components to your system. The more network protocols and services you install, the more counters Performance Monitor uses. I'll discuss the NetBEUI, TCP/IP, Network Interface, Network Segment, and Server counters.

If you're running NetBEUI, you can add several counters. Screen 1, page 220, shows how to add the NetBEUI and NetBEUI Resource counters.

The NetBEUI counter. The NetBEUI object measures network performance. You might have multiple instances of this object, as Screen 2, page 220, shows. For example, if the NetBEUI protocol is bound to the network card and your dial-up adapter, you'll have more than one instance. The default NetBEUI counter is Bytes Total/sec. This counter measures the total bytes your computer sends and receives on the NetBEUI protocol. It measures the data bytes but not the related control information.

When you optimize your network, you need to consider the type of network traffic. All network traffic travels as frames. You can classify network frames as datagram traffic or session traffic. Datagrams are packets whose delivery to a remote computer isn't acknowledged or guaranteed. The network typically uses a datagram when the browser service calls an election to name a computer as Master Browser. The logon process and name resolution (finding the network address that goes with a computer name) also use datagrams. The network generates a session to guarantee error-free data transfer over an established connection. The total bytes transmitted and received can be broken down into Datagram Bytes and Frame Bytes. The Frame Bytes counter includes datagram and session traffic.

The NetBEUI Resource counter. The NetBEUI Resource counter shows NetBEUI system resource use. You can monitor the Times Exhausted counter to identify network problems. This counter shows the number of times the system used network resource buffers. In the Times Exhausted counter, you can monitor the instances of Links, Connections, Addresses, and Address Files. These counters are cumulative. Increasing values tell you the system is approaching its resource limit. You must modify your Registry settings to correct this problem. (For information about modifying Registry settings, see Paula Sharick, "Registry Secrets," October 1995; Christa Anderson, "Care and Feeding of the Registry," December 1996; and Mark Russinovich, "Inside the Windows NT Registry," April 1997.)

Other counters. Additional NetBEUI counters include Frames Rejected/sec, Failures Adapter, and Failures Resource Local. The Frames Rejected/sec counter tallies frames that the computer rejected because of errors and that must be resent. The ratio of Frames Rejected to Frames Received should be fairly low, but the number of frames rejected might not be zero, because network collisions can necessitate resending. The Failures Adapter counter shows the number of dropped connections because of an adapter failure (you want the count to be zero). This cumulative counter shows the total since the Performance Monitor session started. You wouldn't routinely monitor this counter, but it's useful for checking network card malfunction. On a server, the Failures Resource Local counter shows the number of attempted connections that have failed because of the local computer's low resource availability. This cumulative counter displays zero unless the server can't handle the system's demands.

TCP/IP has an odd feature: Even if you have TCP/IP installed, you must load the Simple Network Management Protocol (SNMP) Service to see the TCP/IP counters. Go to Control Panel, Network. Select the Services tab, and add the SNMP Service, as Screen 3 shows. You must then restart your computer.

After your restart your computer, you'll see several new counters, including TCP, IP, Network Interface, Internet Control Message Protocol (ICMP), and User Datagram Protocol (UDP). When you load the SNMP Service, your system installs essential DLLs that enable the counters.

SNMP supplies network-management information, but you don't need the service unless your organization is running third-party SNMP management software, such as HP OpenView. If you don't need SNMP, remove it to save resources. The TCP/IP counters remain when you remove the SNMP Service.

TCP. The Segments/sec counter tells you the total number of TCP segments your computer has sent and received. Segments Retransmitted/sec shows the number of segments your computer must resend because of errors. This value isn't always zero, because network collisions can occur, but it should be only a fraction of the Segments Sent/sec. Screen 4 shows some TCP and IP/UDP counters.

IP/UDP. The IP Datagrams/sec counter shows the amount of TCP/IP network traffic, which is sent as datagrams. Datagrams are typically broadcasts. To reduce broadcast traffic, you need to know which services and processes use datagrams. The IP protocol splits the data into fragments that the receiving computer reassembles. The Fragment Re-assembly Failures counter might be telling you the receiving computer is having trouble putting the fragments back in order. Transmission errors and timeouts can cause this problem. The UDP counters measure datagrams at the transport layer, whereas the IP counters measure datagrams at the network layer. The Datagrams Outbound Discarded and Datagrams Received Discarded counters tell you how many datagrams your system is discarding even without transmission errors. An increase in these counters indicates insufficient network buffer space.

Network Interface
Screen 5 shows two Network Interface card instances, but the computer has only one card. The first instance is a loopback path, which is the local path through the protocol driver and network card. You'll want to check the second instance, which shows data your computer sent out onto the network. You can use this network card to measure total bytes and packets sent and received to analyze your system's throughput.

You might think the Current Bandwidth counter would monitor any network interface, but this counter shows theoretical rather than actual bandwidth. Similarly, you might think the Output Queue Length counter would show bottlenecked data requests. However, the network card doesn't handle transmission requests, so this counter is always zero. Instead, the network device interface specification (NDIS) software handles transmission requests.

The best counters to monitor for network card problems are Packets Outbound Errors and Packets Received Errors. Compare the Packets Outbound Discarded and Packets Received Discarded counters with the total packet throughput to see the number of error-free packets the system is dropping. The system might drop packets to free buffer space, so an increase in these counters tells you the network buffers are too small.

Network Segment
To add Network Segment counters, you must install the Network Monitor Agent. (Go to Control Panel, Network, Services.) When you monitor Network Segment counters in Performance Monitor, the network card is in promiscuous mode. The network card typically rejects network traffic intended for other network cards, but in promiscuous mode the network card accepts this traffic and passes it to the computer for analysis. This activity drains the resources of the computer you're analyzing, so you'll want to limit Network Segment monitoring.

Monitoring the Network Segment counters increases CPU use. As these counters process network traffic, they use additional system resources. A reasonable limit for an Ethernet network is %Network Use less than 30 percent. A higher value means you need to speed up the network or reduce the amount of traffic.

You can use the %Broadcast Frames and %Multicast Frames counters to view the percentages of broadcast and multicast traffic. Network cards pass broadcast and multicast frames to a higher-level software component before they act on or discard them. This extra activity results in additional CPU use. In Screen 6, you see a spike in broadcast traffic after a file transfer. As the requesting computer connects to find the server computer's network address, it generates broadcast traffic. Frame traffic increases as the server transfers the files.

You can easily overlook the Server object, because this counter is sometimes considered a service rather than a network object. The Server service sends resources over the network to clients, so how it responds to data requests is important to system performance. A fast network is useless if it connects you to a slow server.

On a domain controller, you need to monitor the Logon Total and Logons/sec counters. Logon Total is a cumulative counter that shows the number of logons since you booted the server (not the number since you started Performance Monitor). You can use the Logons/sec counter to ensure the system is adding users efficiently during peak logon traffic.

If your system primarily functions as a domain controller rather than a file and print server, you can tune it to optimize logon performance. From Control Panel, Network, Services, open the Properties dialog box for the Server service. Select Maximize Throughput for Network Applications, as Screen 7 shows, and click OK.

Resources and Recommendations
The Microsoft Windows NT Server 4.0 Resource Kit is the best reference for Performance Monitor. (The server resource kit CD-ROM also includes the workstation resource kit text.) The Microsoft Windows NT 3.51 Resource Kit has an excellent chapter called "Detecting Network Bottlenecks" that isn't in the 4.0 kit, so you'll want to refer to that version if you still have it. Microsoft's current TechNet CD-ROM contains several useful performance tuning articles. TechNet also explains Performance Monitor counters in detail. Try searches such as NetBEUI Object and IP Object.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.