Monitoring network activity

Network monitoring typically consists of observing server resource utilization and measuring overall network traffic. With System Monitor you can handle both of these activities, although for in-depth traffic analysis, you should use Network Monitor.

Start by tracking the counters that are described in the topic Setting up a monitoring configuration to observe resource usage on your server. To concentrate on network-related resource usage, add the counters that correspond to the various layers of your network configuration. Abnormal network counter values often indicate problems with a server's memory, processor, or disks. For that reason, the best approach to monitoring a server is to watch network counters in conjunction with Processor\% Processor Time, PhysicalDisk\% Disk Time, and Memory\Pages/sec.

For example, if a dramatic increase in Pages/sec is accompanied by a decrease in Bytes Total/sec handled by a server, the computer is probably running short of physical memory for network operations. Most network resources, including network adapters and protocol software, use nonpaged memory. If a computer is paging excessively, it could be because most of its physical memory has been allocated to network activities, leaving a small amount of memory for processes that use paged memory. To verify this situation, check the computer's system event log for entries indicating that it has run out of paged or nonpaged memory.


Observing throughput across network layers

Investigating network performance includes monitoring activity at different network layers:

Data-link layer. This includes the network adapter. Use the Network Interface object counters:

Bytes total/sec

Bytes sent/sec

Bytes received/sec.


If you are using media-sense network adapters, displays an icon in the taskbar if the adapter becomes disconnected from the network medium. Because the driver supporting the adapter continues to run even when it is not processing traffic, the driver causes the continued use of system resources and drains performance. Therefore, it is important to attend to disconnected adapters immediately after the system detects them. As soon as you see the icon, check the adapter connection. Reconnect the adapter if appropriate; otherwise disable or remove the adapter to avoid the waste of resources associated with this condition.

Network layer. Use the IP object counters:

Datagrams Forwarded/sec

Datagrams Received/sec


Datagrams Sent/sec.

Transport layer. Varies with network protocol in use. For TCP/IP, use the TCP object counters:

Segments Received/sec

Segments Retransmitted/sec


Segments Sent/sec.

If the retransmission rate is high, there may be a hardware problem.

The ICMP and UDP object counters are also provided and are useful for more extensive monitoring of TCP/IP network transmissions. The ICMP performance object consists of counters that measure the rates at which Internet Control Message Protocol (ICMP) messages are sent and received by using the ICMP protocol. It also includes counters that monitor ICMP protocol errors.The UDP performance object consists of counters that measure the rates at which User Data Protocol (UDP) datagrams are sent and received using the UDP. It includes counters that monitor UDP errors.

If you are using the NWLink protocol, three objects are available: NWLink IPX and NWLink NetBIOS for computers communicating over the IPX protocol; and NWLink SPX for computers connecting over the SPX protocol. Note that frame-related counters for these objects report only zeroes.

Presentation/program layer. Use the Server object counters if you are monitoring a server, or the Redirector object counters if you are monitoring a user's client computer. (Some program-layer processes, such as Web servers, may have their own object counters, which you would use for monitoring transmissions across this layer.)

The Redirector object counters collect data about requests transmitted by the Workstation service; the Server object counters collect data about requests received and interpreted by the Server service.

At a minimum, include the Bytes total/sec counter for both the Redirector object (for client computers that you monitor) and the Server object (for server computers).

Each of these objects provides several other counters you may want to monitor if you suspect problems with either the Workstation or Server services:

Redirector\Current Commands

Redirector\Network Errors/sec

Redirector\Reads Denied/sec

Redirector\Writes Denied/sec

Redirector\Server Sessions Hung

Server\Sessions Errored Out

Server\Work Item Shortages

Server\Pool Paged Peak

Server\Nonpaged Pool Failures

If the Work Item Shortages counter value is increasing, consider changing the registry values for InitWorkItems or MaxWorkItems under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer.

The Sessions Errored Out counter reports automatic disconnections along with errored-out sessions. To get a more accurate value for errored-out sessions, obtain the value for Sessions Timed Out and reduce the Sessions Errored Out value by that amount. See Resources for more information.

Monitoring overall network traffic

If network traffic exceeds local area network (LAN) capacity, performance typically suffers across the network. To prevent this situation, it is important to monitor network-wide traffic levels, particularly on larger networks with bridges and routers. To monitor network traffic, please install the Network Monitor.

For information about Network Monitor, see Network Monitor Help

Related Topics

If you enable Network Monitor, you can use network-related objects with System Monitor to analyze overall network performance. For information on monitoring overall network traffic, see Monitoring overall network traffic

The operating system automatically sets a default limit for allocable nonpaged pool memory. This default value is approximately 80 percent of installed memory. If the system reaches this limit as a result of network activity, problems can result. To change this limit, modify the registry under:


For information about modifying the registry, see Registry Editor Help


Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

© 2017 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy & Cookies