On-Line Documentation
This page provides a brief overview of NetMapII. Full documentation
will be added in the near future. For now, this documentation and the readme
file included in the NetMapII zip file should allow you to begin using NetMapII.
Brief History
NetMapII was originally created by me (Ken Smith) as a method of analyzing my
Ethernet network (which was a Novell NetWare network). At the time, I was the
Vice President of Marketing for a company called AESP. AESP was a relatively
small company (around 3 million dollars annual sales) so the title Vice
President of Marketing is a bit misleading. I had responsibility for Marketing,
Research and Development, Product Management, Tech Support, MIS, on and on.
Eventually we grew to a 16 million dollar publicly traded company, but at the
time, I had just upgraded our network to handle around 50 users and our network
performance was very slow. Having worked as a programmer for companies like
Ungermann-Bass, IBM, Siemens in the 1980s, I was well aware of network protocol
analyzers, but could not afford what was available at the time (Sniffer, NetMon,
etc.). I convinced my boss we could not only use a protocol
analyzer, but could also sell it once it was developed. In 1991, NetMapII was
born. The name came from a previous product which we were selling at the time,
NetMap, which was an AppleTalk network protocol analyzer. I based NetMapII on
the packet driver interface (popularized by Crynwr) and created a zooming
windows type interface (all text based) and began coding away. The entire
program is written in 8086 assembler (this is why it's so fast and so small).
We originally sold the program for $500 but after about 2 years it was obvious
it cost more to support than what we made, so we discontinued selling it.
Eventually I left AESP, and asked my old boss if I could take NetMapII with me.
He agreed, and so I sat on it for a while. Recently, consulting for several
companies in the South Florida area, I noticed one of the biggest problems they
had was Windows 95 network errors. I downloaded several Windows-based,
supposedly free, protocol analyzers, only to discover they were so badly
crippled (only 30 seconds of capture, limited filtering, etc.) they were
basically unusable. So one day, I went home, dug out my old NetMapII code,
and started using it. To my surprise, my fellow programmers used it productively.
Since I am not interested in starting a software company (I am currently very
happily employed by a BIOS ROM manufacturer), I decided to give NetMapII away
for free, in the hope that others will pick up the ball and run with it. In the
near future I intend to publish the interface (once I can find it) for the
protocol decode section of the program so protocols not currently supported may
be easily added by any C or Assembly programmer. I have a complete set of
documentation for NetMapII (i.e. a user's guide and internal structure information)
but cannot currently locate it (it's on tape somewhere) and when I find it I
will add it to the web page. NetMapII is entirely free and shareable. I do this
because of the packet drivers which I based NetMapII on. They were given to me
with no strings attached, and this is my contribution to that community and to
all programmers in general. So download it (it should only take about 1 minute),
unzip it, and hopefully it can help you with whatever ails you.
Good luck!
NetMapII Overview
First, what NetMapII is and isn't. NetMapII is a MAC based (media access
control) network protocol analyzer that allows you to view network traffic
(kind of like a network microscope), capture
packets, filter based on nearly any criteria, generate traffic and in general,
analyze what is going on on your local area network. NetMapII does this by
putting the Ethernet adapter in promiscuous mode, which allows it to see all
packets on the network. NetMapII allows you to view previously captured packets
in a variety of formats (including Novell IPX/SPX, IEEE802.2, IEEE802.3, etc.).
You may also save captured packets to disk so you can do anything you want with
them (like display them in a format more suitable to your needs, etc.).
NetMapII is based on the packet driver interface and will support any network
adapter which has a packet driver available for it (including pocket adapters
which plug into the parallel printer port, and PCMCIA adapters).
NetMapII is a software program so it does not allow you to do hardware based
things like Time Domain Reflection, forced media errors, termination
verification, etc. NetMapII is a DOS based program so it will not run under
Windows or even a Windows 95 DOS box. To use NetMapII with Windows 95, you must
shut down and restart in MSDOS mode, but then it will work fine. I know of no
major bugs in NetMapII, it has never crashed a system on me, and can keep up
with Ethernet speeds up to 10 Mbps. It can generate traffic up to 10 Mbps and will
run on a lowly 286 (though not recommended). A 486DX66 or better will be all
NetMapII needs to realize its full potential. NetMapII only requires about 128K
of RAM. In fact anything more will not be used.
Getting Started
NetMapII comes in a zip file which includes all of the programs necessary to
begin analyzing your network, including a NE2000 (or compatible) packet driver.
I have over 100 packet drivers for various cards (3COM, Western Digital, etc)
but have not included them on the web site since there are better places to get
these (probably newer versions than I have anyway), however, if it becomes
necessary, I will add these to the web site in the future. When you unzip
NetMapII you will see two versions of the program, NMIIB and NMIIC. These are
used for monochrome and color systems respectively (yes NetMapII will work on a
MGA, CGA, VGA, etc.). This makes it easy to dedicate a cheap system to NetMapII
which is probably a good idea if you plan on seriously using it to analyze your
network. To use NetMapII, you will first need to know the IRQ and Address
settings of your NE2000. The NE2000 (or other adapter) packet driver must be
loaded first. The following two commands will run NetMapII on a standard VGA
type system:
NE2000 0x63 0x05 0x300
NMIIC 0x63
The first line invokes the ne2000 packet driver. The first of the 3 parameters
tells the packet driver which software interrupt to use to communicate with
NetMapII (in this example 0x63 is used as the interface between NetMapII and
the packet driver). You may use any software interrupt you like; I just happen
to have good luck with 0x63 (i.e. it doesn't conflict with any other software I
use).
The second parameter passed to the ne2000 packet driver is the hardware
interrupt used by the ne2000 ethernet adapter. In this example, the NIC is
configured for hardware interrupt 05. If your adapter uses a different hardware
interrupt (you can usually see this in the Windows 95 resource settings page
for the ne2000 adapter), then you would replace the 05, with the appropriate
hardware interrupt number. If you don't know what hardware interrupt
your network adapter uses then you need to find out because the packet driver
will not work if this value is supplied incorrectly.
The final parameter passed to the ne2000 packet driver is the hardware address
used by the network adapter. In this example, the ne2000 is located at (or using)
address 0x300 (by the way, don't forget to precede the hex parameter with the
0x prefix; all of the parameters are provided as hex numbers).
Once you have executed the packet driver, it should respond with a message
which reports its network address (something like 0e 0d 1f 23 45 98 or some
other number). If the network address which is reported by the packet driver is
all 0s or all ffs (like ff ff ff ff ff ff) then the packet driver is not
working properly (probably a bad value for the IRQ or IO Address). There is no
need to go any further until this problem is remedied. NetMapII will not work
if the packet driver is not installed properly!
Assuming you got the packet driver to install properly, you are now ready to
load NetMapII. Remember, if you are using an old monochrome monitor adapter you
must enter the command NMIIB 0xyy; if you are using a CGA, VGA, or any other
monitor type, then enter the command NMIIC 0xyy (where yy is the same as the
first parameter supplied to the packet driver [see above 0x63]).
Just to review, assuming you are using a ne2000 adapter which is configured to
use IRQ 11 and IO Address 360 hex, on a standard VGA system, the following two
commands (entered from the DOS command prompt) will run NetMapII:
ne2000 0x63 0x0b 0x360
nmiic 0x63
Using NetMapII
Once loaded NetMapII will zoom open a main menu window. Use the arrow keys to
highlight an option, then press the enter key to select the highlighted option.
Typically, the first thing you will do is view network activity (if you didn't
move the selection bar, just press the enter key). This screen will show you
all of the packets flying across your network in real time near the top of the
screen. The bottom of the screen will display a histogram (or real time bar
graph) which shows the system performance. The histogram is originally set up
to display a bar once every second (although this can be changed by you later
if you wish). The top of each bar has a number which represents the megabits
per second (Mbps) for that second's activity; the bottom of each bar shows the
packets per second (or pps) for that second's activity. The histogram will
scroll to the left over time. To exit this screen, press the escape key. For
additional information (or help) press the F1 key. Note the F1 key is the help
key, and when you are on any screen, pressing the F1 key will display a help
window for that screen.
Assuming you did not change anything yet, the system is originally configured
to capture all packets it sees on the network, and to wrap when the capture
buffer (128 total packets may be saved at one time) is full. If you press the
escape key, and then select option two from the main menu (view captured
packets option), you will see a window which shows each packet in raw hex
format. Pressing the up or down arrow keys will scroll the packet data up or
down. Pressing the Page Up or Page Down keys will move you through the captured
packets.
If you press the F2-F4 keys you will see the packets decoded into various
formats (like Novell IPX/SPX format for example). Remember, pressing the F1 key
at any time will zoom open a help window for that screen. Also, while on the
decode screens you may use the Page Up and Page Down keys to move to the
next/previous packet. Keys F5-F9 are available for other protocol decodes but
as I mentioned earlier, I don't remember the exact method of adding these
custom view screens. As soon as I find the documentation I will make it
available. For now you will have to save the packets to disk and display them
yourself if the 3 or 4 decodes available are not sufficient for your needs
(sorry).
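For anyone decoding saved packets by hand, the first step is telling the framings named above apart. The C sketch below is an added example, not NetMapII code or its decode interface: it classifies a raw frame as Ethernet II, raw 802.3 (Novell), 802.2 LLC or 802.2 SNAP and locates the IPX header. The function names and the sample frame are constructed for illustration, and NetMapII's on-disk capture format is not assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum framing { FR_SHORT, FR_ETHERNET_II, FR_RAW_8023, FR_8022_LLC, FR_8022_SNAP };

/* Classify one frame; f points at the destination address (no preamble/FCS). */
enum framing classify(const uint8_t *f, size_t len)
{
    if (len < 16) return FR_SHORT;
    unsigned tl = (unsigned)f[12] << 8 | f[13];      /* type or length field */
    if (tl >= 0x0600) return FR_ETHERNET_II;         /* value is an EtherType */
    if (f[14] == 0xFF && f[15] == 0xFF) return FR_RAW_8023; /* IPX checksum */
    if (len < 17) return FR_SHORT;
    if (f[14] == 0xAA && f[15] == 0xAA && f[16] == 0x03) return FR_8022_SNAP;
    return FR_8022_LLC;                              /* DSAP, SSAP, control */
}

/* Offset of the 30-byte IPX header, or -1 if the frame does not carry IPX. */
int ipx_offset(const uint8_t *f, size_t len)
{
    int off = -1;
    switch (classify(f, len)) {
    case FR_ETHERNET_II: if (f[12] == 0x81 && f[13] == 0x37) off = 14; break;
    case FR_RAW_8023:    off = 14; break;
    case FR_8022_LLC:    if (f[14] == 0xE0 && f[15] == 0xE0) off = 17; break;
    case FR_8022_SNAP:   if (len >= 22 && f[20] == 0x81 && f[21] == 0x37) off = 22; break;
    default: break;
    }
    return (off >= 0 && len >= (size_t)off + 30) ? off : -1;
}

/* IPX packet type byte (5 = SPX, 17 = NCP), or -1 if the frame is not IPX. */
int ipx_packet_type(const uint8_t *f, size_t len)
{
    int off = ipx_offset(f, len);
    return off < 0 ? -1 : f[off + 5];
}

/* Constructed sample: raw 802.3 frame, broadcast destination, IPX type 17. */
static const uint8_t sample_raw[60] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x02,0x00,0x00,0x00,0x00,0x01, 0x00,0x1E,
    0xFF,0xFF, 0x00,0x1E, 0x00, 0x11 };

int main(void)
{
    printf("framing=%d ipx_offset=%d type=%d\n", classify(sample_raw, 60),
           ipx_offset(sample_raw, 60), ipx_packet_type(sample_raw, 60));
    return 0;
}
```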
The usage of the function keys is universal throughout the program. What I mean
by this is on any screen, pressing the escape key will back you out to the
previous screen, and pressing the F1 key will display a help window for the
current screen.
The real power of NetMapII lies in its advanced filtering capabilities. When
you select the filter option off the main menu you will see a series of filters
which you may provide for filtering packets based on source and/or destination
addresses. For example, if you only want to see traffic to or from the
workstation (or server) with a node address (or Ethernet address) of
01:02:03:04:05:06 then enter a filter with a source OR destination of
01:02:03:04:05:06. Do not enter the filter as source AND destination of
01:02:03:04:05:06 or you will only see (and capture) packets from the
workstation to itself (probably not very useful).
Pressing the page down key (I believe, just check the bottom line of the screen
to make sure) will bring you to a second filter screen where you may filter
packets based on bit-fields within the source/destination address and/or the
length of a packet. Pressing the page down (or page up, I forget) key from this
screen will bring you to yet another filtering screen, the custom filter
screen. Here you may filter packets on any byte/word value within the packet.
Remember, the filters will affect not only the packets displayed and histogram
on the view network activity screen, they will also determine which packets are
captured.
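The difference between the OR and AND address filters, combined with the length and custom-byte stages, can be seen in the C sketch below. It is an added example, not NetMapII's filter code: the struct layout, function names and the three-frame capture are constructed for illustration, and only the station address 01:02:03:04:05:06 comes from the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum addr_mode { SRC_OR_DST, SRC_AND_DST };

struct filter {                 /* hypothetical layout, not NetMapII's own */
    uint8_t addr[6], mask[6];   /* node address and the bits that must match */
    enum addr_mode mode;
    size_t min_len, max_len;    /* accepted frame lengths */
    int off; uint8_t value;     /* custom byte test; off = -1 disables it */
};

static int addr_match(const uint8_t *a, const struct filter *flt)
{
    for (int i = 0; i < 6; i++)
        if ((a[i] ^ flt->addr[i]) & flt->mask[i]) return 0;
    return 1;
}

/* Returns 1 if the frame passes the length, address and custom-byte stages. */
int frame_passes(const struct filter *flt, const uint8_t *f, size_t len)
{
    if (len < 14 || len < flt->min_len || len > flt->max_len) return 0;
    int d = addr_match(f, flt), s = addr_match(f + 6, flt);
    if (flt->mode == SRC_OR_DST ? !(s || d) : !(s && d)) return 0;
    return flt->off < 0 || ((size_t)flt->off < len && f[flt->off] == flt->value);
}

/* Constructed capture: to the station, from the station, unrelated traffic. */
static const uint8_t capture[3][60] = {
    { 1,2,3,4,5,6, 2,0,0,0,0,0xAA, 0x81,0x37 },
    { 2,0,0,0,0,0xAA, 1,2,3,4,5,6, 0x08,0x00 },
    { 2,0,0,0,0,0xBB, 2,0,0,0,0,0xAA, 0x08,0x00 } };

/* Count capture frames kept by a filter on station 01:02:03:04:05:06. */
int count_kept(enum addr_mode mode, int off, uint8_t value)
{
    struct filter flt = { {1,2,3,4,5,6}, {255,255,255,255,255,255},
                          mode, 0, 1514, off, value };
    int n = 0;
    for (int i = 0; i < 3; i++) n += frame_passes(&flt, capture[i], 60);
    return n;
}

int main(void)
{
    printf("OR %d AND %d\n", count_kept(SRC_OR_DST, -1, 0), count_kept(SRC_AND_DST, -1, 0));
    return 0;
}
```

With the OR filter two of the three frames are kept; with AND none are, because no frame has the station as both source and destination.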
I will add more on-line documentation in the near future, but for now, I hope
this helps you get started using NetMapII for network analysis. There are
several key options (like traffic generation, statistics) which I have not yet
covered. They will be added soon. For now, if you have any specific questions
or comments, feel free to e-mail me and I will get back to you as soon as I can.
Oh, by the way, thanks for Crynwr's Packet Drivers and thanks to GeoCities
for the free web site, for making this possible.
You may email me at keztoo@oocities.com or keztoo@yahoo.com