Logging detailed network activity on Windows Server 2008

Tags: logging, performance, performance-monitoring, windows-server-2008, windows-server-2008-r2

One of my clients is experiencing internet delays and outages within their small network. They've verified with their cable company that the issue is not related to any cable company outages. The concern has been raised that either there's too much network activity for their one server to handle, or their website might be getting attacked. Due to this, we'd like to start logging their main server's network activity.

This server has the following responsibilities:

  • DNS
  • Web Server hosting a public site
  • Hosts a WCF service that their "admin" desktop application heavily interacts with
  • Runs SQL Server 2008, which the WCF server and public website interact with

Goal:
Ideally, I'd like to log network bandwidth used by the processes, as I feel this would give a good handle on what services/software is eating too much bandwidth. I started looking at the native Windows Performance Monitor tool, but I can't figure out how to log the data to a file, and I'm wondering if there's a better [free] logging tool that will give details about how much bandwidth a given process is using.

Questions:

  1. How do I log the activity seen from the Performance Monitor tool (if possible)?

  2. Is there a better logging tool that will log how much bandwidth a given process is using?


Best Answer

Presumably "internet (sic) delays and outages" is referring to problems with PCs accessing websites. Assuming that this server is acting as the DNS server for PCs, its only material role in Internet access by PCs would be in name resolution.

The web server logs can give you some idea of the bandwidth being consumed by access to the website being hosted by this server computer. You certainly could use Performance Monitor, but I think it's the wrong tool for the job in this case. Regarding using Performance Monitor, a Data Collector Set is what you're looking for.

I think you'd be better off examining ingress/egress traffic at the firewall to ascertain if bandwidth there is being exhausted, packets are being dropped by policy, etc. Something like ntop or a Netflow probe is going to give you a breakdown on that traffic. I'd argue that you need visibility into the traffic at the firewall before you start spending time breaking that traffic down at the host level.

I'd suspect a PC with malware, a failing switch, or an overloaded firewall before I'd suspect the web server.
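For readers who still want the host-level logging the question asks for, the following is an added example (not code from the question or the answer above) of building the Data Collector Set the answer mentions from the command line with logman, and of summarizing the CSV it produces. The collector name "NetLog" and the folder C:\PerfLogs\NetLog are arbitrary assumptions. One caveat worth knowing before relying on it: Performance Monitor has no per-process "network bytes" counter on Windows Server 2008 / 2008 R2. The Process object's IO Data Bytes/sec lumps file, network and device I/O together, so it is only a rough per-process proxy; Resource Monitor (resmon.exe) shows per-process send/receive rates live and `netstat -bno` maps open connections to PIDs, but neither logs to a file.

```powershell
# Added example: a Performance Monitor Data Collector Set created with logman that logs
# interface-, protocol-, service- and per-process-level counters to CSV, plus a helper that
# summarizes a collected log. Not from the original post.
# Assumptions: collector name "NetLog" and folder C:\PerfLogs\NetLog are arbitrary choices;
# run from an elevated PowerShell prompt on the server itself (PowerShell 2.0 compatible).

$Name   = 'NetLog'
$OutDir = 'C:\PerfLogs\NetLog'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Counter paths to sample. There is no per-process network-bytes counter; the Process
# object's IO Data Bytes/sec includes file, network and device I/O together, so treat it
# only as a rough per-process proxy. The rest are host-, interface- or service-level.
$Counters = @(
    '\Network Interface(*)\Bytes Received/sec',
    '\Network Interface(*)\Bytes Sent/sec',
    '\Network Interface(*)\Packets Received Discarded',
    '\Network Interface(*)\Packets Outbound Discarded',
    '\TCPv4\Connections Established',
    '\TCPv4\Segments Retransmitted/sec',
    '\DNS\Total Query Received/sec',
    '\Web Service(_Total)\Bytes Total/sec',
    '\Web Service(_Total)\Current Connections',
    '\Process(*)\IO Data Bytes/sec'
)
$CounterFile = Join-Path $OutDir 'counters.txt'
$Counters | Set-Content -Path $CounterFile -Encoding ASCII

# Create the collector: sample every 15 s, write CSV, roll to a new file at 200 MB.
# This is the command-line equivalent of a "Performance Counter" Data Collector Set
# built in the PerfMon GUI (Data Collector Sets -> User Defined).
logman create counter $Name -cf $CounterFile -si 15 -f csv -o (Join-Path $OutDir $Name) -max 200

# Start logging. Stop later with:  logman stop NetLog   (remove with: logman delete NetLog)
logman start $Name

# Summarize a finished log: average and peak for every counter column.
# PDH CSV files put the timestamp in a column whose name starts with "(PDH-CSV 4.0)" and
# write a single space for samples that could not be read; both are skipped below.
function Get-CounterSummary {
    param([Parameter(Mandatory = $true)][string]$CsvPath)

    $rows = Import-Csv -Path $CsvPath
    $cols = $rows[0].PSObject.Properties | ForEach-Object { $_.Name } |
            Where-Object { $_ -notlike '(PDH-CSV*' }

    foreach ($col in $cols) {
        $vals = foreach ($r in $rows) {
            $v = $r.$col
            if ($v -ne $null -and $v.Trim() -ne '') { [double]$v }
        }
        if ($vals) {
            $stats = $vals | Measure-Object -Average -Maximum
            New-Object PSObject -Property @{
                Counter = $col
                Average = [math]::Round($stats.Average, 1)
                Peak    = [math]::Round($stats.Maximum, 1)
            }
        }
    }
}

# Usage once the collector has been stopped, e.g.:
#   Get-ChildItem "$OutDir\*.csv" | ForEach-Object { Get-CounterSummary $_.FullName } |
#       Sort-Object Peak -Descending | Format-Table Counter, Average, Peak -AutoSize
```

Read the summary with the answer's advice in mind: a high Packets Received Discarded or Segments Retransmitted/sec count points at the path (switch, firewall, uplink) rather than at this server, while a large Web Service Bytes Total/sec or Current Connections peak is the kind of evidence that justifies looking at the IIS logs and the firewall's flow data for the source of that traffic.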
