Microsoft Network Monitor is a deprecated network traffic capture and packet analyzer tool. It allows capturing, viewing, and analyzing network data and deciphering network protocols. It can troubleshoot network problems and applications on the network.
How to use Network Monitor
- Download Microsoft Network Monitor
- Perform the installation using the downloaded file.
- Open “Microsoft Network Monitor 3.4” and run as “administrator”
- Select the ethernet you want to capture by ticking it . If you have multiple ethernets, don’t select all ethernets. Choose only ethernets that you will capture network traffic from .
Other Interesting Articles
Getting Started Capture Network Traffic
- To capture network traffic, click the “New Capture” button and then click the “Start” button.
- You will see the traffic through the ethernet network you captured in the “Frame Summary” section.
- To focus more on analyzing the network, you can add filters. You can filter network traffic based on running applications, destination, port number and so on. For how to write and examples you can see at the end of this article.
Network Monitor Filtering
Network Monitor IPv4 Filtering
| Field/ Property | Description | Example |
| IPv4.Address | Filter on an address in either direction, source, or destination. | IPv4.Address==192.168.1.1 |
| IPv4.SourceAddress | Represents the source address and is useful for filtering for traffic from a specific source. | IPv4.SourceAddress==192.168.1.1 |
| IPv4.DestinationAddress | Represents the destination address and is useful for filtering for traffic to a specific destination. | IPv4.DestinationAddress==192.168.2.2 |
| IPv4.PayloadLength | The entire length of the IP payload. | IPv4.PayloadLength == 0 |
| Destination | Contains the topmost protocol’s source address. So if IPv4 is the last protocol with an address, property. Destination will contain the string representation of that address. This is the same property used to populate the Source column in the UI. | Destination==”192.168.2.2″ |
| Source | Similar to Destination | Source.Contains(“192.”) |
| IPPayloadLength | Represents the IP Payload Size in bytes | IPPayloadLength > 1000 |
Network Monitor Conversation Filtering
| Field/ Property | Description | Example |
| ProcessName | The process associated with the current frame. This is collected when Network Monitor 3.4 is used to capture a trace. If using NMCAP, you need to add the /CaptureProcesses. | ProcessName.Contains(“iexpl”) |
| ProcessID | The process ID associated with the current frame. This is collected when Network Monitor 3.4 is used to capture a trace. If using NMCAP, you need to add the /CaptureProcesses. | ProcessID == 1234 |
Network Monitor Wireless Filtering
| Field/ Property | Description | Example |
| Wifi.Address | Filter on an address in either direction, source, or destination. | Ethernet.Address==0x123456AABBCC |
| wifi.Management.SA | Represents the source address and is useful for filtering for traffic from a specific source. | wifi.Management.sA==0x123456AABBCC |
| wifi.Management.DA | Represents the destination address and is useful for filtering for traffic to a specific destination. | wifi.Management.DA==0x123456AABBCC |
| WiFi.MetaData.PhyType | The Physical Layer Type value. Each value represents a different layer. These are described in the WiFiPhyType table in wireless.npl. 4=a, 5=b, 6=g, and 7=n. | WiFi.MetaData.PhyType == 0x6 |
| property.WiFiDestination | Contains the top most protocols source address. So if Wi-Fi is the last protocol with an address, property. Destination will contain the string representation of that address. This is the same property used to populate the Source column in the UI. | WiFiDestination == 0xFFFFFFFFFFFF |
| property.WifiChannel | Wireless Channel | property.WifiChannel==14 |
| property.WiFiSource | Similar to Destination | WiFiSource == 0xFFFFFFFFFFFF |
| Destination | Contains the top most protocols source address. So if Wi-Fi is the last protocol with an address, property. Destination will contain the string representation of that address. This is the same property used to populate the Source column in the UI. | Destination.Contains(“123456”) |
| Source | Similar to Destination | Source.Contains(“123456”) |
