Capture Network Traffic with Microsoft Network Monitor
Microsoft Network Monitor is a deprecated network traffic capture and packet analyzer tool. It allows capturing, viewing, and analyzing network data and deciphering network protocols. It can troubleshoot network problems and applications on the network.
Perform the installation using the downloaded file.
Open “Microsoft Network Monitor 3.4” and run as “administrator”
Select the ethernet you want to capture by ticking it . If you have multiple ethernets, don’t select all ethernets. Choose only ethernets that you will capture network traffic from .
Getting Started Capture Network Traffic
To capture network traffic, click the “New Capture” button and then click the “Start” button.
You will see the traffic through the ethernet network you captured in the “Frame Summary” section.
To focus more on analyzing the network, you can add filters. You can filter network traffic based on running applications, destination, port number and so on. For how to write and examples you can see at the end of this article.
Filter on an address in either direction, source, or destination.
IPv4.Address==192.168.1.1
IPv4.SourceAddress
Represents the source address and is useful for filtering for traffic from a specific source.
IPv4.SourceAddress==192.168.1.1
IPv4.DestinationAddress
Represents the destination address and is useful for filtering for traffic to a specific destination.
IPv4.DestinationAddress==192.168.2.2
IPv4.PayloadLength
The entire length of the IP payload.
IPv4.PayloadLength == 0
Destination
Contains the topmost protocol’s source address. So if IPv4 is the last protocol with an address, property. Destination will contain the string representation of that address. This is the same property used to populate the Source column in the UI.
Destination==”192.168.2.2″
Source
Similar to Destination
Source.Contains(“192.”)
IPPayloadLength
Represents the IP Payload Size in bytes
IPPayloadLength > 1000
Network Monitor Conversation Filtering
Field/ Property
Description
Example
ProcessName
The process associated with the current frame. This is collected when Network Monitor 3.4 is used to capture a trace. If using NMCAP, you need to add the /CaptureProcesses.
ProcessName.Contains(“iexpl”)
ProcessID
The process ID associated with the current frame. This is collected when Network Monitor 3.4 is used to capture a trace. If using NMCAP, you need to add the /CaptureProcesses.
ProcessID == 1234
Network Monitor Wireless Filtering
Field/ Property
Description
Example
Wifi.Address
Filter on an address in either direction, source, or destination.
Ethernet.Address==0x123456AABBCC
wifi.Management.SA
Represents the source address and is useful for filtering for traffic from a specific source.
wifi.Management.sA==0x123456AABBCC
wifi.Management.DA
Represents the destination address and is useful for filtering for traffic to a specific destination.
wifi.Management.DA==0x123456AABBCC
WiFi.MetaData.PhyType
The Physical Layer Type value. Each value represents a different layer. These are described in the WiFiPhyType table in wireless.npl. 4=a, 5=b, 6=g, and 7=n.
WiFi.MetaData.PhyType == 0x6
property.WiFiDestination
Contains the top most protocols source address. So if Wi-Fi is the last protocol with an address, property. Destination will contain the string representation of that address. This is the same property used to populate the Source column in the UI.
WiFiDestination == 0xFFFFFFFFFFFF
property.WifiChannel
Wireless Channel
property.WifiChannel==14
property.WiFiSource
Similar to Destination
WiFiSource == 0xFFFFFFFFFFFF
Destination
Contains the top most protocols source address. So if Wi-Fi is the last protocol with an address, property. Destination will contain the string representation of that address. This is the same property used to populate the Source column in the UI.
