Microsoft Network Monitor is a deprecated network traffic capture and packet analyzer tool. It allows capturing, viewing, and analyzing network data and decoding network protocols. It can be used to troubleshoot network problems and the applications that communicate over the network.
Select the Ethernet adapter you want to capture from by ticking it. If you have multiple adapters, don't select all of them; choose only the adapters whose network traffic you want to capture.
Getting Started Capture Network Traffic
To start capturing network traffic, click the “New Capture” button and then click the “Start” button.
You will see the traffic on the Ethernet adapter you selected in the "Frame Summary" section.
To focus your analysis, you can add filters. You can filter network traffic by the running application, destination address, port number, and so on. The filter syntax and examples are given at the end of this article.
Network Monitor IPv4 Filtering

| Field/Property | Description | Example |
|---|---|---|
| IPv4.Address | Filter on an address in either direction, source or destination. | IPv4.Address==192.168.1.1 |
| IPv4.SourceAddress | Represents the source address and is useful for filtering for traffic from a specific source. | IPv4.SourceAddress==192.168.1.1 |
| IPv4.DestinationAddress | Represents the destination address and is useful for filtering for traffic to a specific destination. | IPv4.DestinationAddress==192.168.2.2 |
| IPv4.PayloadLength | The entire length of the IP payload. | IPv4.PayloadLength == 0 |
| Destination | Contains the topmost protocol's destination address. So if IPv4 is the last protocol with an address, Property.Destination will contain the string representation of that address. This is the same property used to populate the Destination column in the UI. | Destination=="192.168.2.2" |
| Source | Similar to Destination, but for the source address. | Source.Contains("192.") |
| IPPayloadLength | Represents the IP payload size in bytes. | IPPayloadLength > 1000 |
Network Monitor Conversation Filtering

| Field/Property | Description | Example |
|---|---|---|
| ProcessName | The process associated with the current frame. This is collected when Network Monitor 3.4 is used to capture a trace. If using NMCAP, you need to add the /CaptureProcesses switch. | ProcessName.Contains("iexpl") |
| ProcessID | The process ID associated with the current frame. This is collected when Network Monitor 3.4 is used to capture a trace. If using NMCAP, you need to add the /CaptureProcesses switch. | ProcessID == 1234 |
Network Monitor Wireless Filtering

| Field/Property | Description | Example |
|---|---|---|
| WiFi.Address | Filter on an address in either direction, source or destination. | WiFi.Address==0x123456AABBCC |
| WiFi.Management.SA | Represents the source address and is useful for filtering for traffic from a specific source. | WiFi.Management.SA==0x123456AABBCC |
| WiFi.Management.DA | Represents the destination address and is useful for filtering for traffic to a specific destination. | WiFi.Management.DA==0x123456AABBCC |
| WiFi.MetaData.PhyType | The physical layer type value. Each value represents a different PHY. These are described in the WiFiPhyType table in wireless.npl: 4=a, 5=b, 6=g, and 7=n. | WiFi.MetaData.PhyType == 0x6 |
| Property.WiFiDestination | Contains the topmost protocol's destination address. So if WiFi is the last protocol with an address, Property.WiFiDestination will contain the string representation of that address. This is the same property used to populate the Destination column in the UI. | WiFiDestination == 0xFFFFFFFFFFFF |
| Property.WiFiChannel | Wireless channel. | WiFiChannel==14 |
| Property.WiFiSource | Similar to WiFiDestination, but for the source address. | WiFiSource == 0xFFFFFFFFFFFF |
| Destination | Contains the topmost protocol's destination address. So if WiFi is the last protocol with an address, Property.Destination will contain the string representation of that address. This is the same property used to populate the Destination column in the UI. | Destination.Contains("123456") |
| Source | Similar to Destination, but for the source address. | Source.Contains("123456") |
Network Monitor TCP Filtering

| Field/Property | Description | Example |
|---|---|---|
| TCP.Port | Filters on the source or destination port. Used to find traffic based on port, which is often associated with an application. | TCP.Port==80 |
| TCP.Flags.Reset | Can be used to test whether the reset flag is set. | TCP.Flags.Reset==1 |
| TCP.Window | Window size of the current TCP frame, ignoring the scale factor. See Property.TCPWindowSize below. | TCP.Window == 0 |
| TCPRetransmit | A property that is set when a TCP retransmit is found. Retransmits are often an indication of a network infrastructure problem or network congestion. | Property.TCPRetransmit == 1 |
| TCPPayloadLength | Represents the TCP payload size. | TCPPayloadLength == 0 |
| TCPCheckSumStatus | A string that represents whether the checksum is valid or not. This can be "Good" or "Bad". | TCPCheckSumStatus != "Good" |
| TCPDescription | A property to show the TCP description for the current frame, as opposed to the topmost protocol's description. This is useful as a frame summary column. You can also use it to search for specific retransmitted frames by searching for the text in the TCP summary, as the example shows. | TCPDescription.Contains("#472") |
| TCPAckNumber | The current frame's acknowledgement number. | TCPAckNumber==1234 |
| TCPSeqNumber | The current frame's sequence number. | TCPSeqNumber==1234 |
| TCPSequenceRange | The TCP sequence range, as a string, which runs from the current sequence number to the current sequence number plus the length of the TCP payload. | TCPSequenceRange.Contains("1234") |
| TCPShortAckNumber | A WORD representation of the ack number, to make it easy to compare and remember. | TCPShortAckNumber==1000 |
| TCPShortSeqNumber | A WORD representation of the seq number, to make it easy to compare and remember. | TCPShortSeqNumber==1000 |
| TCPFlags | A string representation of the various TCP flags for the frame: CWR, ECE, Urgent, Ack, Push, Reset, Syn, Fin. | TCPFlags.Contains("R") |
| TCPWindowSize | The window size for the current frame, including the scaling factor if the 3-way handshake is available in the same trace. | |
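The tables above give single-term filters; in practice you combine them with && and ||, for example to isolate resets or retransmits from one host on one port. The following added example (not Network Monitor's own code) is a small Python evaluator for that subset of the filter syntax (comparisons, .Contains(), the optional Property. prefix, IPv4.Address matching either direction) run over three constructed frames, so you can check what a compound filter selects before applying it in the UI.

```python
import operator
import re

# Constructed sample frames (not a real capture), keyed by the field/property
# names used in the tables above.
FRAMES = [
    {"IPv4.SourceAddress": "192.168.1.1", "IPv4.DestinationAddress": "192.168.2.2",
     "TCP.Port": 80, "TCP.Flags.Reset": 0, "TCPRetransmit": 0, "ProcessName": "iexplore.exe"},
    {"IPv4.SourceAddress": "10.0.0.5", "IPv4.DestinationAddress": "192.168.1.1",
     "TCP.Port": 443, "TCP.Flags.Reset": 1, "TCPRetransmit": 0, "ProcessName": "chrome.exe"},
    {"IPv4.SourceAddress": "192.168.1.1", "IPv4.DestinationAddress": "10.0.0.5",
     "TCP.Port": 443, "TCP.Flags.Reset": 0, "TCPRetransmit": 1, "ProcessName": "chrome.exe"},
]

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}
CMP = re.compile(r'^([\w.]+)\s*(==|!=|>=|<=|>|<)\s*"?([^"]*)"?$')
CONTAINS = re.compile(r'^([\w.]+)\.Contains\("([^"]*)"\)$')

def field(frame, name):
    """Look up a field case-insensitively; the "Property." prefix is optional,
    and IPv4.Address matches either direction (source or destination)."""
    name = name.lower()
    if name.startswith("property."):
        name = name[len("property."):]
    if name == "ipv4.address":
        return {frame.get("IPv4.SourceAddress"), frame.get("IPv4.DestinationAddress")}
    return next((v for k, v in frame.items() if k.lower() == name), None)

def eval_term(term, frame):
    """Evaluate one comparison or .Contains() term against a frame."""
    term = term.strip()
    if m := CONTAINS.match(term):
        val = field(frame, m.group(1))
        return val is not None and m.group(2) in str(val)
    if m := CMP.match(term):
        name, op, raw = m.groups()
        val = field(frame, name)
        if isinstance(val, set):            # either-direction address: == / != only
            return (raw in val) == (op == "==")
        if val is None:
            return False
        rhs = int(raw, 0) if isinstance(val, int) else raw   # base 0 accepts 0x.. literals
        return OPS[op](val, rhs)
    raise ValueError(f"unsupported filter term: {term!r}")

def apply_filter(expr, frames=FRAMES):
    """Return the indexes of frames matching terms joined by && (and) / || (or).
    && binds tighter than ||; parentheses are not supported in this toy evaluator."""
    def matches(frame):
        return any(all(eval_term(t, frame) for t in clause.split("&&"))
                   for clause in expr.split("||"))
    return [i for i, f in enumerate(frames) if matches(f)]
```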