Microsoft Network Monitor is a deprecated network traffic capture and packet analyzer tool. It allows capturing, viewing, and analyzing network data and deciphering network protocols. It can troubleshoot network problems and applications on the network.
Table of Contents
Other Interesting Articles
How to use Network Monitor
- Download Microsoft Network Monitor
- Perform the installation using the downloaded file.
- Open “Microsoft Network Monitor 3.4” and run as “administrator”
- Select the ethernet you want to capture by ticking it . If you have multiple ethernets, don't select all ethernets. Choose only ethernets that you will capture network traffic from .
Getting Started Capture Network Traffic
- To capture network traffic, click the “New Capture” button and then click the “Start” button.
- You will see the traffic through the ethernet network you captured in the “Frame Summary” section.
- To focus more on analyzing the network, you can add filters. You can filter network traffic based on running applications, destination, port number and so on. For how to write and examples you can see at the end of this article.
Network Monitor Filtering
Network Monitor IPv4 Filtering
|IPv4.Address||Filter on an address in either direction, source, or destination.||IPv4.Address==192.168.1.1|
|IPv4.SourceAddress||Represents the source address and is useful for filtering for traffic from a specific source.||IPv4.SourceAddress==192.168.1.1|
|IPv4.DestinationAddress||Represents the destination address and is useful for filtering for traffic to a specific destination.||IPv4.DestinationAddress==192.168.2.2|
|IPv4.PayloadLength||The entire length of the IP payload.||IPv4.PayloadLength == 0|
|Destination||Contains the topmost protocol's source address. So if IPv4 is the last protocol with an address, property. Destination will contain the string representation of that address. This is the same property used to populate the Source column in the UI.||Destination==”192.168.2.2″|
|Source||Similar to Destination||Source.Contains(“192.”)|
|IPPayloadLength||Represents the IP Payload Size in bytes||IPPayloadLength > 1000|
Network Monitor Conversation Filtering
|ProcessName||The process associated with the current frame. This is collected when Network Monitor 3.4 is used to capture a trace. If using NMCAP, you need to add the /CaptureProcesses.||ProcessName.Contains(“iexpl”)|
|ProcessID||The process ID associated with the current frame. This is collected when Network Monitor 3.4 is used to capture a trace. If using NMCAP, you need to add the /CaptureProcesses.||ProcessID == 1234|
|Wifi.Address||Filter on an address in either direction, source, or destination.||Ethernet.Address==0x123456AABBCC|
|wifi.Management.SA||Represents the source address and is useful for filtering for traffic from a specific source.||wifi.Management.sA==0x123456AABBCC|
|wifi.Management.DA||Represents the destination address and is useful for filtering for traffic to a specific destination.||wifi.Management.DA==0x123456AABBCC|
|WiFi.MetaData.PhyType||The Physical Layer Type value. Each value represents a different layer. These are described in the WiFiPhyType table in wireless.npl. 4=a, 5=b, 6=g, and 7=n.||WiFi.MetaData.PhyType == 0x6|
|property.WiFiDestination||Contains the top most protocols source address. So if Wi-Fi is the last protocol with an address, property. Destination will contain the string representation of that address. This is the same property used to populate the Source column in the UI.||WiFiDestination == 0xFFFFFFFFFFFF|
|property.WiFiSource||Similar to Destination||WiFiSource == 0xFFFFFFFFFFFF|
|Destination||Contains the top most protocols source address. So if Wi-Fi is the last protocol with an address, property. Destination will contain the string representation of that address. This is the same property used to populate the Source column in the UI.||Destination.Contains(“123456”)|
|Source||Similar to Destination||Source.Contains(“123456”)|
Network Monitor TCP Filtering
|TCP.Port||Filters on the Source or Destination port. Used to find traffic based on port, which is often associated with an application.||TCP.Port==80|
|TCP.Flags.Reset||Can test and see if the reset flag is set.||TCP.Flags.Reset==1|
|TCP.Window||Window Size of the current TCP frame, but ignoring the scale factor. See Property.TCPWindowSize below.||TCP.Window == 0|
|TCPRetransmit||A property that is set when a TCP retransmit is found. Retransmits indicate a network infrastructure problem and network congestion.||Property.TCPRetransmit == 1|
|TCPPayloadLength||Represents the TCP Payload Size.||TCPPayloadLength == 0|
|TCPCheckSumStatus||This is a string that represents if the checksum is valid or not. This could be “Good” or “Bad”.||TCPCheckSumStatus != “Good”|
|TCPDescription||A property to show the TCP Description for the current frame as opposed to the top most protocol description. This is useful as a frame summary column. You can also use it to search for specific retransmitted frames by searching for the text in the TCP summary, as the example shows.||TCPDescription.Contains(“#472”)|
|TCPAckNumber||The current frame's Acknowledgement Number||TCPAckNumber==1234|
|TCPSeqNumber||The current frame's Sequence Number||TCPSeqNumber==1234|
|TCPSeqeunceRange||The TCP Sequence range, as a string, which is the current seq number to the current seq plus the length of the TCP payload.||TCPSequenceRange.Contains(“1234”)|
|TCPShortAckNumber||A WORD representation of the Ack number to make it easy to compare and remember.||TCPShortAckNumber==1000|
|TCPShortSeqNumber||A WORD representation of the Seq number to make it easy to compare and remember.||TCPShortSeqNumber==1000|
|TCPFlags||A string representation of the various TCP flags for the frame: CWR, ECE, Urgent, Ack, Push, Reset, Syn, Fin.||TCPFlags.Contains(“R”)|
|TCPWindowSize||The Window Size for the current frame, including the scaling factor if the 3-way handshake is available in the same trace.||TCPWindowSize==0|