Network applications inevitably send data, known as packets, across a network interface. Though some third-party tools, such as WireShark, may offer a different experience, Microsoft Network Monitor has an easy-to-use interface and works very well.
Microsoft originally offered the Microsoft Network Monitor which was subsequently succeeded by the Microsoft Message Analyzer application. Unfortunately, Microsoft has discontinued the Microsoft Message Analyzer and removed its download links. Therefore, only the older Microsoft Network Monitor is available. In this article, we are going to see how to capture and inspect packets using the latest available version of Microsoft Network Monitor.
Capturing packets using Microsoft Network Monitor
First, install Microsoft Network Monitor, which can be downloaded here. Once installed, launch Microsoft Network Monitor and click on New Capture.
To begin monitoring, click on the Start button. This will instantly start the capture and you will see “conversations” starting to show up on the left-hand side. Microsoft Network Monitor will attempt to group a series of related packet transmissions into a “conversation” for easier viewing.
If you find that you get an error message saying no adapters are bound, then you should run Microsoft Network Monitor as an Administrator. Additionally, if you have just installed this, you may need to reboot.
As an example of the “conversation” view, the below processes were all grouped together to show the network traffic originating from each one.
Expanding any one of the plus signs will show you the specific set of “conversations” that the network monitor may have captured and grouped underneath a process.
Filtering packet traffic
With the sheer quantity of network traffic that normally crosses the line, it is often necessary to filter out the data to just show the necessary traffic. One example of using a filter, is the DnsAllNameQuery, under the DNS section of Standard Filters. After selecting this filter, and clicking on Apply, only DNS queries will be shown.
Creating filters, or modifying the built-in filters, is flexible and easy. Within the Display Filter field, there are several ways to construct filters. By entering in a Protocol Name and following that by a . (period), you will see an auto-complete of possible field values to compare. Using the standard comparison operator of ==, we can see if certain values are equal. We can even create multi-expressions using logic operators such as and and or. An example of what this looks like is below.
DNS.QuestionCount AND DNS.ARecord.TimeToLive == 14
There are a few methods as well that are available, such as contains() and UINT8(). Using the contains method below to filter out DNS records contain the text "google.com" and a
DNS.QuestionCount AND DNS.ARecord.TimeToLive == 14 AND DNS.QRecord.QuestionName.contains("google.com")
Practical filter examples
Some practical examples, beyond what the default built-in ones are, go a long way to helping you understand how to get to just the useful data you need.
Filtering by port number
It is often easiest to filter by a specific port, such as 8080 or 8443, as shown below.
// Filter by TCP Port Number tcp.port == 80 OR Payloadheader.LowerProtocol.port == 80 tcp.port == 443 OR Payloadheader.LowerProtocol.port == 443
TCP frames that have been fragmented are reassembled and inserted into a new frame in the trace that contains a special header named, Payloadheader. By looking for both, we can make sure we are collecting the entire stream.
Find SSL negotiation frames
Despite not being able to decrypt SSL traffic, it can be important to find out what SSL connection attempts have been made. As shown below, this filter will display those attempts.
// Filter by SSL Handshake TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType == 0x1
Find TCP retransmits and SYN retransmits
To troubleshoot file upload and download problems, you can look to see if many retransmissions are occurring that could be impacting performance.
Property.TCPRetransmit == 1 || Property.TCPSynRetransmit == 1
Make sure you have conversations turned on. This filter depends on that functionality.
Microsoft Network Monitor thrives in troubleshooting
Though Microsoft has opted to discontinue or deprecate their internally created tools, those tools still thrive. There are plenty of others, such as WireShark, but Microsoft Network Monitor still makes it quite easy to parse and understand the packet information that is captured. With a simple interface encapsulating advanced functionality, using Microsoft Network Monitor is a powerful tool for troubleshooting.