How to capture and inspect network packets in Windows

Network applications inevitably send data, known as packets, across a network interface. Though some third-party tools, such as WireShark, may offer a different experience, Microsoft Network Monitor has an easy-to-use interface and works very well.

Microsoft originally offered the Microsoft Network Monitor which was subsequently succeeded by the Microsoft Message Analyzer application. Unfortunately, Microsoft has discontinued the Microsoft Message Analyzer and removed its download links. Therefore, only the older Microsoft Network Monitor is available. In this article, we are going to see how to capture and inspect packets using the latest available version of Microsoft Network Monitor.

Capturing packets using Microsoft Network Monitor

First, install Microsoft Network Monitor, which can be downloaded here. Once installed, launch Microsoft Network Monitor and click on New Capture.

Viewing the Microsoft Network Monitor start page
Viewing the Start Page

To begin monitoring, click on the Start button. This will instantly start the capture and you will see “conversations” starting to show up on the left-hand side. Microsoft Network Monitor will attempt to group a series of related packet transmissions into a “conversation” for easier viewing.

Viewing a Microsoft Network Monitor New Capture screen before it has started capturing
Viewing a New Capture screen before it has started capturing

If you find that you get an error message saying no adapters are bound, then you should run Microsoft Network Monitor as an Administrator. Additionally, if you have just installed this, you may need to reboot.

As an example of the “conversation” view, the below processes were all grouped together to show the network traffic originating from each one.

Viewing Network Conversations
Viewing Network Conversations

Expanding any one of the plus signs will show you the specific set of “conversations” that the network monitor may have captured and grouped underneath a process.

Filtering packet traffic

With the sheer quantity of network traffic that normally crosses the line, it is often necessary to filter out the data to just show the necessary traffic. One example of using a filter, is the DnsAllNameQuery, under the DNS section of Standard Filters. After selecting this filter, and clicking on Apply, only DNS queries will be shown.

Viewing the DnsAllNameQuery Filter
Viewing the DnsAllNameQuery Filter

Building filters

Creating filters, or modifying the built-in filters, is flexible and easy. Within the Display Filter field, there are several ways to construct filters. By entering in a Protocol Name and following that by a . (period), you will see an auto-complete of possible field values to compare. Using the standard comparison operator of ==, we can see if certain values are equal. We can even create multi-expressions using logic operators such as and and or. An example of what this looks like is below.

DNS.QuestionCount AND
DNS.ARecord.TimeToLive == 14

There are a few methods as well that are available, such as contains() and UINT8(). Using the contains method below to filter out DNS records contain the text “google.com” and a TimeToLive of 14.

DNS.QuestionCount AND
DNS.ARecord.TimeToLive == 14 AND
DNS.QRecord.QuestionName.contains("google.com")

Practical filter examples

Some practical examples, beyond what the default built-in ones are, go a long way to helping you understand how to get to just the useful data you need.

Filtering by port number

It is often easiest to filter by a specific port, such as 8080 or 8443, as shown below.

// Filter by TCP Port Number
tcp.port == 80 OR Payloadheader.LowerProtocol.port == 80
tcp.port == 443 OR Payloadheader.LowerProtocol.port == 443

TCP frames that have been fragmented are reassembled and inserted into a new frame in the trace that contains a special header named, Payloadheader. By looking for both, we can make sure we are collecting the entire stream.

Find SSL negotiation frames

Despite not being able to decrypt SSL traffic, it can be important to find out what SSL connection attempts have been made. As shown below, this filter will display those attempts.

// Filter by SSL Handshake
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType == 0x1

Find TCP retransmits and SYN retransmits

To troubleshoot file upload and download problems, you can look to see if many retransmissions are occurring that could be impacting performance.

Property.TCPRetransmit == 1 || Property.TCPSynRetransmit == 1

Make sure you have conversations turned on. This filter depends on that functionality.

Microsoft Network Monitor thrives in troubleshooting

Though Microsoft has opted to discontinue or deprecate their internally created tools, those tools still thrive. There are plenty of others, such as WireShark, but Microsoft Network Monitor still makes it quite easy to parse and understand the packet information that is captured. With a simple interface encapsulating advanced functionality, using Microsoft Network Monitor is a powerful tool for troubleshooting.

Similar Blog Posts
Business | December 2, 2024
Business | November 12, 2024
Technical | October 25, 2024
Stay up to date on the latest tips and news
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam’s Privacy Policy
You're all set!
Watch your inbox for our weekly blog updates.
OK