Network Monitor (and other sniffers) is a tool that provides insight to what really happens on a
network, it will display the raw data that is sent over a network. By viewing this data, a system administrator
or a network administrator can gain insight as to what is happening in the background – on the network.
This insight is significant when troubleshooting a problem that is network related, especially when the
software involved does not provide any indication of the problem that is plaguing it.
It is odd that yet the majority of people I know have a tendency to shy away from sniffers if they don’t have
in-depth networking knowledge. In my opinion, intricate knowledge of a protocol is beneficial yet when
troubleshooting an issues most system/network administrator’s will gain valuable information by using a sniffer.
Recently, I had to troubleshoot an FTP session that just seemed to freeze (no error messages could be found).
By using Network Monitor and analyzing the FTP sessions I was able to identify the issue by examining an
error message inside the protocol that was not relayed by the software.
Network Monitor History and Basics
Up until the release of Network Monitor 3.0, the tool had two versions:
- Bundled with a Microsoft server operating system – NM was not installed by default and could only
capture data that was sent from it or was addressed to it (this also included broadcast traffic).
- SMS version – The major advantage this version has is it’s ability to capture all data that the system
“hears” (a.k.a promiscuous mode).
Network Monitor 3.0 is no longer bundled with Windows 2008(at the time of writing this post), it can be downloaded at:
After installing NM3, the user is greeted with the “Start Page”:
There are several interesting points worth mentioning here:
- The page is divided into three parts:
- The top left part has two buttons that enable the creation of capture or the viewing of a capture file.
The third point of interest here is the checkbox before the sentence saying “Enable Conversations” (disabled
Conversations are a new and interesting feature, once enabled, NM3 will try to provide the user with filters based
on network conversation between two hosts for a specific purpose (a DNS query). More on this subject later.
- On the bottom left the user can choose which network interface will be used for capturing the data and wether
the NIC will be used in p-mode (promiscuous mode) or not(capturing only traffic destined to it or coming from it and
- The right half provides general information about NM3.
- The top left part has two buttons that enable the creation of capture or the viewing of a capture file.
- Tabs- NM3 allows the user to initiate several captures and view them simultaneously by using tabs. Each tab is a different
capture. As you can see in the screenshot above,I have three captures, two active and one inactive (lights represent the
- Parsers tab- The parsers tab provides a glimpse to the inner workings of NMS3. Each protocol that is “identified” by NM3,
Thus displayed with the correct fields, is defined by a parser. If a specific protocol has no parser it’s information will be
be displayed by NM3 as raw data.
Creating a data capture tab
Once you are ready to use NM3 you should create a data capture tab by pressing the button appropriately called “Create a
new capture tab…”. Once the button is pressed a new tab is created but no data is captured yet.
The capture tab has the following points of interest:
- Left window (Network Conversation) – The conversation window, provides details about specific conversations
and enables the filtering of data based on those conversations.
- Top right (Filters and Masks) – Provides the user with the ability to define filters and to mask information by
- Middle right (Frame Summary) – Provides the capture information formatted in a structure where each frame is a line.
This is intended to be a summary of the frame. The columns to be displayed can be configured to the level of specific
fields inside specific protocols.
- Bottom left (Frame Details) – The details of a specific frame, or in other words each field of the protocols captured inside
a specific frame(based on the structure that the parser dictates).
- Bottom right (Hex Details) – The raw data as captured.
After all the theory and explanations lets get into it. I will start by capturing data and then explaining how each window can
be used in order to understand the capture.
I will create the following data:
- A DNS query (www.microsoft.com)
- Ping a remote system (10.0.0.2) (DC01)
- My systems IP address is 10.0.0.4 (CORE)
After creating the capture tab to start capturing data all that needs to be done is to press the green play button the toolbar.
Once NM3 started capturing I initiated the traffic and the result I received can be seen in the following screenshot:
After looking at the previous screenshot, needle in a hay stack comes to mind… So to find the traffic we are
looking for we have to start filtering. This can be done using several methods, the simplest is to use conversations.
As mentioned earlier conversations are classifications of captured data into coherent pieces of information.
Think about being in a room full of people that are talking to each other, it would be relatively hard to understand the
conversations they are conducting if you tried to listen to every conversation simultaneously. In this case it would be beneficial
if you could isolate each conversation and listen to it separately.
That is exactly what NM3 conversations do for you.
The conversations window is built around an inverted tree, this tree has two branches:
- My Traffic- Shows only traffic either initiated by the local system or intended to it.
- Other traffic – If p-mode is enabled this will show other conversations on the network (based on the physical
environment you are connected to you may need port mirroring enabled on the switch).
Under each branch, each conversation between a pair of computers is given a specific conversation ID. Each conversation
can branch out to a more specific conversations on specific subjects (IP>UDP>DNS). Lets take a look at our example:
As you can see the under “My Traffic” there are several conversations. The one that interest us is the one with the ID of
4. This conversation is between our system (10.0.0.4) and a remote system (10.0.0.2) using IPv4. Inside this conversation
several specific conversations exist. One of them was created by our DNS query for ‘www.microsoft.com’.
When we look at the sub-conversation with the ID of 12 (or 4:12) and then further drill down to 13 (4:12:13) we find our
query and the reply to it (this is evident from looking at the ‘Frame Summary’ and ‘Frame Details’ Windows.
Filters are a more flexible method for focusing you view on a specific part of the captured traffic. With filters,you can limit
the information that is presented to you at a very granular level – you can choose to filter your view based upon any field
inside a specific protocol parsed by NM3.
There are two types of filters in NM3:
- Display Filters – By defining such a filter, only the data that matches the filter will be displayed.
- Capture Filters – By defining such a filter, only the data that matches the filter will be captured.
To allow the filtering mechanism maximum flexibility the process of defining filters has become a bit more complex.
Do not be alarmed though, once the basics are learned it is relatively very simple to use them. The three main methods
for creating filters are:
- Standard Filters
- Right Click Filtering
Standard filters are predefined filters which can be customized to fit your needs. You can choose these predefined
filters by pushing the button with the yellow folder and green arrow. Then you can choose from the standard filters.
Once you have chosen a specific filter, it is placed in the filter windows and you can edit it (the ‘//’ prefix is used
Once you have customized the filter you can verify it’s syntax by pressing on the button that says ‘verify’. If the
syntax is correct you will receive a green checkmark at the left of the screen.
At this stage you are ready to apply the filter by pressing the ‘Apply’ button.
In the following example I will filter the capture to display only information originating from 220.127.116.11:
Right Click Filtering
Right click filtering is (in my opinion) the simplest method. Once you have your capture, you can right click a specific
piece of information upon which you wish to base your filter,choose ‘Copy Cell as Filter’ and then paste it into the filter
In the following example I will try to achieve the same results we have achieved in the previous example.
Note that even though the syntax differs, the results are the same. In other words there are several ways to reach
a specific result.
Manual (or using Intelisense)
You can configure filters manually simply by writing them. The interesting part here is the ability to use Intelisense.
Intellisense enables you to start a specific phrase and have the system offer you with alternatives.
To start Intellisense you can start by entering a period (.). Once you are done you will be offered with possible verbs.
To follow up our previous examples, choose ‘Protocol’, then period again, choose IPv4, period, SourceAddress,then
the equal mark (twice) and the IP address. Apply the filter.
Building a complex filter (or defining several conditions)
In order to fine tune a specific filter, you can combine several conditions in a specific filter using the AND (&&) and OR (||)
logical operators. As an example, lets try to find the traffic originating from 10.0.0.2 (DC01) that is DNS related.
To further complicate matters we would like to use our previous filter but we would also like to identify ICMP traffic originating
from 10.0.0.2 (DC01).
If you are paying attention, you must have noticed that the previous screenshot is incorrect. The screenshot show traffic that
originates from additional hosts (we wanted to see DNS and ICMP traffic originating from 10.0.0.2 only).
If we look at the filter we have built we should be able to identify our error:
.Protocol.IPv4.SourceAddress==10.0.0.2 AND .Protocol.DNS OR .Protocol.ICMP
When evaluating the condition, the result achieved is one of a system with the address of 10.0.0.2 using DNS or any system
To be able to receive the result we are looking for we can use parentheses in the following manner:
.Protocol.IPv4.SourceAddress==10.0.0.2 AND (.Protocol.DNS OR .Protocol.ICMP)
This post is not intended to be an all inclusive document about NM3. I have tried to described the features that are used most
frequently. There are additional options (saving filters, defining aliases, wireless and using additional filtering verbs) that might come handy
and you might want to explore.
The huge advantage of being able to use NM3 or a similar tool is that you have the ability to see beyond standard error messages (that
may or may not exist). As mentioned earlier, knowledge of protocol structure is and function is very beneficial but it is not a must (seeing
an error is seeing an error).
When you tackle a problem, using NM3 you may be able to identify it’s root by using the following principles:
- Identify the failing process
- Start capturing traffic with NM3
- Initiate the failing process
- After ample time stop the capture
- Filter the output and search the results for meaningful information