A Guide to Network Monitor 3.1

Network Monitor (and other sniffers) is a tool that provides insight to what really happens on a
network, it will display the raw data that is sent over a network. By viewing this data, a system administrator
or a network administrator can gain insight as to what is happening in the background – on the network.

This insight is significant when troubleshooting a problem that is network related, especially when the
software involved does not provide any indication of the problem that is plaguing it.
It is odd that yet the majority of people I know have a tendency to shy away from sniffers if they don’t have
in-depth networking knowledge. In my opinion, intricate knowledge of a protocol is beneficial yet when
troubleshooting an issues most system/network administrator’s will gain valuable information by using a sniffer.

Recently, I had to troubleshoot an FTP session that just seemed to freeze (no error messages could be found).
By using Network Monitor and analyzing the FTP sessions I was able to identify the issue by examining an
error message inside the protocol that was not relayed by the software.


Network Monitor History and Basics

Up until the release of Network Monitor 3.0, the tool had two versions:

  1. Bundled with a Microsoft server operating system – NM was not installed by default and could only
    capture data that was sent from it or was addressed to it (this also included broadcast traffic).
  2. SMS version – The major advantage this version has is it’s ability to capture all data that the system
    “hears” (a.k.a promiscuous mode).

Network Monitor 3.0 is no longer bundled with Windows 2008(at the time of writing this post), it  can be downloaded at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en


Functional overview

After installing NM3, the user is greeted with the “Start Page”:
image

There are several interesting points worth mentioning here:

  1. The page is divided into three parts:
    1. The top left part has two buttons that enable the creation of capture or the viewing of a capture file.
      The third point of interest here is the checkbox before the sentence saying “Enable Conversations” (disabled
      by default).
      Conversations are a new and interesting feature, once enabled, NM3 will try to provide the user with filters based
      on network conversation between two hosts for a specific purpose (a DNS query). More on this subject later.
    2. On the bottom left the user can choose which network interface will be used for capturing the data and wether
      the NIC will be used in p-mode (promiscuous mode) or not(capturing only traffic destined to it or coming from it and
      broadcasts).
    3. The right half provides general information about NM3.
  2. Tabs- NM3 allows the user to initiate several captures and view them simultaneously by using tabs. Each tab is a different
    capture. As you can see in the screenshot above,I have three captures, two active and one inactive (lights represent the
    status).
  3. Parsers tab- The parsers tab provides a glimpse to the inner workings of NMS3. Each protocol that is “identified” by NM3,
    Thus displayed with the correct fields, is defined by a parser. If a specific protocol has no parser it’s information will be
    be displayed by NM3 as raw data.


Creating a data capture tab

Once you are ready to use NM3 you should create a data capture tab by pressing the button appropriately called “Create a
new capture tab…”. Once the button is pressed a new tab is created but no data is captured yet.
image

The capture tab has the following points of interest:

  1. Left window (Network Conversation) – The conversation window, provides details about specific conversations
    and enables the filtering of data based on those conversations.
  2. Top right (Filters and Masks) – Provides the user with the ability to define filters and to mask information by
    defining aliases.
  3. Middle right (Frame Summary) – Provides the capture information formatted in a structure where each frame is a line.
    This is intended to be a summary of the frame. The columns to be displayed can be configured to the level of specific
    fields inside specific protocols.
  4. Bottom left (Frame Details) – The details of a specific frame, or in other words each field of the protocols captured inside
    a specific frame(based on the structure that the parser dictates).
  5. Bottom right (Hex Details) – The raw data as captured.


Capturing data

After all the theory and explanations lets get into it. I will start by capturing data and then explaining how each window can
be used in order to understand the capture.
I will create the following data:

  1. A DNS query (www.microsoft.com)
  2. Ping a remote system (10.0.0.2) (DC01)
  3. My systems IP address is 10.0.0.4 (CORE)

After creating the capture tab to start capturing data all that needs to be done is to press the green play button the toolbar.
Once NM3 started capturing I initiated the traffic and the result I received can be seen in the following screenshot:
image


Conversations

After looking at the previous screenshot, needle in a hay stack comes to mind… So to find the traffic we are
looking for we have to start filtering. This can be done using several methods, the simplest is to use conversations.
As mentioned earlier conversations are classifications of captured data into coherent pieces of information.
Think about being in a room full of people that are talking to each other, it would be relatively hard to understand the
conversations they are conducting if you tried to listen to every conversation simultaneously. In this case it would be beneficial
if you could isolate each conversation and listen to it separately.
That is exactly what NM3 conversations do for you.

The conversations window is built around an inverted tree, this tree has two branches:

  1. My Traffic- Shows only traffic either initiated by the local system or intended to it.
  2. Other traffic – If p-mode is enabled this will show other conversations on the network (based on the physical
    environment you are connected to you may need port mirroring enabled on the switch).

Under each branch, each conversation between a pair of computers is given a specific conversation ID. Each conversation
can branch out to a more specific conversations on specific subjects (IP>UDP>DNS). Lets take a look at our example:

image

As you can see the under “My Traffic” there are several conversations. The one that interest us is the one with the ID of
4. This conversation is between our system (10.0.0.4) and a remote system (10.0.0.2) using IPv4. Inside this conversation
several specific conversations exist. One of them was created by our DNS query for ‘www.microsoft.com’.
When we look at the sub-conversation with the ID of 12 (or 4:12) and then further drill down to 13 (4:12:13) we find our
query and the reply to it (this is evident from looking at the ‘Frame Summary’ and ‘Frame Details’ Windows.

 

Using Filters

Filters are a more flexible method for focusing you view on a specific part of the captured traffic. With filters,you can limit
the information that is presented to you at a very granular level – you can choose to filter your view based upon any field
inside a specific protocol parsed by NM3. 

There are two types of filters in NM3:

  1. Display Filters – By defining such a filter, only the data that matches the filter will be displayed.
  2. Capture Filters – By defining such a filter, only the data that matches the filter will be captured

To allow the filtering mechanism maximum flexibility the process of defining filters has become a bit more complex.
Do not be alarmed though, once the basics are learned it is relatively very simple to use them. The three main methods
for creating filters are:

  1. Standard Filters
  2. Right Click Filtering
  3. Manual


Standard Filters

Standard filters are predefined filters which can be customized to fit your needs. You can choose these predefined
filters by pushing the button with the yellow folder and green arrow. Then you can choose from the standard filters.
Once you have chosen a specific filter, it is placed in the filter windows and you can edit it (the ‘//’ prefix is used
for comments).
Once you have customized the filter you can verify it’s syntax by pressing on the button that says ‘verify’. If the
syntax is correct you will receive a green checkmark at the left of the screen.
At this stage you are ready to apply the filter by pressing the ‘Apply’ button.

In the following example I will filter the capture to display only information originating from 194.90.1.5:

image image image

                                                 image  

Right Click Filtering

Right click filtering is (in my opinion) the simplest method. Once you have your capture, you can right click a specific
piece of information upon which you wish to base your filter,choose ‘Copy Cell as Filter’ and then paste it into the filter
window.

In the following example I will try to achieve the same results we have achieved in the previous example.

image image image

Note that even though the syntax differs, the results are the same. In other words there are several ways to reach
a specific result.


Manual (or using Intelisense)

You can configure filters manually simply by writing them. The interesting part here is the ability to use Intelisense.
Intellisense enables you to start a specific phrase and have the system offer you with alternatives.
To start Intellisense you can start by entering a period (.). Once you are done you will be offered with possible verbs.
To follow up our previous examples, choose ‘Protocol’, then period again, choose IPv4, period, SourceAddress,then
the equal mark (twice) and the IP address. Apply the filter.

image image


Building a complex filter (or defining several conditions)

In order to fine tune a specific filter, you can combine several conditions in a specific filter using the AND (&&) and OR (||)
logical operators. As an example, lets try to find the traffic originating from 10.0.0.2 (DC01) that is DNS related.

image

To further complicate matters we would like to use our previous filter but we would also like to identify ICMP traffic originating
from 10.0.0.2 (DC01).

image

If you are paying attention, you must have noticed that the previous screenshot is incorrect. The screenshot show traffic that
originates from additional hosts (we wanted to see DNS and ICMP traffic originating from 10.0.0.2 only).
If we look at the filter we have built we should be able to identify our error:

.Protocol.IPv4.SourceAddress==10.0.0.2 AND .Protocol.DNS OR .Protocol.ICMP

When evaluating the condition, the result achieved is one of a system with the address of 10.0.0.2 using DNS or any system
using ICMP.

To be able to receive the result we are looking for we can use parentheses in the following manner:

.Protocol.IPv4.SourceAddress==10.0.0.2 AND (.Protocol.DNS OR .Protocol.ICMP)

image


An additional example of flexibility, if we would like to identify “Echo Request” traffic originating from a specific address we can build
a filter based on the ICMP protocol field ‘Type':
image

 

Conclusions

This post is not intended to be an all inclusive document about NM3. I have tried to described the features that are used most
frequently. There are additional options (saving filters, defining aliases, wireless and using additional filtering verbs) that might come handy
and you might want to explore.

The huge advantage of being able to use NM3 or a similar tool is that you have the ability to see beyond standard error messages (that
may or may not exist). As mentioned earlier, knowledge of protocol structure is and function is very beneficial but it is not a must (seeing
an error is seeing an error).

When you tackle a problem, using NM3 you may be able to identify it’s root by using the following principles:

  1. Identify the failing process
  2. Start capturing traffic with NM3
  3. Initiate the failing process
  4. After ample time stop the capture
  5. Filter the output and search the results for meaningful information

Windows Vista SP1 (Beta)

After tons of speculation it seems that it is finally on the way. According to a post on the Windows
Vista blog,SP1 will be released in a Beta version in a few days.
The posy also mentions that the service pack will be released in the first quarter of 2008.

Microsoft Windows Genuine Advantage (WGA) servers seem down

News of this has been popping up all around the Net. In addition to that I also received
a few e-mail about it from fellow MVPs. It seems that Microsoft is aware of the issue and
tech support say that it might be down for a couple of days(?!?!).

The problem is that if you attempt to update your system(Vista), it will go into reduced functionality
mode as it seems to be pirated.

Engadget

Boing Boing

 

Personally I haven’t felt it yet…

iPhone software unlock

Many people were disappointed by the fact that the iPhone could only be used with one
carrier,not only did this limit US owners to a specific carrier it also made it virtually impossible
for anyone outside the US to use the iPhone (think about the cost…).

A crack (or unlock) was inevitable. A hardware unlock surfaced a few days ago, yet it wasn’t
for the faint hearted.

Yesterday (or so it seems) the first report of a software unlock finally surfaced on the Engadget
blog.

A few hours later a second unlock was reported.

 

Z-time to play…
;)