Overview of NetMon by Yuri Diogenes
This article was original posted by Yuri Diogenes on https://blogs.technet.com/latam in Spanish.
Overview of Network Monitor 3 Beta 2
1. Summary
Microsoft is releasing the Beta 2 version of the Network Monitor 3 and we would like to show you some powerful features of this new version that will help you to analyze the packets that are passing though your network. Here are some key features of this new version:
· Completely new user interface that gives you more flexibility to work with captures
· Now you can see the frames while capturing data in real time
· Simultaneous capture on multiple network adapters
· Multiple simultaneous capture sessions
· Network conversations and a tree view displaying frames by conversation
· A new script-based protocol parser language, and script-based parsers
· Support for Vista, Windows XP and Windows Server 2003
· Support for 32bit and 64bit platforms
· New filtering panel with the capability to manually write the filters.
The next session will give you practice examples of some of new features described above.
2. New way to view things
The Network Monitor 3 was completely redesigned to provide the user a better experience while capturing and analyzing network traffic. Now with only one click you can select the network that you want to bind during the capture. With the new design you can see on the same window the filters, the frame summary, frame details and the Hex details.
· Capturing: To start a new capture on Network Monitor 3 you just need to click on the “Create a new capture tab” button. This will create a new tab which contains five panels. On the toolbar you have the play button that starts the capture.
· Real time results: When you starts the capture you can see the traffic in real time on the Frame Summary panel and on the status bar you can see the amount of frames that were capture. On the frame summary panel you also can see that during the capture time the netmon will temporally save the frames in a temp file. To stop the capture click on the stop button on the toolbar. After click on the stop button you can see that the traffic light on the tab became red just to emphasize that you are not capture anything at this point.
· Isolating Frames: On the frame summary window you can select the frames that you want to view separately and then right click on it and chose the option “View selected frame(s) in a new Window”. Another way to aggregate frames in separate files is using the feature call “Buffer Manager”.
3. Filtering
Probably one of the most powerful features on this new version is the way that we can create filters to better analyze the data. The flexibility and interaction that this feature provides are key elements that can save you time during the troubleshooting.
Here we have an example of this filter:
In this example we are filtering all TCP packets using port 8080 where the destination IP address is 192.168.0.3. Although you can manually write your filter the Network Monitor 3 interface already have some pre-defined filters to use for common situations. You can apply this pre-defined filter using the “Load Filter” button, besides the save button in the display filter window.
You can also customize your filter based on the pre-defined filters, you can load the pre-defined filter and manually change the content writing what you want. Another good feature that comes with the filter panel is the IntelliSense that contains the data fields supported by each structure/protocol. The example below shows this feature:
In this example the protocol DNS has the supported data fields that are displayed on this dropdown window. You can select one based on what you want to filter on. Before apply the filter using the “Apply Filter” button you also can verify if the command and syntax that you wrote are correct, to do this you just need to click on the “Verify Filter” button. This option will validate if the filter is correct or not and it will underline the operator or function that was not correct written.
For more filter examples you can use the option “How Do I” on the toolbar and select the option “Use Filters”. The documentation that comes with the product is also very helpful. On the Help folder underneath Network Monitor Folder you have some DOC files with examples of filters that you can use it.
4. Command line version
Sometimes the online analyzes is not what you really want, because sometimes you are troubleshooting an issue that doesn’t happen all the time, however you want to start a capture when one determine thing happens on the network. For this kind of scenario you can use the command line version of the Network Monitor 3, which is the command nmcap.exe.
Let’s see an example of this feature:
- You want to capture the data when the DNS QRecord Question Name contains the value mainisa.ctest.com, the file size should not be bigger than 6MB and the capture needs to stop after two minutes:
nmcap /network * /capture contains(dns.qrecord.questionname,'mainisa.ctest.com') /file dns.cap:6M /stopwhen /timeafter 2 min
This is a good way to keep monitoring the traffic when something that you want to see happens, besides that you are limiting the size of the file, which is good because you don’t need to worry about create a big file that will be hard to read it. You can find more examples using the command: nmcap /examples.
6. Where can I get it?
The Network Monitor 3 Beta 2 is available for customers to evaluate it, follow the steps below to download it:
1. Go to https://connect.microsoft.com
2. Sign in with your passport account
3. Choose "Available Connections" on the left
4. Choose "Apply" for Network Monitor 3.0 (once you've finished with the application, the selection appears in your "My Participation" page)
5. Go to the Downloads page (On the left side), and select the appropriate build 32 or 64 bit build.
We hope that you have a great experience with this new version, your evaluation and feedback are really important to us keep improving this product.
Yuri Diogenes
Support Engineer – Latin America Team – Platforms
Microsoft
Comments
Anonymous
January 01, 2003
Great product. I believe this one will make not so tech type start using NetMon tools. I have a question regarding subject. All adapters except one are configured. It happened naturally during installation. However there is one missing. It is a PCMCIA Kyocera card I user to connect using 3G technology. On the list of networks is shows this: 1x-EVDO (This network adapter is not configured to capture.) Status: This network adapter is not configured to capture. (0x00000483) IPv4 Address: 200.120.140.25 IPv6 Address: None Hardware Address: 00-14-15-00-66-00 Linkspeed: 0 bps Media Type: PPP State: None If I select it, and start a capture I get a message: Unable to start a capture. Please make sure that you have a selected network adapter bound to the Netmon driver. How do I bound and enable it?Anonymous
January 01, 2003
Thanks for providing that picture above how to do a simple TCP.Port == 80 capture. :-) I think this blog is interesting, and hope there will be more basic topics how to deal with Netmon filters. I've been using tcpdump a while on MacOS X (http://www.tcpdump.org), but it's rule definitions are completely different in syntax and semantic.Anonymous
January 01, 2003
Please also look at the blog entry http://blogs.technet.com/netmon/archive/2006/10/17/into-to-filtering-with-network-monitor-3-0.aspx This has some more information on filtering with NM3. Hopefully this will help as well. Afterwards, please let me know if there are other parts of filtering which you need clarity on. Thanks, PaulAnonymous
January 01, 2003
thanks