Network Monitor is a
crucial tool that system administrators should have in their arsenal.
Network Monitor, now in its third version, has been overhauled to
support the new networking changes introduced with both Windows Server
2008 R2 and Windows 7. Network Monitor 3.3 includes several enhancements
for capturing network traffic and parsing the captured data for use in
troubleshooting, capacity analysis, and performance tuning. The next few
sections cover using Network Monitor to capture network traffic between
two computers, on a wireless connection, over remote access
connections; how to analyze captured data; and how to parse captured
data for analysis. Network Monitor 3.3, shown in Figure 3, can be downloaded from the System Tools section in the Microsoft Download Center at www.microsoft.com/downloads/.
Figure 3. The Network Monitor 3.3 interface.
The Network Monitor TechNet blog located at http://blogs.technet.com/netmon contains a wealth of information regarding Network Monitor, capturing, and analyzing data.
Network Monitor 3.3 is
available in ia64, x64, and x86 versions and can run on Windows Server
2008 R2, Windows Server 2008, Windows Server 2003, Windows 7, Windows
Vista, and Windows XP systems.
What’s New in Network Monitor 3.3
Network Monitor 3.3 expands on
the capabilities of the previous versions of Network Monitor by
including several more features and fixes for issues that were
discovered in the 3.x versions. Network Monitor 3.3 is very flexible and
can even stop a capture based on an event log entry in Event Viewer.
The previous versions of Network Monitor included the following:
An optimized interface that included network conversations and an expandable tree view of frames for the conversation(s)
A real-time display and updating of captures
The ability to capture traffic on multiple network cards simultaneously
The ability to run multiple capture sessions simultaneously
A script-based protocol parser language
Support for Windows Server 2008, Windows Vista, Windows XP, and Windows Server 2003 on 32- or 64-bit platforms
The ability to capture wireless traffic, scan one or all wireless channels
supported by the network card, and view the signal strength and transfer
speed of the connection
The ability to trace traffic inside a Windows Vista virtual private
network (VPN) tunnel by capturing remote access server (RAS) traffic
The ability to right-click in the Frame Summary pane and click Add to Filter
Support for the Windows Update service by periodically checking for updates to the Network Monitor program
A redesigned filter toolbar
A redesigned engine for supporting more protocol schemes
New public parsers like ip1394, ipcp, PPPoE, and more
Some of the new features in Network Monitor 3.3 include the following:
Support for Windows Server 2008 R2, Hyper-V, and Windows 7
The ability to capture WWAN and tunnel traffic on Windows 7 computers
Support for both IPv4 and IPv6
Using Network Monitor 3.3
Before you can start using
the advanced features of Network Monitor, analyzing captured data, and
identifying potential issues and bottlenecks, a basic understanding of
Network Monitor and how it works is necessary.
To capture network traffic, install Network Monitor 3.3 and do the following. Note that capturing requires the logged-on account to be a member of the local Administrators group or of the Netmon Users local group that the installer creates; ordinary users can load and analyze saved captures but cannot start a new one.
Run Network Monitor (Start, All Programs, Microsoft Network Monitor 3.3, Microsoft Network Monitor 3.3).
Click the Create a New Capture Tab link in the left pane.
Click the Start button or press F5 to start capturing traffic.
To apply filters to a captured stream of information, do the following:
With a capture running and the tab selected, as shown in Figure 4, click the Filter menu in the menu bar at the top of the Network Monitor program.
Figure 4. Capturing and Configuring Filters in Network Monitor 3.3.
- To create a capture filter—
Click on Capture Filter, Load Filter, Standard Filters to select a
preconfigured filter that captures only traffic related to a specific
item such as DNS. A capture filter decides which frames are kept at all,
so it also limits how much (potentially sensitive) data is written to disk.
- To create a display filter— Click
on Display Filter, Load Filter, Standard Filters to select a
preconfigured filter that only displays information related to a
specific item such as DNS from data that has already been captured; the
other frames remain in the capture and are merely hidden.
- To create a color filter— Click on Color Filter, Load Filter, Standard Filters to apply a color effect to specific items such as DNS.
After a filter has been added, it must be applied. Filters can be applied by
clicking the Apply button in the Capture Filter pane, by pressing
Ctrl+Enter, or by clicking Apply in the Filter menu for
the added filter.
Apply the filter(s) by clicking the Filter menu at the top of the Network Monitor program.
To apply a capture filter, highlight Capture Filter, and click Apply Filter.
To apply a display filter, highlight Display Filter, and click Apply Filter.
To add a color filter, click Color Filter, click Add, add an expression
(for example, RDP or 192.168.1.5), and format the font to your
preference. Click OK, and click OK again to apply the filter and close
the Color Filter window.
Alternatively, a capture or
display filter can be applied by right-clicking on an item in the Frame
Summary pane and selecting Add Cell to Display Filter, as shown in Figure 5. Figure 6 shows a sample capture with a DNS capture filter applied and all RDP packets color-coded in red using a color filter.
Figure 5. Choosing to add a cell to display filter.
Figure 6. Sample capture with red highlighted filtered data.
To remove a filter,
simply highlight the correct filter type from the Filter menu and select
Remove Filter, click the Remove button in the Capture Filter pane, or
press the Ctrl+Shift+Enter keys simultaneously.
Removing a filter does not remove it from the filter list. It just removes it from being applied.
Capturing Network Traffic Between Computers
As outlined previously,
Network Monitor 3.3 includes the ability to capture wireless, remote,
local area network (LAN), and wide area network (WAN) traffic using a
remote agent. In some cases, network administrators want to diagnose or
monitor a conversation between two computers. The steps necessary to
monitor traffic between two different computers are outlined in the following procedure.
To capture network traffic between two different computers using IPv4 source and destination addresses, as shown in Figure 7, do the following:
In Network Monitor, click the Create a New Capture Tab button on the left.
Click the Filter menu, select Capture Filter, Load Filter, Standard Filters.
Select Addresses, and then IPv4 Addresses.
Modify the filter to specify the IP addresses that should be captured in the
Capture Filter window (for example, 192.168.0.100 and Any).
Click the Apply button in the Capture Filter pane.
Click the Start button on the main Network Monitor menu bar or press the F5 key to start the capture.
Figure 7. Network Monitor capture of network traffic between two IP addresses.
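The same filtering work can be scripted with NMCap.exe, the command-line capture engine that installs alongside the Network Monitor 3.x GUI, which is useful for unattended or scheduled captures. The following PowerShell script is an added example and is not part of the original text; it uses the NMCap switches as listed by NMCap /? (/DisplayNetworks, /network, /capture, /file, /stopwhen /timeafter, /inputcapture), and the adapter choice, IP addresses, file paths, sizes and durations are placeholders chosen for illustration. It reproduces the host-to-any and two-host IPv4 capture filters from the procedure above and then re-filters a saved capture, which is the command-line equivalent of applying a display filter.

```powershell
# Added example: driving Network Monitor 3.3 captures from NMCap.exe.
# Switch names follow "NMCap /?"; addresses, paths, size and durations below
# are assumptions for illustration and should be adjusted to the environment.
$nmcap = Join-Path $env:ProgramFiles 'Microsoft Network Monitor 3\NMCap.exe'
if (-not (Test-Path $nmcap)) {
    throw "NMCap.exe not found at $nmcap; install Network Monitor 3.3 first"
}
$capDir = 'C:\captures'   # assumed output folder; restrict its ACL, captures hold raw payloads
New-Item -ItemType Directory -Path $capDir -Force | Out-Null

# 1. List capturable adapters (the GUI's 'Select Networks' list). Capturing
#    needs local Administrators or Netmon Users group membership.
& $nmcap /DisplayNetworks

# 2. Host-to-any capture filter: the same as the 'Addresses > IPv4 Addresses'
#    standard filter with 192.168.0.100 and Any. IPv4.Address matches either
#    the source or the destination field, so both directions are kept.
$hostA = '192.168.0.100'                                   # assumed
$fileA = Join-Path $capDir 'hostA.cap'
& $nmcap /network '*' `
         /capture "IPv4.Address == $hostA" `
         /file "${fileA}:100M" `
         /stopwhen /timeafter 5 min

# 3. Two-host conversation narrowed to one protocol: a compound capture
#    filter. Filtering at capture time keeps unrelated traffic off disk.
$hostB  = '192.168.0.10'                                   # assumed
$filter = "IPv4.Address == $hostA && IPv4.Address == $hostB && DNS"
& $nmcap /network '*' `
         /capture $filter `
         /file (Join-Path $capDir 'dns-a-b.cap') `
         /stopwhen /timeafter 2 min

# 4. Display-style filtering after the fact: re-read the saved capture and
#    write only the RDP (TCP port 3389) frames to a new, smaller file.
& $nmcap /inputcapture $fileA `
         /capture 'TCP.Port == 3389' `
         /file (Join-Path $capDir 'rdp-only.cap')

# The resulting .cap files open in the Network Monitor 3.3 GUI, where the
# color and display filters described above can be layered on top.
```

Step 2 and step 3 are the capture filters a reviewer would expect for a scoped investigation: they decide what is stored, whereas step 4 only selects from frames that already exist in the file. Because the filter expressions are the same ones the GUI accepts, a filter that is tuned interactively can be pasted into the /capture argument unchanged.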
Parsing Captured Network Traffic Data
Parsing captured data
allows the information to be converted into a format that is more
legible to the naked eye. Parsing captured data makes analysis of the
captured data easier—in fact, it’s almost essential. The Network Monitor
parsing engine was completely rewritten to support the new
functionality of Network Monitor 3.3.
To modify parsing of captured data in Network Monitor 3.3, do the following:
With a capture running or loaded from a saved file, select the Parsers tab in Network Monitor, as shown in Figure 8.
Figure 8. Parsers tab of Network Monitor 3.3.
Expand the appropriate parsing category and double-click the desired parser
to load the parser code into the editor. Parsers are written in Network Monitor
Parser Language (NPL), a simple-to-use language. Help for NPL is
included in the Network Monitor 3.3 Help file.