Vista Network Monitor Capture TCP/IP frames filter data

The Vista Network Monitor

The Vista Network Monitor is a utility which captures TCP/IP packets. Then its GUI reveals the frames source and destination addresses along with detailed information stored in the datagram header.

The Secret of Network Monitoring

The secret of success with the Vista Network Monitor is that you must have a clear purpose; you need a real problem to solve. If you just toy with Network Monitor you will soon get bewildered with all the data captured, and give up.

However, as soon as you have a mission, your desire to succeed will ensure that you home in on just the facts you need. Then as you solve the problem, so you become a minor expert on Network Monitor.

The classic mistake is thinking that Network Monitor is built-in to the Vista operating system and you activate it via the ‘Features’ or ‘Windows Components’. In fact, the secret of installing the Vista Network Monitor 3.3 is to download this free utility from Microsoft’s site.

What’s New in Network Monitor 3.3

Ability to capture on WWAN and Tunnel interfaces on Win7.
Critical fixes to NM3.3 to operate correctly with Hyper-V.
Right-click-add-to-alias. Right-click a frame in the Frame Summary window with an IPv4, IPv6, or MAC address to add that address as a new alias.

What was New in Network Monitor 3.2

Network Conversations is a new feature which segregates related frames and displays them in groups.
Process tracking works by categorizing packets based on the ID of the process. Check for rogue processes, also learn about ‘good’ processes.
Improved GUI. Try resizing the windows, also drag and drop windows to achieve a clearer interface.

Guy Recommends: SolarWinds Free Wake-On-LAN Utility

Encouraging computers to sleep when they’re not in use is a great idea – until you are away from your desk and need a file on that remote sleeping machine!

WOL also has business uses for example, rousing machines so that they can have update patches applied. My real reason for recommending you download this free tool is because it’s so much fun sending those ‘Magic Packets’. Give WOL a try – it’s free.

Download your free copy of SolarWinds Wake-On-LAN

Typical Tasks for the Vista Network Monitor

Troubleshooting connectivity problems.
Let us imagine that you cannot contact a server. If you capture the appropriate frames with the Network Monitor, you may discover from the destination address that your machine is trying to connect does not exist.

Calculating server response times.
Each packet has time /date information, thus you can measure response times for conversations between your computer and other machines on the network. If necessary you could initiate a conversation with a ping command.

TCP re-transmissions.
A large number of TCP re-transmissions could indicate an faulty wire (or wireless) connection.

Your first task is to find, and then research the P-Mode button. The ‘P’ stands for promiscuous capture.

Data Capture

In order to capture data, you should install both the Network Monitor and its driver on the local computer. The Network Monitor driver enables the Netmon executable to receive and display frames from your network card.

Once netmon.exe has captured the frames from the network card, its parsers analyze the raw and display the information in the GUI. As a result you can read the all the information carried within the packets, including unencrypted passwords and other sensitive information.

Filters Make the Difference Between Success and Failure

Filters, especially capture filters, make all the difference between seeing manageable data in the monitor, or viewing a mass of meaningless numbers. For example, create a filter which captures only http traffic.

Filter menu, Capture Filter –> Load Filter – Standard Filters. Scroll down to: HttpWebpageSearch.

Check the Capture Options

Before you begin, it’s worth checking the ‘Options’ in your Vista network monitor.

Tools Menu –> Options –> Capture

Temporary capture file: Size (of Buffer)
Folder Location for the buffer
Capture only first bytes of a frame. A useful setting to improve performance.

As the monitor driver (agent) receives network packets so it stores them in a temporary buffer.

Next the Vista Network Monitor compares the frames in the buffer with the capture filter. Any frames which match the capture filter are shown in the GUI. The rest of the frames are discarded.

Start with Standard Filters

Begin by at the Filter menu, click on the Capture Filter –> Load Filter – Standard Filters. Now make your selection, for instance IPv4Addresses.

You will soon learn of how the filter works, but does take a tries to obtain the results that you want. Just ‘playing’ can result in confusion, what helps is a clear mission, for example you just want to capture IPv4 addresses.

Type your Filter in the dialog box

Once you have tested some of the Standard Filters, I suggest you try using the IntelliSense of the Capture Filter box. Begin by typing a period (.) also called the full stop. Now you should see the top level names. Type ‘p’ and IntelliSense kicks in again and displays Protocol.

You could repeat the method and thus append TCP. The result should look like: .Protocol.TCP.

An Alternative Filter Method

Another way of creating filters is to work from a frame that you have already captured. Focus on the Frame Summary screen, then right-click an interesting entry. Next select: ‘Add Source to Display Filter’ from the drop-down menu. The knack is to select the ‘Source’ column for your click, filtering on the ‘Time Offset’ column does not make sense.

Save Captures

Save your capture to a file simply by clicking ‘Save As’ on the toolbar. A good option when you save is to select only those frames which match your filter criteria. Naturally you can revisit previous captures by using the Open Capture dialog box.

Copy Frames

At first the prospect of copying frames did not seem very useful. The benefit comes when you copy a bunch of frames into Excel and then employ the spreadsheet’s math functions on the numeric fields. For example, calculating average response times.

Other uses of Copy include pasting the data into an email, and thus alerting other people of of rogue processes the network.

Quick Capture Statistics

When capturing, the Vista Network Monitor shows stats in the status bar at the bottom of the window:

Displayed: The number of frames in the Frame Summary window.
Dropped: The number of dropped frames.
Captured: The total number of frames captured for a particular session.

Recommended: Solarwinds’ Permissions Analyzer – Free Active Directory Tool

I like thePermissions Analyzer because it enables me to see WHO has permissions to do WHAT at a glance. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, and takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free SolarWinds utility saves when you are troubleshooting authorization problems for user’s access to a resource. Give this permissions monitor a try – it’s free!

Download SolarWinds’ Free Permissions Analyser – Active Directory Tool

Enable Network Conversations

Isolating conversations is a new feature of the Microsoft Network Monitor 3.3. This feature groups captures, and thus you can see more easily what is happening. The key point is to select the conversation from the tree on the left of the Network Monitor GUI, you can expand the tree to see individual processes.

Using this technique you could research unknown processes; one day you may discover that a rogue program that has infected your network.

Advanced Topic – How Network Monitor Parses Headers

The Vista Network Monitor relies on two processes, firstly, capturing network frames. Secondly, a parsing engine which analyses the raw bytes of data and displays the results in a GUI. Network Parser

Once you have mastered the basics of capturing and filtering the network traffic, you may wish to investigate a whole new world of parsers. On the one hand parsers teach you how packet collection works ‘under the covers’, on the other hand, parsers are the gateway to a new level of controlling the way raw data is displayed in the monitor. See here for a useful network traffic monitor.

Getting Started
Click the ‘Parsers’ tab next to the Start Page.

Begin with an overview of all the available parsers. As you gain in confidence and experience, you could try modifying and saving the new Parsers. However, to my mind being an expert at creating parsers is a different and higher level skill from troubleshooting data.

7 Tips for the Vista Network Monitor

Set ‘Frame Truncation’ to reduce your buffer size improve collection performance (Tools Menu, Options).
Lookout for context sensitive menu variations.
Copy and paste frames of your capture into Excel, then calculate totals.
Try creating an Alias for IP addresses.
Check out the Filters –> Color Filters.
Get out of jail ‘Restore’
View menu –> ‘Window’ –> ‘Restore Default Layout’.
It’s worth checking the version number of the Network Monitor in the Control Panel. Go to Programs and Features, right-click on the Columns, choose ‘More’ and add the ‘Version’ tab.

The Vista Network Monitor has a Command-line Tool Called Nmcap.exe

If you prefer the command-line, you can control the Network Monitor via the Nmcap executable.

For example: nmcap /network * /capture /file guycap.cap

You can even use the same filters at the command line as seen in the Capture Filter GUI. Once you have created your filter in the GUI you could copy and paste it into the Nmcap command-line. The command-line syntax is /Frame ‘Your Filter’.

If you like this page then please share it with your friends

The Vista Network Monitor

The Vista Network Monitor

Topics for the Vista Network Monitor