Microsoft Network Monitor

From NoskeWiki

About

Microsoft Network Monitor is a free packet sniffer which allows you to capture, view and analyze traffic over your network. It can be used to troubleshoot network problems, but in my case I used this program in 2009 to help find out who in my house was using up all our download quota! I found the program quite good, but would be very interested if there is something better out there, considering all I wanted to do was tally the number of packets my housemates were receiving from outside the network.


How it works

A packet sniffer is a program (or sometimes a piece of hardware) which intercepts and logs all traffic passing through your network. How it works: in most cases, all the computers in your home or small business will be connected to the internet through a single switch or router (connected to the internet via a modem), and this will "broadcast" any traffic it receives to every computer! This means that every piece of information sent to or from your computer is actually sent out to every computer, but only the computer that it is addressed to will actually process it. A packet sniffer however will read EVERY packet.

Getting Started

Start Capturing and Create Aliases

  • Download and install Microsoft Network Monitor (you'll probably want "NM33_x86.exe"). The program should immediately recognize your network card (ticked in the "Selected Networks" window) and you can begin.
  • Click New Capture and then Start up the top. What you will soon see is a stream of frames appear in the "Frame Summary" window. The trick is making sense of these frames!
    • NOTE: If you see nothing appear, open a browser and do a Google search, and you should notice several entries appear immediately.
  • In the Display Filter window click Aliases and then New to add a new Alias. Each computer in your network is given its own IP address (eg: 192.168.0.45).
    • You can find your IP address by clicking Start > Run, typing "cmd", then entering "ipconfig /all" into the command prompt. After you hit enter you will see your "IP address". "Default Gateway" is the IP address of the router through which you connect to the internet. "Physical Address" is your unique "MAC address".
    • WARNING: IP addresses tend to change when you restart your computer, and so a better solution is to use MAC addresses. Every network card and network device (eg: router) in the world has a unique MAC address. You can enter this in as: 00-1F-C6-3E-4F-2D (use dashes to separate the characters).
    • TIP: If you have your own router you can usually connect to it by typing its IP address into a browser and entering the username and password, and it should have an entry there somewhere to see a DHCP table listing computer name, IP address and MAC address for each computer on your local network, saving you from running "ipconfig" on each person's computer.


  • After entering addresses, click Save (in the Aliases window) to save them, then click Set as Default and Apply.
  • Hit Stop and Start and after a while it should show people's name/Alias instead of Source and Destination IP addresses. Select any packet and you will be able to see more information in the Frame Details window. Unfortunately thousands upon thousands of packets will appear, and so you need to know how to filter this a bit!


Filter the output

  • To show only traffic to your address, click on the "Display Filter" tab and enter:
IPv4.Address == 192.168.0.45
  • Hit "Apply" and it will show you only packets sent to or from your IP address. At the very bottom you will see the number of packets "displayed". Now hit "Remove" to stop using this filter.
  • Unfortunately, the biggest problem with this program is that most packets are only a few kB, so, depending on who's doing what on the network, this list can get massively long!
  • You're probably not interested in internal traffic (eg: when one of your housemates is copying a file or watching a movie off your computer), so you can filter this out by clicking the "Capture Filter" tab and entering this:
// ALL EXTERNAL TRAFFIC:
!(IPv4.Address >= 192.168.0.1 and IPv4.Address <= 192.168.0.255)

or for incoming traffic only:

// ALL INCOMING TRAFFIC (destination is one of your machines, source is outside the network):
(IPv4.DestinationAddress == 192.168.0.45
or IPv4.DestinationAddress == 192.168.0.1
or IPv4.DestinationAddress == 192.168.0.2)	// enter everyone you're interested in here
and
!(IPv4.SourceAddress == 192.168.0.45
or IPv4.SourceAddress == 192.168.0.1
or IPv4.SourceAddress == 192.168.0.2)	// and again here
  • The syntax Microsoft Network Monitor uses is pretty powerful, and you can specify MAC addresses as (Ethernet.Address == 00-1F-C6-3E-4F-2D), BUT unfortunately you can't use wildcards (eg: 192.168.0.*).
  • At this stage you might want to save your filter (in the Capture Filter tab) and then save your capture. By right clicking the "Capture 1" tab at the top it will ask you if you want to save. You can then exit.


More Advanced Features

With so much information in each packet (protocol etc) there is a lot of analysis one can perform, but unfortunately I haven't taken the program much further. One fairly cool feature however, is that you can add a "color filter" (a bit like "conditional formatting" in Excel) under Filter >> Color Filter. Use the following to highlight traffic to/from your address as green (substituting in your own MAC address):

Ethernet.Address == 00-1F-C6-3E-4F-2D

It seems to me one of this program's big limitations however, is that it doesn't have any obvious way to simply record how many frames are being sent to each address without accumulating numerous MB of frame information.
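The capture filters in the section above split frames by whether each end sits on the 192.168.0.x network, and the limitation just noted is that the program offers no simple per-address count. The Python script below is an added example (not part of Microsoft Network Monitor or of this page) that reimplements that split and tallies frames and bytes per alias; the records and aliases are constructed sample values, and a real run would read them from an export of the frame summary (no particular export format is assumed here).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The home network from the page (192.168.0.1 - 192.168.0.255).
LAN = ip_network("192.168.0.0/24")

# Constructed sample records (source, destination, frame size in bytes)
# and aliases; these are illustrative values, not captured data.
ALIASES = {"192.168.0.45": "Me", "192.168.0.2": "Housemate"}
SAMPLE = [
    ("74.125.67.100", "192.168.0.45", 1400),   # incoming to Me
    ("74.125.67.100", "192.168.0.45", 1400),   # incoming to Me
    ("192.168.0.45", "74.125.67.100", 60),     # outgoing from Me
    ("208.67.222.222", "192.168.0.2", 1200),   # incoming to Housemate
    ("192.168.0.2", "192.168.0.45", 900),      # internal, credited to Housemate
]


def classify(src, dst, lan=LAN):
    """Same split as the page's capture filters: 'internal' when both ends are
    on the LAN, 'incoming' when only the destination is, 'outgoing' when only
    the source is, 'transit' when neither is (not expected on a home LAN)."""
    s_in, d_in = ip_address(src) in lan, ip_address(dst) in lan
    if s_in and d_in:
        return "internal"
    if d_in:
        return "incoming"
    return "outgoing" if s_in else "transit"


def tally(records, aliases, lan=LAN):
    """Return {alias: {kind: (frame_count, byte_total)}}, crediting incoming
    frames to the local destination and everything else to the local source."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for src, dst, size in records:
        kind = classify(src, dst, lan)
        if kind == "transit":
            continue
        local = dst if kind == "incoming" else src
        name = aliases.get(local, local)   # fall back to the bare IP address
        counts[name][kind][0] += 1
        counts[name][kind][1] += size
    return {n: {k: tuple(v) for k, v in d.items()} for n, d in counts.items()}


if __name__ == "__main__":
    for name, kinds in tally(SAMPLE, ALIASES).items():
        for kind, (frames, nbytes) in sorted(kinds.items()):
            print(f"{name:10} {kind:9} {frames:5} frames {nbytes:8} bytes")
```

Keying the aliases on MAC addresses instead of IP addresses, as the page recommends, only changes the dictionary keys and the address columns you feed in.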

