How To
Summary
How to use Network Monitor: Capture and Analyze Network Traffic on Windows
Objective
Get familiar with NetMon and learn how to use Network Monitor to capture and analyze network traffic in real time.
Environment
Windows Server
Steps
This article shows how to use Microsoft Network Monitor (NetMon) to capture and analyze network traffic in real time and to dump traffic to a file for later analysis.
The worked example investigates a mass email mailout from a Windows host: how to track in real time which process is initiating the SMTP sessions.
To find the source, capture all traffic on the standard SMTP ports 25 (SMTP), 587 (submission) and 465 (SMTPS) and identify the process executable or script that is performing the mailings.
Download the Microsoft Network Monitor 3.4 installer (NM34_x64.exe) from the Microsoft website, or install it with the WinGet package manager:
winget install Microsoft.NetMon
Network Monitor 3.4 is an archived tool that Microsoft no longer develops, but it still installs and runs on current Windows versions.
Run Network Monitor as an administrator when the installation is complete. In the NetMon window, click New Capture.
By default, Network Monitor captures all traffic that passes through the computer's network interfaces, so a dump taken over a long period can become very large. In our case, we can set a capture filter so that only packets to or from the known SMTP ports are kept.
Click the Capture Settings button. Here you can configure filters that describe what traffic NetMon should capture.
There are several filter templates for typical tasks in the Load Filter -> Standard Filters menu.
In our case, we need a TCP port number filter. Select TCP-> TCP ports.
The following template code is inserted into the Filter Editor window:
tcp.port == 80 OR Payloadheader.LowerProtocol.port == 80
Edit the template rule and add all three default SMTP port numbers:
(tcp.port == 25 OR Payloadheader.LowerProtocol.port == 25 OR
tcp.port == 587 OR Payloadheader.LowerProtocol.port == 587 OR
tcp.port == 465 OR Payloadheader.LowerProtocol.port == 465)
Note:
If the computer has more than one network interface, or additional IP addresses (aliases) are assigned to the adapter, you can restrict the capture to one address by appending a source address condition:
AND
(IPv4.SourceAddress == 192.168.18.111)
IPv4.SourceAddress keeps only the frames this host sends. If you also want the server's replies (banner, AUTH responses, error codes) in the dump, use IPv4.Address == 192.168.18.111 instead, which matches the address in either the source or the destination field.
Network Monitor filters can be combined using brackets and the OR / AND / NOT operators, or their equivalents ||, && and !.
Click the Apply button to save the filter.
Then go to Tools -> Options -> Parser Profiles and make the Windows profile the active profile (Set as active). Also check on the Capture tab that Enable Conversations is selected (it is by default): the Process Name column that identifies the sending process is only populated while conversations are tracked.
You are now ready to start capturing network traffic. Click the Start button on the toolbar.
Now reproduce the problem or, if it happens at random times, leave NetMon running for a day or a week.
Note that, depending on the capture filter, dumping network traffic over a long period requires a significant amount of RAM and disk space; the port filter above keeps the volume manageable.
In our case, after some time, frames matching the capture filter appeared in the NetMon frame list. Opening a frame shows that an SMTP connection was attempted.
Inside the frames you will see the SMTP commands themselves (EHLO, AUTH, MAIL FROM, RCPT TO), the authentication attempt, the address of the target SMTP server and the recipient address of the message; this is the same command sequence you would type by hand in a Telnet session to send an authenticated email.
The Process Name column shows the name of the process that initiated the network (SMTP) connection.
In this case it is clear that the SMTP mailings are sent by the blat.exe console tool.
The network dump also contains frames from a powershell.exe session, which was used to check the availability of port 25 on the external server:
Test-NetConnection smtp.corpmail.com -port 25
Click the Stop button to stop capturing network traffic.
The resulting traffic dump can be saved (File -> Save As) as a *.cap file for offline analysis in NetMon on another computer.
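The Process Name column is the quickest way to attribute a session once NetMon is capturing. As an added example (not part of the original article, and not NetMon's own code), the following PowerShell script does the same attribution from the operating system's TCP connection table, which helps on a host where NetMon cannot be installed: it polls Get-NetTCPConnection for connections to the three SMTP ports, looks up the owning process in Win32_Process to get the image path and command line (which, for an interpreter such as powershell.exe or cscript.exe, is what names the actual script), and appends each new connection to a CSV. The port list, polling interval and log file path are this example's choices. Polling can miss a connection that opens and closes between two polls, so the packet capture remains the authoritative record; the script complements it.

```powershell
# Added example (not part of the original article): poll the TCP table for connections to the
# standard SMTP ports and record which process owns each one. Uses Get-NetTCPConnection
# (Windows 8.1 / Server 2012 R2 and later); the log file path is an assumption.
# Run in an elevated PowerShell session; stop with Ctrl+C.

$SmtpPorts = 25, 587, 465
$LogFile   = Join-Path $env:TEMP 'smtp-senders.csv'   # assumed location, change as needed
$Seen      = @{}   # local:port->remote:port already reported, so each connection is logged once

Write-Host "Logging outbound SMTP connections to $LogFile (Ctrl+C to stop)"
while ($true) {
    # SynSent catches connections that are still being opened; Established catches the rest.
    $conns = Get-NetTCPConnection -State SynSent, Established -ErrorAction SilentlyContinue |
             Where-Object { $SmtpPorts -contains $_.RemotePort }

    foreach ($c in $conns) {
        $key = "$($c.LocalAddress):$($c.LocalPort)->$($c.RemoteAddress):$($c.RemotePort)"
        if ($Seen.ContainsKey($key)) { continue }
        $Seen[$key] = $true

        # Win32_Process gives the image path and full command line. If the process has already
        # exited by the time we look, $proc is $null and those fields stay empty.
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" -ErrorAction SilentlyContinue

        $record = [pscustomobject]@{
            Time        = (Get-Date).ToString('s')
            Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
            State       = $c.State
            PID         = $c.OwningProcess
            Process     = $proc.Name
            Path        = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            ParentPID   = $proc.ParentProcessId
        }
        $record | Export-Csv -Path $LogFile -Append -NoTypeInformation
        $record | Format-List | Out-Host
    }
    Start-Sleep -Milliseconds 250
}
```

Start it in an elevated session before reproducing the problem; the recorded PID, path and command line can then be matched against the Process Name that NetMon shows for the same connection.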
You can add further filters by source or destination IP or MAC address, protocol, port, and special filters for the traffic of common protocols (SMB, HTTP, DNS).
Filters can be applied either at capture time (Capture Filter) or to the frames already captured in the current session (Display Filter window); a display filter only changes what is shown, not what was recorded.
For example, to filter the frame list, right-click any value in a frame and choose Add [value] to Display Filter.
Adding a filter by destination IP address this way inserts the following rule into the Display Filter window:
Destination == "ip_address"
Below are some examples of commonly used Network Monitor filters.
Filter by destination IP address:
IPv4.DestinationAddress == 192.168.0.1
Filter by source IP address:
IPv4.SourceAddress == 192.168.0.1
Filter by source or destination IP:
IPv4.Address == 192.168.0.1
Filter by TCP port number (the second term matches frames that NetMon has reassembled, where the TCP header appears under PayloadHeader):
tcp.port == 443 OR Payloadheader.LowerProtocol.port == 443
Port ranges can be specified with comparison operators:
(udp.Port >= 10000 && udp.Port <= 19999)
Additional Information
In this article we looked at how to capture and analyze network traffic in Windows using Microsoft Network Monitor. You can also use the built-in PktMon console command (pktmon.exe, available since Windows 10 1809 / Windows Server 2019) to dump traffic without installing Network Monitor on each computer. A dump taken with such a command-line tool can be analyzed later on any computer with NetMon or Wireshark installed. Note that pktmon records packets, not the owning process, so to attribute a session to a process you still need NetMon's Process Name column or a separate look at the TCP connection table.
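As an added example (not part of the original article), the following PowerShell session shows the PktMon workflow for the same SMTP case on Windows 10 2004 / Windows Server 2022 or later: one filter per port, a full-size capture (pktmon keeps only the first 128 bytes of each packet by default, which would cut off the SMTP commands), and conversion of the resulting ETL file to pcapng, which Wireshark opens directly. The output directory and file names are this example's assumptions; on older Windows 10 2004 builds the conversion command is pktmon pcapng rather than pktmon etl2pcap.

```powershell
# Added example (not part of the original article): capture SMTP traffic with the built-in
# pktmon.exe and convert it for offline analysis. Requires an elevated prompt and
# Windows 10 2004 / Windows Server 2022 or later for 'start --capture' and 'etl2pcap'.
# $OutDir and the file names are assumptions for this example.

$OutDir = 'C:\Captures'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Start from an empty filter list, then add one filter per SMTP port. Multiple filters are
# OR'ed together. -p matches the port in either the source or the destination field, so both
# directions of each session are captured; -t limits the match to TCP.
pktmon filter remove | Out-Null
pktmon filter add SMTP       -t TCP -p 25
pktmon filter add Submission -t TCP -p 587
pktmon filter add SMTPS      -t TCP -p 465
pktmon filter list

# --pkt-size 0 logs whole packets; the default keeps only the first 128 bytes of each,
# which is enough for headers but would truncate the SMTP commands and addresses.
# --file-size is the log size limit in MB (the default log mode is circular).
pktmon start --capture --pkt-size 0 --file-name "$OutDir\smtp.etl" --file-size 512

# Reproduce the problem here, or leave the capture running until the mailing recurs.
Read-Host 'Press Enter to stop the capture' | Out-Null

pktmon stop

# Convert the ETL trace to pcapng for Wireshark.
# On Windows 10 2004 builds the same conversion is: pktmon pcapng <etl> -o <pcapng>
pktmon etl2pcap "$OutDir\smtp.etl" -o "$OutDir\smtp.pcapng"

# pktmon records packets, not the owning process; pair the capture with NetMon's Process Name
# column or the TCP connection table (Get-NetTCPConnection) to attribute a session to a process.
```

Because the default log mode is circular, a long-running capture overwrites its oldest packets once the file reaches the size limit; raise --file-size or switch the log mode if the mailing is expected to recur only after days.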
Document Location
Worldwide
Document Information
More support for:
Integration for Windows Server
Software version:
All Versions
Document number:
7179859
Modified date:
27 December 2024
UID
ibm17179859