IBM Support

Using Network Monitor to Capture and Analyze Network Traffic on Windows Server

How To


Summary

How to use Network Monitor: Capture and Analyze Network Traffic on Windows

Objective

Get familiar with Netmon and learn how to use Network Monitor to capture and analyze network traffic in real-time.

Environment

Windows Server

Steps

This article shows how to use Network Monitor to capture and analyze network traffic in real-time and to dump traffic for later analysis.

This example investigates mass email mailouts: how to track in real time which process is initiating the SMTP sessions.

To find the source, we need to capture all outgoing traffic on standard SMTP ports 25, 587, and 465, and identify the process executable or script that is performing the mailings.

Download the Microsoft Network Monitor 3.4 installer (NM34_x64.exe) from the Microsoft website, or install it with winget:

winget install Microsoft.NetMon


Run Network Monitor as an administrator when the installation is complete. In the NetMon window, click New Capture.

By default, Network Monitor collects all traffic that passes through a computer’s network interfaces. The size of such a network dump can be significant if you are capturing network traffic over a long time. In our case, we can set filters to only capture outgoing network packets on one of the known SMTP ports.

Click the Capture Settings button. Here you can configure filters that describe what traffic NetMon should capture.

There are several filter templates for typical tasks in the Load Filter -> Standard Filters menu.

In our case, we need a TCP port number filter. Select TCP-> TCP ports.


The following template code is inserted into the Filter Editor window:

tcp.port == 80 OR Payloadheader.LowerProtocol.port == 80

Edit the template rule and add all three default SMTP port numbers:

(tcp.port == 25 OR Payloadheader.LowerProtocol.port == 25 OR
tcp.port == 587 OR Payloadheader.LowerProtocol.port == 587 OR
tcp.port == 465 OR Payloadheader.LowerProtocol.port == 465)

Note:

If your computer has more than one network interface, or if there are additional IP addresses (aliases) assigned to the adapter, you can add a filter by source IP address:

AND
(IPv4.SourceAddress == 192.168.18.111)


Network Monitor filters can be combined with brackets and the logical operators OR / AND / NOT; the C-style forms ||, && and ! are accepted as well.

Click the Apply button to save the filter.

Then go to Tools -> Options -> Parser profiles. Select Windows in the default parser profile (Set as active).


You are now ready to start capturing network traffic. Click the Start button on the toolbar.


Now you need to reproduce the problem or, if it happens randomly, just let NetMon run for a day or a week.

Note that, depending on the capture filter settings, dumping network traffic over a long time will require a significant amount of RAM and disk space.

In our case, after some time, events corresponding to the filters applied appeared in the NetMon packet log. If you open the contents of the packets, you will see that an SMTP connection has been attempted.

Inside the network frames you will see the SMTP protocol commands in detail: the authentication attempt, the address of the target SMTP server, and the email address to which the message was sent (the same sequence of SMTP commands you would type in a Telnet session to send an authenticated email).


The Process Name field displays the name of the process that initiated the network (SMTP) connection.

In this case, it is clear that the SMTP mailings are sent from the blat.exe console tool.
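The frames carry the SMTP dialogue in clear text, so the same facts NetMon shows in the frame details (server banner, client HELO name, authentication attempt, sender, recipients) can be pulled out of a reassembled session automatically. The following is an added example written for this article, not code from IBM, Microsoft or Network Monitor: it summarises a constructed client/server exchange (host names, addresses and base64 blobs are made up) and deliberately records only that an authentication attempt took place and whether the server accepted it, without decoding the credential lines.

```python
import re

# Constructed SMTP exchange as it would be reassembled from the captured frames.
# "C:" lines were sent by the client process, "S:" lines by the server.
# Host names, addresses and the base64 credential blobs are made up.
SAMPLE_SESSION = """\
S: 220 smtp.example.test ESMTP ready
C: EHLO workstation01
S: 250-smtp.example.test
S: 250-AUTH LOGIN PLAIN
S: 250 OK
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: dXNlckBleGFtcGxlLnRlc3Q=
S: 334 UGFzc3dvcmQ6
C: c2VjcmV0
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<sender@example.test>
S: 250 2.1.0 Ok
C: RCPT TO:<alice@example.test>
S: 250 2.1.5 Ok
C: RCPT TO:<bob@example.test>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: test
C: hello
C: .
S: 250 2.0.0 Ok: queued as 4F2A1
C: QUIT
S: 221 2.0.0 Bye
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def extract_address(arg):
    """Return the address inside <...> of a MAIL FROM / RCPT TO argument."""
    m = ADDR_RE.search(arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()


def summarize_smtp_session(text):
    """Walk a C:/S: transcript and collect what the capture reveals about the mailing."""
    summary = {"server": None, "client_name": None, "auth_mechanism": None,
               "auth_succeeded": None, "sender": None, "recipients": [],
               "rejected_recipients": [], "messages_queued": 0}
    in_data = False   # inside the message body (after DATA, before the lone ".")
    pending = None    # client command whose server reply we are waiting for
    for raw in text.splitlines():
        side, _, line = raw.partition(": ")
        if side == "C":
            if in_data:
                if line == ".":
                    in_data, pending = False, "DATA"
                continue
            if pending == "AUTH":
                # Credential continuation lines of AUTH LOGIN: neither decoded nor stored.
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            pending = verb
            if verb in ("EHLO", "HELO"):
                summary["client_name"] = arg.strip()
            elif verb == "AUTH":
                summary["auth_mechanism"] = arg.split()[0].upper() if arg else None
            elif verb == "MAIL":
                summary["sender"] = extract_address(arg)
            elif verb == "RCPT":
                pending = ("RCPT", extract_address(arg))
            elif verb == "DATA":
                in_data, pending = True, None
        elif side == "S":
            code = int(line[:3]) if line[:3].isdigit() else 0
            if code == 220 and summary["server"] is None:
                parts = line.split()
                summary["server"] = parts[1] if len(parts) > 1 else None  # banner host name
            elif pending == "AUTH":
                if code == 235:
                    summary["auth_succeeded"], pending = True, None
                elif code >= 400:
                    summary["auth_succeeded"], pending = False, None
                # 334 asks for the next credential line: stay in AUTH
            elif isinstance(pending, tuple):   # ("RCPT", address)
                bucket = "recipients" if code == 250 else "rejected_recipients"
                summary[bucket].append(pending[1])
                pending = None
            elif pending == "DATA":
                if code == 250:
                    summary["messages_queued"] += 1
                pending = None
            elif line[3:4] != "-":             # final line of a (multi-line) reply
                pending = None
    return summary


if __name__ == "__main__":
    for key, value in summarize_smtp_session(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

Joined with the Process Name column, a summary like this gives the three things an investigation needs: which executable made the connection, which server it authenticated to, and which addresses it tried to deliver to. Any line that starts with `S:` or `C:` but is not understood is ignored rather than treated as an error, so a transcript cut short by the end of the capture still yields a partial summary.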

The network dump also contains information about my powershell.exe session.

This was used to check the availability of port 25 on the external server:

Test-NetConnection smtp.corpmail.com -port 25

Click the Stop button to stop capturing network traffic.

The resulting traffic dump can be saved as a *.CAP file for offline analysis.

You can add additional filters by IP or MAC destination/source address, different protocols, ports, and special filters to analyze the traffic of some popular protocols (SMB, HTTP, DNS).

Filters can be applied either to the captured traffic or to filter only the displayed data within the current session (Display Filter window).

For example, if you want to filter network frames, you can click on any of the values in the list of packets and then choose Add [something] to Display Filter.


In the screenshot, I have added a filtering rule by destination IP address. The following code has been added to the filter prompt:

Destination == "ip_address"


Below are some examples of commonly used Network Monitor filters.

Filter by source IP address:

IPv4.SourceAddress == 192.168.0.1

Filter by source or destination IP:

IPv4.Address == 192.168.0.1

Filter by TCP port number:

tcp.port == 443 OR Payloadheader.LowerProtocol.port == 443

Port ranges can be specified:

(udp.Port>=10000 && udp.port<=19999)
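To make the filter syntax used throughout this article concrete (the SMTP port template, the AND-ed source address clause, the OR / AND / NOT and || / && / ! operators, and the port-range and "either direction" fields from the examples above), here is an added example, not code from IBM or from Network Monitor itself: a small evaluator that parses a NetMon-style filter expression and applies it to constructed sample frames. The frame fields, the process names and the mapping of Payloadheader.LowerProtocol.port onto the TCP/UDP port pair are assumptions of the example; NetMon's real parser is not reproduced.

```python
import operator
import re

# Constructed sample frames, shaped like the fields NetMon exposes for a packet
# (IPv4.SourceAddress, tcp.port, ProcessName, ...); keys are lower-cased because
# filter field names are matched case-insensitively.
SAMPLE_FRAMES = [
    {"ipv4.sourceaddress": "192.168.18.111", "ipv4.destinationaddress": "203.0.113.10",
     "tcp.srcport": 51000, "tcp.dstport": 25, "processname": "blat.exe"},
    {"ipv4.sourceaddress": "192.168.18.111", "ipv4.destinationaddress": "203.0.113.10",
     "tcp.srcport": 51001, "tcp.dstport": 587, "processname": "powershell.exe"},
    {"ipv4.sourceaddress": "192.168.18.50", "ipv4.destinationaddress": "203.0.113.10",
     "tcp.srcport": 51002, "tcp.dstport": 443, "processname": "chrome.exe"},
    {"ipv4.sourceaddress": "192.168.18.111", "ipv4.destinationaddress": "192.168.18.1",
     "udp.srcport": 10500, "udp.dstport": 12000, "processname": "svchost.exe"},
]

# "Either direction" fields: tcp.port matches source or destination port and
# IPv4.Address matches either address. Mapping Payloadheader.LowerProtocol.port
# onto the same port pair is an assumption of this toy evaluator.
FIELD_ALIASES = {
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
    "payloadheader.lowerprotocol.port": ("tcp.srcport", "tcp.dstport", "udp.srcport", "udp.dstport"),
    "ipv4.address": ("ipv4.sourceaddress", "ipv4.destinationaddress"),
    "destination": ("ipv4.destinationaddress",),
}
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}
TOKEN_RE = re.compile(
    r'\(|\)|==|!=|>=|<=|>|<|\|\||&&|!|"[^"]*"|\d+\.\d+\.\d+\.\d+|\d+|[A-Za-z_][\w.]*')


def tokenize(text):
    """Split a filter into tokens; anything but whitespace between tokens is an error."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError(f"unexpected text {text[pos:m.start()]!r}")
        tokens.append(m.group())
        pos = m.end()
    return tokens


def literal(token):
    """Quoted strings lose their quotes, integers become int, IP addresses stay strings."""
    return token[1:-1] if token.startswith('"') else int(token) if token.isdigit() else token


class FilterParser:
    """Recursive descent with OR/|| binding loosest, then AND/&&, then NOT/!, then brackets."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i].upper() if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of filter")
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.take()!r}")
        return node

    def or_expr(self):
        left = self.and_expr()
        while self.peek() in ("OR", "||"):
            self.take()
            left = (lambda l, r: lambda f: l(f) or r(f))(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.not_expr()
        while self.peek() in ("AND", "&&"):
            self.take()
            left = (lambda l, r: lambda f: l(f) and r(f))(left, self.not_expr())
        return left

    def not_expr(self):
        if self.peek() in ("NOT", "!"):
            self.take()
            inner = self.not_expr()
            return lambda f: not inner(f)
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing bracket")
            return inner
        field, op, value = self.take().lower(), self.take(), literal(self.take())
        cmp = OPS[op]
        keys = FIELD_ALIASES.get(field, (field,))
        # A frame without the field never matches, nor does a type mismatch (port vs address).
        return lambda f: any(type(f[k]) is type(value) and cmp(f[k], value) for k in keys if k in f)


def apply_filter(text, frames=SAMPLE_FRAMES):
    """Return the frames that satisfy a NetMon-style filter expression."""
    match = FilterParser(text).parse()
    return [f for f in frames if match(f)]


def process_names(text, frames=SAMPLE_FRAMES):
    """Sorted process names behind the selected frames, as the Process Name column would show."""
    return sorted({f["processname"] for f in apply_filter(text, frames)})
```

Running `process_names` with the SMTP port template from this article, AND-ed with the source address clause, returns the two sample processes that opened connections to ports 25 and 587, which is exactly the narrowing the capture filter performs before NetMon ever writes a frame to disk.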

Additional Information

In this article, we looked at how to capture and analyze network traffic in Windows using Microsoft Network Monitor. You can also use the built-in PktMon console command in Windows to dump traffic without installing Network Monitor on each computer. A dump taken with such a command-line tool can then be analyzed on any computer with NetMon or Wireshark installed.

Document Location

Worldwide



Document Information

More support for:
Integration for Windows Server

Software version:
All Versions

Document number:
7179859

Modified date:
27 December 2024

UID

ibm17179859
