Friday, July 23

Microsoft Network Monitor

I recently received one of Microsoft's periodic download notification emails and one item in particular caught my eye as I had never heard of it before. It was a download of Microsoft's Network Monitor.

Now, I've been dealing with networking in and out of work for many years and have always used Wireshark, and I will most likely continue to do so. However, I will definitely be looking into Network Monitor more and would not be surprised if it became my tool of choice in some situations.


Process List in Network Monitor
The first thing that jumped out at me when I first ran Network Monitor to capture data was that it showed the processes that were generating network traffic on my machine. Simply clicking on a process filters the network traffic so that only the traffic associated with that process is shown. This is one feature that Wireshark doesn't have, and I can see it coming in handy.

This simple point-and-click interface for filtering the traffic is great, but there is quite a bit of power behind it that needs to be explored. After spending a few minutes poking around with it, I found that the right-click menu provides an option to Copy Conversation Filter to Clipboard.

After doing this I was able to paste the filter into Network Monitor's Display Filter frame and filter the traffic that way. If you are thinking of giving the application a try, I recommend you try this, as it provides a quick glimpse into what you can do with filters.

At first glance the text you end up with is pretty ugly, but after a moment I was able to understand it and realized I didn't have to care about most of it. A large part of the filter text restricts the display to traffic for my machine (frames matching its hardware addresses, or a few media types), while just a simple boolean expression specifies the process of interest.

    (Conversation.ProcessName == "System" and Conversation.ProcessId == 0) and
    (FrameVariable.MediaType == 0 || FrameVariable.MediaType == 7 ||
     FrameVariable.MediaType == 8 || FrameVariable.MediaType == 9 ||
     SourceHardwareAddress == 0x001E4FAF4573 || DestinationHardwareAddress == 0x001E4FAF4573 ||
     SourceHardwareAddress == 0xEE6C20524153 || DestinationHardwareAddress == 0xEE6C20524153)


As a matter of fact, stripping the filter down to just (Conversation.ProcessName == "System" and Conversation.ProcessId == 0) yielded the same results. From there I reduced the filter further to (Conversation.ProcessName == "System"), which showed me the network traffic from all the System processes, as there was more than one. My final tweak was to reverse the logic to (Conversation.ProcessName <> "System"), which showed all the network traffic that did not originate from System.
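To make the semantics of these expressions concrete, here is an added Python example; it is not Network Monitor code and not from the original post. It tokenizes and evaluates the subset of the display-filter syntax that appears above (==, <>, and, ||, parentheses, quoted strings, decimal and 0x hex literals, dotted field names) against a handful of hand-constructed frame records, and shows that the stripped-down process filter selects the same frames as the full one, while <> inverts the name match. The two MAC addresses are the ones in the filter above; the frame contents, process names and PIDs, the extra spellings && and or, and the rule that a comparison on a field a frame lacks is false are all assumptions made for illustration, not verified Network Monitor behaviour.

```python
"""Evaluate the Network Monitor display-filter subset this post uses."""
import re

# Operator alternatives precede the field alternative so that the bare words
# "and" / "or" are read as operators rather than as field names.
_TOKEN = re.compile(r'\s*(?:(\(|\)|==|<>|\|\||&&|\band\b|\bor\b)|"([^"]*)"'
                    r'|(0x[0-9A-Fa-f]+|\d+)|([A-Za-z_][\w.]*))')
_LEVELS = ({"or": "or", "||": "or"}, {"and": "and", "&&": "and"},
           {"==": "==", "<>": "<>"})  # precedence, lowest first; spelling -> label

def tokenize(text):
    """Filter text -> list of (kind, value); kinds: paren, op, lit, field."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {text[pos:pos + 12]!r}")
        pos = m.end()
        op, string, number, field = m.groups()
        if number is not None:  # decimal, or 0x hex as in the MAC clause
            tokens.append(("lit", int(number, 16 if number[:2] == "0x" else 10)))
        elif string is not None:
            tokens.append(("lit", string))
        elif op is not None:
            tokens.append(("paren" if op in "()" else "op", op.lower()))
        else:
            tokens.append(("field", field))
    return tokens

def parse(tokens):
    """Recursive descent: or-expr > and-expr > comparison > primary."""
    toks = list(tokens)
    peek = lambda: toks[0] if toks else (None, None)

    def binary(level):
        if level == len(_LEVELS):
            return primary()
        node = binary(level + 1)
        while peek()[0] == "op" and peek()[1] in _LEVELS[level]:
            node = (_LEVELS[level][toks.pop(0)[1]], node, binary(level + 1))
        return node

    def primary():
        kind, val = toks.pop(0) if toks else (None, None)
        if (kind, val) == ("paren", "("):
            node = binary(0)
            if not toks or toks.pop(0) != ("paren", ")"):
                raise ValueError("expected ')'")
            return node
        if kind in ("lit", "field"):
            return (kind, val)
        raise ValueError(f"unexpected token {val!r}")

    tree = binary(0)
    if toks:
        raise ValueError(f"unexpected trailing token {toks[0][1]!r}")
    return tree

def evaluate(node, frame):
    """Evaluate a tree against one frame (dict of field -> value). Assumed rule,
    not checked against NetMon: comparing a field the frame lacks is false."""
    kind = node[0]
    if kind in ("lit", "field"):
        return frame.get(node[1]) if kind == "field" else node[1]
    left, right = evaluate(node[1], frame), evaluate(node[2], frame)
    if kind in ("and", "or"):
        return bool(left) and bool(right) if kind == "and" else bool(left) or bool(right)
    if left is None or right is None:
        return False
    return left == right if kind == "==" else left != right

def apply_filter(text, frames):
    """Indices of the frames the filter selects."""
    tree = parse(tokenize(text))
    return [i for i, f in enumerate(frames) if evaluate(tree, f)]

# Constructed frames: the two MACs are the ones in the post's filter, the rest
# is made up. Frame 3 is selected by the MediaType branch rather than by a MAC.
_FIELDS = ("Conversation.ProcessName", "Conversation.ProcessId", "FrameVariable.MediaType",
           "SourceHardwareAddress", "DestinationHardwareAddress")
MY_MAC, PEER = 0x001E4FAF4573, 0x0050561234AB
FRAMES = [dict(zip(_FIELDS, row)) for row in (
    ("System", 0, 1, MY_MAC, PEER), ("System", 4, 1, PEER, MY_MAC),
    ("firefox.exe", 3120, 1, MY_MAC, PEER), ("svchost.exe", 880, 7, PEER, PEER))]
FULL_FILTER = '''
    (Conversation.ProcessName == "System" and Conversation.ProcessId == 0) and
    (FrameVariable.MediaType == 0 || FrameVariable.MediaType == 7 ||
     FrameVariable.MediaType == 8 || FrameVariable.MediaType == 9 ||
     SourceHardwareAddress == 0x001E4FAF4573 || DestinationHardwareAddress == 0x001E4FAF4573 ||
     SourceHardwareAddress == 0xEE6C20524153 || DestinationHardwareAddress == 0xEE6C20524153)
'''
STRIPPED = '(Conversation.ProcessName == "System" and Conversation.ProcessId == 0)'
ALL_SYSTEM = '(Conversation.ProcessName == "System")'
NOT_SYSTEM = '(Conversation.ProcessName <> "System")'

if __name__ == "__main__":
    for flt in (FULL_FILTER, STRIPPED, ALL_SYSTEM, NOT_SYSTEM):
        print(apply_filter(flt, FRAMES), flt.strip().splitlines()[0])
```

Running it selects frame 0 for both the full and the stripped filter, frames 0 and 1 for the name-only filter, and frames 2 and 3 for the negated one. Note that the full and stripped filters agree here only because every frame of the local System conversation already involves one of the machine's own hardware addresses; the second half of the copied filter is what pins the display to this host, which is why it can be dropped for a capture taken on the machine itself.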

That is as far as I've gotten with the tool so far, but I know there is much more it can do using Parsers and Experts. If you are at all curious about your network traffic this can be a useful tool; getting going is pretty simple, and there are a lot of powerful features built into it.

Well that's it for now, I plan to dig into it more and hopefully I can find the time to share what I learn with you. For those of you that give it a try, I'd enjoy hearing any tips or comments you can provide.
