Network Monitoring with Network Monitor 3.4 (Part 1)

If you would like to be notified of when Ricky M. Magalhaes releases the next part in this article series please sign up to our WindowSecurity.com Real Time Aritcle Update newsletter.

Introduction

This article we will describe network monitor 3.4 and its usefulness in troubleshooting as well as in traffic analysis. Network traffic analysis is becoming increasingly important as network protocol stacks fold into web routable and NATable protocols. Network Monitor is a protocol analyser and a frame capture tool that helps in detecting such encapsulation and is a vital tool in any network admin and security admins toolbox.

What do we do now?

If you are concerned about transmission of sensitive data or encapsulated payload you will need to know more about your network. Tools like IPS, IDS and firewalls are only as effective as their configuration. In many cases do not describe or depict packet level detail you may need to know. There are free and paid packet sniffing tools but this article has focused on a great tool that is free, readily available and that I have been working with for many years with Microsoft.

I first was introduced to this tool by the ISA Microsoft architects when it was given to me as a present to help resolve a complex firewall problem in beta over six years ago. Since then it has matured into a great troubleshooting tool, it helps network and security admins understand the applications, ports, protocols on windows machines.

What is a Protocol Analyser?

It’s an application or piece of hardware that captures the network traffic and processes this data translates it and outputs it in a human readable format.

About This Tool

Hardware specifications: Network Monitor 3.4 prerequisites a 1GZ processor or greater, 1 Gigabyte of RAM or greater, and 60 Mb of hard disk storage for captures.

It can be installed on X86 and 64bit platforms including Itainum chipsets running windows XP and above.

Once you have downloaded and installed the application from the Microsoft website, you are ready to capture.

You can select the interfaces that you want to listen to traffic on. I always like to keep this to a minimum at first to ensure that I do not get overwhelmed with all the traffic that is flowing through the machine. Later you can change this setting and add the other interfaces if you need to.

One of the great features of the product is the ability to track traffic and associate it to a running process, so that an admin can quickly identify the application that is talking on the machine and the type of traffic that is being sent, without having to trawl through tons of traffic blindly.


Figure 1:
The above depicts a skype conversation.

You can filter the traffic one conversation at a time. This can be seen in the Figure above by the conversation ID (ConvID) 468. Once expanded the frames contained in the conversation can be inspected. I like to think of these frames as sentences that have been said during conversation.

It is possible to colour code the traffic with filters, so that the source traffic is in one colour and the return traffic is another so that you can tell who said what.

You also have the capability to set NM3.4 to capture traffic in a VPN tunnel. This can be useful when troubleshooting VPNs.   

The great thing about this tool is the data is live, so as the data is captured you can see it being populated in the console. This data can be stored in a file and sent to someone else, if you need to share the output for analysis. You can also select a range of frames live. These selected frames can be stored and sent to the other party for analysis instead of sending them the whole capture. I found this to be very useful. You can be certain of the traffic the other party is inspecting, and they will not have to trawl through tons of frames to know what traffic you are referring to.

The data can be copied directly to excel, for analysis and graphing, the same applies to word, and tables can be created quickly for case detail. This makes the data manageable and easier to present.

Creating a basic colour filter

Creating filters can be simple. A quick filter to create is an association between a particular process and a colour. For example you may want to see all IE traffic in your real-time view as blue and your Firefox traffic as red. All you need to do is expand the process in the network conversations tree window on the left and drill to the traffic in the frame summary on the right, right click the frame (over the process column), click add “process name” as colour rule, set the colour and all traffic will appear blue for the IE process.


Figure 2: Remember to click on the process name column


Figure 3:
Select the colour to associate the IE process with, then click OK and OK again…


Figure 4:
In the real-time all traffic view you will see something like the above traffic flow.

This makes it much easier to identify traffic when the packets are flying in and out at speed, and helps in colour coding important traffic.

Command Line Utility

Path C:\Program Files\Microsoft Network Monitor 3>

This tool can be used in a command line utility and is called NMcap.exe, it is installed in the OS path. This mode is great for high performance capture and useful when scripting the tool and commands.

Simple commands like nmcap * /capture /file test_capture.cap will capture all the traffic from all interfaces and store the capture in a file called test_capture.cap in the path its run from. Filters can also be applied to this command so that only relevant traffic is captured.

The command line utility has many uses, for example you can use this at a customer site and send the command to customer to copy and paste so that they can send you the output for remote analysis. Any filter that is used in the UI can be used with the command line utility, remember the quotation marks.

When using this tool it’s a good idea to set the size of the capture, firstly to keep the files manageable and also to ensure that that the captures don’t fill up the entire disk.

One of the useful parameters is the terminationwhencommand, this allows the admin to script the termination of the capture after a time period or after a key press event.

To get a list of parameters type in Nmcap.exe /help

Parsers

Parsers are provided for all windows protocols and for most common public protocols. There are more parsers available and you can quickly create your own. These files have a .npl extension and can be created an complied natively with the tool.

Why we need to know?

With the emergence of cloud solutions and web based services, protocol stacks keep, consolidating into ports like 80 and 443 these ports are already open on firewalls and not much configuration needs to change to get these tunnelling solutions to work.

These ports are not as safe as they seem, as undesirable traffic can be encapsulated and hidden within protocols that can be taxing to manage.

A good example of this is port 443. This port is open outbound on most firewalls, unless you use an application layer firewall or proxy there is no real way to perform deep packet inspection. This means that network admins are unsure of what the packet payload will be. The potential for malware to exploit this fact is real. Already we are seeing more malware that is leaving this knowledge. Moreover some application developers and administrators know this and use port 443 un-encapsulated, meaning this is not true https or SSL but rather the protocol in its native state which may mean that it is unencrypted and sensitive data could be exposed.

Summary

In this article, we focused on an overview and the capabilities of Network Monitor 3.4. Look out for my next article that will take you deeper into the application where you will be shown some advanced configuration of the tool and how you can use this tool to help you identify issues and potential problems on your network.

For more detailed information visit: http://blogs.technet.com/b/netmon/p/learn.aspx

If you would like to be notified of when Ricky M. Magalhaes releases the next part in this article series please sign up to our WindowSecurity.com Real Time Aritcle Update newsletter.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top