Troubleshooting the TMG Firewall with Network Monitor (Part 2)

If you would like to be notified of when Deb Shinder releases the next part in this article series please sign up to our ISAserver.org Real Time Article newsletter.

If you would like to read the first part in this article series please go to Troubleshooting the TMG Firewall with Network Monitor (Part 1).

Introduction

Experience is probably the number one key to success when reading Network Monitor captures. You can study Network Monitor until you know it, in theory, inside and out, but without hands-on experience it is still going to be hard to find the information you need. Of course, this is true for just about everything you learn, so Network Monitor isn't much different. You're on the first step of a long journey, but it is well worth the investment of time and effort.

In addition to understanding how Network Monitor works, you also need a good understanding of the protocols you're interested in monitoring. Network Monitor will pick up the information you want, but if you don't know what to look for, that information won't help you much. There are a number of good books on TCP/IP and application protocols. There are also some good training resources that explain how to read network captures in general. For example, Laura Chappell runs Wireshark University at http://www.wiresharktraining.com/, which has a good reputation. While her training focuses on Wireshark, the same principles apply to Network Monitor.

The capture process

If you've never used Network Monitor before, or if it's been a while and you don't remember all the ins and outs, there are a few things you need to know about the capture process in order to get started:

  • Network Monitor captures network traffic in units called frames. A frame is the layer 2 unit; in most cases it carries an Internet Protocol packet, which is a layer 3 entity.
  • A frame contains data representing one or more protocols, nested one inside the other (for example Ethernet, then IPv4, then UDP, then DNS).
  • Each protocol in a frame is interpreted by a protocol “parser.”
  • Parsers can call other parsers, so the relationships between the protocols in a frame can be determined.

When you run a network capture session, Network Monitor moves network information through its parser engine and then calls related protocol parsers as each protocol in the capture is identified. The result of this action is then displayed to you in the Frame Summary pane of the Network Monitor application window as shown in the figure below.

Image
Figure 1

The left pane of the Network Monitor console (the Network Conversations pane) shows a summary of the network traffic, grouped into the conversations identified by the Network Monitor parsers. Network Monitor's default settings limit the display to the lowest layer protocol. However, in the figure above the application process name and process ID are displayed because I enabled these options.

Each conversation is assigned a unique number, its ConvID, to help you filter the capture so that only the traffic you are interested in is displayed. You can see the number just to the right of the protocol session (or “conversation”). For example, in the figure below you can see ConvID = 4 under IEXPLORE.EXE.

You can click the plus sign to expand the protocol conversation to display the lower-level protocols, each of which can be expanded if it contains a higher-layer protocol. If you select one of the conversations in the left pane, the Frame Summary pane is updated to show only those packets that are related to that protocol and conversation. Figure 2 illustrates this relationship for one of the conversations.

Image
Figure 2

Network Monitor organizes the conversation list in the left pane of the console so that the relationship between applications and the protocols those applications use is easy to see. Keep in mind that conversation identifiers are assigned as each parser tells the parser engine to create a conversation. Because higher-layer parsers are called by lower-layer parsers, and every parser draws from the same counter, the conversation number represents the total number of conversations Network Monitor has identified up to that point in the capture, not the conversation count for a particular protocol. In other words, HTTP conversation 10 is the tenth conversation Network Monitor was instructed to build, not the tenth HTTP conversation it identified, as seen in the figure above.
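As an added example (written for this edit, not code from the article or from Network Monitor itself), the following Python script mimics the parser chain described in the capture-process section above and the conversation numbering described here: each parser decodes its own header, asks the engine for a conversation ID, and hands its payload to the next parser. The three frames are constructed inside the script rather than taken from a capture, and the conversation keys (endpoint pairs for Ethernet, IPv4, UDP, TCP and HTTP, the transaction ID for DNS) are my assumption about how to group frames, not Network Monitor's actual rules. Running it shows the point made above: the DNS query and reply share ConvID 4, and the HTTP request gets ConvID 7 because six conversations of other protocols were created before it.

```python
# Added example, not Network Monitor's code: a toy parser chain. Each parser
# decodes its header, asks the engine for a ConvID, then calls the next parser.
# One global counter issues every ConvID, so "HTTP conversation N" is the Nth
# conversation of any protocol, not the Nth HTTP conversation.
import struct

class Engine:
    """Hands out conversation IDs from a single counter, like NetMon's engine."""
    def __init__(self):
        self.next_id = 1
        self.ids = {}

    def conv(self, key):
        """Return the ConvID for key, allocating a new global ID on first sight."""
        if key not in self.ids:
            self.ids[key] = self.next_id
            self.next_id += 1
        return self.ids[key]

def parse_frame(engine, raw):
    """Return [(protocol, fields, ConvID), ...] from the lowest layer upward."""
    layers = []
    parse_ethernet(engine, raw, layers)
    return layers

def parse_ethernet(engine, d, layers):
    dst, src, etype = d[:6], d[6:12], struct.unpack("!H", d[12:14])[0]
    layers.append(("Ethernet", {"Type": hex(etype)},
                   engine.conv(("Ethernet", frozenset((src, dst))))))
    if etype == 0x0800:                                   # next parser: IPv4
        parse_ipv4(engine, d[14:], layers)

def parse_ipv4(engine, d, layers):
    ihl, proto = (d[0] & 0x0F) * 4, d[9]
    src, dst = ".".join(map(str, d[12:16])), ".".join(map(str, d[16:20]))
    layers.append(("IPv4", {"Src": src, "Dst": dst, "Proto": proto},
                   engine.conv(("IPv4", frozenset((src, dst))))))
    if proto == 17:                                       # next parser: UDP
        parse_udp(engine, d[ihl:], layers, src, dst)
    elif proto == 6:                                      # next parser: TCP
        parse_tcp(engine, d[ihl:], layers, src, dst)

def parse_udp(engine, d, layers, src, dst):
    sport, dport = struct.unpack("!HH", d[:4])
    ends = frozenset(((src, sport), (dst, dport)))
    layers.append(("UDP", {"SrcPort": sport, "DstPort": dport}, engine.conv(("UDP", ends))))
    if 53 in (sport, dport):                              # next parser: DNS
        parse_dns(engine, d[8:], layers)

def parse_tcp(engine, d, layers, src, dst):
    sport, dport = struct.unpack("!HH", d[:4])
    doff = (d[12] >> 4) * 4                               # header length
    ends = frozenset(((src, sport), (dst, dport)))
    layers.append(("TCP", {"SrcPort": sport, "DstPort": dport}, engine.conv(("TCP", ends))))
    if 80 in (sport, dport) and len(d) > doff:            # next parser: HTTP
        parse_http(engine, d[doff:], layers, ends)

def parse_dns(engine, d, layers):
    qid, flags = struct.unpack("!HH", d[:4])
    labels, pos = [], 12                                  # first question name
    while d[pos]:
        labels.append(d[pos + 1:pos + 1 + d[pos]].decode())
        pos += 1 + d[pos]
    fields = {"QueryId": qid, "Response": bool(flags & 0x8000),
              "QuestionName": ".".join(labels)}
    # Assumption: query and reply are one conversation, keyed on the ID.
    layers.append(("DNS", fields, engine.conv(("DNS", qid))))

def parse_http(engine, d, layers, ends):
    line = d.split(b"\r\n", 1)[0].decode(errors="replace")
    layers.append(("HTTP", {"StartLine": line}, engine.conv(("HTTP", ends))))

# ---- constructed sample frames (not from a real capture) ----
def ip(a): return bytes(map(int, a.split(".")))
def eth_ipv4(src, dst, proto, l4):   # fixed MAC pair, IP checksum left as 0
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, ip(src), ip(dst))
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ipv4 + l4
def udp(sp, dp, payload): return struct.pack("!HHHH", sp, dp, 8 + len(payload), 0) + payload
def tcp(sp, dp, payload): return struct.pack("!HHIIBBHHH", sp, dp, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
def dns(qid, flags, name):           # header plus one question, no answers
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)

SAMPLE = [
    eth_ipv4("10.0.0.5", "10.0.0.1", 17, udp(51000, 53, dns(0x1234, 0x0100, "www.example.com"))),
    eth_ipv4("10.0.0.1", "10.0.0.5", 17, udp(53, 51000, dns(0x1234, 0x8180, "www.example.com"))),
    eth_ipv4("10.0.0.5", "93.184.216.34", 6, tcp(52000, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")),
]

def summarize(frames):
    """Top-level protocol and ConvID per frame, as the Frame Summary shows them."""
    engine = Engine()
    return [(layers[-1][0], layers[-1][2]) for layers in (parse_frame(engine, f) for f in frames)]

if __name__ == "__main__":
    for proto, cid in summarize(SAMPLE):
        print(proto, "ConvID =", cid)
```

Note that the reply frame reuses the Ethernet, IPv4 and UDP conversations created by the query because the endpoint pairs are stored as unordered sets; a real parser engine also has to decide direction-insensitivity per protocol, which is one reason conversation numbers never line up with a per-protocol count.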

In most cases, you’ll want to filter the data surfaced by Network Monitor so that it only shows the information you want. If you already know what you want to see, such as a specific protocol, or a specific source and destination IP address, that makes things a lot easier. However, if you’re troubleshooting an obscure problem, it gets a bit more difficult, since you’re not sure what is causing the problem. This is where experience is important. As you gain experience, you’ll have a good idea of what looks like normal traffic, what looks like abnormal traffic, and what looks like traffic you’ve never seen before – which could be normal or abnormal.

Getting started with NetMon

Let’s take a look at some basic things you can do with Network Monitor. First, open Network Monitor and it will take you to the Start Page tab, as seen in the figure below. Notice the Select Networks section in the lower left portion of the console. Make sure to put a checkmark in the checkbox next to the NIC from which you want to capture information. In this example, you can see that I’ve put a checkmark in the Local Area Connection checkbox. On a TMG firewall, you’ll likely want to look at information from multiple NICs, so you’d put a checkmark next to each of the NICs.

Image
Figure 3

We want to create a new capture, so click the New Capture button. When you click the New Capture button, you’ll see something like the figure below. The left pane shows the network sessions or conversations that are being held by processes running on the computer. The Display Filter section allows you to filter the contents of the capture, and we’ll see how you can do this after we run the capture.

In the Frame Summary section, you have the following controls:

  • Find – you can use this to find specific strings in the capture.
  • Next Frame/Previous Frame – you can use the up and down arrows to go to the next and previous frames.
  • Autoscroll – you can use the autoscroll button to automatically scroll the contents of the capture so that you can see the frames moving through the list in real time. On a TMG firewall this isn’t of much use because there is so much traffic, but if you’re in a test lab, and you’re checking out communications between virtual machines, you might find this option useful.
  • Color Rules – you can assign different colors to frames or protocols of interest.
  • Aliases – you can assign aliases to IP addresses to make identifying servers easier in the capture results.
  • Columns – you can choose which columns will appear in the Frame Summary section. There are default columns selected by the Network Monitor team, but there are many more for you to choose from.

In this example, we'll turn on the Autoscroll feature because it's fun to watch the frames move through in real time. Now click the Start button to run the capture and let it run for about 5 minutes. Open your browser and go to some web sites. Open other network-enabled applications on your machine. Try to generate as much variety in the traffic as you can so that you can see a nice mix of network traffic. Keep in mind that on a busy production TMG firewall even five minutes of unfiltered capture across all NICs produces a very large file; if you already know what you are looking for, set a Capture Filter (the tab next to Display Filter) before you start so that only the frames of interest are stored.

Image
Figure 4

After the 5 minutes are over, click the Stop button. At the end of the capture, you’ll see that you have a lot of frames. If you look at the bottom of the console, you’ll see the number of frames that were captured, as seen in the figure below.

Image
Figure 5

Suppose you're interested in all DNS frames because you suspect that you're having a problem with name resolution in your environment. You can filter the capture to show only DNS-related frames by entering DNS in the Display Filter section and then clicking Apply. A bare protocol name matches every frame in which that protocol appears. You'll get something that looks like the figure below.

Image
Figure 6

Details and filtering

When you click on a frame, you can see the details of the specific frame in the Frame Details section and the raw bytes of the frame in the Hex Details section. In the Frame Details section, you can click the plus sign to see more detail for each protocol included in the frame, starting with the lowest-level protocol (Ethernet) and working up to the highest-level protocol, which in this case is DNS. If you're learning about the details of protocols, this is a great way to get started: walk through each protocol in the “stack” and look at the fields the parser returns for it. Then you can look up each protocol in a web search to learn more about what those fields mean.

Suppose you're interested in two different protocols, say DNS and HTTP. You can enter both of them into the Display Filter: type DNS or HTTP (Network Monitor's filter language also accepts the DNS || HTTP form) in the Display Filter pane and then click Apply. Now you'll see every frame that has either DNS or HTTP anywhere in its protocol stack.
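To make the filter semantics concrete, here is an added Python example (not Network Monitor's filter engine and not from the article) that evaluates expressions of the same shape over a handful of constructed frame summaries. A bare protocol name matches any frame with that protocol in its stack; or, and and not (also ||, && and !) combine terms; parentheses group; and Field == value tests a field which, for IPv4.Address and the port properties, holds both ends of the conversation so that either direction matches. The frame data and the property names are constructed for the example and only approximate Network Monitor's own property names.

```python
# Added example, not NetMon's filter engine: a small evaluator for Display
# Filter style expressions over constructed frame summaries.
import re

# Constructed frame summaries (not from a real capture): the protocol stack plus
# a few fields a filter might test. Address and port fields hold both ends.
FRAMES = [
    {"stack": ["Ethernet", "IPv4", "UDP", "DNS"],
     "fields": {"IPv4.Address": {"10.0.0.5", "10.0.0.1"}, "UDP.Port": {51000, 53}}},
    {"stack": ["Ethernet", "IPv4", "TCP", "HTTP"],
     "fields": {"IPv4.Address": {"10.0.0.5", "93.184.216.34"}, "TCP.Port": {52000, 80}}},
    {"stack": ["Ethernet", "ARP"], "fields": {}},
    {"stack": ["Ethernet", "IPv4", "TCP"],
     "fields": {"IPv4.Address": {"10.0.0.5", "10.0.0.9"}, "TCP.Port": {52001, 443}}},
]

# Tokens: parentheses, == / !=, || / && / !, quoted strings, names such as
# IPv4.Address, and numbers or dotted numbers such as 443 or 10.0.0.5.
TOKEN = re.compile(r'\s*(\(|\)|==|!=|\|\||&&|!|"[^"]*"|[A-Za-z_][\w.]*|\d+(?:\.\d+)*)')

def tokenize(expr):
    expr = expr.strip()
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad filter near %r" % expr[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class Filter:
    """Recursive-descent evaluator: or_expr -> and_expr -> not_expr -> term."""
    def __init__(self, expr):
        self.t = tokenize(expr)
        self.i = 0

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None

    def take(self):
        tok = self.t[self.i]
        self.i += 1
        return tok

    def matches(self, frame):
        self.i = 0
        result = self.or_expr(frame)
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return result

    def or_expr(self, f):
        v = self.and_expr(f)
        while self.peek() and self.peek().lower() in ("or", "||"):
            self.take()
            v = self.and_expr(f) or v        # always consume the right side
        return v

    def and_expr(self, f):
        v = self.not_expr(f)
        while self.peek() and self.peek().lower() in ("and", "&&"):
            self.take()
            v = self.not_expr(f) and v
        return v

    def not_expr(self, f):
        if self.peek() and self.peek().lower() in ("not", "!"):
            self.take()
            return not self.not_expr(f)
        return self.term(f)

    def term(self, f):
        tok = self.take()
        if tok == "(":
            v = self.or_expr(f)
            if self.take() != ")":
                raise ValueError("missing )")
            return v
        if self.peek() in ("==", "!="):      # Field == value / Field != value
            op, raw = self.take(), self.take()
            value = int(raw) if raw.isdigit() else raw.strip('"')
            hit = value in f["fields"].get(tok, set())
            return hit if op == "==" else not hit
        # bare protocol name: matches if it appears anywhere in the stack
        return tok.lower() in (p.lower() for p in f["stack"])

def apply_filter(expr, frames=FRAMES):
    """Return the indices of the frames the Display Filter expression keeps."""
    flt = Filter(expr)
    return [i for i, fr in enumerate(frames) if flt.matches(fr)]

if __name__ == "__main__":
    for expr in ("DNS", "DNS or HTTP", "TCP && !HTTP", "IPv4.Address == 10.0.0.1"):
        print("%-28s -> frames %s" % (expr, apply_filter(expr)))
```

Try DNS, DNS or HTTP and TCP && !HTTP against the sample frames: the last one keeps only the TCP frame that carries no HTTP, which is the kind of "everything except what I already understand" filter that is most useful when chasing an obscure problem.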

There are a number of filters that the Network Monitor team has provided for you that you can use right out of the box. If you click the Load Filter down arrow, you’ll see a list of the filters that you can use “as is” or with some slight modification. There are comments included with each of the filters so that you will know which information you’ll need to add to the filter to get the information you want. Try out each of them to get familiar with the Network Monitor syntax. I’ve found this to be the fastest way to figure out how to create my own filters.

I also suggest that you read the helpful information that is included in the How Do I list, which you will see in the upper right of the Network Monitor console. This help text is very good and it will get you where you want to go faster.

Summary

Network Monitor is a powerful and flexible network analysis tool that you can download from Microsoft at no cost. In this second part of the three-part series, we went over the basics of Network Monitor so that you can get started with the tool. You can use the sample filters to get started and read the How Do I text to get up and running as quickly as possible. You'll find that in a very short time you'll get very good with the tool and will want to learn more. In Part 3, we will wrap up this article series by showing you some examples of how to apply what you've learned to TMG troubleshooting. –Deb.
