Netmon versus Message Analyzer. Netmon is a well-known tool used by IT people to troubleshoot problems daily.

Netmon captures network frames; a frame contains a header and a payload.

TCP basics:

TCP session establishment:

clt: TCP SYN –> srv    then    srv: SYN-ACK –> clt    then    clt: ACK –> srv

Graceful closure:

clt: FIN –> srv       then       srv: FIN-ACK –> clt

srv: FIN –> clt       then       clt: FIN-ACK –> srv

Forced closure (abrupt teardown):

clt: TCP RESET –> srv       then       srv: TCP RESET –> clt

The TCP window concept (TCP RWIN): the client tells the server how much data it can send/receive. There are BUFFERS at the application level, at the network-card level and in the TCP protocol. Roughly speaking, the packets are cut into blocks and stored first in the application buffer, then in the TCP buffer. There is a TCP Send Buffer and a TCP Receive Buffer.

The TCP protocol computes the RWIN size. Since Windows Vista, the TCP buffer size can be adjusted (window scaling) by multiplying the 65535 buffer; this can be modified using NETSH!

The latest Netmon version is 3.4. At Microsoft, the successor to Netmon is Message Analyzer.

Netmon 3.4 download: http://www.microsoft.com/en-us/download/details.aspx?id=4865

Message Analyzer download: http://www.microsoft.com/en-us/download/details.aspx?id=40308

For Netmon, there are add-ins, downloadable at http://nmexperts.codeplex.com/

NMDECRYPT : http://nmdecrypt.codeplex.com/

TCP Analyzer : http://research.microsoft.com/en-us/projects/tcpanalyzer/

TOP USERS : http://nmtopusers.codeplex.com/

TOP PROTOCOLS : http://nmtopprotocols.codeplex.com/

NMSimpleSearch : http://archive.msdn.microsoft.com/NmSimpleSearch

Visual Round Trip Analyzer : http://www.microsoft.com/en-us/download/details.aspx?id=21462

Back to Netmon.

Netmon uses a capture driver called nmcap.

By default Netmon uses “Parser profile = Default”; if you want more details about application protocols, switch to “Parser profile = Windows”.

Use “color rules”

Add columns: “Time offset”, “Destination port”, “Source port”

Use “filters”:

Addresses and ports:
IPv4.Address == 10.0.0.1
IPv4.SourceAddress == 10.0.0.1
IPv4.DestinationAddress == 10.0.0.150
TCP.PORT == 3389
IPv4.address == 192.168.1.25 AND Tcp.port != 3389          ; in plain terms: show me the traffic where IP 192.168.1.25 appears but not TCP port 3389 (noise due to RDP)

To find text:
ContainsBin(FrameData, ASCII, "SavillText")

Analyzing SMB or SMB2: http://www.snia.org/sites/default/files2/sdc_archives/2009_presentations/wednesday/PaulLong_TShootSMBwithNM3-rev.pdf

Exclusions:
! (RDP)
! (ipv4.address == 10.0.0.1)
! (tcp.port == 3389)

Operators:
AND
OR

“IntelliSense” (type the protocol name and a dot to get the property list):
TCP. (…)

TCP.Property.tcpRetransmits == 1
TCP.Flags.SYN == 1
TCP.Flags.RESET == 1

Right-click: “Add to Display Filter”

Protocol filters:
SMB, SMB2, RDP, DCOM, MSRPC, KerberosV5, Ldap, DNS, DFSR, DFS

Response time:

In order to filter on the difference in time, you can use FrameVariable.TimeDelta property. This value represents the time from the last physical frame in the trace. One side effect of this is that you can’t filter the time delta that results between two filtered frames or two frames in a specific conversation. Leading to perhaps more confusion, the time delta column you see is updated based on the filtered information.

The following filter will find any frame with a time delta greater than 1 second: FrameVariable.TimeDelta > 10000000

http://blogs.technet.com/b/netmon/archive/2010/02/24/measuring-response-times.aspx
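As an added example (not code from the original post or from the Netmon blog), the following Python models the side effect described above: TimeDelta is measured from the previous physical frame, so a slow reply can fall under the 1 s threshold when an unrelated frame lands in between, while a delta computed per conversation catches it. Times are in 100 ns ticks, the unit implied by the page's filter value 10000000 for one second; the frames, addresses and ports are constructed.

```python
from collections import namedtuple

# Netmon timestamps are 100 ns ticks, so "FrameVariable.TimeDelta > 10000000" means more than 1 s.
TICKS_PER_SECOND = 10_000_000

# number, capture time in ticks since trace start, and the TCP endpoints (all constructed values)
Frame = namedtuple("Frame", "number time src sport dst dport")


def conversation_key(f):
    # Unordered endpoint pair, so both directions of a TCP session share one key.
    return frozenset({(f.src, f.sport), (f.dst, f.dport)})


def physical_time_delta(frames):
    """Mimic FrameVariable.TimeDelta: gap since the previous physical frame in the trace."""
    deltas, prev = {}, None
    for f in frames:
        deltas[f.number] = 0 if prev is None else f.time - prev.time
        prev = f
    return deltas


def conversation_time_delta(frames):
    """Gap since the previous frame of the same conversation, which is what a response-time check needs."""
    deltas, last = {}, {}
    for f in frames:
        k = conversation_key(f)
        deltas[f.number] = f.time - last[k] if k in last else 0
        last[k] = f.time
    return deltas


def frames_over(deltas, threshold_ticks):
    """Frame numbers whose delta exceeds the threshold, like a 'TimeDelta > N' display filter."""
    return sorted(n for n, d in deltas.items() if d > threshold_ticks)


# Constructed trace: the SMB reply (frame 3) arrives 1.5 s after its request (frame 1),
# but an unrelated RDP frame (frame 2) lands in between, only 0.2 s before the reply.
TRACE = [
    Frame(1, 0, "10.0.0.1", 50000, "10.0.0.150", 445),
    Frame(2, 13_000_000, "192.168.1.25", 50001, "10.0.0.150", 3389),
    Frame(3, 15_000_000, "10.0.0.150", 445, "10.0.0.1", 50000),
]

if __name__ == "__main__":
    # TimeDelta flags the RDP noise frame (2) and misses the slow reply (3); the per-conversation delta finds it.
    print("TimeDelta > 1 s:", frames_over(physical_time_delta(TRACE), TICKS_PER_SECOND))
    print("conversation delta > 1 s:", frames_over(conversation_time_delta(TRACE), TICKS_PER_SECOND))
```

Running it shows the physical filter flagging frame 2 and the per-conversation delta flagging frame 3, which is why a TimeDelta filter on an unfiltered trace cannot be read as a response time.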