Tag Archive: netmon


Topic #1: What is the purpose of this tool as opposed to other tools available?

This certainly should be the first question. This tool focuses on delivering an easy-to-understand way of obtaining network captures on remote machines using PowerShell and PowerShell Remoting.

I often encounter scenarios where using an application such as Message Analyzer, Netmon, or Wireshark to take network captures is not an option. Much of the time this is due to security restrictions that make it very difficult to get approval to run these tools on the network. Alternatively, the issue may be with an end-user workstation that is located thousands of miles away, where installing a network capture utility on that endpoint makes ZERO sense, much less trying to walk the end user through using it. Now, before we go too much further: both Message Analyzer and Wireshark can help on these fronts, so if they are available to you I'd recommend looking into them, but of course only after you've read my entire post.
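As an added example (this is not the tool the post describes and not code from the original page), here is the same idea done with what every supported Windows version already ships: a PowerShell Remoting session that starts the built-in netsh trace on the remote host, stops it after a fixed time, copies the .etl back over the same session and deletes it from the endpoint, so nothing has to be installed on the workstation. It assumes WinRM is enabled on the target, the caller is an administrator there, PowerShell 5.0 or later on the management workstation (for Copy-Item -FromSession); the host name, paths and duration are placeholders.

```powershell
# Added example: remote packet capture over PowerShell Remoting using netsh trace.
# Assumptions: WinRM enabled on the target, caller is a local admin there,
# PowerShell 5.0+ locally. Host names and paths below are placeholders.

function Start-RemoteNetshTrace {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$TraceFile = 'C:\Temp\capture.etl',
        [int]$MaxSizeMB = 250,
        [int]$DurationSeconds = 60,
        [string]$LocalFolder = (Join-Path $env:TEMP 'captures')
    )

    $session = New-PSSession -ComputerName $ComputerName

    try {
        # Start the trace. capture=yes turns on packet capture (not only ETW events);
        # maxsize caps the file and overwrite=yes replaces a stale file from a previous run.
        Invoke-Command -Session $session -ScriptBlock {
            param($File, $Size)
            New-Item -ItemType Directory -Path (Split-Path $File) -Force | Out-Null
            netsh trace start capture=yes "tracefile=$File" "maxsize=$Size" overwrite=yes
        } -ArgumentList $TraceFile, $MaxSizeMB

        Write-Host "Tracing on $ComputerName for $DurationSeconds s; reproduce the issue now."
        Start-Sleep -Seconds $DurationSeconds

        # Stop the trace; netsh also writes a .cab with system information next to the .etl.
        Invoke-Command -Session $session -ScriptBlock { netsh trace stop }

        # Pull the .etl back over the remoting session itself (no SMB share required).
        New-Item -ItemType Directory -Path $LocalFolder -Force | Out-Null
        $dest = Join-Path $LocalFolder ("{0}-{1:yyyyMMdd-HHmmss}.etl" -f $ComputerName, (Get-Date))
        Copy-Item -FromSession $session -Path $TraceFile -Destination $dest

        # A capture can contain credentials and other secrets: do not leave it on the endpoint.
        Invoke-Command -Session $session -ScriptBlock {
            param($File)
            Remove-Item $File -ErrorAction SilentlyContinue
            Remove-Item ([System.IO.Path]::ChangeExtension($File, '.cab')) -ErrorAction SilentlyContinue
        } -ArgumentList $TraceFile

        return $dest
    }
    finally {
        Remove-PSSession $session
    }
}

# Usage (placeholder host): the returned .etl opens directly in Message Analyzer.
# Start-RemoteNetshTrace -ComputerName 'WKS-01' -DurationSeconds 120
```

Treat the copied .etl as sensitive data on your own workstation as well: it holds whatever the endpoint sent in clear text during the run.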

Topic #2: Where can I get this tool?





When installing the Netmon service on a Windows 7 PC you receive the error:
“filters currently installed on the system have reached the limit”

Windows 7 has a default limit of 8 network filter drivers. You can manually raise this limit to 14:

To resolve this problem, you need to adjust the MaxNumFilters value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\
  3. In the right pane, right-click MaxNumFilters, and then click Modify.
  4. Change the value to “14”, click to select the Decimal option, and then click OK.
  5. Close the Registry Editor.

If this value is already set to 14 (the maximum), you need to uninstall some of the other network filter drivers instead.

No reboot required.
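As an added example (not from the original post), the same change done from an elevated PowerShell prompt on the affected Windows 7 machine: it reads MaxNumFilters, treats a missing value as the default of 8, raises it to 14 when it is lower, and refuses any target above 14, since that is the maximum Microsoft documents for Windows 7 and the only remedy beyond it is to remove filter drivers.

```powershell
# Added example: raise MaxNumFilters from PowerShell with a guard at the
# documented maximum. Assumes an elevated prompt on the Windows 7 machine.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network'
$name = 'MaxNumFilters'
$cap  = 14   # documented maximum on Windows 7; higher values do not buy more slots

function Set-MaxNumFilters {
    param([int]$Target = $cap)

    if ($Target -gt $cap) {
        throw "MaxNumFilters cannot exceed $cap on Windows 7; uninstall unused network filter drivers instead."
    }

    # Read the current value; if the value is absent the OS default of 8 applies.
    $existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current  = if ($null -eq $existing) { 8 } else { $existing.$name }

    if ($current -ge $Target) {
        Write-Host "MaxNumFilters is already $current (cap $cap); nothing changed."
        return $current
    }

    # Write a REG_DWORD; the "Decimal" radio button in regedit is only a display choice.
    if ($null -eq $existing) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Target | Out-Null
    } else {
        Set-ItemProperty -Path $key -Name $name -Value $Target
    }
    Write-Host "MaxNumFilters raised from $current to $Target."
    return $Target
}

Set-MaxNumFilters
```

If the function reports that the value is already at the cap, look at the bound items in the adapter's Properties dialog: third-party firewall, VPN and packet-capture drivers are the usual consumers of the slots, and removing one of them is what frees a slot for Netmon.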

Basic network capture methods: https://blogs.technet.microsoft.com/askpfeplat/2016/12/27/basic-network-capture-methods/

Message analyzer operating guide: http://technet.microsoft.com/en-us/library/jj649776.aspx

As you might guess from the name, Message Analyzer is much more than a network sniffer or packet tracing tool. Key capabilities include:

  • Integrated “live” event and message capture at various system levels and endpoints (client and server, remotely!)
  • Parsing and validation of protocol messages and sequences
  • Automatic parsing of event messages described by ETW manifests
  • Summarized grid display – top level is “operations” (requests matched with responses)
  • User-controlled “on the fly” grouping by message attributes
  • Ability to browse for logs of different types (.cap, .etl, .txt) and import them together
  • Automatic re-assembly and ability to render payloads
  • Ability to import text logs, parsing them into key element/value pairs
  • Support for “Trace Scenarios” (one or more message providers, filters, and views)

Netmon versus Message Analyzer. Netmon is a well-known tool that IT people use daily to troubleshoot problems.

Netmon captures network frames; each frame consists of a header and a payload.

TCP basics:

TCP session establishment (three-way handshake):

clt: SYN –> srv    then    srv: SYN-ACK –> clt    then    clt: ACK –> srv

Graceful closure (each side closes its half of the connection):

clt: FIN –> srv       then       srv: ACK –> clt

srv: FIN –> clt       then       clt: ACK –> srv

(In a trace, the ACK of the peer's FIN and a side's own FIN are often carried in one FIN-ACK segment, which is why the exchange usually looks like two FIN / FIN-ACK pairs.)

Forced closure (abortive close):

clt: RST –> srv

A reset is not acknowledged and the peer does not answer it with a reset of its own: the side that sends the RST simply tears the connection down, and anything still in flight is lost. Either side can send it.

TCP window (TCP RWIN): each side tells the other how much data it is able to receive (its receive window). There are buffers at the application level, in the network card and in the TCP stack. Roughly speaking, the data is cut into segments and stored first in the application's buffer, then in the TCP buffer. TCP has a Send Buffer and a Receive Buffer.

The TCP stack computes the RWIN size. Since Windows Vista the receive window is tuned automatically: with window scaling (RFC 1323) the 16-bit window field, whose maximum is 65535 bytes, is multiplied by a scale factor, and this auto-tuning can be adjusted with netsh (the autotuninglevel setting in the interface tcp context).

The latest Netmon version is 3.4. At Microsoft, the successor to Netmon is Message Analyzer.

Netmon 3.4 download: http://www.microsoft.com/en-us/download/details.aspx?id=4865

Message Analyzer download: http://www.microsoft.com/en-us/download/details.aspx?id=40308

For Netmon there are add-ins (“Experts”), downloadable at http://nmexperts.codeplex.com/

NMDECRYPT : http://nmdecrypt.codeplex.com/

TCP Analyzer : http://research.microsoft.com/en-us/projects/tcpanalyzer/

TOP USERS : http://nmtopusers.codeplex.com/

TOP PROTOCOLS : http://nmtopprotocols.codeplex.com/

NMSimpleSearch : http://archive.msdn.microsoft.com/NmSimpleSearch

Visual Round Trip Analyzer : http://www.microsoft.com/en-us/download/details.aspx?id=21462

Back to Netmon:

Netmon installs a capture driver (the Microsoft Network Monitor 3 driver) and also ships a command-line capture tool, NMCap (NMCap.exe).

By default Netmon uses “Parser profile = Default”; if you want more detail on application protocols, switch to “Parser profile = Windows”.

Use “color rules”.

Add columns: “Time offset”, “Destination port”, “Source port”.

Use “filters”:

Addresses and ports:
IPv4.Address ==
IPv4.SourceAddress ==
IPv4.DestinationAddress ==
TCP.PORT == 3389
IPv4.address == AND Tcp.port != 3389          ; in plain terms: show me the traffic where this IP appears but not TCP 3389 (noise from RDP)

To find text:
ContainsBin(FrameData, ASCII, “SavillText”)

Analyzing SMB or SMB2: http://www.snia.org/sites/default/files2/sdc_archives/2009_presentations/wednesday/PaulLong_TShootSMBwithNM3-rev.pdf

Exclusions :
! (RDP)
! (ipv4.address ==
! (tcp.port == 3389)

Operators:

“Intellisense”:
TCP. (…)

TCP.Property.tcpRetransmits == 1
TCP.Flags.SYN == 1
TCP.Flags.RESET == 1

Right click : “Add to Display Filter”

Protocol filters:

Response time:

To filter on the time difference between frames, use the FrameVariable.TimeDelta property. This value is the time since the previous physical frame in the trace, so it cannot express the delta between two filtered frames or between two frames of one conversation. Adding to the confusion, the Time Delta column you see is recalculated from the filtered view.

The value is in 100-nanosecond units, so the following filter finds any frame with a time delta greater than 1 second: FrameVariable.TimeDelta > 10000000
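As an added example (not from the original post), the filter language above is also what NMCap.exe, Netmon 3.4's command-line capture tool, accepts as a capture filter. The block below builds a filter that keeps one host's traffic and drops the RDP (and, if you drive the box over PowerShell Remoting, WinRM) noise at capture time, then runs NMCap with a size limit and an automatic stop so an unattended capture cannot fill the disk. It assumes Netmon 3.4 in its default folder and an elevated prompt; the IP address, output path and duration are placeholders, and the NMCap switch forms are quoted from memory of its /help output.

```powershell
# Added example: capture with NMCap.exe using a Netmon-syntax capture filter.
# Assumes Netmon 3.4 installed in the default folder and an elevated prompt.

$nmcap = 'C:\Program Files\Microsoft Network Monitor 3\NMCap.exe'
if (-not (Test-Path $nmcap)) { throw "NMCap.exe not found at $nmcap" }

function New-NetmonFilter {
    # Builds a filter that keeps frames involving $Address and drops the listed TCP ports.
    # The result is valid both as an NMCap /capture filter and as a Netmon display filter.
    param(
        [Parameter(Mandatory)][string]$Address,
        [int[]]$ExcludePorts = @(3389)
    )
    $parts = @("IPv4.Address == $Address")
    foreach ($p in $ExcludePorts) { $parts += "!(Tcp.Port == $p)" }
    return ($parts -join ' AND ')
}

function Start-NmcapCapture {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string]$OutFile = 'C:\Temp\capture.chn',   # .chn: chained files, NMCap rolls to a new file at the size limit
        [int]$FileSizeMB = 100,
        [int]$Minutes = 5
    )
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    # /network *                 capture on all adapters (PowerShell passes * literally to native exes)
    # /capture "<filter>"        capture filter in Netmon filter syntax
    # /file <path>:<size>M       output file with a size limit
    # /stopwhen /timeafter N min stop on its own after N minutes
    & $nmcap /network * /capture $Filter /file "${OutFile}:${FileSizeMB}M" /stopwhen /timeafter $Minutes min
    return $OutFile
}

# 3389 = RDP session you are working in, 5985 = WinRM if the capture is driven remotely.
$filter = New-NetmonFilter -Address '10.0.0.5' -ExcludePorts 3389, 5985
# $filter is: IPv4.Address == 10.0.0.5 AND !(Tcp.Port == 3389) AND !(Tcp.Port == 5985)
Start-NmcapCapture -Filter $filter
```

Open the resulting .chn in Netmon and apply the display filters from this section (TCP.Flags.RESET == 1, FrameVariable.TimeDelta > 10000000, and so on) on top of the already-reduced capture; excluding your own management traffic at capture time is what keeps those display filters readable.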



A very brief summary of how the protocol works: there is an “endpoint mapper” that runs on TCP port 135. You can bind to that port on a remote computer anonymously and enumerate all the RPC services available on that computer. The services may be using named pipes or TCP/IP. Named pipes go over SMB, so they use TCP port 445. The services that use TCP are each dynamically allocated their own TCP port, drawn from a pool of port numbers. This pool is by default 1024-5000 on XP/2003 and below, and 49152-65535 on Vista/2008 and above (the ephemeral port range).

You can customize the port range that RPC will use if you wish, like so. The Rpc\Internet keys make RPC servers on the machine allocate their endpoints from the listed range (a reboot is needed before they take effect); the netsh commands change the operating system's dynamic port range to match. Note that num in netsh is a count of ports, not an end port, so the range 5200-10200 corresponds to num=5001:

reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v Ports /t REG_MULTI_SZ /f /d 5200-10200
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v PortsInternetAvailable /t REG_SZ /f /d Y
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v UseInternetPorts /t REG_SZ /f /d Y

netsh int ipv4 set dynamicport tcp start=5200 num=5001
netsh int ipv4 set dynamicport udp start=5200 num=5001
netsh int ipv6 set dynamicport tcp start=5200 num=5001
netsh int ipv6 set dynamicport udp start=5200 num=5001

I found this very interesting article about how to troubleshoot RPC communications:





rpcdump (from the support tools of an old Windows service pack)

test-server  ; powershell script here: https://gallery.technet.microsoft.com/scriptcenter/Powershell-Test-Server-e0cdea9a

test-rpc       ; powershell script here:

rpc-ping     ; powershell script here: http://www.zerrouki.com/rpc-ping/

portqry -n computer -e 135

Netmon 3.4
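As an added example (not from the original post) covering both the RPC port-range change above and the tool list just given: the first function generates the reg and netsh commands for an arbitrary range with the netsh count derived from the range (num is a number of ports, so 5200-10200 is num=5001), and runs them or only prints them; the second is a PowerShell stand-in for “portqry -n computer -e 135” using Test-NetConnection. It assumes an elevated prompt for the configuration part and PowerShell 4.0 or later (the NetTCPIP module) for Test-NetConnection; the host name is a placeholder.

```powershell
# Added example: RPC port-range configuration with the netsh count computed from
# the range, plus an endpoint-mapper reachability check. Assumes an elevated
# prompt and PowerShell 4.0+; host names are placeholders.

function Set-RpcPortRange {
    param(
        [Parameter(Mandatory)][int]$Start,
        [Parameter(Mandatory)][int]$End,
        [switch]$DryRun       # print the commands instead of running them
    )
    if ($Start -lt 1025 -or $End -gt 65535 -or $End -le $Start) { throw "Invalid range $Start-$End" }

    $count = $End - $Start + 1   # netsh dynamicport takes a count of ports, not an end port

    $cmds = @(
        "reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v Ports /t REG_MULTI_SZ /f /d $Start-$End",
        "reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v PortsInternetAvailable /t REG_SZ /f /d Y",
        "reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v UseInternetPorts /t REG_SZ /f /d Y"
    )
    foreach ($proto in 'ipv4', 'ipv6') {
        foreach ($transport in 'tcp', 'udp') {
            $cmds += "netsh int $proto set dynamicport $transport start=$Start num=$count"
        }
    }

    foreach ($c in $cmds) {
        if ($DryRun) { Write-Host "WOULD RUN: $c" } else { cmd /c $c }
    }
    return $cmds
}

function Test-RpcEndpointMapper {
    # Same question as "portqry -n <computer> -e 135": can we reach the endpoint mapper?
    # 445 is checked too, since RPC over named pipes rides on SMB.
    param([Parameter(Mandatory)][string]$ComputerName)
    $epm = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    $smb = Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Computer   = $ComputerName
        Epm135Open = $epm.TcpTestSucceeded
        Smb445Open = $smb.TcpTestSucceeded
    }
}

# Dry run first, so the generated commands can be reviewed before anything is changed.
Set-RpcPortRange -Start 5200 -End 10200 -DryRun | Out-Null

# Placeholder host name.
Test-RpcEndpointMapper -ComputerName 'DC01'
```

The dry run is worth keeping in the habit: the Rpc\Internet keys only take effect after a reboot, and a range narrower than the number of RPC endpoints a busy server needs will surface later as intermittent RPC failures, so review the generated range before applying it and open exactly that range plus 135 on the firewall.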