Network Monitor

EventCap Revisited Using NMAPI

You may remember a blog where we talked about automating a capture so that it stops when a particular event shows up in the Windows Event Log. (http://blogs.technet.com/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx). Now that we have the API for NM3.2, we are going to revisit this tool and rewrite it as an expert. Furthermore, the code for the tool is available as a project on http://www.CodePlex.com/NM3EventCap.

The Problem We Are Solving

Often you need to gather a trace, up until a certain event occurs in the event log. Back in the day, we had a tool called EventCap which allowed you to do this. But since it was based on Netmon2.x, it is limited to older OS’s. The NM3.2 API gives us access to the capture engine, so as long as you have NM3.2 installed, this program now gives you this capability in one executable!

Examples

The basic example is you supply a capture file and event number to wait for. In this case we’ll want to stop when PowerShell is run, which is event message 400. We’ll save the capture file to t1.cap.

    NM3EventCap t1.cap 400

The cool thing with the API is that you get access to all the various capturing formats for free. So you can do chained files and different size circular captures. It’s just a matter of exposing those in your code. So for instance to make this a chained capture with a 200 MB size, you would execute:

    NM3EventCap t1.cap 400 –b 200 –c

The Source Code

I’m not going to go into much detail here as you can look at the source code on http://www.codeplex.com/NM3EventCap/SourceControl/ListDownloadableCommits.aspx, but here the basics.

The CPrgExeState class reads the parameters, initializes the capture file and sets up the Network Monitor 3.2 engine. It opens the capture engine, initializes the capture file, and loads the NPL parser. This class also provides methods to start and stop the capture. Look at PrgExeState::InitCapture to see how to initialize the capture engine. CPrgExeState::StartCapture and CPrgExeState::StopCapture show you how to start and stop the capture engine. To understand how we created the capture file, look at CPrgExeState::CreateCap.

The rest of the code is to control the access to the event log error message (the CEventMonWbem class). This is out of scope of Network Monitor, but these interfaces are documented on MSDN if you want more information.

The CodePlex Connection

CodePlex will be the location where further examples are posted. At some point we’ll create a portal that will be used to centralize Network Monitor 3 API related projects. The goal is to create a set of useful tools for capturing and analyzing network traffic. So if there are networking folks out there with ideas that can be turned into simple experts and network tools please create a project and let us know.

Customizing the User Interface

Perhaps it’s already known, but I’m going to let the cat out of the bag. You can move your windows around and re-dock them in different places within the capture tab window. Our UI developer may flip out because he’s told me before this isn’t supported. He tells me there is a chance your layout may not be saved or you’ll end up in a state that you’ll have to reset. Also, if you upgrade, expect your window layout to also be reset. Just read that as a disclaimer and let’s mix things up in the UI.

Press Shift While Moving a Window

Shift is the key to making the window placement easy! [Dern puns] If you hold the shift key, and grab onto a window title, you will see a shaded area that previews how the window will dock. You can dock as a TAB when the shaded area fills the entire window area. Or you can split the window up/down or side to side. If you release the Shift button while dragging, and then release the window, the result is a floating window. This might be useful, except it’s limited to the confines of the parent capture tab. For me, docking is the way to go.

Recovering From “Disaster”

If you make a mistake or as the disclaimer mentions something strange happens, have no fear! There’s a way to recover easily. Just simply go to the View menu->Window and click “Restore Default Layout”. This will restore the original Network Monitor layout. Then feel free to try a completely new customized layout.

Paul’s Favorite Setup

My main requirement is to have plenty of space for the frame summary. I want to have as many columns as I could and as much width for the information, in particular the description. While I use the Hex display probably more than most users, I don’t need it front and center. So here are the steps to show you how I accomplish my favorite setup.

First, I move the Hex details in the Display Filter section as another TAB. After this step, it looks like this.

Next I move the Hex Details/Filters/Alias/Select Networks Tab section to the middle.

Then I move the Conversation Tree so it’s on the left side of the Frame Details.

Finally I put the Hex Details/Filters/Alias/Select Networks Tab section above the Frame Details. I end up with the following layout.

I prefer this setup because it gives me maximum column width for the Frame Summary. Also I have plenty of width for my Frame Details, which I can extend vertically by shrinking the Frame Summary window length.

Column Rearrangement

I’m not going to stop there. I also feel I can optimize the column layout. This is a supported change and it’s easy to move columns around by dragging and dropping. You can also right click the headings and choose “Choose Columns…” for more customization. But for my general setup, I will simply move the columns already there.

With the addition of the Find Conversation Feature, I no longer need the ConvID column. So I move it to the right of the description. I also find the Protocol Column is always repeated in the description, so I will also move this to the right of the description. With this change, my resulting setup looks like this below.

Now that I’m happy with this setup, I will save my column setup by right clicking and selecting “Save Column Layout”. The window layout will be saved once I exit.

A Custom Fit

While changing the Window layout isn’t a “supported” scenario, it does work well enough that I believe it’s safe to change. And if you do have to reset your window layout, it’s not that difficult to rearrange again. Each window in the Capture Tab Window is movable so I’m sure you can find a layout which best suits your needs.

Open Source Parsers for Network Monitor 3.2

With the release of NM3.2, we revamped the parser management so that we can support parser upgrades. So I’m pleased to announce that we just released a new version of the parsers on http://www.codeplex.com/nmparsers. As new parsers become available or the current parsers become extended or improved, you’ll be able to get the latest version.

The Plan

Our plan is to release a new set parsers every month. The updates will be based on your feedback and bug/issue reports that are filed on the site. It may take us a bit of time to completely convert our development over to CodePlex. In the meantime there may be fixes for bugs that have been filed internally. But soon you’ll see the parser files updated live along with a matching MSI installer each month. We have already released a new MSI with the current parser changes. Just look at the Release tab off of our CodePlex site and choose the MSI package that matches your installed Network Monitor OS version.

Eventually, we will document and expose the code for MSI creation so that you can create packages for your own parser sets. Also, we are planning to provide documentation for how to test parsers so that you can understand how we test internally for regressions and compatibility.

How does CodePlex work?

CodePlex is an Open Source Community. People can sign in and provide various roles for filing bugs, developing code, and coordinating projects. Anybody can file bugs in on CodePlex, so you are all welcome to contribute in that regard.

Currently, our CodePlex project’s developer and coordinator roles are being handled by the same MS folks who have been doing this job internally. But there is no reason these roles can’t be open up to public as well.  Interested parties who are committed can be positioned to assume responsibility for a subset of parsers. Eventually as our community grows, there may be bigger external partners which may want to release their own sets of parser packages. In these cases we can communicate with them about providing links to their CodePlex development sites from ours.

You can also get the source code to a specific NPL from the Source Code tab if you can’t wait for the next tested MSI release. Integration may require you to get dependant parser files and you will also have to copy the files manually. Please ask for help if you run into an issue. The Discussions section of CodePlex would be a perfect place to do this.

FAQ

Q: Why are the parser packages Processor dependant?

A: While the parsers themselves are not Processor dependent, currently the Network Monitor MSI installer contains registry locations based on the processor type. So to start, we made different MSI versions to keep things easier for our development. In the future we’ll be looking at combining everything into one package that works for all processors.

Q: How can I tell which parser package version I have?

A: If you enable the Version column under “Program and Features” in the Vista control panel, you can find the version number next to the “Microsoft Network Monitor: Microsoft Parsers” entry. It is also available in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netmon3\ParserPackages\Microsoft Parsers, you will see a registry key called Version. This will tell you the version of the parser package in question.

Q: Why is the version number 3.3 and not 3.2?

A: These parsers are from the future! They are coinciding with the release of our internal builds which have already been labeled 3.3. Therefore the new versions of our parsers are labeled 3.3 as well. Don’t worry though as we will continue to ensure through testing that they are still compatible with Network Monitor 3.2.

Q: Do I have to Exit NM3 to install?

A: You don’t have to Exit NM3, but you will have to rebuild the parsers. Rebuilding the parsers often requires you to reload any capture files you have loaded. So while you don’t have to exit NM3, a restart may still be required for things to parse correctly. The easiest way to get the changes is to simply restart NM3 after you’ve installed the package. This will cause a rebuild to occur automatically.

Q: How do I contribute a parser to the project?

A: You can contact us by filing an issue on CodePlex. Look at http://www.CodePlex.com/NMParsers/Wiki/View.aspx?title=Parser%20Development&referringTitle=Getting%20Started for more information. Also, feel free to request parsers that are missing in our current package.

We understand that having accurate and up-to-date parsers is the most important aspect of a protocol analyzer. By releasing the parsers on CodePlex you can now keep up-to-date without having to wait for another release of Network Monitor. And perhaps with the help of the community we will get contributions for other parsers.

Intro to the Network Monitor API

I’ve recently played with a new tool here at MS, which analyzes HTTP traffic and provides performance information so that you can better tune your web servers and applications. I also have seen an internal SMB expert that summarizes SMB traffic, for instance open files and connects. These types of experts provide a protocol specific view of network data that is tailored to a specific protocol. The NMAPI provides a powerful way to access our parsing and capturing engine directly. This gives you a lot of flexibility to analyze network traffic in ways you can only imagine. I want to give a quick overview of how the API works so that you can harness the power of the NMAPI.

VRTA – Visual Round Trip Analyzer

Before I dig into the API, let me show you an example of what the API can accomplish for you. It is available here:

http://www.microsoft.com/downloads/details.aspx?familyid=119F3477-DCED-41E3-A0E7-D8B5CAE893A3&displaylang=en

This tool was recently released and allows you to visualize HTTP traffic so that you can diagnose performance of your HTTP server or Browser.

I won’t go into all the details, but the information displayed will let you understand performance based on the throughput as well as the number of parallel request made to understand how your browser or server is performing. It will also display the graphic images and traffic specifics as you hover over various sections of the graph. There are also overall statistics and a cool Analysis section which attempts to score your traffic based on some common rules of thumb.

What Does the API Allow?

I like to divide the API into 3 areas, though they tend to overlap some. They are Capturing, Parsing, and Capture File access. So let me start by explaining what each can do.

Capturing: You have most of the same capabilities as you do in the UI. You can Start/Stop/Pause the capture engine on any of the network interfaces. The API lets you enumerate the available adapters and setup a unique callback for each one, if you want. Each time a frame arrives, the callback is sent the raw frame which you can then evaluate or simply save to a capture file.

Parsing: With access to the parsing engine, you can inspect any data field that is parsed. You can reassemble data on the fly to quickly parse for a few fields or enumerate through them all. You also have the same UI filtering language available to you in the API. You can define a filter as part of your frame parser and then evaluate that filter, very quickly, on each frame.

Capture File Access: The API also allows you to read and write capture files using the Netmon 2.1 file format for NM3.2.

Where is the SDK?

Almost everything is included when you install NM3.2. This includes NetMonSDK.CHM which describes each of the API and contains examples as well. The only other requirement is that you need to install the WDK. This is because we reference the NDIS headers for each adapter, which is one of the functions the API provides.

For more information on setting up your environment, see the section called Network Monitor API Overview in the CHM file. This can be accessed from the help menu in NM3.2.

How Does Capturing Work with the API?

The API uses a callback to define where you want frames to go when they are received by the engine. So you simply have to enumerate the available interfaces, and define where you want that callback to go. You can use the same callback for all adapters, if you prefer.

So, in the example below, I iterate though all the adapters. In this case I use the same callback for each adapter. Once I’ve set these up, I can call StartCapture, and the callback will be called as each frame arrives.

NmOpenCaptureEngine(&myCaptureEngine);

ULONG AdpCount;
NmGetAdapterCount(myCaptureEngine, &AdpCount);

int NumAdpts = 0;

for(DWORD n=0; n< AdpCount;n ++){
    ret = NmConfigAdapter(myCaptureEngine, n, myFrameIndication, NULL, NmReturnRemainFrames);
    if(ret != ERROR_SUCCESS)
    {
        wprintf(L"Error configuration adapter %d, 0x%X\n", n, ret);
    } else {
        NumAdpts++;
    }
}

In your callback, you can simply save all the frames by using NmAddFrame with a capture file handle you created using NmCreateCaptureFile.

void __stdcall 
MyFrameIndication(HANDLE hCapEng, ULONG ulAdaptIdx, PVOID pContext, HANDLE hRawFrame)
{
    HANDLE capFile = (HANDLE)pContext;
    NmAddFrame(capFile, hRawFrame);
}

How Does Parsing Work with the API?

The main task at hand is getting a raw frame and breaking it apart so that you can reference the fields it contains. In the API this is the job of the FrameParser. This object, which is just a windows HANDLE, is applied to a raw frame. The result of this action, using NmParseFrame(…), is a ParsedFrame object. With this object you can access all the fields and apply filters.

So for instance, you would normally get a raw frame from your frame Callback or directly from a capture file. In this example, we’ll use a capture file.

    NmGetFrame(myCaptureFile, 5, &myRawFrame);

    NmParseFrame(myFrameParser, myRawFrame, 0, 0, &myParsedFrame, NULL);

The resulting myParsedFrame object can now be used in calls like NmGetFieldxxx(…) to retrieve the fields value, full name, offset, size, and other meta data. If you look in the documentation you can see all the NmGetField type API calls.

How to I Create a Frame Parser Object?

To create a FrameParser you start with a set of NPL files, which describes how frames are parsed. Using the NmLoadNplParser, you can load these NPLs to retrieve the NPLParser object. If there are errors while building the parser, you can get these reported to you via another callback.

With the NPLParser object, you can now create a FrameParserConfiguration object. This interim object is needed because this is how you configure the parser to add fields and filters. You can also configure how you want reassembly and conversations to work. When you add fields with NmAddField, you are limited to seeing only those fields when you parse a frame. This limited scope provides the best performance.

But if you instead want to enumerate all fields, simply don’t add any fields in this step. In this case you can get a count of fields for the given parsed frame, NmGetFieldCount. Then you just iterate through all the fields where the count is the field ID.

Once the Frame Parser Configuration is finished, you can then generate the Frame Parser object you use to parse a raw frame. There is also no reason you can’t generate multiple frame parsers as well as frame parser configurations, perhaps for different types of frames.

Managed Code

While we haven’t created an official Managed wrapper, we have included a simple NetmonAPI.CS file which uses PInvoke to call the DLL directly. We hope to release a more proper wrapper externally at some point. Perhaps in the shorter term we can also start an open project which wraps the API.

Gotcha’s using the API

In this section I wanted to explain some problems you might encounter when using the API. At one point or another I’ve run into these issues. I want to pass them on to you.

Parsing is State Full: When you are using a FrameParser object, the object keeps track of state information. This means that if you parse raw frames from more than one frame source, like a capture file and live adapter, the state information might get confused. You should create multiple Frame Parsing objects in that case, one for each source of raw frames.

Number of Object Handles Limited: While this may seem obvious, the number of engine handles is limited, though this can be configured. But if you don’t correctly clean up unused handles by calling NmCloseHanlde, you may get an error stating ERROR_PARAMETER_QUOTA_EXCEEDED. Also, if you are creating multiple parsers or parsing multiple frames simultaneously, you may have to increase the quota using NmApiInitialize.

RPC_E_CHANGED_MODE Returned when opening engine: When you call NmOpenCaptureEngine you may receive this or another COM related error. This is because our capture engine on down level systems like Windows 2003 and Windows XP are single threaded. So you have some options here, but my best advice is to read the section title “Working with Managed and Multi-Threaded Code” in the help.

Different Results than the GUI: The GUI performs one full pass through a capture file when it loads. The first pass parses the entire capture file which builds global and conversations properties. When we display a section of frames in the frame summary, those are parsed again to get all the columns properties. And then when you click on a frame, we parse again to get all the Frame Details. In some cases this can cause you to get different information the second time you parse a frame. This is because global and conversation properties retain the last value set. If you are concerned about this difference, parse through the entire trace once.

Let Your Imagination Run Wild

The API opens up a huge world for analyzing network traffic in a completely automated fashion. From simple experts that provide top level information to complex applications that diagnose difficult network protocols, the API gives you unprecedented access to network protocol data. And within the next few months, we hope to create an Open Source community on http://www.codeplex.com where we will start posting some experts we’ve created internally.

Network Monitor 3.2 has arrived!

I’m so excited about this release I had to commandeer Paul’s blog for the day and write about it. My name is Tawanda Sibanda and I am the lead program manager for Network Monitor. The team put a lot of effort into this version, adding many of the requests we heard from our customers, while simultaneously fixing bugs and stabilizing the product. We hope you enjoy this release! Please feel free to leave feedback on Paul’s blog or participate in our Network Monitor survey

Now, let’s deep dive into some of the details of Network Monitor 3.2

Where are the bits?

Network Monitor 3.2 is available on Microsoft.com. The link is: http://www.microsoft.com/downloads/details.aspx?FamilyID=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&DisplayLang=en.

Network Monitor 3.2 will also be offered as an optional feature package in the next few weeks via Microsoft Update if you have a previous version of Network Monitor 3.x installed. To check for updates, click on Help>Check for Updates from the product menu (versions 3.1 and higher) or visit the site http://update.microsoft.com/Microsoftupdate.

So What’s New in Network Monitor 3.2?

• Process Tracking: Now you can identify rogue applications sending network data! View all the processes on your machine generating network traffic (process name and PID).  Use the conversation tree to view frames associated with each process.

• Capture engine re-architecture to improve capture rate in high-speed networks.   Network Monitor 3.2 drops significantly fewer frames that Network Monitor 3.1.
• Find conversations:  You asked for this. Many of our users found conversation tracking to be difficult to use as the view grew hard to manage, and it was difficult to correlate the frames they were seeing with the conversation nodes in the tree. Now, you can quickly isolate frames in the same network conversation.  Just right-click on a frame and select a conversation to track, and you will see all the frames in that conversation. View TCP streams, HTTP flows etc.

• Extensive parser set:  Parsers for over 300 protocols!  As before, the parsers are fully customizable.
• Better parser management:  By default only a subset of parsers are loaded.  You can load the full parser set by going to Tools>Options>Parser and choose Full vs. Stub implementations.
• CodePlex Ready:  In the upcoming months, we plan to place all our Windows parsers on the Microsoft open-source CodePlex site and allow the community to modify and contribute parsers.  You can find out more information on this here. This version of Network Monitor seamlessly integrates new parser packages.
• Network Monitor API: Create your own applications that capture, parse and analyze network traffic!
• More extensive documentation of the API and NPL.  Access the documentation from Help > NPL and API Documentation.
• IA64 builds.
• PCAP capture file support*.
• ContainsBin Plug-in:  Search frames for arbitrary byte sequences or strings.
• … and more.  See our Release Notes in the Help directory of the installation folder for a complete list of new features and known issues.

Enjoy!

*This feature includes software developed by the University of California, Berkeley and its contributors.
  This feature includes software developed by the Kungliga Tekniska Hogskolan and its contributors.
  This feature includes software developed by Yen Yen Lim and North Dakota State University.

Open Source Network Monitor Parsers

With the release of Network Monitor 3.2 we plan to do all of our parser development as an open source project on http://www.codeplex.com/NMParsers. We will be releasing parser packages for Microsoft Protocols on a regular schedule. All parser issues will be tracked, assigned, and fixed on CodePlex first. Then on a regular schedule, we will post a new installer package which will update your NM3.2 parsers.

Open Documentation = Open Parsers

In the beginning of this year we released the documentation of all the Windows Protocols on http://msdn.microsoft.com/en-us/library/cc216517.aspx. With NM3.2, we have also created parsers for most of the released protocol documentation. And as time passes, we will continue to update the released parsers as well as introduce new parsers.

3^rd Party Development Welcome

So now it’s your turn to contribute. If you see a problem with a parser or decide that there’s a better way to describe the data, you can file an Issue Report against the parser and track it through CodePlex. If the change is implemented, the next install of the Microsoft Parsers will contain your change. You will also have access to the latest version of the NPL if you want to integrate it manually.

Also, if there’s a parser you want to share with the community, you can share your parsers here as well. We will be providing information on how to build a parser package as well as providing guidance on how to test your parsers. And the main project page will be updated to list all available packages.

Stay Tuned

Since the parsers will release with NM3.2 as well, the first release of a parser only package will happen sometime soon after. We are currently shooting for a monthly release cycle. You should see the first parser package posted in October 2008. Stay tuned to that site for updates and announcements.

Broadcasts

We can categorize traffic into two general types; directed and broadcast traffic. In the most general sense, a broadcast is sent to anybody that wants to listen. What I’d like to talk about is how broadcasts work and what they are used for.

How broadcasts work

In general a broadcast is a special address. Different layers, in particular the hardware and network layers have specific addresses defined as broadcasts. So let’s look at each layer specifically.

Hardware Layer:

This layer is normally controlled completely by hardware. It defines how the electrical signals go across the wire and how to decide what traffic you network adapter should listen to. In reality network traffic is always broadcasted to everybody on the same segment. Switches and Routers will further determine how segments are defined and may block or allow this type of traffic.

Your network adapter is setup to “listen” for a hardware address that is assigned to it. This 6 byte address is usually hard coded by the network card manufacturer. A manufacturer is assigned a group of addresses and they make sure they are all unique when shipped. When your network adapter sees an electrical signal, it decodes the Ethernet header information and checks if it’s one of the addresses it’s listening for. If it matches, then it sends the packet to the OS for more processing.

Here’s an example of the Ethernet portion of a packet.

    - Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-06-5B-61-2E-7A]
     + MacAddress DestinationAddress: *BROADCAST [FF-FF-FF-FF-FF-FF]
     + MacAddress SourceAddress: Dell Computer Corp. 612E7A [00-06-5B-61-2E-7A]
       UINT16 EthernetType: Internet IP (IPv4), 2048(0x800)

You can see that the Source Address is comprised of 6 bytes, 00-06-5B-61-2E-7A. The first 3 bytes, 00-06-5B, indentify it as the Dell Computer Corp. The final 3 bytes are unique and set by the manufacturer.

In wireless, all traffic is inherently broadcast based. The air is the medium, ok not really air, but the idea is that everybody sees that traffic. But again once your wireless adapter sees the traffic; it will inspect the address and if it matches, it knows to send to the OS.

Broadcasts at this layer are special addresses that are industry defined. Each NIC is configured to listen to its personal address and any broadcast related traffic. For Ethernet, the broadcast is simply an Ethernet address of FF-FF-FF-FF-FF-FF.

So for instance, if we look at an ARP packet with NM3.2, you can see that the destination address is FF-FF-FF-FF-FF-FF, and there for while be listened to by any machine that receives the packet.

    Ethernet: Etype = ARP,DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-07-B3-29-F8-00]

Network Layer:

The network layer in the case of IPv4 and IPv6 also does the same thing. The only difference here is that it may also include information on how to route traffic. For instance an IP address will determine if traffic is local or not for outgoing traffic.

[See http://blogs.technet.com/netmon/archive/2007/07/20/intro-to-name-resolution.aspx for more info about routing.]

When incoming traffic arrives at the IP layer, it again checks the address to see if it’s something it should be listening for. IP addresses however are not hardcoded. They are assigned and a NIC can listen on multiple IP addresses if it wants.

At this layer the broadcast again is defined as a specific IP address. For IPv4, this could be 255.255.255.255. This can also be restricted to the current sub net, so for instance 192.168.1.255 for a class C network. (For more info on IPv4 classes see http://en.wikipedia.org/wiki/Classful_network).

Why have Broadcasts?

You may have already figured this out but broadcasts are used to send information that every machine on the same segment. For instance, when IPv4 needs to see if an address is already taken it will broadcast an ARP packet and ask if an address is available. In fact, you may have already seen that ARPs tend to always be broadcasts.

    Frame: Number = 41, Captured Frame Length = 60, MediaType = ETHERNET 
    + Ethernet: Etype = ARP,DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-07-B3-29-F8-00]
    + Arp: Request, 192.168.100.253 asks for 192.168.100.13
    

Broadcasts are also used to announce general things like their names to everybody. When NETBIOS starts up, it sends out an announcement to anybody who’s listening to see if this name has been used before. When the name is heard machines called browse masters listen to these names and record them. This allows you to see all the machines on your local network. Your machine may ask the browser for a complete list.

    + Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-1D-09-AB-5D-0A]
    + Ipv4: Src = 192.168.1.5, Dest = 192.168.1.255, Next Protocol = UDP, Packet ID = 3092, Total IP Length = 78
    + Udp: SrcPort = NETBIOS Name Service(137), DstPort = NETBIOS Name Service(137), Length = 58
    + Nbtns: Query Request for MachineX <0x00> Workstation Service

When a computer boots, often broadcasts are used to ask the DCHP server for an address. In fact each time you boot a machine without an IP address, it must use a broadcast to find and communicate with the DHCP server. The message below is discover request that is sent when a machine is looking to find its first IP address.

    + Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-60-08-01-D3-03]
    + Ipv4: Src = 0.0.0.0, Dest = 255.255.255.255, Next Protocol = UDP, Packet ID = 288, Total IP Length = 328
    + Udp: SrcPort = BOOTP client(68), DstPort = BOOTP server(67), Length = 308
    + Dhcp: Request, MsgType = DISCOVER, TransactionID = 0x83484743

Another application, and perhaps the first thing you had in mind when you heard the word broadcast, is sending audio or video data to minimize the network utilization. Rather than sending a separate feed to everybody, you can broadcast to a general address, and NICs can then be told to listen to these special broadcast addresses. This form of broadcast is also called multicasts.

What is P-Mode?

Your NIC has a special mode called Promiscuous. This mode allows your NIC to see all traffic regardless if it’s meant for your machine or not. However, P-Mode is not necessary to see broadcast traffic as your NIC is already listening for these. By default this mode is disabled for each NIC. Even if you don’t enable P-Mode you will still see traffic where your IP or Ethernet address is not involved. This is because of the broadcast traffic. So this is why to see traffic when you click on the “Other Traffic” node in the conversation tree.

Conclusion

Now hopefully you’ll be able to identify broadcast traffic and understand some reasons why this kind of traffic exist. There are many other reasons broadcasts are used and IPv6 uses something similar to IPv4. Perhaps with this knowledge you can inspect traffic and make sure broadcasts are going to the intended network segments as sometimes ill configured routers/switches can make for a noisier than necessary network.

NM3 TV – Video Help for using NM3

If a picture is worth a thousand words, than a video must be worth, …30fps * 1000 * …uh…ok…, like a whole lot. So this blog is going to be devoted to providing short help videos to help understand how to use the features of NM3.

My original intention was to provide a cool Silverlight interface with the video right here on this page. But given the crawl, walk, run mantra for developing NM3, I decided to take that same approach here.

Here’s the list of videos, though not all are available now. I will continue to update the page as I complete each video.

• NM3 Overview
• UI Overview Part 1 – Start Page and Parser Tab (Alt Links: YouTube)
• UI Overview Part 2 – Capture Tab (Alt Links: YouTube)
• Tool Options
• Capturing with the UI (Alt Links: YouTube)
• Capturing using NMCap (Alt Links: YouTube)
• Advanced NMCap usage
• Filtering (Alt Links: YouTube)
• Advanced Filtering
• Conversation Tree (Alt Links: YouTube)
• Reassembly (Alt Links: YouTube)
• Parsers Tab
• Simple NPL Modification
• Creating a new Parser (Alt Links: YouTube)
• NM API Overview
• Building an API Example

Hopefully this increases your effectiveness with NM3. Feel free to provide feedback about other topics you’d like to see covered.

The Swimming Pool and the Drain Pipe

With the introduction of Network Monitor 3.2, we have introduced a new feature that allows us to buffer frames so that packets are not dropped. While this is a wonderful improvement this new feature introduces some side effects that you may be interested in.

First there was just a Drain Pipe

Before NM3.2, we had only a Drain Pipe. The problem was that if you tried to cram enough network data through that pipe, it could overflow and drop packets. This was a problem we wanted to fix for NM3.2, so we built up a swimming pool around our drain pipe. As long as the pipe can drain the information quickly enough the swimming pool will never fill up. But if a burst of data comes in and the speed of the information overwhelms the drain pipe, the swimming pool can hold the data until the drain has time to process that information.

Why not a Liquid Plumber Instead?

Data could not be processed in the first place due to two halves of the same resource problem: the CPU and the Network Speed. The CPU speed amounts to the size of the drain pipe, and the Network Speed to the rate at which you are dumping in water. If your CPU can’t keep up, then it may not be able to process the frames quickly enough. And on the other side of the seesaw, if the rate of network data is too fast then you may have the same problem regardless of how fast your CPU is. So there can always be a bottle neck given a fast enough network data rate, or an over utilized CPU.

How Big is this Swimming Pool?

This is actually a very good question because as you may be asking, what if my whole disk fills up? Currently we’ve limited the size of the capture buffer to 20 Gigabytes. You can also change this value via the registry if you need to. That registry key is a DWORD and it located here:

HKCU\Software\Microsoft\Netmon3\Settings\Capture\RootChainCaptureSizeLimit

The value of the registry key is the maximum size of the capture buffer in MB. We will also honor the MinDiskQuotaPercentage which by default is set to stop when only 2% of the free disk space is left. When either limit it reached, the new incoming frames will be dropped.

Things that Effect Draining Speed

In general if you are capturing data with no filters the speed at which we can drain the swimming pool is the fastest. As soon as you apply a capture filter, we must inspect each packet and determine if it passes. The more complex the filter, the more time it takes to process each packet. Therefore this will affect the rate at which the pool can fill up. When you start capturing, you can look at the pending frame count and determine if it is rising. If it is, then you may be in a situation where your swimming pool will continue to fill up over time. Of course traffic is not always predictable, but you should be able to get confidence about your particular capturing scenario.

Capturing and Applying Filters

Another thing you may notice is that one you stop a capture, any pending data in the buffer will continue to be processed until its emptied. With NMCap we will continue to process frames until all pending frames are done. The same holds true when taking a capture with the API. In fact we have created two options to determine how you want StopCapture to react. You can now stop immediately or stop when the pending data is cleared out. When applying a capture filter we actually keep track of the packet as it enters the buffer, so that the filter is applied correctly in regards to when you applied it as opposed to when the packet is actually inspected.

Swimming Season is Open

The best thing about this new feature is that you can be confident that you have gathered all the frames from a network trace. In the rare case there are dropped frames, then the number of dropped frames will be displayed for you in the UI and when using NMCap.

A Great New Way to Give Us Feedback for Network Monitor 3.2

Scenario Voting is a web-based system that will provide you with a list of scenarios to try and then easily "vote" on your experience. Each vote reflects information such as your satisfaction with the scenario, its importance to you and any additional comments you might have. Additional information may be requested on a per scenario basis. This information will help the Network Monitor Product Team assess the current state of the scenarios we are supporting in the product. Benefits you will receive include learning about new scenarios supported by Network Monitor 3.2 and helping you structure your evaluation and testing.

A unique aspect of this survey is that you can choose scenarios you want to send us feedback about. If you are unfamiliar with a scenario, in some cases, there are hints to help you understand how to complete the scenario. This may also help you learn how to do things in Network Monitor that you may not be familiar with. And you can always return and complete or update scenarios at any time. So please take a minute to send us feedback.

http://input.microsoft.com

This survey requires that you’ve already joined our connection at http://connect.microsoft.com. But of course the NM3.2 beta also requires this, so this should not be a problem for anybody using NM3.2 already.

Network Monitor 3.2 Beta has released!!!

I’m excited to announce that the Network Monitor 3.2 Beta has released. There are some exiting new features listed below of which many I have already spoken about in this blog:

http://blogs.technet.com/netmon/archive/2007/12/28/santa-s-bag-was-full.aspx

One feature I didn’t mention is our new capture buffer to avoid dropping frames. After adding our drop frames counter, we found out under certain busy situations it would go above zero and we just couldn’t have that. We now buffer the frames before parsing and displaying them. While this does add some complexities to capturing, it insures that packets are more reliably captured which is obviously very important. I will blog about this feature specifically, but I wanted to call it out here.

Where are the bits?

As usual we are hosting our beta at http://connect.microsoft.com under the Network Monitor 3 Project. If you are already signed up, you should have it listed on the main page. If not, look for the project and join up with us to help us find bugs. There is also a web page forum front end to our newsgroup if you need to get support or ask general questions.

What’s New since Netmon 3.1

• Process Tracking: View all the processes on your machine generating network traffic (process name and PID).  Use the conversation tree to view frames associated with each process.

• Find conversations:  Quickly isolate frames in the same network conversation.  Isolate TCP streams, HTTP flows etc.

• PCAP capture file support
• Capture engine re-architecture to improve capture rate in high-speed networks.   Network Monitor 3.2 drops significantly fewer frames that NM3.1
• Extensive parser set:  Parsers for over 300 protocols!  Parsers for the protocols covered by the Windows Open Protocol Specifications (see http://msdn.microsoft.com/en-us/library/cc216517.aspx).
• NM API: Create your own applications that capture, parser and analyze network traffic!
• Better parser management:  By default only a subset of parsers are loaded.  You can load the full parser set by changing the parser search order in Tools>Options>Parser
• Support for frame truncation.  Go to Tools>Options and limit the number of bytes captured per frame to improve performance.
• More extensive documentation of the NPL which includes documentation on the new NMAPI.  Access the documentation from Help > NPL and API Documentation
• Enhanced filtering on items within NPL while loops or arrays.  You can specify an index into the array or while loop to filter on
• IA64 version now available.
• ContainsBin Plug-in:  Search frames for arbitrary byte sequences or strings. For example, ContainsBin(FrameData, ASCII, “msn”).
• More UI indications of conversation status, dropped frames and the number of frames in the capture buffer.

• … and more.  See our Release Notes in the NM3.2 installation directory for a complete list of new features and known issues with the Beta.

Enjoy!

The Network Monitor Team

An Evangelist in Las Vegas

A few weeks ago I visited the glitzy town of Las Vegas for the Interop Conference 2008. While I’m not much of a gambler, the lure of technology was more than enough to get me excited about the trip. Pack thousands of tech-heads in a luxurious hotel, present information about new technologies, and now you’ve got a hot time in the dessert.

Buzz Words: Unified Communication and Virtualization

I don’t know if they do word counts on submitted Power Point presentations, but if I had to guess, both UC (Unified Communications) and Virtualization would be at the top of the list. And both technologies have a direct impact on the future of Network Monitor.

In terms of Virtualization, there are many challenges. The host machine can now house dozens to hundreds of virtual servers which means the backbone connection to the host machine requires a quick link. This means a 1 gig or even 10 gig network connection may be the norm for these configurations.  Making sure we can support these environments from the host machine and hosted VMs is going to be an important scenario to understand and support properly. 

For Unified Communications, the range of devices expands as your phone/pc/video conference merges.  And as wireless environments with remote users becomes the norm, trouble-shooting connections for voice and video become incredibly important in this domain.  And finally, interoperability between multiple devices and infrastructures requires a tool that can easily determine where interoperability problems may exist.

Roaming the Exhibition Floor Jungle

The Interop Exhibition Floor is a microcosm of the hosting city, Las Vegas. Sounds from various booths ring out like slot machines and shows start on the hour as vendors attempt to garner your attention for longer periods of time. Booth babes and circus-like performances try to steal your eye away, in hopes of attracting you to their line of products. For me, however, I was curious about products that compete with or compliment Network Monitor.

What I found is that in general the protocol analyzer type tool that seems to be popular is more a of an aggregate tool that tells you where your network is sick. It may not tell you what the exact problem is, but it helps you monitor your network as a whole. I suppose that is where our tool would come in. Network Monitor is more targeted for solving specific problems and diving deep. Our conversation tree and soon to release process tracking creates a unique way to take a lot of data and filter down to a specific problem.

Soaking up the Technology

As I introspect over my trip I try to find connections between our product’s future and the current state of technology. I realize that as things continue to accelerate, the need for a way to drill down from the very large to the very specific is of vast importance. And while we can continue to do general things, it will be more and more important to provide technology specific tools to help troubleshoot the dizzying array of protocols, devices and network mediums. As we continue to reach forward in this regard, we should be able to use our community to understand and provide tools to help us all solve difficult networking problems.

We’re very excited about showing off the beta of NM 3.2. Watch for it on our site, (http://connect.microsoft.com), in about a month! If you register into our community we’ll send you a note when it’s ready.

SMB2 Parser for NM3.1

We have decided to release an SMB2 parser for Network Monitor 3.1 (released July 07) to hold people over untill the beta for Network Monitor 3.2 releases in early June.

Where can I get the SMB2 parser?

You can download SMB2.NPL parser, along with SPARSER.NPL, CER.NPL, FCCS.NPL, SCNA.NPL and SMB.NPL (all supporting parsers) on http://connect.microsoft.com under the Network Monitor 3 project. If you’ve already signed up you’ll see it as one of your active projects. If you need to sign up you will need to create a passport account and join our project. Once you are in on the Network Monitor 3 project, click on the Downloads link on the left. You will see SMB2 Parser as one of the selections.

How do I use the new SMB2 parser?

Look at the article on using the SSL parser (http://blogs.technet.com/netmon/archive/2007/10/23/new-ssl-public-parser-available-how-to-deal-with-new-parsers.aspx) in the sections “Where do I stick it?” and “Working with NPL Parser path”. The instructions for installing the SMB2 parsers are the same.

Happy SMB2 parsing!

Reassembly with NM3

Ever wonder how a network works? Maybe it just seemed so easy, and in your mind sending a file was just putting each byte on the wire to the receiving machine. That’s not too far from the truth but you’d be very selfish to think that the network was there for your bidding only. Since a network has to be shared between many users, strategies have been created to chop your file up and send it in chunks.

Like Packing for a Move

We’ve all done it before. We take all of the bits and pieces of junk we’ve collected over the years and are tasked with moving them from one location to another. We invite friends and relatives, and like ants, they arduously move each piece from house A to house B. If your house=file, and boxes=packets, then we’ve created an analogy for reassembly. If you are organized, you’ll label each box, 1 of 20, 2 of 20, and so on. When you get to the new location, you can put all your things back together using the labels you created and verify you received everything.

The architects of our Internet are not any cleverer. They’ve borrowed these same techniques to determine how a chopped up file can reach its destination and be reconstituted. As long as the data is sequenced, the other side should be able to put the pieces back together.

The Transport Layer

In networking we like to talk about layers. You may have heard terms like “Layer 3 switch” or the “Network Layer”. Well, the architects of our Internet are just like everybody else. They get easily confused if too much is going on. Transferring network data from one place to another is a difficult problem. And a common strategy used to solve difficult problems is to divide and concur. Each layer is responsible for different things, and the transport layer is the one we use to define how files get chopped up and rebuilt.

We’ll narrow our focus down to TCP for a bit. This is the workhorse transporter for most networking applications. There are others, such as SPX/IPX, but TCP is by far the most popular. And it turns out RCP, SMB and HTTP can also fragment data. SMB might chop your file up into 4K chunks, and then each of these chunks could be further fragmented by TCP.

Labeling Your Boxes

So in our analogy, labeling=sequencing. We could label each packet 1 of 20 and so on, and some protocols do use this strategy. But for TCP, we go a bit further and describe the number of bytes that are sent. We’ll say, for instance, that this packet contains Sequence 1000-2000. What we actually send is the first sequence number and the size, but this range can be derived from that data. When the other side gets the data, even if it’s out of order, it knows how to put the puzzle back together. Also, the receiving TCP will keep the sender up to date by acknowledging what it’s received so far. In the simplest scenario, the receiver ACKs the latest segment it received. If the sender gets an acknowledgment for sequence 2000, then that confirms the receiver has seen all data up to that point.

Using NM3 to Reassemble the Data

When we capture data from the network, we are capturing it before the data has been put back together. But this can make it difficult to read, as you might imagine. With NM3 we’ve created a way to reassemble the data, so that you can see the data as it is seen by the application layer (there’s one of those darn layers again, see http://en.wikipedia.org/wiki/OSI_model). So when you click on a web page and get a trace, you can see the entire packet as sent by the browser, rather than a bunch of fragments after TCP has gotten to them.

Data Before You Reassemble

So if you start a network trace and view a web page you’ll notice that the traffic that gets created shows HTTP and TCP. The HTTP packets are the headers sent/received by your web browser. But the TCP that is in between is also your browser traffic. The original HTTP packet was larger than would fit in single packet, so TCP has chopped it up for you.

In this example, you can see that the server has responded with a page. Frame 6 is a continuation of frame 5 and is where TCP has chunked up the data. Frame 7 is an acknowledgment so the server knows we are receiving data. And frame 8 is the final frame in the fragmented data.

Data After You reassemble

To reassemble with NM3.1, you go to the Frames menu and select “Reassemble All Frames”. In NM3.2 we’ve created a more prominent button on the tool bar so this should be easier to find. Once the reassembly is complete a new window opens and contains all the original frames PLUS new frames for each reassembled piece.

So frame 9 is the new frame we inserted. While the Description doesn’t look much different, the devil’s in the details. Quite literally we have to look at the frame details to see the difference.

Frame: Number: 9, Captured Frame Length = 4449, MediaType= PayloadHeader
+ PayloadHeader: Re-assembled Payload
+ Http: Response, HTTP/1.1, Status Code = 502, URL: http://239.255.255.250/

The major difference is that we don’t see Ethernet, IP, or TCP anymore. We’ve replaced the original network header with our own called PayloadHeader. This header contains info about the protocols that have been reassembled, as well as information we might need from those layers. We don’t show the original frame numbers, but you can enable some debug NPL to get this information if you need. Just look at Payload.NPL for more info.

If you were to open up HTTP Response in the details, you would also see that all the HTML and header information is in this one packet. This reassembling of the data makes is very easy to understand that data from the HTTP level.

Also realize that in cases where both HTTP and TCP are fragmenting data, there can be multiple levels of reassembly. In those cases you may see a PayloadHeader for each TCP fragmentation, and then another for the HTTP fragmentation.

Reassembly FAQ

Reassembly doesn’t seem to be working for me, why?

The reassembly feature does depend on two things. One, conversations have to be enabled. Make sure this option is enabled when you open a trace. Currently the option can be found on the start page. Two, you can only reassemble a saved trace. If you just started a trace, you’ll need to save and reopen it.

Why do all the original frames show up?

When NM3 does reassembly, new frames are added in. Rather than remove the original frames, we’ve decided to leave them in as they still provide information about the original TCP data. Also, if there’s a problem with reassembly, perhaps due to missing packets, you could use the data to figure out why it didn’t reassemble correctly.

Can I only see reassembled frames?

Well yes, you can filter on only those things that have been reassembled. As we mentioned above, we add a PayloadHeader, which is just a protocol we’ve devised. So you can filter out all reassembled data, but applying a filter of “PayloadHeader”. I actually create a color filter for this so they stick out.

What you can’t do, however, is see only data that has been reassembled and the data that was never originally fragmented. While we realized this would be useful, we haven’t exposed a way to make this possible. However, with the API and NM32, it would be possible to do this programmatically.

Why doesn’t the Reassembly window have a conversation tree?

When we originally designed reassembly, the conversation window wasn’t really integral to the product yet. The simple work around is to save the capture file and reopen.

Putting it All Together

Networks have devised ways to break apart data and rebuild them. But with protocol analyzers that capture this raw data, it’s sometimes difficult to follow. With the reassembly option in NM3 your network traffic is put back together making it easier to read. Add this ability with the new Process Tracking feature in the upcoming NM3.2 and finding the only the data you need will be easier than ever.

Santa’s Bag was Full

The Elves are working furiously on the next version of Network Monitor 3.2. But it seems that NM3.2 won’t be under the tree for Christmas for this season. In a few more months, however, we will have a new Beta available for public consumption. And you can’t blame Santa, his bag already stuffed with Xboxes and such. Room in his bag should be reserved for children’s gifts you know. So you will have something under the tree for Christmas we will give you a sneak preview of the new things we are working on.

Stocking Stuffers

The first thing you’ll notice with NM3.2 is that the UI has been tweaked a bit. We moved around some items to make them more visible like Reassembly and Find. We’ve, err I mean the Elves, created a Most Recently Used list on the Start Page to make opening previous captures a quick operation. We uncluttered the tool bar to get rid of some of the lesser used items. And we are still envision more changes for NM3.2, like single line filter boxes to go along with our multi-line filters, as well as a way to get rid of windows you don’t use as often. This streamed line UI should give you more real-estate and make discoverability of some lesser used, but powerful, features more prominent.

All I Want is to Open LibPCap/WinPCap Files

And now you’ll be able to with NM3.2. One of the advantages of the NM3 capture file format is that we can store data from multiple network interfaces in the same file. But that makes it impossible to save as a LibPCap format, with out splitting the traffic. But why should we limit you from opening LibPCap files? Now when you open a LibPCap file, we convert it in memory to our format and display it just like any other capture file. I’m sure this will please more than a few folks. At this point you can save it as a NM3 capture file if you wish.

Finding a Conversation in the Tree

No, not some lame version of the "12 Days of Christmas".  And I'm not referencing the Christmas tree, but rather the NM3 conversation tree. The conversation tree is very helpful for quickly narrowing down traffic, but I’m sure you have had more than one occasion to locate the current frame in the tree. A exciting new feature we now have is the ability to right click a frame and highlight that conversation in the tree. This in turn filters the traffic based on that conversation. The cool thing this is this is not limited to TCP conversations. You can filter on any conversation as displayed by the Conv ID column, like all traffic for that machine-to-machine conversation or just HTTP level traffic.

The Big Gifts

I’ve noticed that some kids will often save the biggest gifts for last. I guess the assumption is that the larger the gift the grander the surprise. Of course, you occasionally get the big box stuffed with socks and underwear from Grandma. No such disappointment here.

NM Application Interface

We get asked about Experts all the time. The availability of the API is a giant step in that direction. While it’s much more than just a way to create experts, it allows a simple programming interface to query and access data fields using our parsing engine. This means you can create applications where only your imagination is the limit. Not only can you look into the packet data, you can also control the NM capturing engine. So you can design programs to stop/start captures based on whatever events you have.

Let me give you an example of the applications I’ve already tinkered with. Perhaps at some point when the API is released, we can also release some of these examples.

TopUsers – Lists traffic based on IPv4, IPv6, MacAddresses, and show columns for bytes sent, frames sent, etc. Simply click on a column header to sort and find out who is the chattiest user on your network.

EventCap - Lets you capture data until a certain Event error appears in the Event Log. This gives you a simple way to capture traffic leading up to a failure logged in the Event Log.  Basically a one step version of the blog I wrote on this subject: (http://blogs.technet.com/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx)

FiltCap – Lets you query capture data using a simple SQL like command and export that data as a CSV (Comma Delimited File). No longer are you trapped by the limitations of what the UI can do. You can use your favorite tool to graph and analyze trace data.

Process Tracking

I’m often trouble shooting traffic from a specific application. I want to know why Internet Explorer isn’t working properly. Process tracking is a way to show data based on the application that is sending it. Our final design will create new Nodes in the conversation tree that show each process that is running and then allow you to filter on only that traffic when you click on that Node.

We’ll even save that data from the capturing machine so that given you’ve taken the trace with NM3.2, you’ll have all the data necessary to see the processes that were running at the time the capture was taken. Imagine how much faster you’ll be able to narrow down a specific problem with this new feature!

Now How Much Would You Pay…

While we are not done adding features, these are the major ones we have so far. We plan to release a Beta in the early part of next year (we think April time frame). And while we haven’t been able to add every feature people have asked for, and there’s been a bunch of them, we are hoping this next version has a little of everything for everyone.

Happy Holidays from the Network Monitor Team