Network Monitor

  • Expert to Decrypt TLS/SSL Traffic

    One of the most popular requests we've had is to provide a way to view encrypted traffic. The new Decryption expert aims to solve this problem for TLS/SSL traffic. Using the Decryption Expert: The purpose of encrypting data in the first place is to hide...
  • Measuring Response Times

    It's often useful to understand how long it takes for a request to get responded to. This helps you gauge how well a client or server is keeping up. This type of measurement can also be done at different layers; however there are some tricks you'll have...
  • Annotated Traces for Windows System Behavior

    Microsoft publishes protocol documentation on MSDN that is intended to make it easier for others to develop interoperable implementations. “System Documents” provide overviews of system behavior for key systems such as Active Directory, File Sharing and...
  • SMB2 Data Fields and Properties

    Properties: Property.SMBFileIDPersistent - For SMB2, the file ID can be one of two types. This represents the Persistent type. Property.SMBFileIDVolatile - For SMB2, the file ID can be one of two types. This represents the Volatile type. Property...
  • IPv4 Data Fields and Properties

    Fields: IPv4.Address - Useful for filtering on an address independent of the direction. IPV4.SourceAddress - Represents the source address and is useful for filtering for traffic from a specific source. IPV4.DestinationAddress - Represents the...
  • Capturing a Trace at Boot Up

    Capturing a trace during a boot is a common task that can be difficult to accomplish. In fact, the most foolproof way to capture all traffic at boot is to capture the traffic from a 3rd party capturing machine in promiscuous mode. But this requires you...
  • No Frames Captured Due to Disk Quota

    In certain instances, you start a capture and no frames are captured. Or perhaps the UI suddenly stops displaying new frames. The display doesn't indicate any dropped frames and you've already verified that your selected adapter is the one that should...
  • When You Can't Save Frames From the UI

    You might have run into an occasion when doing a capture from the UI that you are unable to save your capture. You might receive a message like "Not enough storage is available to process this command". The UI tends to eat up a lot of resources...
  • Adapters Are Missing After Upgrading to Windows 7

    If you have just upgraded to Windows 7, you might notice that you no longer see any adapters listed in your Select Networks selection. There is a very simple way to fix this problem. First run CMD as administrator. If you have not done this before, you...
  • Reassembling Packets with the Network Monitor API

    Network traffic by nature is fragmented. Limits of various network packet sizes force protocols to chop up data into multiple frames. When you capture data or read it from a trace with the API (NMAPI) you see only the fragments by default. But as the...
  • Network Monitor Videos on Channel 9

    We posted some videos to Channel 9 in the last 6 months or so, and I wanted to let everybody know about them. We have one set of videos that provide some insight into the Network Monitor API and process of creating experts. This series provides...
  • Using NMAPI to Access TCP Payload

    The TCP Payload often carries data that you want to access directly using the Network Monitor API. Below I will detail how to do this using a simple C++ example and the NMAPI. Why Not add a TCP.Payload Field? The TCP Payload can carry all types of payloads...
  • SMB Opportunistic Locking Behavior

    Behold the mysterious world of OpLocks (Opportunistic Locking). Often OpLocks will be disabled by a user or system administrator in order to help address a performance problem. And this practice might not always be the best course of action. Understanding...
  • Delayed Write Failure Trace Study

    In this "Trace Study", we'll look at a case where the customer is seeing delayed write failures logged in the event log. Delayed write failures are reported when a file being written over the network is inaccessible for a time. Based on a trace taken...
  • Chained Captures and Stitching Them Back Together

    When you use NMCap to capture data you have an option to save the capture files as a chain. As the current capture file format has a limited size, this option allows you to continually capture the data in successive files. This also gives you some flexibility...
  • I Can't View My Windows Home Server at Home

    I have a friend who just received his Windows Home Server. Home Server allows you to access it remotely so you can share photos, Remote Desktop and backup documents. The provided documentation includes details on how to setup your router, open ports,...
  • SMB Data Fields and Properties

    Properties: Property.SMBFileID - The File ID for any kind of SMB request property.SMBFileID==0x4000 Property.SMBFileName - The file name for an SMB request. This might also represent state information so frame data does not have to exist for...
  • TCP Data Fields and Properties

    Fields: TCP.Port - Filters on the Source or Destination port. Used to find traffic based on port which is often associated with an application. TCP.Port==80 // filters on the default port for HTTP traffic. TCP.Flags.Reset - Can be used to...
  • TCP Analyzer Expert: Make Your Network Run Faster

    Performance problems suck...time! But years of "Where's Waldo" has trained our brains in preparation for this moment. The TCP Analyzer expert, available from our Experts Download Page [http://go.microsoft.com/fwlink/?LinkID=133950] takes advantage...
  • Network Monitor Fields and Properties

    Collected here is a list of the most common data fields and properties. They are categorized by protocol. This list is helpful for getting an idea of the most common data fields and properties with descriptions of what they do. The list will continue...
  • Circling In Shark Waters

    Last week I attended Sharkfest 09 at Stanford CA and I had a wonderful time. It was great to talk to other network geeks like me to better understand this community and see how various tools can be used to illuminate the cloaked world that is your network...
  • Windows 7 and ISA Remote Windows Sockets Parsers Available

    If you don't already know, we have been updating our parsers for Network Monitor on http://www.CodePlex.com/NMParsers every month. Most recently we have updated the Windows parser set to support Windows 7 protocol updates. In the June parser release...
  • Event Tracing for Windows and Network Monitor

    Event Tracing for Windows (ETW) has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it's something like the proverbial printf("here1...
  • Network Monitor Forum on TechNet

    We'd like to announce that we are opening a Network Monitor forum on TechNet. We also have forums hosted on Connect.Microsoft.com, but these are focused on our betas. We'll answer questions about filtering, using the Network Monitor API, writing parsers...
  • Top Users Expert for Network Monitor 3.3

    One of the major new features in Network Monitor 3.3 is the ability to run experts directly from the UI. And now NMTopUsers is available from our Experts Portal. Plus as it's a CodePlex project, we have opened the source code as well. It's a fairly simple...