
TCP Analyzer Expert: Make Your Network Run Faster

Performance problems suck...time! But years of "Where's Waldo" has trained our brains in preparation for this moment. The TCP Analyzer expert, available from our Experts Download Page[ http://go.microsoft.com/fwlink/?LinkID=133950] takes advantage of that training by graphically representing TCP traffic. By looking at normal traffic or comparing the presented picture graph to some known TCP issues you can easily diagnose performance problems.

With the TCP Analyzer Expert you can load a trace, use the conversation tree to locate a TCP stream, and run the expert. If you don't have anything selected, the expert will use the first TCP conversation in the trace. Once it's run it presents you with a UI which will allow you to graph the TCP traffic, analyze Round Trip Time, and do some high level diagnosis based on some known issues.

How to Analyze Traffic

Say you suspect a problem or want to analyze some traffic. The first thing you need to do is collect a trace using Network Monitor. TCP Analyzer can try to "guess" the general problem and describe the issue. But for this to work properly you will need to take the trace from the machine initiating the connection. It also helps to have the entire TCP connection, including the 3-way handshake: that is where the window scale option is negotiated, and without it the window sizes advertised later in the stream can't be interpreted correctly.

Once you start a trace, you then reproduce the performance test and stop the capture. Then save the capture, as Experts can only be run on saved traces. Go back to the start page where you'll see the file you just saved in the recent capture list and open it up.

Finding the TCP Conversation

The next trick is locating which TCP stream you want to run the expert on. In this case I copied a file using Explorer and I knew the name of the file I copied. So I created the following filter.

ContainsBin(FrameData, UTF16BE, "myfile")

It could potentially have been ASCII as well, but with SMB I knew it would occur as Unicode. BTW, UTF16BE stands for UTF-16 big endian. Unicode has several encodings, and strictly speaking Windows and SMB put UTF-16 on the wire little-endian; a big-endian search still tends to hit because the string is usually preceded by a zero byte, which lines up with the big-endian byte pattern. If a search for a name you know is in the trace comes back empty, try the other byte order and ASCII before concluding the traffic isn't there.

This filter located a bunch of SMB frames which meant I was on the right track. I right clicked a frame, selected Find Conversation, and chose TCP. This locates all other frames in the same conversation, which the TCP Analyzer will use to determine which stream to use when it runs. Remember, to see the full stream in Network Monitor, remove the display filter you used to find the frame originally.

Now with the correct conversation selected, I run the TCP Analyzer Expert from the Experts menu. This runs the expert, but in order to get a graph to show up I have to press the graphing button from the toolbar.


Since there is traffic flowing in both directions, you need to determine which you want to concentrate on. You can use the port or IP address to figure this part out. Once you make this determination click the graph. This will display the graph in the main window, allowing you to zoom in/out with the mouse wheel; you can also drag the main graph around to pan.

You can also analyze the Round Trip Time, which is the graph in the middle. However there are some restrictions that have to be met before any information will be available. We won't cover RTT in this blog, but you can see the help for the expert for more information.

Decoding the Graph

The Axes

The Y axis shows the sequence numbers for the chosen direction. TCP picks the initial sequence number when the session starts (modern stacks randomize it, so reason about the difference between two numbers rather than their absolute values); from there each sequence number counts bytes, so sequence 1000-2000 represents 1000 bytes.

The X axis is time, measured in milliseconds (ms). This matches the time offset displayed in Network Monitor.

Legend Details

On the time-sequence graphs there are various symbols which can occur. Here's a list of what they mean.

·  Receiver Window - Receiver is telling the sender it is currently willing to receive up to this point in the data stream.

·  Acknowledged - Receiver is telling the sender it has successfully received all the data up to this point in the data stream.

· Data - The point in the data stream the sender is currently sending.

· SYN - The SYNchronize packet sent at the start of the connection.

· FIN - The FINish packet sent at the end of the connection.

· Discontinuity - Any break in the data stream where the data in the indicated packet doesn't sequentially follow the data in the previous packet. Out-of-order, lost, or retransmitted packets can all cause discontinuities, as can gaps in the capture.

· Presumed Lost - A packet that was later retransmitted (if a sequential group of packets are all later retransmitted, only the first one will be indicated this way).

· Retransmission - A packet that is a retransmission of another packet in the capture.

Understanding Bandwidth-Delay Product

The speed at which you can send data in TCP depends on both the bandwidth of your network and the delay. Bandwidth is quoted in terms like 10Mbps or 100Mbps, that is, bits per second. The delay is the round-trip time: how long it takes for data to travel from one place to another and back. While this is ultimately bounded by the speed of light, routers and the communicating computers themselves add to it, as it takes time to process packets.

By multiplying bandwidth and delay together we get the maximum amount of data that can be "in flight" over one connection between two computers. As you'll see, whether this maximum is utilized depends on how well TCP is tuned. The longer the delay, the more important it becomes to fill the available window.

Pictures of Wrong Behavior

In TCP there are some typical problems that creep up over and over. Sometimes these are configuration issues with the client/server TCP stack or application. And in some cases, the problems can be easily fixed by adjusting the application or TCP window size. Of course, this may also be caused by your network which may require more drastic measures.

The best way to understand right from wrong is to baseline your network when it is working properly. This way you can look at the bandwidth numbers alone and understand if you have degraded. But in the absence of this data, you can use the following pictures as a reference in order to identify some common problems.

Bandwidth Limited:


In this case you see that the sent data fills up the window as the data packets (blue X) approach the receive window (red X). The packets are sent at a regular interval, so the only thing limiting your throughput is the available bandwidth. This is normally what you want to see, as your throughput will always be limited by something.

Receiver Limited:


The packets fill the receiver window, but they go out in bursts as fresh acknowledgement packets arrive and open up the window. This burstiness is an indicator that the window is smaller than the bandwidth-delay product, and thus the protocol can't keep the data stream flowing smoothly.

Sender Limited:


This indicates that one end's window size is less than the bandwidth-delay product. However, unlike the receiver-limited case above, the data packets fall well short of filling the receiver's advertised window. This is a good indicator that the sender's window was the limiting factor. In some cases this is because the application doesn't fill the window completely. As this often does not show up under low latency, a developer might not detect this type of problem in testing.

Congestion Limited:


The earlier data points (lower left) look like a bandwidth-limited connection, until two lost packets cause TCP to severely limit the sender's congestion window after recovering from the losses. Note that the last data points (upper right) show the data packets aren't filling the receiver's advertised window as TCP is limiting the sender to a smaller congestion window.

It's important to note that the pictures were created in test environments. Real world applications tend to be more conversational and you'll often have to narrow down the part of the picture you need to focus on. For instance, when you start a file copy with Explorer there's a lot of traffic that goes back and forth as you browse for the folder, select the file and then finally drag and drop it on the destination folder. You'll have to learn how to differentiate the actual transfer from the rest of the traffic.
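The legend, the bandwidth-delay product and the four pictures above all come down to a little arithmetic over the segments of one direction of a stream. The Python below is an added example, not the TCP Analyzer expert's code: it labels constructed segment lists the way the legend does (discontinuity, retransmission, presumed lost) and then names the limiting factor by comparing the bytes in flight with the advertised window and with the bandwidth-delay product. The 8 Mbit/s, 10 ms path, the segment lists and the 0.9 "full enough" thresholds are all assumptions made up for the example.

```python
"""Added example (not the TCP Analyzer expert's code): label one direction
of a TCP stream the way the time-sequence legend does, then name what is
limiting it. Segment lists below are constructed, not from a real trace."""
from dataclasses import dataclass

@dataclass
class DataSeg:
    t_ms: float    # X axis: capture time offset in ms
    seq: int       # Y axis: first (relative) sequence number carried
    length: int    # payload bytes

@dataclass
class AckSeg:
    t_ms: float    # when the receiver's ACK was captured
    ack: int       # next byte the receiver expects; everything below is acknowledged
    win: int       # receiver window advertised in that ACK, in bytes

def classify(data):
    """One label per data segment: 'data' or a '+'-joined set of
    'discontinuity', 'retransmission', 'presumed-lost'."""
    seen, prev_end = [], None              # (seq, end) of every segment so far
    labels = [set() for _ in data]
    for i, d in enumerate(data):
        end = d.seq + d.length
        if prev_end is not None and d.seq != prev_end:
            labels[i].add("discontinuity")     # does not follow the previous packet
        for j, (s, e) in enumerate(seen):
            if d.seq < e and s < end:          # overlaps bytes already sent
                labels[i].add("retransmission")
                labels[j].add("presumed-lost") # the earlier copy never got through
        seen.append((d.seq, end))
        prev_end = end
    prev_lost = False                          # only the first of a lost run is marked
    for l in labels:
        was_lost = "presumed-lost" in l
        if was_lost and prev_lost:
            l.discard("presumed-lost")
        prev_lost = was_lost
    return ["+".join(sorted(l)) if l else "data" for l in labels]

def bandwidth_delay_product(bandwidth_bps, rtt_ms):
    """Bytes the path can hold in flight: bandwidth times round-trip delay."""
    return bandwidth_bps / 8 * rtt_ms / 1000

def in_flight(data, acks):
    """(unacknowledged bytes, advertised window) right after each data segment,
    judged by the latest ACK captured at or before it; None before any ACK."""
    out = []
    for d in data:
        prior = [a for a in acks if a.t_ms <= d.t_ms]
        if not prior:
            out.append(None)                   # handshake window not in the trace
            continue
        last = max(prior, key=lambda a: a.t_ms)
        out.append((d.seq + d.length - last.ack, last.win))
    return out

def diagnose(data, acks, bandwidth_bps, rtt_ms):
    """Pick one of the four 'pictures of wrong behavior' (0.9 thresholds are assumed)."""
    bdp = bandwidth_delay_product(bandwidth_bps, rtt_ms)
    labels, flights = classify(data), in_flight(data, acks)
    rtx = [i for i, l in enumerate(labels) if "retransmission" in l]
    if rtx:
        after = [f for f in flights[rtx[-1] + 1:] if f]
        if after and max(b / w for b, w in after) < 0.9:
            return "congestion-limited"        # losses, then a shrunken send window
    peak_bytes, win = max((f for f in flights if f), key=lambda f: f[0])
    if peak_bytes >= 0.9 * win:                # sender keeps the advertised window full
        return "receiver-limited" if win < bdp else "bandwidth-limited"
    if peak_bytes >= 0.9 * bdp:                # path is full although the window is not
        return "bandwidth-limited"
    return "sender-limited"                    # application never fills either one

# Constructed path: 8 Mbit/s with a 10 ms RTT, so the BDP is 10000 bytes.
BW, RTT = 8_000_000, 10
# Receiver-limited: 4000-byte window, four segments then a wait for the ACK.
RECV_ACKS = [AckSeg(0, 0, 4000), AckSeg(11, 4000, 4000)]
RECV_DATA = ([DataSeg(1 + i, i * 1000, 1000) for i in range(4)]
             + [DataSeg(11 + i, 4000 + i * 1000, 1000) for i in range(4)])
# Bandwidth-limited: 16000-byte window, one segment per ms, ACKs one RTT later.
BW_ACKS = [AckSeg(0, 0, 16000)] + [AckSeg(t + 10, t * 1000, 16000) for t in range(1, 11)]
BW_DATA = [DataSeg(t, (t - 1) * 1000, 1000) for t in range(1, 21)]
# Sender-limited: big window, but the application hands over one segment per RTT.
SEND_ACKS = [AckSeg(0, 0, 16000), AckSeg(11, 1000, 16000)]
SEND_DATA = [DataSeg(1, 0, 1000), DataSeg(12, 1000, 1000)]
# Congestion-limited: second segment lost, retransmitted at t=30, then only
# two segments per RTT although the window would allow four.
LOSS_ACKS = [AckSeg(0, 0, 4000), AckSeg(11, 1000, 4000), AckSeg(41, 4000, 4000)]
LOSS_DATA = ([DataSeg(1 + i, i * 1000, 1000) for i in range(4)]
             + [DataSeg(30, 1000, 1000), DataSeg(41, 4000, 1000), DataSeg(42, 5000, 1000)])

if __name__ == "__main__":
    print(classify(LOSS_DATA))
    for name, d, a in (("recv", RECV_DATA, RECV_ACKS), ("bw", BW_DATA, BW_ACKS),
                       ("send", SEND_DATA, SEND_ACKS), ("loss", LOSS_DATA, LOSS_ACKS)):
        print(name, diagnose(d, a, BW, RTT))
```

The two questions the pictures ask are encoded in `diagnose`: does the sender ever get close to the advertised window, and is that window smaller than the path can carry? Bursts (receiver limited) and steady pacing (bandwidth limited) look alike in bytes-in-flight terms, so the window versus BDP comparison is what separates them, exactly as the text above describes.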

Power of the Picture

TCP Analyzer does an awesome job of taking a lot of information and summarizing it in a picture that gives a good overview of your network's performance. It can take practice to learn how to read it, as you get to know the scenarios presented here as well as others. But as you learn you'll find it's a powerful tool in your tool belt.

Posted by PaulELong | 0 Comments

Circling In Shark Waters

Last week I attended Sharkfest 09 at Stanford CA and I had a wonderful time. It was great to talk to other network geeks like me to better understand this community and see how various tools can be used to illuminate the cloaked world that is your network.

Each day started with a keynote and then there were 3 tracks: Developer, Basic, and Advanced. The Developer track focused on parser development and capturing. For the most part I stuck to the Basic/Advanced tracks, but I did attend the Developer session on creating parsers (or dissectors as they call them). This gave me some insight into alternate ways protocol parsers can be architected. It was also great to hear from the master brain, chief Wireshark architect, Gerald Combs.

The SSL session by Sake Blok was interesting because it exposed the details of a protocol I've had little experience with. It's obvious this is a very important skill moving forward as the world moves to protect its information on the wire. He also provides some cases to explain where things might go wrong.

I found the case study sessions the most useful for me. I love to see how different people attack a problem and what features of a tool they use to get the important information. Especially enlightening were the presentations by Hansang Bae and Laura Chappell.  In each case they tackled real world problems with real traces and provided details of how they troubleshoot network issues using a protocol analyzer. Laura was especially entertaining as she described her "Butt Ugly Color Filter" techniques and real world experiences with networking.

While there's no equivalent to being there in person, most of the presentations are available on http://www.cacetech.com/sharkfest.09/. Some of them include traces, which is great for learning on your own.

As I roamed beautiful Stanford, and roaming is what you do on such a vast campus, I thought about all the cool people I met and things I learned. I hope I will be there next year and encourage you to attend if you want to hone your networking skills. Whether you are a developer, beginner or advanced user there's always something to be learned.

Posted by PaulELong | 0 Comments

Windows 7 and ISA Remote Windows Sockets Parsers Available

If you don't already know, we have been updating our parsers for Network Monitor on http://www.CodePlex.com/NMParsers every month. Most recently we have updated the Windows parser set to support Windows 7 protocol updates. In the June parser release on CodePlex we have support for the Remote Windows Sockets (RWS) protocol, which is used to proxy TCP and UDP traffic from Winsock applications. So now with the new parser set you can decode this traffic into the upper level protocols that ride on top of RWS.

These parsers rely on Network Monitor 3.3, so please upgrade first if you haven't already. Please visit NMParsers on CodePlex and download the latest parser set so you can get the most up to date parsing experience. Enjoy!

Posted by PaulELong | 2 Comments

Event Tracing for Windows and Network Monitor

Event Tracing for Windows (ETW) has been around for quite a while now, as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it's something like the proverbial printf("here1") used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What's new is that Network Monitor can read any ETL file, and with the supplied parsers many network oriented ETW providers can be decoded.

How ETW Works

The idea was to standardize tracing so that it could be turned on for any component with a consistent interface. Before ETW, it was common practice to place DEBUG statements that would output to the debugger. But this often required checked builds of the binaries, special registry entries, and super secret knowledge that sometimes required code access. Now the consumer/provider model with built in enumeration advances and standardizes logging.

Unfortunately, it's not all perfect. As the OS has evolved, so has the story for collecting the ETW data. But the great news is that in Windows 7, you can collect data by scenarios and even include the raw network traffic data, all using ETW tracing.

Subscribing to a Provider

ETW uses a subscription model. Subscribing tools provide a GUID or provider name to receive the logging from that component. Network Monitor is not a subscriber at this point, so we'll have to use other tools to gather the ETW data.

Various operating systems contain different ways of getting ETW traces, but one that seems to work on most Windows operating systems is Logman.exe (http://technet.microsoft.com/en-us/library/bb490956.aspx). When you run Logman, you supply a GUID or name which identifies a particular provider. To list the providers, use the query providers command.

]]logman query providers
Provider GUID
-------------------------------------------------------------------------------
.NET Common Language Runtime {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}
ACPI Driver Trace Provider {DAB01D4D-2D48-477D-B1C3-DAAD0CE6F06B}
Active Directory Domain Services: SAM {8E598056-8993-11D2-819E-0000F875A064}
Active Directory: Kerberos Client {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}
Active Directory: NetLogon {F33959B4-DBEC-11D2-895B-00C04F79AB69}
...
Microsoft-Windows-Winsock-AFD {E53C6823-7BB8-44BB-90DC-3F86090D48A6}
Microsoft-Windows-Winsock-WS2HELP {D5C25F9A-4D47-493E-9184-40DD397A004D}
...

You'll see many providers listed, but we only provide ETW parsers for a subset of them. This is mainly because our focus for this feature is Windows 7 network troubleshooting. As we extend the parser set on http://www.codeplex.com/nmparsers we will add support for more providers. In fact, as we speak we are looking to publish an ETW parser for USB 2.0.

Capturing an ETW Trace with Logman

To capture ETW data, use Logman along with the GUID or provider name and some other parameters. Winsock is the layer applications use to communicate over TCP/IP. Let's capture all Winsock related ETW events.

logman start my_winsock_log -p Microsoft-Windows-Winsock-AFD -ets

We send it the start command and the name of our session and log file my_winsock_log. We pass it the name of the provider with -p. Alternatively, we could use the {GUID} instead. Finally we pass "-ets" which says to start logging now.

logman stop my_winsock_log -ets

This command stops the logging, again based on the session name you specified when you started. When it completes you should have a my_winsock_log.etl file that can be opened with Network Monitor 3.3 or 3.2.

Windows 7 Scenario based ETW Tracing

The story for ETW becomes much more interesting in the Windows 7 and Server 2008 R2 world. While Logman still works, Netsh becomes the tool of choice for collecting ETW traces. Also incredibly useful are the addition of tracing by scenario and the ability to capture network traffic via NDIS with ETW tracing. But more on this a little later.

Netsh to Collect an ETW Trace.

Netsh used to be component centric with regards to tracing. But now tracing is a top level command that you can use to start and stop tracing. So here's an example that works like our previous Logman example.

]] netsh trace start provider=Microsoft-Windows-Winsock-AFD TraceFile=my_winsock_log2.etl

Trace configuration:
-------------------------------------------------------------------
Status:      Running
Trace File:  my_winsock_log2
Append:      Off
Circular:    On
Max Size:    250 MB
Report:      Off

]] netsh trace stop

Correlating traces ... done
Generating data collection ... done
...



Netsh and Scenarios

Scenarios are things like "InternetClient" or "AddressAcquisition". A tracing scenario is defined as a collection of selected event providers. Providers are the individual components of the network protocol stack, such as WinSock, TCP/IP, Windows Filtering Platform and Firewall, Wireless LAN Services, or NDIS.

One of the primary goals for improved network tracing is to allow collection of all relevant information in one step, and then easily view all events associated with a specific action across the network stack. Network tracing provides a quick method for collecting information and diagnosing networking issues by logging events from all providers in the scenario, and then correlating these events by activity.  In other words, related events & network packets are grouped together for given activity across different components in the networking stack, from Winsock down to NDIS.

Let's look at a list of possibilities for Windows 7.

]] netsh trace show scenarios

Available scenarios (18):
-------------------------------------------------------------------
AddressAcquisition : Troubleshoot address acquisition-related issues
DirectAccess       : Troubleshoot DirectAccess related issues
FileSharing        : Troubleshoot common file and printer sharing problems
InternetClient     : Diagnose web connectivity issues
InternetServer     : Troubleshoot server-side web connectivity issues
L2SEC              : Troubleshoot layer 2 authentication related issues
LAN                : Troubleshoot wired LAN related issues
Layer2             : Troubleshoot layer 2 connectivity related issues
MBN                : Troubleshoot mobile broadband related issues
NDIS               : Troubleshoot network adapter related issues
NetConnection      : Troubleshoot issues with network connections
P2P-Grouping       : Troubleshoot Peer-to-Peer Grouping related issues
P2P-PNRP           : Troubleshoot Peer Name Resolution Protocol (PNRP) related issues
RemoteAssistance   : Troubleshoot Windows Remote Assistance related issues
RPC                : Troubleshoot issues related to RPC framework
WCN                : Troubleshoot Windows Connect Now related issues
WFP-IPsec          : Troubleshoot Windows Filtering Platform and IPsec related issues
WLAN               : Troubleshoot wireless LAN related issues

To enable a scenario and stop it you type the following commands:

netsh trace start scenario=InternetClient

netsh trace stop

Again, an ETW trace file is created but now there are multiple providers within the same trace file. This can help you correlate tracing from multiple places as the problem moves from one component to another.

Icing is "capture=yes"

One of the coolest parts of this new tracing in Windows 7 is that you can capture NDIS network traffic using Netsh. By enabling the capture parameter, you capture network traffic. Not only is this useful for correlating to other component events, but it provides another way to get a network capture.

Since Netsh can be run against a remote machine, you could also use this to start a capture on another box (you need administrative rights there, just as you do locally). And using the persistent=yes parameter, you can keep logging across a reboot to troubleshoot those nagging start up issues. Remember that a trace taken with capture=yes contains full packet payloads, so protect the resulting .etl file the way you would any other capture.

By adding the capture=yes parameter to any scenario or specific provider collection, network traffic is captured, as well. To get a simple trace, use this command:

netsh trace start capture=yes

The resulting trace contains TCP, IPv4, Ethernet, etc., just like a trace taken from the network interface; however, the data has extra headers on the front. If you have other provider information mixed in, and the latest parsers from http://www.CodePlex.com/nmparsers, a simple filter to show just the network traffic is as follows:

NDISPacCap_MicrosoftWindowsNDISPacketCapture

We also update the standard filters on http://www.codeplex.com/nmparsers. As new requests and ideas for standard filters come up, we'll add to the current set.

Netsh Reference

Here's a small table to summarize the Netsh commands referenced:

Start                    Starts a trace session
Stop                     Stops a trace session
Capture=yes              Turns on raw network capture from NDIS
Provider=ProviderName    Enables tracing for a specific provider
Show Providers           Shows a list of providers
Scenario=ScenarioName    Enables tracing for a specific scenario
Show Scenarios           Shows a list of scenarios

Conversations and Built-in Standard Filters

We've extended the idea of conversations to ETW logs. The conversation tree is populated with activities, and with the providers under each activity, which will help you narrow down interesting traffic. We also provide some standard filters to help you do basic searches. And as usual, we try to propagate the important information to the top of the tree.


And finally, the default columns that show up in Network Monitor 3.3 are different when you open an ETW trace. We add a "UT Process Name" column (UT stands for Unified Tracing) which displays the process name when it is available, along with the process ID. This replaces the "Process Name" column that shows up when you open capture files.

Where to Go Next?

When assisted support or further troubleshooting is necessary, the improved network trace logs can enable developers and support professionals to quickly isolate network activities and view the combined event data and packet captures in a single file, grouped by a network task and the related network activity.

On MSDN there's a great reference that discusses Win7 troubleshooting with Event Tracing (http://go.microsoft.com/fwlink/?LinkID=145404). This resource explains in greater detail how to troubleshoot problems, create filters, and use conversations with ETW tracing and Network Monitor. And while it's Windows 7 specific, there is still some applicability to older operating systems. And Network Monitor can read any ETL file. While we don't necessarily have parsers for every provider, that doesn't mean a parser can't be written.

Posted by PaulELong | 2 Comments

Network Monitor Forum on TechNet

We'd like to announce that we are opening a Network Monitor forum on TechNet. We also have forums hosted on Connect.Microsoft.com, but these are focused on our betas. We'll answer questions about filtering, using the Network Monitor API, writing parsers with NPL, the UI, reassembly, capturing, and anything else you want to discuss.

http://social.technet.microsoft.com/Forums/en/netmon

Please visit if you have a question.

Posted by PaulELong | 0 Comments

Top Users Expert for Network Monitor 3.3

One of the major new features in Network Monitor 3.3 is the ability to run experts directly from the UI. And now NMTopUsers is available from our Experts Portal.  Plus as it's a CodePlex project, we have opened the source code as well. It's a fairly simple C# project which uses the NMAPI to access data from a trace. You can view and download the source code if you are interested in more details.

What Does NMTopUsers Do?

The problem we are trying to solve is a way to quickly identify the heaviest users of network traffic. For instance you might want to understand if there's a computer on your network that is hogging all the bandwidth. You might also want to identify a chatty machine which could be an indication that it has been infected with a virus or adware.

There are actually two experts in one here. The Endpoint version shows traffic for each machine address, IPv4, or IPv6 address on your network. The Conversation version, on the other hand, shows traffic based on a pair of machines, IPv4, or IPv6 addresses so you can understand the traffic involved between machines.

How Does NMTopUsers Work?

Once you've installed the expert by running the MSI, "Top Users by Endpoint" and/or "Top Users by Conversation" will appear in the Experts menu. When you run the expert a new window appears and displays a data grid. The data depends on any display filter applied or conversation tree nodes you have selected. The grid lists nodes or conversations with statistics on the frames and bytes that have been sent and/or received.


By default the data is sorted by Total Bytes. But you can click on any column header to sort by that column.

The Address Type drop-down lets you select which types of addresses you want to see. By default we only show IPv4 addresses, but you can add Machine addresses and IPv6 addresses as well.

The Tree View allows you to see the IPv4 and IPv6 addresses as they relate to the Machine addresses they belong to. As you can imagine, this option is only available if you've enabled the Machine address type. Also, if you've re-sorted on a different column in the Tree View, you can reset to the original order by using the Reset Tree button.

Finally you can create a Pie or Bar chart of the information. While sometimes this can be cluttered due to the number of addresses, it can give you a high level overview of the usage. Keep in mind that the Bar chart can't display if you have Machine Addresses selected and multiple IPv4 or IPv6 addresses for a single machine address. This is because the bar chart attempts to line up each IPv4/IPv6 address with its matching Machine address and this doesn't make sense with multiple IP addresses.
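What the two Top Users experts compute, as an added Python example that is not the NMTopUsers C# source: per-endpoint and per-conversation byte and frame totals over a constructed frame list. The family filter mirrors the Address Type drop-down (IPv4 by default, optionally IPv6 and Machine addresses); the frame tuples and the `family`/`top_endpoints`/`top_conversations` names are assumptions made for the example.

```python
"""Added example (not the NMTopUsers expert): per-endpoint and
per-conversation traffic totals from a constructed frame list."""
from collections import defaultdict
from ipaddress import ip_address

def family(addr: str) -> str:
    """'IPv4', 'IPv6', or 'Machine' for anything that is not an IP address."""
    try:
        return "IPv%d" % ip_address(addr).version
    except ValueError:
        return "Machine"

def top_endpoints(frames, families=("IPv4",)):
    """Rows of (address, total_bytes, total_frames), biggest first; a frame
    counts once for its source and once for its destination."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, size in frames:
        for addr in (src, dst):
            if family(addr) in families:
                totals[addr][0] += size
                totals[addr][1] += 1
    rows = [(a, b, f) for a, (b, f) in totals.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

def top_conversations(frames, families=("IPv4",)):
    """Rows of ((addr_a, addr_b), total_bytes, total_frames). The pair is
    sorted so both directions of a flow land in the same row."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, size in frames:
        if family(src) in families and family(dst) in families:
            key = tuple(sorted((src, dst)))
            totals[key][0] += size
            totals[key][1] += 1
    rows = [(k, b, f) for k, (b, f) in totals.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

# Constructed frames (no real trace): (source, destination, bytes on the wire)
FRAMES = (
    [("10.0.0.5", "10.0.0.20", 1500)] * 3        # bulk transfer
    + [("10.0.0.20", "10.0.0.5", 60)] * 3        # its ACKs
    + [("10.0.0.7", "10.0.0.20", 200)]
    + [("10.0.0.9", "192.0.2.1", 80)] * 5        # small but chatty
    + [("2001:db8::1", "2001:db8::2", 1000)]
    + [("00-1a-2b-3c-4d-5e", "ff-ff-ff-ff-ff-ff", 64)]   # a broadcast frame
)

if __name__ == "__main__":
    for row in top_endpoints(FRAMES):
        print(row)
    for row in top_conversations(FRAMES, ("IPv4", "IPv6")):
        print(row)
```

Sorting by total bytes finds the bandwidth hog; re-sorting the same rows by the frame column (the third value) is how you surface the chatty machine the post mentions, since a host sending many tiny frames barely registers in bytes.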

Give it a Run

Please go to the Experts Portal and download both Top Users for Conversations and Endpoint. Try it out!

Posted by PaulELong | 1 Comments

Network Monitor 3.3 has arrived!

Guest blog by Tawanda Sibanda, Lead Program Manager for Network Monitor

Ladies and gentlemen … the Microsoft Network monitor team is excited to announce the release of Network Monitor 3.3. A record 7 months after version 3.2 this is our quickest release ever, but also one of our most functionality-rich. We have added some innovative features that will simplify your network troubleshooting needs. As always, we have also continued to fix bugs and improve the product in those little but important ways.

Let’s take a quick tour of Network Monitor 3.3.

Where are the bits?

Network Monitor 3.3 is available here http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f on Microsoft.com

Network Monitor 3.3 will also be offered as an optional feature package in the next few weeks via Microsoft Update if you have a previous version of Network Monitor 3.x installed. To check for updates, click on Help>Check for Updates from the product menu (versions 3.1 and higher) or visit the site http://update.microsoft.com/microsoftupdate

What’s New in Network Monitor 3.3

· Ability to capture WWAN (mobile broadband) and Tunnel traffic on Windows 7.

· Full Hyper-V support on Windows Server 2008

· Right-click-add-to-alias: Right-click a frame in the Frame Summary window with an IPv4, IPv6 or MAC address to add that address as a new alias. This is one of those little things that simplifies your work-flow.


· Right-click-go-to-definition: Have you ever wondered where and how the protocols fields you see in the Frame Details are defined in our in-built parsers? Wonder no more. Introducing right-click-go-to-definition: right-click a field in the Frame Details window and select Go To Data Field Definition or Go To Data Type Definition to see where the field is defined in the NPL parsers.

· Autoscroll: Another one of those little, but priceless things … auto-scroll. See the most recent traffic as it comes in. In a live capture, click the AutoScroll button on the main toolbar to have the Frame Summary window automatically scroll down to display the most recent frames as they come in. Click Autoscroll again to freeze the view in its present location.

· Core Parser Set: We heard your concerns about our parsing performance, and created an optimized Core parser set that only contains 32 protocol parsers for network layer and transport protocols (e.g., Ethernet, IP, and TCP). This parser set can increase your parsing performance by up to 200% depending on the data you are viewing. To enable the Core parser set, go to Tools > Options from the main menu, and click on the Parser tab. Click on the Common folder and click the stubs button to load stub parsers for this folder. Do the same thing for the Windows folder. Your final set up should be as follows:


· ETL Support: Network Monitor 3.3 can open and correlate information in ETL files generated by Network Tracing in Windows 7.

And now for the main event … two of our most exciting features that will revolutionize how you analyze your traces:

· Frame Commenting: Read all about this feature in our previous blog article. Briefly, Frame Commenting lets you attach comments to frames in a saved capture file. Select the Frame Comments tab in the lower-right window to add, view, edit, or delete comments. With this feature you can annotate a trace with your comments and observations and store that metadata directly with the capture file itself!

· Experts: Experts are stand-alone applications that analyze Network Monitor capture data. In Network Monitor 3.3 we provide a simple interface for registering experts with the product and invoking them on a saved capture file. We have made some initial experts available online at http://go.microsoft.com/fwlink/?LinkID=133950. Simply install the experts and run them directly from the UI on a capture file. Better yet, why not create your own expert! We provide a rich API that allows you to filter and parse capture data. We also have a sample SDK on the same experts portal to get you started on creating an installable expert that you can share with others. If you are interested in creating an expert we would love to hear from you. Leave a comment on the blog and Paul will get back to you.

Let us know what you think

We live for feedback, negative or positive. Go to http://go.microsoft.com/fwlink/?LinkID=142458 and let your opinion be heard. The survey requires you to log on with your Windows Live ID.

Enjoy!


Microsoft Network Monitor Team

Left->Right: Xumin Sun, Jin Feng, Darren Fisher, Jim Huang, Ralph Case, Michael Hawker, Paul Long, Saurabh Verma, Ashish Panday, Dave MacDonald, Ning Yang, Fred Wurden, Kathy Snow, Xin Shen, cow, Gi youl Kim, Sean Spratt, Lin Zhong, Tawanda Sibanda

Posted by PaulELong | 14 Comments

Looking for Private Data with the Simple Search Expert

Guest Blog by Michael Hawker

A little earlier, we talked about the new Expert system available in Network Monitor 3.3. With our release on the horizon, we wanted to give you a little more insight into the usefulness of Experts and what they can do.

Presently we only have the Simple Search Expert available, but more will be coming with our release. Simple Search lets you search within frames for ASCII-like strings using a direct case-insensitive search or regular expressions. It can also search within the comment text of frames.

Simple Search provides a quick way to find what you’re looking for within a capture file without the need for filtering. The regular expression power also adds another level of depth not previously available to Network Monitor users. Let’s talk about how these features can help you.

Be sure to download the Network Monitor 3.3 Beta from Microsoft Connect as well as the NmSimpleSearch Expert.

Data Exfiltration

Data Exfiltration is all about your personal data security. Is your personal information leaving your computer without your knowledge? Maybe you thought it was secure. The Simple Search Expert can help you find out.

Imagine you are a concerned online shopper, or maybe you’re a website developer testing a new website. In either case, you want to know whether your information is being securely transferred from your PC to the website’s server. If the information is sent in the clear, anyone along the way could intercept it.

Bring up Network Monitor and your favorite web browser and search engine. Start capturing in Network Monitor and search for “myname@iwantyourdata.com”. Stop your capture and save it to a file. You can then use the start page to quickly open your saved capture. Now launch Simple Search from the Experts Menu. You can even use the right-click menu in the Frame Summary view to launch Experts too:

(Screenshot: launching an Expert from the Frame Summary right-click menu)

Some Experts even use the frame you’re right-clicking on as their input. Simple Search doesn’t look at that information, but an Expert should document whether it does or not.

Now, we can use the Simple Search Expert to see if our e-mail address was transferred in plain-text over the internet. We can either type in our e-mail address in the search box, or use the Common Regex menu and select E-mail Address:

(Screenshot: Simple Search with the Common Regex menu open)

This option will give us what looks like gobbledygook, but is in fact a complex regular expression for recognizing e-mail addresses. When we hit the Search button, Simple Search will search through the file, tell us how many instances of an e-mail address it found, and select the frame in Network Monitor.

You can click on the Hex Details button in Simple Search to display where the string was found in the data packet:

(Screenshot: the Simple Search Hex Details view)

Now, you can use this technique to check your favorite online shopping sites to see if they transmit your e-mail address unencrypted when you log in.
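As an added example (not the Expert’s own code, which this post does not show), here is a Python script that performs the same check offline over a few constructed frame payloads: it runs a simplified e-mail regex over the raw bytes as ASCII, UTF-16LE and UTF-16BE (the form SMB uses), renders a Hex Details style view of each hit, and shows the case a literal search misses, an address whose “@” a web form has sent as “%40”. The pattern, the function names and the sample frames are my own constructions.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes

# Simplified e-mail pattern constructed for this example; the Expert's "Common Regex" is more thorough.
EMAIL_ASCII = rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"


def _utf16_pattern(little_endian: bool) -> "re.Pattern[bytes]":
    """Rebuild the ASCII pattern with each character as a 2-byte UTF-16 code unit
    (SMB carries strings that way). Matching raw bytes keeps offsets exact."""
    def cu(cls: bytes) -> bytes:  # one code unit: the ASCII byte plus its null byte
        return cls + b"\x00" if little_endian else b"\x00" + cls
    local = b"(?:" + cu(b"[A-Za-z0-9._%+-]") + b")+"
    domain = b"(?:" + cu(b"[A-Za-z0-9.-]") + b")+"
    tld = b"(?:" + cu(b"[A-Za-z]") + b"){2,}"
    return re.compile(local + cu(b"@") + domain + cu(rb"\.") + tld)


PATTERNS: Dict[str, "re.Pattern[bytes]"] = {
    "ascii": re.compile(EMAIL_ASCII),
    "utf-16-le": _utf16_pattern(True),
    "utf-16-be": _utf16_pattern(False),
}
Hit = Tuple[int, str, int, str]  # (frame number, encoding, byte offset, address)


def find_plaintext_emails(frames: List[bytes]) -> List[Hit]:
    """Scan each frame payload for e-mail addresses in every supported encoding."""
    hits: List[Hit] = []
    for frame_no, payload in enumerate(frames, start=1):
        spans: List[Tuple[int, int]] = []  # byte ranges already reported in this frame
        for enc, pat in PATTERNS.items():
            for m in pat.finditer(payload):
                # A UTF-16LE string after a null byte is byte-identical to a UTF-16BE
                # string starting one byte earlier, so report those bytes only once.
                if any(m.start() < end and start < m.end() for start, end in spans):
                    continue
                spans.append(m.span())
                hits.append((frame_no, enc, m.start(), m.group(0).decode(enc)))
    return hits


def find_percent_encoded_emails(frames: List[bytes]) -> List[Tuple[int, str]]:
    """The miss a literal search makes: HTML forms send '@' as '%40', so the regex
    above never fires. Decoding first finds it (offsets are lost, frame number kept)."""
    found = []
    for frame_no, payload in enumerate(frames, start=1):
        for m in PATTERNS["ascii"].finditer(unquote_to_bytes(payload)):
            found.append((frame_no, m.group(0).decode("ascii")))
    return found


def hex_details(payload: bytes, offset: int, length: int, width: int = 16) -> List[str]:
    """Render the hex rows covering payload[offset:offset+length], like Hex Details."""
    rows = []
    for row in range(offset - offset % width, min(len(payload), offset + length), width):
        chunk = payload[row:row + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{row:04x}  {hexpart:<{width * 3}} {text}")
    return rows


# Constructed sample frames, not real captured traffic.
SAMPLE_FRAMES = [
    b"POST /signup HTTP/1.1\r\nHost: shop.example\r\n\r\nemail=myname%40iwantyourdata.com",
    b"POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=myname@iwantyourdata.com&pw=x",
    b"\xfeSMB" + b"\x00" * 4 + "myname@iwantyourdata.com".encode("utf-16-le"),
    bytes(range(0x16, 0x16 + 40)),  # opaque bytes standing in for an encrypted record
]

if __name__ == "__main__":
    for frame_no, enc, off, addr in find_plaintext_emails(SAMPLE_FRAMES):
        print(f"frame {frame_no}: {addr!r} sent as {enc} at offset {off}")
        print("\n".join(hex_details(SAMPLE_FRAMES[frame_no - 1], off, len(addr))))
    print("only visible after percent-decoding:", find_percent_encoded_emails(SAMPLE_FRAMES))
```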

Posted by PaulELong | 1 Comments

Frame commenting is here!

Often when a trace is passed around for analysis, the people involved discuss the behavior observed in out-of-band channels, such as email, attached documents, etc. How primitive! Wouldn’t it be nice if you could just “mark up” or “annotate” the trace with your comments and observations, so that they are stored with the data itself? Well, now with Network Monitor 3.3 (currently a beta) you can!

(Screenshot: a frame comment in Network Monitor 3.3)

In the example shown here, I created a Word document, pasted in some content from the Netmon trace and from MS-DFSRH, commented and highlighted it, and then pasted it back into a frame comment in Netmon. Now I can store the whole mess in the Netmon trace, where it will be handy for the next person. Note that frame number 688 has a “#” next to it in the summary view so that I can tell it has a comment associated with it. We even added “Next Comment” and “Previous Comment” buttons.

But that’s not all… you can filter for just comments (.framevariable.CommentTitle) and you can access the comments from the NM33 API.

Enjoy!

- Dave MacDonald

Group Program Manager, Protocol Engineering Team

---

Posted by PaulELong | 3 Comments

Network Monitor 3.3 Beta Available on Connect

It’s time again for a new Beta version of Network Monitor. Using your feedback we’ve added some compelling new features! One in particular is the ability to launch experts from the UI. And what use would this be without something to launch? We’ll also be releasing some cool experts, like Top Users and Simple Search. In fact Simple Search is already available, just use the Experts menu from a saved trace to connect to our Experts landing page. Return every so often to see what is new.

What’s an Expert? What is Simple Search?

An expert is a tool, run separately from Network Monitor, that performs expert analysis on your trace data. For instance, Simple Search will allow you to search all trace data for strings and, better yet, regular expressions! Need to find an e-mail address or phone number, but don’t know exactly which one? A regular expression, using Simple Search, lets you find this type of string. Just launch the expert from the menu and search away.

(Screenshot: the Simple Search Expert)

But there’s so much more, so let’s list out what else is new.

What’s New in NM3.3 Beta

  • Ability to capture on WWAN and Tunnel interfaces on Win7
  • Critical fixes to NM3.3 to operate correctly with Hyper-V
  • Right-click add to alias. Right-click a frame in the Frame Summary window with an IPv4, IPv6, or MAC address to add that address as a new alias.
  • Right-click go to definition: Right-click a field in the Frame Details window and select Go To Data Field Definition or Go To Data Type Definition to see where the field is defined in the NPL parsers.
  • Auto-scroll. See the most recent traffic as it comes in. In a live capture, click the Autoscroll button on the main toolbar to have the Frame Summary window automatically scroll down to display the most recent frames as they arrive. Click Autoscroll again to freeze the view in its present location.
  • Experts available online: Experts are stand-alone applications that analyze Network Monitor capture data. Various experts are available online at http://go.microsoft.com/fwlink/?LinkID=133950.
  • Frame Comments: Attach comments to frames in a saved capture file. Select the Frame Comments tab in the lower-right window to add, view, edit, or delete comments.
  • API Extensions: API methods have been added to enable access to conversation information, properties, field display strings, and comments.
  • Ability to open ETL files and correlate information by Network Tracing scenario.
  • See our Release Notes for a complete list of new features and known issues.

Gimme, Gimme, Gimme!

The Beta is available on our connect site at https://connect.microsoft.com/site/sitehome.aspx?SiteID=216. But it is only available as a download if you join Connect. By joining you’ll also get updated when we release and be able to file bugs with us if you find issues. So give NM3.3 Beta a test drive and please let us know what you think!

Provide feedback at http://go.microsoft.com/fwlink/?LinkID=142458 (you will need to log in with your Connect Network Monitor credentials to see the Beta survey). Our voting website, input.microsoft.com, has an expired certificate that we are working to renew. For now, you can tell your browser to ignore the expired certificate while we address this problem.

Posted by PaulELong | 4 Comments

SQL Parser in Latest CodePlex Package

I know many have asked about this in the past. And now it’s finally here: a shiny new parser for the Microsoft SQL Tabular Data Stream protocol, or TDS as we often refer to it. Simply go to www.CodePlex.com/NMParsers and install the latest release.

I’m sure some of you have left me already by clicking on the link, so I’ll stop blabbing and let you play. Just remember you need to enable the full parser set. To do this go to Tools, Options, and the Parsers tab from the main menu. Then click on the Windows line and make sure the “Set” column reads FULL. If this is not the case, click the Stubs button at the top.

Posted by PaulELong | 2 Comments

How can we help?

Hi! I’m the Group Program Manager for Microsoft’s Protocol Engineering Team. Our team includes those who bring you Netmon.

We are approaching our Beta of version 3.3. It’s the most exciting protocol analyzer on the planet, in my humble opinion. The team has listened to you and has turned around a quick release with some really compelling features, like auto-scroll, frame commenting, support for WWAN capture (mobile broadband), more parsers, API improvements, support for expert plug-ins, and some polish. And we’re now developing parsers in open source at http://www.codeplex.com/nmparsers. I’m really proud of our team and my hat is off to them.

But that’s not why I’m writing.

I’m writing to ask, “How can we help?” If you are a Microsoft enterprise customer, what can we do to help you run your enterprise network more efficiently? What kind of diagnostics or network experts do you need? If you are a web developer, check out the Virtual Round Trip Analyzer developed by the MSN team here. If you are a developer using our MSDN documentation to build software that interoperates with Microsoft products, how can we help you do that efficiently?

We know that times are tough, and we want you to know that your friends at Microsoft are here to help. Write me and tell us how.

- Dave MacDonald

DavemacD@microsoft.com

Group Program Manager, Microsoft Protocol Engineering Team

Posted by PaulELong | 2 Comments

EventCap Revisited Using NMAPI

You may remember a blog where we talked about automating a capture so that it stops when a particular event shows up in the Windows Event Log. (http://blogs.technet.com/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx). Now that we have the API for NM3.2, we are going to revisit this tool and rewrite it as an expert. Furthermore, the code for the tool is available as a project on http://www.CodePlex.com/NM3EventCap.

The Problem We Are Solving

Often you need to gather a trace up until a certain event occurs in the event log. Back in the day, we had a tool called EventCap which allowed you to do this. But since it was based on Netmon 2.x, it is limited to older OSes. The NM3.2 API gives us access to the capture engine, so as long as you have NM3.2 installed, this program now gives you this capability in one executable!

Examples

In the basic example you supply a capture file and the event ID to wait for. In this case we want to stop when PowerShell is run, which is event ID 400. We’ll save the capture to t1.cap.

    NM3EventCap t1.cap 400

The cool thing with the API is that you get access to all the various capturing formats for free. So you can do chained files and different size circular captures. It’s just a matter of exposing those in your code. So for instance to make this a chained capture with a 200 MB size, you would execute:

    NM3EventCap t1.cap 400 -b 200 -c

The Source Code

I’m not going to go into much detail here, as you can look at the source code on http://www.codeplex.com/NM3EventCap/SourceControl/ListDownloadableCommits.aspx, but here are the basics.

The CPrgExeState class reads the parameters, initializes the capture file and sets up the Network Monitor 3.2 engine. It opens the capture engine, initializes the capture file, and loads the NPL parser. This class also provides methods to start and stop the capture. Look at CPrgExeState::InitCapture to see how to initialize the capture engine. CPrgExeState::StartCapture and CPrgExeState::StopCapture show you how to start and stop the capture engine. To understand how we created the capture file, look at CPrgExeState::CreateCap.

The rest of the code controls access to the event log messages (the CEventMonWbem class). This is out of scope for Network Monitor, but those interfaces are documented on MSDN if you want more information.

The CodePlex Connection

CodePlex will be the location where further examples are posted. At some point we’ll create a portal that will be used to centralize Network Monitor 3 API related projects. The goal is to create a set of useful tools for capturing and analyzing network traffic. So if there are networking folks out there with ideas that can be turned into simple experts and network tools please create a project and let us know.

Posted by PaulELong | 0 Comments

Customizing the User Interface

Perhaps it’s already known, but I’m going to let the cat out of the bag. You can move your windows around and re-dock them in different places within the capture tab window. Our UI developer may flip out because he’s told me before this isn’t supported. He tells me there is a chance your layout may not be saved or you’ll end up in a state that you’ll have to reset. Also, if you upgrade, expect your window layout to also be reset. Just read that as a disclaimer and let’s mix things up in the UI.

Press Shift While Moving a Window

Shift is the key to making the window placement easy! [Dern puns] If you hold the Shift key and grab a window title, you will see a shaded area that previews how the window will dock. You can dock as a tab when the shaded area fills the entire window area. Or you can split the window up/down or side to side. If you release the Shift key while dragging, and then release the window, the result is a floating window. This might be useful, except it’s limited to the confines of the parent capture tab. For me, docking is the way to go.

Recovering From “Disaster”

If you make a mistake, or as the disclaimer mentions something strange happens, have no fear! There’s a way to recover easily. Just go to the View menu, choose Window, and click “Restore Default Layout”. This will restore the original Network Monitor layout. Then feel free to try a completely new customized layout.

Paul’s Favorite Setup

My main requirement is to have plenty of space for the frame summary. I want to have as many columns as I can and as much width for the information as possible, in particular the description. While I use the Hex display probably more than most users, I don’t need it front and center. So here are the steps to show you how I accomplish my favorite setup.

First, I move the Hex Details into the Display Filter section as another tab. After this step, it looks like this.

(Screenshot: step 1)

Next I move the Hex Details/Filters/Alias/Select Networks Tab section to the middle.

(Screenshot: step 2)

Then I move the Conversation Tree so it’s on the left side of the Frame Details.

(Screenshot: step 3)

Finally I put the Hex Details/Filters/Alias/Select Networks Tab section above the Frame Details. I end up with the following layout.

(Screenshot: final layout)

I prefer this setup because it gives me maximum column width for the Frame Summary. Also I have plenty of width for my Frame Details, which I can extend vertically by shrinking the Frame Summary window length.

Column Rearrangement

I’m not going to stop there. I also feel I can optimize the column layout. This is a supported change and it’s easy to move columns around by dragging and dropping. You can also right click the headings and choose “Choose Columns…” for more customization. But for my general setup, I will simply move the columns already there.

With the addition of the Find Conversation Feature, I no longer need the ConvID column. So I move it to the right of the description. I also find the Protocol Column is always repeated in the description, so I will also move this to the right of the description. With this change, my resulting setup looks like this below.

Now that I’m happy with this setup, I will save my column setup by right clicking and selecting “Save Column Layout”. The window layout will be saved once I exit.

A Custom Fit

While changing the Window layout isn’t a “supported” scenario, it does work well enough that I believe it’s safe to change. And if you do have to reset your window layout, it’s not that difficult to rearrange again. Each window in the Capture Tab Window is movable so I’m sure you can find a layout which best suits your needs.

Posted by PaulELong | 1 Comments

Open Source Parsers for Network Monitor 3.2

With the release of NM3.2, we revamped the parser management so that we can support parser upgrades. So I’m pleased to announce that we just released a new version of the parsers on http://www.codeplex.com/nmparsers. As new parsers become available or the current parsers become extended or improved, you’ll be able to get the latest version.

The Plan

Our plan is to release a new set of parsers every month. The updates will be based on your feedback and the bug/issue reports that are filed on the site. It may take us a bit of time to completely convert our development over to CodePlex. In the meantime there may be fixes for bugs that have been filed internally. But soon you’ll see the parser files updated live along with a matching MSI installer each month. We have already released a new MSI with the current parser changes. Just look at the Release tab on our CodePlex site and choose the MSI package that matches your installed Network Monitor OS version.

Eventually, we will document and expose the code for MSI creation so that you can create packages for your own parser sets. Also, we are planning to provide documentation for how to test parsers so that you can understand how we test internally for regressions and compatibility.

How does CodePlex work?

CodePlex is an open source community. People can sign in and take on various roles for filing bugs, developing code, and coordinating projects. Anybody can file bugs on CodePlex, so you are all welcome to contribute in that regard.

Currently, our CodePlex project’s developer and coordinator roles are being handled by the same MS folks who have been doing this job internally. But there is no reason these roles can’t be opened up to the public as well. Interested parties who are committed can be positioned to assume responsibility for a subset of parsers. Eventually, as our community grows, there may be bigger external partners who want to release their own sets of parser packages. In these cases we can communicate with them about providing links to their CodePlex development sites from ours.

You can also get the source code for a specific NPL from the Source Code tab if you can’t wait for the next tested MSI release. Integration may require you to get dependent parser files, and you will also have to copy the files manually. Please ask for help if you run into an issue. The Discussions section of CodePlex would be a perfect place to do this.

FAQ

Q: Why are the parser packages processor dependent?

A: While the parsers themselves are not Processor dependent, currently the Network Monitor MSI installer contains registry locations based on the processor type. So to start, we made different MSI versions to keep things easier for our development. In the future we’ll be looking at combining everything into one package that works for all processors.

Q: How can I tell which parser package version I have?

A: If you enable the Version column under “Programs and Features” in the Vista control panel, you can find the version number next to the “Microsoft Network Monitor: Microsoft Parsers” entry. It is also available in the registry: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netmon3\ParserPackages\Microsoft Parsers you will see a registry key called Version, which tells you the version of the parser package in question.

Q: Why is the version number 3.3 and not 3.2?

A: These parsers are from the future! They are coinciding with the release of our internal builds which have already been labeled 3.3. Therefore the new versions of our parsers are labeled 3.3 as well. Don’t worry though as we will continue to ensure through testing that they are still compatible with Network Monitor 3.2.

Q: Do I have to Exit NM3 to install?

A: You don’t have to Exit NM3, but you will have to rebuild the parsers. Rebuilding the parsers often requires you to reload any capture files you have loaded. So while you don’t have to exit NM3, a restart may still be required for things to parse correctly. The easiest way to get the changes is to simply restart NM3 after you’ve installed the package. This will cause a rebuild to occur automatically.

Q: How do I contribute a parser to the project?

A: You can contact us by filing an issue on CodePlex. Look at http://www.CodePlex.com/NMParsers/Wiki/View.aspx?title=Parser%20Development&referringTitle=Getting%20Started for more information. Also, feel free to request parsers that are missing in our current package.

We understand that having accurate and up-to-date parsers is the most important aspect of a protocol analyzer. By releasing the parsers on CodePlex you can now keep up-to-date without having to wait for another release of Network Monitor. And perhaps with the help of the community we will get contributions for other parsers.

Posted by PaulELong | 1 Comments