Analyzing Traffic With Network Monitor

by [Published on 30 June 2005 / Last Updated on 30 June 2005]

As an administrator, it’s important for you to keep tabs on the traffic that’s flowing across your network. I’m not saying that you need to be intimately familiar with every single packet that’s sent or received, but you need to know what types of protocols are flowing across your network. Monitoring the network allows you to have a better understanding of how bandwidth is being used. It also allows you to find out if users are running file sharing programs, or if some kind of evil Trojan is silently transmitting information in the background. What you might not realize is that Microsoft has given you a tool that you can use for monitoring network traffic. Appropriately, the tool is called Network Monitor. In this article, I will introduce you to this tool and show you how to use it.

Microsoft has given you a tool that you can use for monitoring network traffic. Appropriately, the tool is called Network Monitor. There are actually two different versions of Network Monitor that ship with Microsoft products. The version that comes with Windows Server 2003 is the watered down version. It is very similar to the full version, except that it only allows you to analyze traffic sent to or from the server that Network Monitor is running on. The full version of Network Monitor is included with SMS Server. It allows you to monitor any machine on your network and to determine which users are consuming the most bandwidth. You can also use the SMS version of Network Monitor to determine which protocols are using the most bandwidth on the network, locate network routers, and resolve device names into MAC addresses.

Another feature that is left out of the Windows version of Network Monitor is the ability to capture, edit, and retransmit a packet. This functionality is used by hackers when performing a replay attack. The idea behind a replay attack is that a hacker can capture some sensitive piece of information, such as an authentication packet. Later, if the hacker wants to log on as someone else, they can edit the packet to change the source address and then retransmit it. The actual process is a little more complicated than that, but not much.

Installing Network Monitor

As you may have already figured out, the Windows Setup program doesn’t install Network Monitor by default. To install the Windows version of Network Monitor, open the Control Panel and select the Add / Remove Programs option. Next, click the Add / Remove Windows Components button to launch the Windows Components wizard. Scroll through the list of components until you locate the Management and Monitoring Tools option. Select the Management and Monitoring Tools option and click the Details button. Select the Network Monitor Tools option and click Next. Windows will now begin the installation process. You may be prompted to insert your Windows installation CD. Click Finish to complete the installation process.

Running Network Monitor

After the installation process completes, you can launch Network Monitor by selecting the Network Monitor command found on Window’s Administrative Tools menu.  When Network Monitor initially loads, you will see a dialog box asking you to select a network that you can capture data from. Click OK and you will see the Select a Network dialog box. Simply expand the My Computer container and then select the network adapter that you want to monitor. Click OK to continue.

At this point, you will see the main Network Monitor screen, shown in Figure A. Right now, Network Monitor isn’t capturing any data. It’s up to you to initiate the data capture process. Before you do though, you might want to set up a capture filter.

Figure A: This is the main Network Monitor screen

The reason why filtering is so important is because there is a tremendous amount of traffic that flows into and out of most servers. You can easily capture so much traffic that analyzing it becomes next to impossible. To help cut down on the amount of traffic that you must analyze, Network Monitor allows you to use filters. There are two different types of filters that you can use; capture filters and display filters.

Capture filters allow you to specify which types of packets will be captured for analysis. For example, you may decide that you only want to capture HTTP packets. The main advantage to implementing a capture filter is that by filtering packets during the capture, you will use a lot less hard disk space than you would if you captured every packet.

Display filtering works similarly to capture filtering except that all network traffic is captured. You filter the data that you want to analyze at the time of analysis rather than at the time of capture. Display filtering uses a lot more hard disk space than capture filtering, but you will have the full dataset on hand just in case you decide to analyze something other than what you originally intended.

Capturing Data

If you have decided that you want to filter the data being captured, select the Filter option from the Capture menu, and configure your filter. Otherwise, you can start the capture process by selecting the Start command found on the Capture menu. You can see what the capture process looks like in Figure B. When you have captured the data that you want, then select the Stop command from the Capture menu.

Figure B: This is what the capture process looks like

Analyzing the Data

To analyze the captured data, select the Display Captured Data command from the Capture menu. When you do, you will see the screen shown in Figure C.

Figure C: This is a summary of the captured data

The screen shown in Figure C shows a summary of all of the captured packets in the sequence that those packets were captured. The data that you are looking at is unfiltered. You could set up a display filter at this point by selecting the Filter option from the Display menu.

Once you have located a packet that you are interested in, double click on the packet to see it in greater detail. When you do, you will see the screen that’s shown in Figure D.

Figure D: This is the screen that you will use to analyze a packet

As you can see in the figure, the packet screen is divided into three sections. The top section is simply a condensed view of the summary screen. You can use this section to select a different packet to analyze without having to go back to the mail summary screen.

The second section contains the packet’s contents in a decoded, tree format. For example, in the screen capture, you can see that the top portion of the tree says FRAME: Base Frame Properties. If you expand this portion of the tree, you can see the date and time that the frame was captured, the frame number, and the frame length.

The third section contains the raw data that makes up the frame. In this section, the column to the far left shows the base address of the bytes on that line in hexadecimal format. The middle section shows the actual hexadecimal data that makes up the frame. The hexadecimal code is positions wide. To determine the address of any of the hex characters, start with the base address for that line, and then count the position of the character that you are interested in. For example, if the base address is 00000010, and the character that you are interested in is in the twelfth position, then the character’s address would be 0000001B.

The column to the far right contains a reprint of the data in decimal notation. This is probably the most useful part of the screen because anything that has been transmitted in clear text is clearly readable in this column. For example, if an E-mail were transmitted in an unencrypted format and the transmission were captured, you could read the contents of the message in this location (assuming that you could locate the correct packet). If you look closely at Figure D, you will notice that this is an LDAP packet that I have captured. The decimal portion of the packet clearly shows a call to the Active Directory (CN=Configuration,DC=production,DC=com).


In this article I have explained that Microsoft includes the Network Monitor tool with Windows so that you can monitor the types of traffic flowing in and out of a server. I then went on to demonstrate the installation and use of this tool.

The Author — Brien M. Posey

Brien M. Posey avatar

Brien Posey is an MCSE and has won the Microsoft MVP award for the last few years. Brien has written well over 4,000 technical articles and written or contributed material to 27 books.

Latest Contributions


Featured Links