Microsoft Network Monitor I had never heard of this tool until today... I've always used Wireshark. Today I needed to view traffic broken out by application (PID/ProcessName). I went hunting and found the Microsoft Network Monitor. Surprisingly it's very feature rich, easy to use, and did exactly what I needed it to do... and sooo much more. Check it out! Microsoft Links Information about Network Monitor 3 Download Microsoft Network Monitor 3.4 (archive) Example Filters Capturing everything except RDP: !(tcp.port==3389) Capture only DNS: DNS Filter Source or Destination IPv4 Address: IPv4.Address == 1.1.1.1 Filter Source IPv4 Address: IPv4.SourceAddress == 1.1.1.1 Filter IPV4 Source and Destination: IPv4.Address==1.1.1.1 and IPv4.Address==2.2.2.2 Filter IPv4 Source or Destination to subnet: ((ipv4.Address & 255.0.0.0) == 10.0.0.0) Filter IPv4 traffic to private only traffic (source and destination in RFC-1918 private subnets): (((IPv4.SourceAddress & 255.0.0.0) == 10.0.0.0) || ((IPv4.SourceAddress & 255.240.0.0) == 172.16.0.0) || ((IPv4.SourceAddress & 255.255.0.0) == 192.168.0.0)) && (((IPv4.DestinationAddress & 255.0.0.0) == 10.0.0.0) || ((IPv4.DestinationAddress & 255.240.0.0) == 172.16.0.0) || ((IPv4.DestinationAddress & 255.255.0.0) == 192.168.0.0)) Filter CDP traffic Ethernet.Address == 01-00-0c-cc-cc-cc Filter LLDP traffic LLDP Filter Mikrotik MNDP traffic Microsoft netmon has no protocol disassembler for the MNDP protocol. All you will see is a UDPPayloadData Binary Large Object, however, you can see data in the Hex Details view and can extract the data you need from there fairly easily. (udp.DstPort==5678 AND udp.SrcPort==5678) Filter CDP + LLDP + MNDP Ethernet.Address == 01-00-0c-cc-cc-cc OR LLDP OR (udp.DstPort==5678 AND udp.SrcPort==5678) Filter traffic by ProcessName The filter below allows you to see if a process is communicating with any other IP address besides the one you listed: ProcessName.Contains("WindTerm.exe") && IPv4.Address!= 9.9.9.9 Filtering NPS + Azure MFA The Azure MFA NPS Extension uses HTTPS to communicate with login.microsoftonline.com and credentials.azure.com. The filters below enable capturing related traffic. Suggested capture filter: // Suggested capture filter tcp.port == 443 // HTTPS OR udp.port == 1812 // RADIUS OR DNS.Qrecord.QuestionName.contains("login.microsoftonline.com") OR DNS.Qrecord.QuestionName.contains("credentials.azure.com") Suggested display filter: // Suggested display filter udp.port==1812 // RADIUS packets OR DNS.Qrecord.QuestionName.contains("login.microsoftonline.com") OR DNS.Qrecord.QuestionName.contains("credentials.azure.com") OR ContainsBin(FrameData, ASCII, "login.microsoftonline.com") // Will show HTTPS certificate negotiation packets OR ContainsBin(FrameData, ASCII, "credentials.azure.com") // Will show HTTPS certificate negotiation packets OR ((ipv4.SourceAddress & 255.255.0.0) == 20.190.0.0) || ((ipv4.DestinationAddress & 255.255.0.0) == 20.190.0.0) OR ((ipv4.SourceAddress & 255.255.0.0) == 40.126.0.0) || ((ipv4.DestinationAddress & 255.255.0.0) == 40.126.0.0) Example on other sites: Network Monitor Filter Examples   Running nmcap from the cmd prompt Run the following command from anywhere to view the command line usage. "C:\Program Files\Microsoft Network Monitor 3\nmcap.exe" /usage Run the following command from anywhere to view the network adapters. "C:\Program Files\Microsoft Network Monitor 3\nmcap.exe" /displaynetworks After determining the network adapter you would like to perform the capture on, grab the command below, update the capture network interface, the capture filter, and the stop / start conditions. "C:\Program Files\Microsoft Network Monitor 3\nmcap.exe" /network 4 /capture "dns || icmp || ((ipv4.Address & 255.255.248.0) == 104.244.40.0)" /CaptureProcesses /file C:\tmp\nmcap-capture-testing.cap /TerminateWhen /KeyPress x /StopWhen /TimeAfter 30 min   Running nmcap from PowerShell Run the following command from anywhere to view the command line usage. & 'C:\Program Files\Microsoft Network Monitor 3\nmcap.exe' /usage Run the following command from anywhere to view the network adapters. & 'C:\Program Files\Microsoft Network Monitor 3\nmcap.exe' /displaynetworks After determining the network adapter you would like to perform the capture on, grab the command below, update the capture network interface, the capture filter, and the stop / start conditions. & 'C:\Program Files\Microsoft Network Monitor 3\nmcap.exe' /network 4 /capture "dns || icmp || ((ipv4.Address & 255.255.248.0) == 104.244.40.0)" /CaptureProcesses /file C:\tmp\nmcap-capture-testing.cap /TerminateWhen /KeyPress x /StopWhen /TimeAfter 30 min   nmcap full command line usage PS C:\> & 'C:\Program Files\Microsoft Network Monitor 3\nmcap.exe' /usage Network Monitor Command Line Capture (nmcap) 3.4.2350.0 Options: /Help /? /Usage Displays this message. Example Usage: nmcap /Usage /Example(s) Displays a list of examples. Example Usage: nmcap /Example nmcap /examples /TimeFormat Displays the list of date and time formats available for the /Time switch. Example Usage: nmcap /TimeFormat /DisplayNetwork(s) Displays the network adapters that Network Monitor can capture from. Example Usage: nmcap /DisplayNetwork nmcap /displaynetworks /SetNplPath [;;...] Builds a profile titled "NMCap Last Path" and attempts to compile. If compilation is successful, the new profile is set as active. If the provided NPL cannot compile, the Active Profile is unchanged. On success, any existing "NMCap Last Path" profile is updated. /DisplayNplPath Displays the NPL path. Example Usage: nmcap /DisplayNplPath Note: Nmcap gets the NPL files in the following order: 1) Files in the current directory 2) Files in the path set by /SetNplPath 3) Default NMCap installation directory /DisplayProfiles Display the installed profiles. /DisplayProfileInfo Display detailed information for the indicated profile. A Profile Key can be either the GUID or the Index displayed when using the /DisplayProfiles argument. /UseProfile Use an alternate profile for the capture session. This setting must be before any /Capture arguments. Otherwise, the active profile is used. A Profile Key can be either the GUID or the Index displayed when using the /DisplayProfiles argument. /SetActiveProfile Set the active profile for to the indicated profile. This setting changes the default profile for other Network Monitor applications, as well. A Profile Key can be either the GUID or the index displayed when using the /DisplayProfiles argument. /DeleteProfile Delete the indicated profile. Only user-defined profiles can be deleted. A Profile Key can be either the GUID or the index displayed when using the /DisplayProfiles argument. /SetDefaultParser [NplFileName.npl] Specifies the default NPL parser Example Usage: nmcap /SetDefaultParser sparser.npl /DisplayDefaultParser Displays the default NPL parser. Example Usage: nmcap /DisplayDefaultParser Note: If you do not explicitly set the default parser using /SetDefaultParser, /DisplayDefaultParser does not display anything. /MaxFrameLength Specifying the Max Frame Length limits the number of bytes captured per frame to the specified value. If you enter a value of 68, every frame is truncated to the first 68 bytes. This has an impact on filtering because the filter may require elements defined in the frame which are no longer present as a result of the truncation. Example Usage: The following captures all traffic on all adapters and limits the captured data to the first 68 bytes. nmcap /network * /MaxFrameLength 68 Note: This does not apply to frames retrieved from /inputcapture files. The following options are used together and have no meaning independently. Refer to the examples to better understand how they can be used together. Specifying Input Sources: /Network [ ...] Selects one or more space-delimited network adapters to capture from. Adapters may be specified using their index, partial name with wildcard (*), or quoted friendly name. (find using /DisplayNetwork above). Example Usage: /Network inte* 2 'Local Area Connection 1' /InputCapture [ ...] Selects one or more space-delimited capture files to capture from. The frames in the capture files are replayed through NMCap. Example Usage: /InputCapture dns.cap tcp.cap c:\temp\test.cap /DisableConversations Disables conversations. This enhances the performance of NMCap. Some protocols such as MSRPC require conversation to be enabled. Example Usage: /DisableConversations /CaptureProcesses Enables process tracking. This is incompatible with the /DisableConversations switch as process tracking requires conversations. Example Usage: /CaptureProcesses /DisableLocalOnly Disables local-only capture. This enables the capture in p-mode. All frames seen by this computer are captured. Example Usage: /DisableLocalOnly /RecordFilters Records the capture filters in the capture file. Example Usage: /RecordFilters /RecordConfig Records the network configuration in the capture file. Example Usage: /RecordConfig /MinDiskQuotaPercentage Specifies the minimal disk size percentage allowed. Note: Default minimal disk size percentage is 2 percent. Example Usage: /MinDiskQuotaPercentage 20 (Sets the minimal disk size percentage to 20 percent.) /MinDiskQuota: Specifies the minimal disk size allowed. Example Usage: /MinDiskQuota 20M (Sets the minimal disk size to 20 MB.) /Frame Frame filter. The frame filter is constructed from the NPL files. You can use all the filter expressions that you can in the Netmon UI. For more sample filters, type nmcap /Examples or see Standards Filter in the Filter Toolbar of the UI. This switch must be part of /StartWhen, /StopWhen, and /TerminateWhen. Example Usage: /Frame Dns.Flags.Stats == 3 Capture File output: /Capture [FrameFilter] /File [/File ...] Saves frames that pass the frame filter to the specified capture files. Example Usage: /Capture dns.flags.status == 3 /File t.cap /File t2.cap /ReassembleCapture [FrameFilter] /File [/File ...] An alternate to Capture (above) Saves frames that pass the frame filter to the specified capture files, along with reassembled payloads. Example Usage: /ReassembleCapture tcp /File tcp.cap /File tcp2.cap /File [:] Name of capture file to save frames to. Extensions are used to determine the behavior of NMCap. .cap -- Netmon 2 capture file .chn -- Series of Netmon 2 capture files: t.cap, t(1).cap, t(2).cap... is optional. It limits the file size of each capture file generated. Default single capture file size limit is 20 MB. The upper bound of the file size limit is 500 MB. The lower bound of the file size limit depends on the frame size captured. (Note that the maximal size of Ethernet frames is 1500 bytes) The files are circular, so once the size limit is reached, new data overwrites older data. Example Usage: /File t.cap:50M Starting, stopping, and events: /StartWhen List of conditions that specify when to start capturing network frames. If it is ignored, NMCap starts capturing immediately. When input from capture files by /InputCapture, this switch is generally ignored. Example Usage: /StartWhen /Time 7:02:00 AM 9/10/2005 /StopWhen List of conditions that specify when to stop capturing network frames. Example Usage: /StopWhen /TimeAfter 20 min This switch becomes active only after a preceding /StartWhen evaluates to TRUE. Example: /StartWhen /TimeAfter 10 min ... /StopWhen /TimeAfter 20 min Nmcap starts after 10 minutes and stops after 10+20=30 minutes. /StopWhen never terminates the program while the /StartWhen option is set to FALSE. /TerminateWhen should be used to safely terminate immediately. /TimeAfter [units] Indicates a time period. This switch can be part of /StartWhen, /StopWhen, and /TerminateWhen. The user specifies the time units. By default it is in seconds. Example Usage: /TimeAfter 20 seconds /Time