Microsoft Network Monitor
I had never heard of this tool until today... I've always used Wireshark. Today I needed to view traffic broken out by application (PID/ProcessName). I went hunting and found the Microsoft Network Monitor. Surprisingly it's very feature rich, easy to use, and did exactly what I needed it to do... and sooo much more. Check it out!
Example Filters
Capturing everything except RDP:
!(tcp.port==3389)
Capture only DNS:
DNS
Filter Source or Destination IPv4 Address:
IPv4.Address == 1.1.1.1
Filter Source IPv4 Address:
IPv4.SourceAddress == 1.1.1.1
Filter traffic between two IPv4 addresses (one must be the source and the other the destination, in either direction):
IPv4.Address == 1.1.1.1 && IPv4.Address == 2.2.2.2
Filter IPv4 Source or Destination to subnet:
((IPv4.Address & 255.0.0.0) == 10.0.0.0)
Filter to private-only IPv4 traffic (both source and destination inside the RFC 1918 private subnets):
(((IPv4.SourceAddress & 255.0.0.0) == 10.0.0.0) || ((IPv4.SourceAddress & 255.240.0.0) == 172.16.0.0) || ((IPv4.SourceAddress & 255.255.0.0) == 192.168.0.0))
&&
(((IPv4.DestinationAddress & 255.0.0.0) == 10.0.0.0) || ((IPv4.DestinationAddress & 255.240.0.0) == 172.16.0.0) || ((IPv4.DestinationAddress & 255.255.0.0) == 192.168.0.0))
Filter traffic by ProcessName:
The filter below shows whether a given process is talking to any IP address other than the one you expect (frames to or from 9.9.9.9 are excluded, so anything left is an unexpected peer):
ProcessName.Contains("WindTerm.exe") && IPv4.Address != 9.9.9.9
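The subnet-mask and ProcessName filters above, re-expressed as plain Python predicates and run over a handful of constructed flows. This is an added example, not part of the original post or of Network Monitor itself; it assumes that IPv4.Address != x excludes frames with x at either end (which is what the filter above intends), and it shows why the 255.240.0.0 mask stops at 172.31 while 172.32 and 192.169 fall outside the private ranges.

```python
from ipaddress import IPv4Address
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    process: str

def masked_match(ip: str, mask: str, network: str) -> bool:
    """The test Network Monitor performs for (IPv4.X & mask) == network."""
    return (int(IPv4Address(ip)) & int(IPv4Address(mask))) == int(IPv4Address(network))

# Mask/network pairs exactly as written in the private-only filter above.
RFC1918 = (("255.0.0.0", "10.0.0.0"),
           ("255.240.0.0", "172.16.0.0"),
           ("255.255.0.0", "192.168.0.0"))

def is_private(ip: str) -> bool:
    return any(masked_match(ip, mask, net) for mask, net in RFC1918)

def private_only(flow: Flow) -> bool:
    """Both endpoints inside RFC 1918 space (source clause && destination clause)."""
    return is_private(flow.src) and is_private(flow.dst)

def process_elsewhere(flow: Flow, name: str, allowed: str) -> bool:
    """ProcessName.Contains(name) && IPv4.Address != allowed.
    IPv4.Address covers both endpoints, so '!=' is taken to mean neither endpoint is 'allowed'."""
    return name in flow.process and allowed not in (flow.src, flow.dst)

# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "192.168.0.5", "svchost.exe"),
    Flow("172.31.255.1", "172.16.0.2", "svchost.exe"),
    Flow("172.32.0.1", "10.0.0.1", "svchost.exe"),      # 172.32/16 lies outside 172.16/12
    Flow("192.169.1.1", "10.0.0.1", "svchost.exe"),     # 192.169/16 lies outside 192.168/16
    Flow("10.0.0.7", "9.9.9.9", "WindTerm.exe"),        # only the expected peer
    Flow("10.0.0.7", "203.0.113.9", "WindTerm.exe"),    # an unexpected peer
]

def evaluate(flows=SAMPLE_FLOWS):
    """Return (private_only, process_elsewhere) verdicts per flow, in input order."""
    return [(private_only(f), process_elsewhere(f, "WindTerm.exe", "9.9.9.9")) for f in flows]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate()):
        print(flow.src, "->", flow.dst, flow.process, "private_only=%s elsewhere=%s" % verdict)
```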
-end