Microsoft Network Monitor

I had never heard of this tool until today... I've always used Wireshark. Today I needed to view traffic broken out by application (PID/ProcessName). I went hunting and found the Microsoft Network Monitor. Surprisingly it's very feature rich, easy to use, and did exactly what I needed it to do... and sooo much more. Check it out!

Example Filters

Capturing everything except RDP:

!(tcp.port==3389)

Capture only DNS:

DNS

Filter Source or Destination IPv4 Address:

IPv4.Address == 1.1.1.1

Filter Source IPv4 Address:

IPv4.SourceAddress == 1.1.1.1

Filter traffic between two IPv4 hosts (IPv4.Address matches either end, so this shows both directions of the conversation):

IPv4.Address==1.1.1.1 and IPv4.Address==2.2.2.2

Filter IPv4 source or destination to a subnet (10.0.0.0/8 here; the mask is applied with & and the result compared to the network address):

((ipv4.Address & 255.0.0.0) == 10.0.0.0)

Filter to private-only IPv4 traffic (both source and destination inside the RFC 1918 ranges 10/8, 172.16/12 and 192.168/16):

(((IPv4.SourceAddress & 255.0.0.0) == 10.0.0.0) || ((IPv4.SourceAddress & 255.240.0.0) == 172.16.0.0) || ((IPv4.SourceAddress & 255.255.0.0) == 192.168.0.0))
&&
(((IPv4.DestinationAddress & 255.0.0.0) == 10.0.0.0) || ((IPv4.DestinationAddress & 255.240.0.0) == 172.16.0.0) || ((IPv4.DestinationAddress & 255.255.0.0) == 192.168.0.0))

Filter CDP traffic

01-00-0c-cc-cc-cc is the Cisco multicast MAC that CDP shares with VTP, DTP, PAgP and UDLD, so expect those to show up under this filter as well:

Ethernet.Address == 01-00-0c-cc-cc-cc

Filter LLDP traffic

LLDP

Filter Mikrotik MNDP traffic

Network Monitor has no parser for MNDP, so it decodes the frame only as far as UDP and shows the rest as a UDPPayloadData blob. The bytes are still visible in the Hex Details pane, and the fields (identity, version, board, addresses) are easy to pull out from there. RouterOS sends MNDP announcements as UDP broadcasts with source and destination port 5678:

(udp.DstPort==5678 AND udp.SrcPort==5678)
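
Since Network Monitor leaves the MNDP payload undecoded, the following is an added example (not code from the original page or from MikroTik) of a small parser you can run over the bytes copied out of the Hex Details pane. The TLV type table is an assumption drawn from public write-ups of the format (the same one the Wireshark dissector uses), and the sample packet is constructed for the example; verify both against your own capture.

```python
import ipaddress
import struct

# MNDP TLV types as commonly documented (assumption, not from the page).
MNDP_TLV_TYPES = {
    1: "mac_address",
    5: "identity",
    7: "version",
    8: "platform",
    10: "uptime",
    11: "software_id",
    12: "board",
    14: "unpack",
    15: "ipv6_address",
    16: "interface_name",
    17: "ipv4_address",
}


def parse_mndp(payload: bytes) -> dict:
    """Parse a UDP/5678 MNDP payload into a dict keyed by field name.

    Assumed layout: 2 bytes header/unused, 2-byte big-endian sequence number,
    then TLVs of 2-byte type, 2-byte length (both big-endian) and the value.
    Raises ValueError on a truncated payload instead of silently stopping.
    """
    if len(payload) < 4:
        raise ValueError("payload too short for MNDP header")
    fields = {"seqno": struct.unpack_from(">H", payload, 2)[0]}
    offset = 4
    while offset + 4 <= len(payload):
        ttype, tlen = struct.unpack_from(">HH", payload, offset)
        offset += 4
        value = payload[offset:offset + tlen]
        if len(value) != tlen:
            raise ValueError(f"truncated TLV type {ttype} at offset {offset}")
        offset += tlen
        name = MNDP_TLV_TYPES.get(ttype, f"tlv_{ttype}")
        if ttype == 1 and tlen == 6:
            fields[name] = "-".join(f"{b:02x}" for b in value)
        elif ttype == 10 and tlen == 4:
            fields[name] = struct.unpack("<I", value)[0]  # uptime seconds, little-endian
        elif ttype == 17 and tlen == 4:
            fields[name] = str(ipaddress.IPv4Address(value))
        elif ttype == 15 and tlen == 16:
            fields[name] = ipaddress.IPv6Address(value).compressed
        elif ttype in (5, 7, 8, 11, 12, 16):
            fields[name] = value.decode("utf-8", errors="replace")
        else:
            fields[name] = value.hex()  # unknown or odd-sized TLV: keep raw hex
    return fields


def parse_mndp_hex(hex_text: str) -> dict:
    """Convenience wrapper for bytes pasted from the Hex Details pane."""
    return parse_mndp(bytes.fromhex("".join(hex_text.split())))


def _tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack(">HH", ttype, len(value)) + value


# Constructed sample announcement (not a real capture): seqno 42, then TLVs.
SAMPLE_MNDP = (
    b"\x00\x00\x00\x2a"
    + _tlv(1, bytes.fromhex("4c5e0c112233"))
    + _tlv(5, b"core-sw1")
    + _tlv(7, b"6.49.7 (long-term)")
    + _tlv(8, b"MikroTik")
    + _tlv(10, struct.pack("<I", 86400))
    + _tlv(11, b"ABCD-EFGH")
    + _tlv(12, b"CRS326-24G-2S+")
    + _tlv(16, b"bridge1")
    + _tlv(17, bytes([10, 0, 0, 1]))
)

if __name__ == "__main__":
    for key, val in parse_mndp(SAMPLE_MNDP).items():
        print(f"{key:16} {val}")
```

Feed parse_mndp_hex the hex column only (offsets and the ASCII column stripped); the parser refuses a payload whose last TLV runs past the end rather than returning a partial record.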

Filter CDP + LLDP + MNDP

Ethernet.Address == 01-00-0c-cc-cc-cc
OR
LLDP
OR
(udp.DstPort==5678 AND udp.SrcPort==5678)

Filter traffic by ProcessName

The filter below shows whether a process is talking to any IP address other than the one you expect (WindTerm.exe and 9.9.9.9 here). IPv4.Address matches either source or destination, so the exclusion applies in both directions. Note that ProcessName is only populated on captures taken with Network Monitor's own driver; a capture imported from another tool has no process information to filter on:

ProcessName.Contains("WindTerm.exe") && IPv4.Address != 9.9.9.9

Filtering NPS + Azure MFA

The Azure MFA NPS Extension uses HTTPS to communicate with login.microsoftonline.com and credentials.azure.com, and receives its requests over RADIUS (UDP 1812). The filters below capture the related traffic.

Suggested capture filter:

// Suggested capture filter
tcp.port == 443         // HTTPS
OR udp.port == 1812     // RADIUS
OR DNS.Qrecord.QuestionName.contains("login.microsoftonline.com")
OR DNS.Qrecord.QuestionName.contains("credentials.azure.com")

Suggested display filter. The ContainsBin lines match the hostname where it appears in cleartext: the SNI in the TLS ClientHello and, for TLS 1.2, the server Certificate message. Under TLS 1.3 the certificate is encrypted, so only the ClientHello matches:

// Suggested display filter
udp.port==1812 // RADIUS packets
OR DNS.Qrecord.QuestionName.contains("login.microsoftonline.com")
OR DNS.Qrecord.QuestionName.contains("credentials.azure.com")
OR ContainsBin(FrameData, ASCII, "login.microsoftonline.com") // Will show HTTPS certificate negotiation packets
OR ContainsBin(FrameData, ASCII, "credentials.azure.com")     // Will show HTTPS certificate negotiation packets
OR ((ipv4.SourceAddress & 255.255.0.0) == 20.190.0.0) || ((ipv4.DestinationAddress & 255.255.0.0) == 20.190.0.0)
OR ((ipv4.SourceAddress & 255.255.0.0) == 40.126.0.0) || ((ipv4.DestinationAddress & 255.255.0.0) == 40.126.0.0)
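
To see exactly what the ContainsBin(FrameData, ASCII, "login.microsoftonline.com") clause is matching on, here is an added example (not code from the original page or from Microsoft) that builds a minimal ClientHello with an SNI extension and pulls the server name back out the way a parser would. The ClientHello is constructed for the example (zero random, one cipher suite, no real key material), and contains_ascii mirrors the byte search that ContainsBin performs.

```python
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension.

    Constructed sample only: fixed zero random, a single cipher suite and no
    other extensions, so it is not something a real client would send.
    """
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list       # extension type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, random
        + b"\x00"                               # session_id length 0
        + struct.pack(">H", 2) + b"\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # compression_methods: null
        + struct.pack(">H", len(ext)) + ext     # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:                     # not a handshake record
            return None
        rec_len = struct.unpack_from(">H", record, 3)[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                             # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None
        off = 2 + 32                                                 # skip version + random
        off += 1 + body[off]                                         # session_id
        off += 2 + struct.unpack_from(">H", body, off)[0]            # cipher_suites
        off += 1 + body[off]                                         # compression_methods
        if off + 2 > len(body):
            return None                                              # no extensions block
        ext_total = struct.unpack_from(">H", body, off)[0]
        off += 2
        end = min(off + ext_total, len(body))
        while off + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, off)
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:     # server_name, host_name entry
                name_len = struct.unpack_from(">H", edata, 3)[0]
                return edata[5:5 + name_len].decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None


def contains_ascii(frame: bytes, needle: str) -> bool:
    """The byte search ContainsBin(FrameData, ASCII, needle) performs on a frame."""
    return needle.encode("ascii") in frame


if __name__ == "__main__":
    hello = build_client_hello("login.microsoftonline.com")
    print("SNI:", extract_sni(hello))
    print("ContainsBin match:", contains_ascii(hello, "login.microsoftonline.com"))
```

The same byte search that makes the display filter work also means it will match any frame carrying that string, including DNS responses or the cleartext certificate of a TLS 1.2 server, which is why the DNS clauses and the address ranges are kept alongside it rather than relying on ContainsBin alone.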

Example on other sites:


-end