Microsoft Network Monitor

I had never heard of this tool until today... I've always used Wireshark. Today I needed to view traffic broken out by application (PID/ProcessName). I went hunting and found Microsoft Network Monitor. Surprisingly, it's very feature-rich, easy to use, and did exactly what I needed it to do... and sooo much more. Check it out!

Example Filters

Capturing everything except RDP:


Capture only DNS:


Filter Source or Destination IPv4 Address:

IPv4.Address ==

Filter Source IPv4 Address:

IPv4.SourceAddress ==

Filter IPv4 Source and Destination:

IPv4.Address== and IPv4.Address==

Filter IPv4 Source or Destination to subnet:

((ipv4.Address & ==

Filter IPv4 traffic to private-only traffic (source and destination both in RFC 1918 private subnets):

(((IPv4.SourceAddress & == || ((IPv4.SourceAddress & == || ((IPv4.SourceAddress & ==
(((IPv4.DestinationAddress & == || ((IPv4.DestinationAddress & == || ((IPv4.DestinationAddress & ==

Filter traffic by ProcessName:

The filter below lets you see whether a process is communicating with any IP address other than the one you listed:

ProcessName.Contains("WindTerm.exe") && IPv4.Address!=
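As an added example (not part of the original post), here are the private-only and ProcessName filters written out in Python over constructed frame records, to show what the bitmask test and the combined conditions actually match. The Frame class, the sample addresses and the reading of IPv4.Address != X as "neither endpoint is X" are assumptions of this example, not Network Monitor's own code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed frame records standing in for captured NetMon frames (not real capture data).
@dataclass(frozen=True)
class Frame:
    process_name: str   # NetMon's ProcessName conversation property
    src: str            # IPv4.SourceAddress
    dst: str            # IPv4.DestinationAddress

# The three RFC 1918 ranges the private-only filter tests against.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def masked_match(addr: str, net: ipaddress.IPv4Network) -> bool:
    """NetMon's '(IPv4.X & mask) == network' test, done as an explicit bitwise AND."""
    return (int(ipaddress.IPv4Address(addr)) & int(net.netmask)) == int(net.network_address)

def is_private(addr: str) -> bool:
    # OR of the three masked tests, as in each SourceAddress / DestinationAddress clause group.
    return any(masked_match(addr, net) for net in RFC1918)

def private_only(frames: List[Frame]) -> List[Frame]:
    """Both endpoints must be RFC 1918: the AND of the source and destination clause groups."""
    return [f for f in frames if is_private(f.src) and is_private(f.dst)]

def process_talking_elsewhere(frames: List[Frame], process: str, allowed: str) -> List[Frame]:
    """ProcessName.Contains(process) && IPv4.Address != allowed.
    Assumption: IPv4.Address != X keeps a frame only when neither endpoint is X,
    which is what 'any IP other than the one you listed' implies."""
    return [f for f in frames
            if process in f.process_name and f.src != allowed and f.dst != allowed]

SAMPLE = [  # constructed sample frames
    Frame("WindTerm.exe", "192.168.1.20", "10.0.0.5"),
    Frame("WindTerm.exe", "192.168.1.20", "203.0.113.9"),
    Frame("chrome.exe", "172.20.3.4", "172.31.255.1"),
    Frame("svchost.exe", "192.168.1.20", "8.8.8.8"),
]

if __name__ == "__main__":
    for f in private_only(SAMPLE):
        print("private-only:", f)
    for f in process_talking_elsewhere(SAMPLE, "WindTerm.exe", "10.0.0.5"):
        print("WindTerm talking elsewhere:", f)
```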
