{"id":290571,"date":"2021-07-01T13:59:00","date_gmt":"2021-07-01T10:59:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-capture-and-inspect-network-packets-in-windows-server-cloudsavvy-it\/"},"modified":"2021-07-01T13:59:00","modified_gmt":"2021-07-01T10:59:00","slug":"how-to-capture-and-inspect-network-packets-in-windows-server-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-capture-and-inspect-network-packets-in-windows-server-cloudsavvy-it\/","title":{"rendered":"#How to Capture and Inspect Network Packets in Windows Server \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Capture and Inspect Network Packets in Windows Server \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage alignnone size-full wp-image-4336\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/12\/690269ba.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1400\" height=\"666\" \/><\/p>\n<p>While troubleshooting tricky connection or application issues, it can be very helpful to see what is being transmitted across the network. 
Microsoft originally offered the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=4865\">Microsoft Network Monitor<\/a>, which was succeeded by the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.microsoft.com\/en-us\/message-analyzer\/microsoft-message-analyzer-operating-guide\">Microsoft Message Analyzer<\/a>. Unfortunately, Microsoft has discontinued Microsoft Message Analyzer and removed its download links. Currently, only the older Microsoft Network Monitor is available.<\/p>\n<p>Of course, you can use third-party tools for performing network captures, such as Wireshark. Though some third-party tools may offer a better experience, Microsoft Network Monitor still holds its own. In this article, we are going to see how to capture and inspect packets using the last available version of Microsoft Network Monitor, one of the most popular tools out there.<\/p>\n<p>Although I could have used Wireshark, I have found that the interface and usability of Microsoft Network Monitor, out of the box, are far easier to use. Much of the same can be accomplished in Wireshark, but you may have to do far more configuration in the interface.<\/p>\n<h2 id=\"capturing-packets-using-microsoft-network-monitor\"><span class=\"ez-toc-section\" id=\"Capturing_Packets_Using_Microsoft_Network_Monitor\"><\/span>Capturing Packets Using Microsoft Network Monitor<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>First, we need to install Microsoft Network Monitor; you can locate the download <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=4865\">here<\/a> and then proceed to install it. Once you have Microsoft Network Monitor installed, go ahead and launch the program. 
Once launched, click on New Capture.<\/p>\n<figure style=\"width: 722px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3336 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/12\/6bda0b92.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"722\" height=\"358\" \/><figcaption class=\"wp-caption-text\">Viewing the Start Page<\/figcaption><\/figure>\n<p>Next, start monitoring by clicking the Start button. This will immediately start the capture, and you will see conversations begin to appear on the left-hand side.<\/p>\n<figure style=\"width: 662px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3337 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/12\/e2aa9217.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"662\" height=\"354\" \/><figcaption class=\"wp-caption-text\">Viewing a New Capture screen before it has started capturing<\/figcaption><\/figure>\n<p><em>If you get an error message saying no adapters are bound, run Microsoft Network Monitor as an Administrator. Additionally, if you have just installed it, you may need to reboot.<\/em><\/p>\n<p>One of the great benefits of using Microsoft Network Monitor is that it groups your network conversations on the left-hand side. This makes it much easier to find a specific process and then dive into its traffic.<\/p>\n<figure style=\"width: 316px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3338 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/12\/3f3cc2c8.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"316\" height=\"364\" \/><figcaption class=\"wp-caption-text\">Viewing Network Conversations<\/figcaption><\/figure>\n<p>Expanding any one of the plus signs will show the specific set of \u201cconversations\u201d that Network Monitor has captured and grouped under a process.<\/p>\n<h2 id=\"filtering-traffic\"><span class=\"ez-toc-section\" id=\"Filtering_Traffic\"><\/span>Filtering Traffic<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You will quickly find that, with all of this data coming in, you need a way to filter out noise. One example of a filter is <code>DnsAllNameQuery<\/code>, under the DNS section of Standard Filters. 
Adding this line to the Display Filter section and clicking Apply will show only those packets that are DNS queries, as below.<\/p>\n<figure style=\"width: 885px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3339 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/12\/4c63c206.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"885\" height=\"580\" \/><figcaption class=\"wp-caption-text\">Viewing the DnsAllNameQuery Filter<\/figcaption><\/figure>\n<h3 id=\"building-filters\"><span class=\"ez-toc-section\" id=\"Building_Filters\"><\/span>Building Filters<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Creating filters, or modifying the built-in ones, is very easy. Within the Display Filter field, there are several ways to construct filters. Entering a protocol name followed by a <code>.<\/code> (period) brings up an auto-complete list of the fields that can be compared. Using the standard comparison operator <code>==<\/code>, we can test whether a field equals a given value. We can even build compound expressions using the logical operators <code>and<\/code> and <code>or<\/code>. An example of what this looks like is below.<\/p>\n<pre><code>DNS.QuestionCount AND\nDNS.ARecord.TimeToLive == 14<\/code><\/pre>\n<p>A few methods are also available, such as <code>contains()<\/code> and <code>UINT8()<\/code>. 
Below, the <code>contains()<\/code> method is used to show only DNS records whose question name contains <code>google.com<\/code> and that have a TimeToLive of <code>14<\/code>.<\/p>\n<pre><code>DNS.QuestionCount AND\nDNS.ARecord.TimeToLive == 14 AND\nDNS.QRecord.QuestionName.contains(\"google.com\")<\/code><\/pre>\n<p>As you can tell, there are many ways to combine filters to make them useful and convenient. This is a great way to return only the data you are interested in, especially since a packet capture can become quite large. In the next section, we take a look at some more useful examples.<\/p>\n<h2 id=\"example-filters\"><span class=\"ez-toc-section\" id=\"Example_Filters\"><\/span>Example Filters<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Some practical examples, beyond the built-in defaults, go a long way toward helping you get to just the data you need.<\/p>\n<h3 id=\"filtering-by-port-number\"><span class=\"ez-toc-section\" id=\"Filtering_by_Port_Number\"><\/span>Filtering by Port Number<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Though it\u2019s possible to filter on the HTTP protocol, the following method lets you account for custom ports, such as <code>8080<\/code> or <code>8443<\/code>, which is especially useful when troubleshooting.<\/p>\n<pre><code>\/\/ Filter by TCP Port Number\ntcp.port == 80 OR Payloadheader.LowerProtocol.port == 80\ntcp.port == 443 OR Payloadheader.LowerProtocol.port == 443<\/code><\/pre>\n<p><em>TCP frames that have been fragmented are reassembled and inserted into a new frame in the trace that contains a special header named <code>Payloadheader<\/code>. 
By looking for both, we can make sure we are getting all of the data we are looking for.<\/em><\/p>\n<h3 id=\"find-ssl-negotiation-frames\"><span class=\"ez-toc-section\" id=\"Find_SSL_Negotiation_Frames\"><\/span>Find SSL Negotiation Frames<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>While troubleshooting, you may need to understand which SSL connections are being negotiated. Though you may not be able to decrypt the traffic inside them, this filter will help you find which servers the connection is attempting to use.<\/p>\n<pre><code>\/\/ Filter by SSL Handshake (HandShakeType 0x1 is a ClientHello)\nTLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType == 0x1<\/code><\/pre>\n<h3 id=\"find-tcp-retransmits-and-syn-retransmits\"><span class=\"ez-toc-section\" id=\"Find_TCP_Retransmits_and_SYN_Retransmits\"><\/span>Find TCP Retransmits and SYN Retransmits<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>To troubleshoot file upload and download problems, you can check whether many retransmissions are occurring, which could be impacting performance.<\/p>\n<pre><code>Property.TCPRetransmit == 1 || Property.TCPSynRetransmit == 1<\/code><\/pre>\n<p><em>Make sure you have conversations turned on; this filter depends on that functionality.<\/em><\/p>\n<h2 id=\"reading-frames-and-hex-data\"><span class=\"ez-toc-section\" id=\"Reading_Frames_and_Hex_Data\"><\/span>Reading Frames and Hex Data<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>By default, the window layout has two bottom panes, Frame Details and Hex Details. Frame Details shows each packet broken up into its component parts. Hex Details, on the opposite side, shows the raw bytes and their decoding. 
As you select a section within Frame Details, the corresponding bytes in Hex Details are highlighted as well.<\/p>\n<figure style=\"width: 1552px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3340 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/12\/dda619a3.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1552\" height=\"509\" \/><figcaption class=\"wp-caption-text\">Viewing Frame Details and the raw Hex Data<\/figcaption><\/figure>\n<h2 id=\"conclusion\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Performing network traces is very easy with the latest version of Windows. Though Microsoft has opted to discontinue or deprecate some of its internally created tools, others still thrive. There are plenty of alternatives, such as Wireshark, but Microsoft Network Monitor still makes it quite easy to parse and understand the packet information that is captured.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/3335\/how-to-capture-and-inspect-network-packets-in-windows-server\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Capture and Inspect Network Packets in Windows Server \u2013 CloudSavvy IT&#8221; While troubleshooting tricky connection or application issues, it can be very helpful to see what is being transmitted across the network. Microsoft originally offered the Microsoft Network Monitor which was succeeded by the Microsoft Message Analyzer. 
Unfortunately, Microsoft has discontinued the Microsoft&#8230;<\/p>\n","protected":false},"author":1,"featured_media":290572,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2019\/12\/690269ba.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-290571","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/290571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=290571"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/290571\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/290572"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=290571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=290571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=290571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}