Capturing network packets using Netmon step by step

Disclaimer: The views expressed in my posts on this site are mine & mine alone & don’t necessarily reflect the views of Microsoft. All posts are provided “AS IS” with no warranties & confers no rights. If I post any code, scripts or demos, they are provided for the purpose of illustration & are not intended to be used in a production environment. They are provided ‘as is’ without warranty of any kind, expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. I grant you a nonexclusive, royalty-free right to use & modify my sample code & to reproduce & distribute the object code form of the sample code, provided that you agree: (i) to not use my name, my companies name, logo, or trademarks to market your software product in which the sample code is embedded; (ii) to include a valid copyright notice on your software product in which the sample code is embedded; and (iii) to indemnify, hold harmless, and defend me, Microsoft & our suppliers from & against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the sample code.

Updated: N/A

Published: May 13th, 2020

Applies to:

Windows Server 2019

Windows Server 2016

Windows 10

Windows Server 2012 R2

Windows 8.1

Windows Server 2012

Windows 8

Windows Server 2008 R2

Windows 7

Windows Server 2008

Windows Vista

Does not apply:

Windows Server 2003

Windows XP

Using Microsoft Network Monitor (Netmon) to capture a network trace

Q: What is Network Monitor (aka Netmon)?

A:  Network Monitor (Netmon) is a very helpful tool for collecting the raw packets as they pass through your network and/or wireless adapter. It can be used to diagnose the various network issues you may face.

The most common issues that we see in an Enterprise are with firewalls (TLS inspection, which used to be known as SSL inspection), proxy servers and/or network load balancers (NLB).

You looked at the event log, you looked at the application log, you tried to check if a port was working, you ran procmon (or wprui) and still can’t find what’s happening with the application and/or service.

Netmon shows you the raw packets and decodes them so you can see what data is actually being passed.

Tips:

  • A good practice is to capture with no filters and save “All captured frames” to avoid missing anything useful in the trace, unless you clearly know that you are only interested in a specific part of the trace.
  • If a VPN is involved in the traffic of interest, make sure “WAN Miniport” is included in step 3 above.

Q:  Why do I personally prefer to grab it with Netmon 3.4 rather than Wireshark or netsh trace start?

A:  I get the PID (Process ID), so I am able to filter the capture down quickly when analyzing.

[Prep]

Before you proceed, you might want to review:

1)  Basic Network Capture Methods
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/basic-network-capture-methods/ba-p/258922

2)  Before you capture any network trace, here are questions you should have ready when you are capturing it:

Network tracing (packet sniffing) data to provide when troubleshooting.

3)  Minimize the noise.

Close all the applications that are unnecessary for the issue that you are investigating.

4)  Clear any caching that has been done.

Clear all name resolution cache as well as all cached Kerberos tickets.

To clear DNS name cache you type in:

IPConfig /FlushDNS

To clear NetBIOS name cache you type in:

NBTStat -R

     Note:  This command requires you to be a “Local Administrator” (i.e. run CMD as admin).

To clear Kerberos tickets you will need KList.exe:

KList purge

Please go to the following URL and install the latest version of Network Monitor 3.4.

     Note:  Make sure you download the right version depending upon your machine’s architecture (64-bit or 32-bit).

[Install Netmon]

5) Download and install Netmon from the following URL.

Microsoft Network Monitor 3.4 (archive)

https://www.microsoft.com/en-us/download/details.aspx?id=4865

6) Get ready to reproduce the problem.

For example:

Step 6a)

You want to capture the Log Analytics Agent (LLA, used to be known as OMS agent, and before that as Microsoft Monitoring Agent (MMA)) network traffic.

Open “Control Panel”

Double-click on “Microsoft Monitoring Agent”

Click on “Azure Log Analytics (OMS)” tab

Step 6b)  Open Services.msc

Find “Microsoft Monitoring Agent” service.  Don’t do anything yet.  This is for step 11 below.

Step 6c)

Open a second CMD (Run as admin)

Once you have the repro, this will put a ‘marker’ in the network trace showing that you are done.

Type “ping 127.0.0.1” without the quotation marks and do not press Enter yet.  This is for step 12 below.

7) Launch Netmon.

All Programs –> Microsoft Network Monitor 3.4

Right-click on “Microsoft Network Monitor 3.4”

Click on “Run as admin”

If prompted with the “Microsoft Update Opt-in”
Click on “No”.

8) Select the appropriate network interface.

The first time you run Netmon, you’ll be asked to select the network interface to trace. 

Under “Select Networks”

Check all the boxes (this is the normal choice; on a Hyper-V server you might want to limit the selection to the network that you are investigating).

The following command should help you to identify the appropriate interface via the “Physical Address”:

Start, CMD (Run as admin)

ipconfig /all

9) Increase the buffer settings.

By default, Netmon will only trace up to 20MB of data before it starts to overwrite the capture buffer. 

Set the buffer to a larger size (say 1GB)

Click on Tools –> Options… –> “Capture” tab

Under “Temporary capture file”

Size: 1024 Megabytes

Click on OK

[Start the trace]

10) Start the trace

Click on “New capture tab”

Now click the “start” icon on the tool bar, or press F5 to start capture.

You can see the “Frame Summary” view being populated with new frames.

[Repro the issue]

11) Reproduce the issue.

For example:  We are going to restart the “Microsoft Monitoring Agent” service (from Step 6b).

Note:  It takes less than 30 seconds for the MMA to communicate properly unless you are having network issues.

12)  On the second CMD (Run as admin)

Where you had typed “ping 127.0.0.1”, now Press Enter.

[Stop the trace]

13) Stop the trace 

TIP:  For the MMA issue, you might want to wait 3-5 minutes since it downloads the .cab file, extracts it, then has to communicate w/ Azure Log Analytics before the service is started.

Stop tracing by clicking the “Stop” icon in the tool bar, or press F7.

14) Save the trace via File –> “Save As”

Leave the default radio button “All captured frames”

15) To complement the trace, capture network configuration information to a .txt file:

Start, CMD (Run as admin)

ipconfig /all > %computername%-ipconfig.txt

tasklist >> %computername%-ipconfig.txt

tasklist /svc >> %computername%-ipconfig.txt

16) Zip up the .cap and .txt files and send them out for analysis.
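Steps 4, 15 and 16 above, automated in one PowerShell script as an added example (not code from the original post). It assumes an elevated prompt, PowerShell 5.0 or later for Compress-Archive, and that the trace was saved in step 14 to Netmon’s default Captures folder; pass -CaptureDir if you saved it elsewhere.

```powershell
# Added example, not from the original post: automates steps 4, 15 and 16.
# Assumptions: elevated PowerShell prompt (nbtstat -R needs admin), PowerShell 5.0+
# for Compress-Archive, and the .cap saved (step 14) into Netmon's default folder.
param(
    [Parameter(Mandatory)][ValidateSet('Prep', 'Collect')]
    [string]$Phase,
    [string]$CaptureDir = "$env:USERPROFILE\Documents\Network Monitor 3\Captures",
    [string]$OutDir     = "$env:USERPROFILE\Desktop"
)

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell prompt (nbtstat -R in step 4 needs it)."
}

$name    = $env:COMPUTERNAME
$cfgFile = Join-Path $OutDir "$name-ipconfig.txt"

function Clear-NameCaches {
    # Step 4: clear DNS, NetBIOS and Kerberos caches so the trace shows the
    # real lookups and ticket requests instead of cached answers.
    ipconfig /flushdns | Out-Null
    nbtstat -R         | Out-Null
    klist purge        | Out-Null
}

function Save-NetworkConfig {
    # Step 15: the same three commands as the post, collected into one text file.
    ipconfig /all | Out-File -FilePath $cfgFile -Encoding ascii
    tasklist      | Out-File -FilePath $cfgFile -Encoding ascii -Append
    tasklist /svc | Out-File -FilePath $cfgFile -Encoding ascii -Append
    return $cfgFile
}

function New-TracePackage {
    # Step 16: zip the .cap file(s) together with the .txt file for the analyst.
    $caps = @(Get-ChildItem -Path $CaptureDir -Filter *.cap -File -ErrorAction SilentlyContinue)
    if ($caps.Count -eq 0) { throw "No .cap files in $CaptureDir; save the trace first (step 14)." }
    $zip = Join-Path $OutDir ("{0}-netmon-{1}.zip" -f $name, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Compress-Archive -Path (@($caps.FullName) + $cfgFile) -DestinationPath $zip -Force
    return $zip
}

switch ($Phase) {
    'Prep'    { Clear-NameCaches; Write-Host "Caches cleared. Now run steps 5-14 in Netmon." }
    'Collect' { $null = Save-NetworkConfig; $zip = New-TracePackage; Write-Host "Send $zip for analysis." }
}
```

Run it once with -Phase Prep before launching Netmon, then again with -Phase Collect after you have saved the trace.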

Thanks,

Yong

Twitter:  @YongRheeMSFT

https://twitter.com/yongrheemsft

P.S.  Viewing Traces

To view your traces, launch NetMon.exe, choose the File/Open/Capture menu and open the .cap file collected above.

When you open a trace file you will see that NetMon.exe displays the traces at various layers.

Fire & Forget: How to Stop a Network Trace Programmatically using Network Monitor
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/fire-amp-forget-how-to-stop-a-network-trace-programmatically/ba-p/256200

Book(s):

Administering Windows Server 2012 R2: Monitoring and Auditing
https://www.microsoftpressstore.com/articles/article.aspx?p=2217266&seqNum=2

Other useful network packet capture tools:

https://www.telerik.com/download/fiddler

https://www.wireshark.org/download.html

Published by yongrhee

A Cybersecurity & Information Technology (IT) geek.

3 thoughts on “Capturing network packets using Netmon step by step”

  1. Is there a reason you recommend this over a netsh trace (which is native in Windows, so no install needed)? Plus, Netmon 3.4 was deprecated a long time ago, wasn’t it?


      1. Ah, I thought in netsh you could filter by IP but I will admit never going down that route (I think you can also filter by process?). Good tip thanks. I looked up Paul Long to see what happened, he’s doing real estate or something now.
