How to Capture and Inspect Network Packets in Windows Server

Whereas troubleshooting tough connection or software points, it may be very useful to see what’s being transmitted throughout the community. Microsoft initially supplied the Microsoft Community Monitor which was succeeded by the Microsoft Message Analyzer. Sadly, Microsoft has discontinued the Microsoft Message Analyzer and eliminated its obtain hyperlinks. Presently, solely the older Microsoft Community Monitor is accessible.

In fact, you should utilize third-party instruments for performing community captures, akin to WireShark. Although some third-party instruments could supply a greater expertise Microsoft Community Monitor nonetheless holds its personal. On this article, we’re going to see how one can seize and examine packets utilizing the final out there model of Microsoft Community Monitor, one of the crucial standard instruments on the market.

Though I might have used WireShark, I’ve discovered that the interface and value of Microsoft Community Monitor, out of the field, is much simpler to make use of. A lot of the identical could be achieved in WireShark, however you could have to do way more configuration within the interface.

Capturing Packets Utilizing Microsoft Community Monitor

First, we have to set up Microsoft Community Monitor, you’ll be able to find the obtain right here after which proceed to put in it. Upon getting Microsoft Community Monitor put in, go forward and launch this system. As soon as launched, you’ll click on on New Seize.

Viewing the Begin Web page

Subsequent, you’ll want to begin the monitoring by clicking on the Begin button. This may immediately begin the seize and you will notice conversations beginning to present up on the left-hand aspect.

Viewing a New Seize display earlier than it has began capturing

When you discover that you just get an error message saying no adapters are certain, then you must run Microsoft Community Monitor as an Administrator. Moreover, in case you have simply put in this, it’s possible you’ll have to reboot.

One of many nice advantages of utilizing Microsoft Community Monitor is that it teams your community conversations very simply on the left-hand aspect. This makes particular processes a lot simpler to seek out after which dive into.

Viewing Community Conversations

Increasing any one of many plus indicators will present you the particular set of “conversations” that the community monitor could have captured and grouped beneath a course of.

Filtering Visitors

You’ll shortly discover that with all of this information coming in, you have to to extra simply filter out noise. One instance of utilizing a filter, is the DnsAllNameQuery, underneath the DNS part of Commonplace Filters. By including this line to the show filter part and clicking on Apply, then it is possible for you to to solely show these packets which might be DNS queries, akin to beneath.

Viewing the DnsAllNameQuery Filter

Constructing Filters

Creating filters, or modifying the built-in filters, could be very straightforward. Inside the Show Filter area, there are a number of methods to assemble filters. By getting into in a Protocol Identify and following that by a . (interval), you will notice an auto-complete of potential area values to match. Utilizing the usual comparability operator of == we are able to see if sure values are equal. We will even create multi-expressions utilizing logic operators akin to and and or. An instance of what this seems to be like is beneath.

DNS.QuestionCount AND
DNS.ARecord.TimeToLive == 14

There are a couple of strategies as effectively which might be out there akin to comprises() and UINT8(). You possibly can see utilizing the comprises technique beneath to filter out simply DNS data that comprise []( and a TimeToLive of 14.

DNS.QuestionCount AND
DNS.ARecord.TimeToLive == 14 AND

As you may be capable of inform, there are a variety of how to mix filters to make them helpful and handy to make use of. This can be a nice strategy to solely return the information that you’re curious about, particularly since packet seize can develop into fairly massive. Within the subsequent part, we check out some extra helpful examples.

Instance Filters

Some sensible examples, past what the default built-in ones are, go an extended strategy to serving to you perceive how one can get to only the helpful information that you just want.

Filtering by Port Quantity

Although it’s potential to make use of the HTTP protocol to filter by, utilizing the next technique lets you account for customized ports, akin to 8080 or 8443, which is particularly helpful when troubleshooting.

// Filter by TCP Port Quantity
tcp.port == 80 OR Payloadheader.LowerProtocol.port == 80
tcp.port == 443 OR Payloadheader.LowerProtocol.port == 443

TCP frames which have been fragmented are reassembled and inserted into a brand new body within the hint that comprises a particular header named, Payloadheader. By on the lookout for each, we are able to be sure we’re getting all the information we’re on the lookout for right here.

Discover SSL Negotiation Frames

Whereas troubleshooting, it’s possible you’ll want to grasp what SSL connections are tried to be negotiated. Although it’s possible you’ll not be capable of decrypt the inner visitors, it will assist discover what servers the connection is making an attempt to make use of.

// Filter by SSL Handshake
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType == 0x1

Discover TCP Retransmits and SYN Retransmits

To troubleshoot file add and obtain issues, you’ll be able to look to see if many retransmissions are occurring that may very well be impacting efficiency.

Property.TCPRetransmit == 1 || Property.TCPSynRetransmit == 1

Ensure you have conversations turned on, this filter relies on that performance.

Studying Frames and Hex Knowledge

By default, the window format has two backside panes devoted to Body Particulars and Hex Particulars. Inside the Body Particulars is every packet damaged up into its element components. On the alternative aspect is the Hex Particulars that are the uncooked bytes and decoding. As you choose a special part inside the Body particulars, the identical part inside the Hex code shall be highlighted as effectively.

Viewing Body Particulars and the uncooked Hex Knowledge


Performing community traces could be very straightforward with the newest model of Home windows. Although Microsoft has opted to discontinue or deprecate their internally created instruments, some nonetheless thrive. There are many others, akin to WireShark, however Microsoft Community Monitor nonetheless makes it fairly straightforward to parse and perceive the packet data that’s captured.

About Adam Bertram

Check Also

How to Fix Problems with Thumbnails on Windows 10

In Home windows 10, typically thumbnail icons have a white or black border behind them, …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.