Introduction:
Microsoft Network Monitor is useful for understanding data that is being sent over a network. One use could be the analysis of a browser’s requests being sent to a server, how this is represented in terms of network packets, and the responses the server sends back. This traffic can be exported in .csv format and parsed if needed.
Microsoft Network Monitor can return a massive amount of frames during a network capture, so initially, it is probably helpful to filter through this traffic.
Requirements:
Microsoft Network Monitor download/install (available from Microsoft’s Download Center)
Procedure:
After Stopping a Started capture in a Capture tab in Microsoft Network Monitor, a massive amount of frames may result in the “Frame Summary” pane. This is because Microsoft Network Monitor listens for whatever network traffic it can, perhaps from Outlook, One Drive, or other applications, in addition to a browser such as Internet Explorer.
When the Frames are displayed in the Frame Summary, the Source and Destination columns appear. The application being tested by the browser will not display using its URL, however. Network Monitor will list it using its IPv4 address. If you are uncertain what the site’s IPv4 address is that you want to filter by, you can ping it from the command line:
ping HOSTNAME.com
where HOSTNAME is the name of the application. This will return:
Ping statistics for XX.XXX.XX.XX:
where the IPv4 address of the host is listed.
You will need this IPv4 address, and it should display within the columns Source and Destination within Microsoft Network Monitor, depending if the frame is a request to the site, or a response back from it.
In the Display Filter pane, enter the filter:
((IPv4.SourceAddress == XX.XXX.XX.XX) OR (IPv4.DestinationAddress == XX.XXX.X.XX))
where the IPv4 address of the host is provided. This will reduce the Frame Summary results to just the traffic between your browser and the site.
In the Display Filter pane, make sure you press Apply to apply the filter.
It is important to note that this filter will limit the results to requests to the site and responses back. This may be desired. In some cases, you may prefer to view only requests or the returned responses instead.
