Network Monitor Filter Examples

The below is an assortment of Network Monitor (NetMon) filters that I used frequently.  With each of the filters, there is a quick explanation of why it is used.
The filters can be used as regular display filters, or as colour filters.  The retransmission one is especially useful to have set as a colour filter, as retransmits then stand out when reviewing traces.

Filter Source IPv4 Address

// Filter on source IPv4 address.
IPv4.SourceAddress == 192.168.0.1

Filter Source or Destination IPv4 Address

// Filter on IPv4 address (source or destination).
IPv4.Address == 192.168.0.1

Filter IPV4 Source and Destination

// View IPv4 traffic between a source and a destination node.
IPv4.Address==10.0.0.1 and IPv4.Address==10.0.0.222

Filter HTTP Only

While it is possible to filter on the HTTP protocol in the Network Monitor display filter, filtering on the port gives control when a custom port is used.  This most commonly applies when a proxy server is listening on a custom port.
// Filter frames by TCP port number. 
tcp.port == 80
OR
Payloadheader.LowerProtocol.port == 80

Filter HTTPS Only

// Filter frames by TCP port number. 
tcp.port == 443
OR
Payloadheader.LowerProtocol.port == 443

Filter Proxy CONNECT Verb

This is useful to drill into the HTTPS requests sent via a proxy server.
// Filter frames with CONNECT verb
HTTP.Request.Command == "CONNECT"

TCP Zero Window

When reviewing a TCP conversation, the receiving machine advertises the amount of space available in its receive buffer throughout the conversation.  If the receive buffer is overwhelmed, a zero window condition can occur, which is a performance issue.  Note that reset frames are a separate issue from this.
// Filter frames with zero window
TCP.Window == 0x0

Show SSL Negotiation Frames

When reviewing a large capture to Office 365, several endpoints will be accessed.  By filtering on the SSL negotiation frames (the ClientHello), we can quickly see the name the client is looking for and then follow the correct TCP conversation.
// Filter frames with SSL Handshake
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType == 0x1
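The reason the ClientHello filter above reveals the name the client is looking for is that the hostname travels in the Server Name Indication (SNI) extension of handshake type 0x1. The following Python is an added example, not code from the original post: it builds a minimal constructed ClientHello record and then applies the same checks the NetMon filter does (record type 0x16, handshake type 0x01) before walking the extensions to pull out the SNI hostname.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (sample input)."""
    name = hostname.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # name_type=host_name(0), len, name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32                                 # client_version, random (zeros, constructed)
            + b"\x00"                                                   # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                               # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)                # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandShakeType 0x01 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def client_hello_sni(record: bytes):
    """Return the SNI hostname if `record` is a TLS ClientHello, else None.

    The first two checks mirror the NetMon filter: a handshake record (0x16)
    whose HandShakeType is 0x1.  Anything else (ServerHello, application data,
    truncated frames) yields None rather than raising.
    """
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) != hs_len:
            return None                                                 # truncated frame
        pos = 2 + 32                                                    # skip version + random
        pos += 1 + body[pos]                                            # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]            # cipher_suites
        pos += 1 + body[pos]                                            # compression_methods
        if pos + 2 > len(body):
            return None                                                 # no extensions present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:                                              # server_name extension
                names = body[pos + 2:pos + elen]                        # skip server_name_list length
                if names and names[0] == 0:                             # host_name entry
                    nlen = struct.unpack("!H", names[1:3])[0]
                    return names[3:3 + nlen].decode("ascii", "replace")
            pos += elen
        return None
    except (IndexError, struct.error):
        return None
```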

Show Frames With SYN and also SYN ACK

This makes it easy to identify particular portions of the three-way handshake.  Handy when there are hundreds or thousands of frames, and potentially multiple separate TCP streams.
// Show all TCP SYN ACK Frames
TCP.Flags.Ack == 1 AND TCP.Flags.Syn == 1

Show Retransmit and SYN Retransmits

This is useful to review file upload and download issues, where excessive retransmissions are causing performance impact.

// Searches a trace for all TCP retransmits.
Property.TCPRetransmit == 1

// Uncomment this next line to find SYN retransmits as well.
// || Property.TCPSynRetransmit == 1

// The retransmitted frame will reference the original frame that it is a retransmission of.

//  NOTE:
//  This filter requires that Conversations are turned on.
//  If conversations are not enabled, the filter may not
//  work at all, or may not return the information you expect.


Bonus Filters

The following example block is a display filter that may be useful when capturing network traffic to troubleshoot Enterprise Voice issues, and is taken from the OCS 2007 R2 TechNet documentation.

The intent of the below is to be a large boilerplate, from which the required filter can be crafted simply by uncommenting the relevant lines.  It can easily be modified for other scenarios.


// Network Monitor 3.x display filter for Office Communications Server troubleshooting.
tcp.port==5061 // SIP over TLS.  This is used by most functions of OCS

// Uncomment any additional protocols you wish to monitor. && = logical AND
// && tcp.port==5060   // SIP over TCP
// && tcp.port==5062   // Default SIP for the A/V edge
// && tcp.port==5063   // Default SIP for the A/V Conferencing server
// && tcp.port==443    // HTTPS, TCP STUN
// && udp.port==3478   // UDP STUN
// && tcp.port==8057   // PSOM
// && tcp.port==135    // RPC endpoint mapper used on front end servers for WMI and DCOM
// && dns              // DNS

// Media port ranges.  These ranges may be commonly used by non-OCS devices on the network.
// && (udp.Port>=50000 && udp.port<=59999)   // RTP media port range on outside A/V edge
// && (tcp.Port>=49152 && tcp.port<=65535)   // RTP media port range for A/V MCU
// && ((tcp.port>=1024 && tcp.port<=65535) || (udp.port>=1024 && udp.port<=65535))   // External Communicator media port range

// These are additional filters that may be useful.  Add a && token if they are to be used in combination with the above.

// The following will show the start of TCP conversations (SYN) as well as resets
// TCP.Flags.Reset == 1 || TCP.Flags.Syn == 1

// The following will show retransmits if conversations are enabled
// (Property.TCPRetransmit == 1 || Property.TCPSynRetransmit == 1)

// The following will hide RDP if the network trace was captured in a terminal session.
// !(tcp.port==3389)

Cheers,

Rhoderick

Rhoderick Milne [MSFT]
