Now, why would someone want to use it instead of something like Wireshark? The two are very similar but do have a few differences. The big advantage of Network Monitor is that it separates conversations by the program that generated them and by the server each one connects to. For example, you will see an entry for your browser, your mail client, and so on, and inside each one you'll have a separate conversation for each web site you currently have open. Also, in my opinion the filters provided are easier to work with than Wireshark's. On the negative side, it doesn't provide color-coded entries, but you can add your own.
Getting started
First you'll have to download the latest version of Network Monitor from the Microsoft site here. This will install the packet capture driver and the monitoring software. Simply double click on the icon to launch it.
In the program window, you can see a list of your interfaces on the lower left corner. Usually you'll want to select your Local Area Connection or whichever link you use to connect to the Internet. Then, click on the New Capture toolbar button. This will open a new tab for your capture, and you can click the Start toolbar button.
As the capture is running, you will be able to see in the left pane the various applications that use the network and the conversations they are having. You will see application names such as Firefox or Internet Explorer, and less obvious ones like System, svchost and Unknown. Once you've captured for a while you can Stop the capture and start analyzing the results.
Packet analysis
If you aren't familiar with networking protocols this may look intimidating. First, click on a conversation on the left pane, such as a web site you went to. Next to each conversation, you will see your own IP address and the IP of the machine you connected to. On the right side of the screen you will see the list of packets that were sent. You may also see the host names of the servers you connected to, which is more useful than just IP addresses.
As you click on any of the lines on the right pane, you will see the details appear in the two windows at the bottom right of the screen. The right one is the raw packet in HEX code, but the left one gives you information about all the protocols used, such as the version number, which ports were used, and so on.
You can also filter the results by using the top right box. Simply click on the Load Filter button to see the set of default filters that Microsoft ships with the program. You can restrict the view to just web traffic, network shares, DNS, and so on.
Real world example
Here's a quick example of what can be found this way. In the screenshot above I showed about 2 minutes of network traffic, during which I went to a few web sites, one of which was Microsoft.com. In the list, there was a conversation with an unknown IP, under the System process, which I clicked on, as shown below.
As you can see in this screenshot, this IP turned out to be microsoft.webtrends.akadns.net, which I assume is some kind of ads or monitoring service. But if you look at the packet information at the very bottom of the screen, you can see exactly the URL that was called. It seems that by going to a Microsoft site, my browser also invoked a script on this third-party host, to which it passed not only the address I went to on the Microsoft site, but also the Google search string I used to find the site, as a referral.
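As an added example, not from the original post and not code from Network Monitor itself, the following Python script does by hand what the two bottom panes do: it builds a constructed Ethernet/IPv4/TCP packet carrying a made-up HTTP request (the hex you would see in the right pane), decodes the fields the left pane shows (IP version, addresses, ports), and then checks the HTTP headers for the kind of referral leak described above, a Referer sent to a host other than the page it came from, carrying the original search terms. The addresses, host names (tracker.example.net, www.example.com) and URL paths are constructed sample values, not the ones from the capture in this post.

```python
import socket
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample request: a GET to a third-party tracker whose Referer
# header carries both the page visited and the search terms used to find it.
# Hosts, paths and addresses below are made up for this example.
SAMPLE_HTTP = (
    b"GET /dcs.gif?dcsuri=/en-us/default.aspx HTTP/1.1\r\n"
    b"Host: tracker.example.net\r\n"
    b"Referer: http://www.example.com/en-us/default.aspx?q=network+monitor+download\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"\r\n"
)


def build_sample_packet(payload=SAMPLE_HTTP):
    """Wrap the payload in Ethernet, IPv4 and TCP headers (checksums left zero)."""
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version/IHL 0x45, TOS, total length, ID, flags DF, TTL, protocol 6 (TCP), csum, src, dst
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
        socket.inet_aton("192.168.1.10"), socket.inet_aton("203.0.113.5"),
    )
    # Ethernet: dst MAC, src MAC, EtherType 0x0800 (IPv4); MACs are constructed
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def parse_http_request(payload):
    """Return method, path and lower-cased headers, or None if this is not an HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers}


def decode_packet(raw):
    """Pull out the protocol fields that the details pane presents for an IPv4/TCP frame."""
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_start = 14
    version = raw[ip_start] >> 4
    ihl = (raw[ip_start] & 0x0F) * 4
    protocol = raw[ip_start + 9]
    src = socket.inet_ntoa(raw[ip_start + 12:ip_start + 16])
    dst = socket.inet_ntoa(raw[ip_start + 16:ip_start + 20])
    if protocol != 6:
        raise ValueError("not a TCP segment")
    tcp_start = ip_start + ihl
    src_port, dst_port = struct.unpack("!HH", raw[tcp_start:tcp_start + 4])
    data_offset = (raw[tcp_start + 12] >> 4) * 4
    payload = raw[tcp_start + data_offset:]
    return {
        "ip_version": version, "src": src, "dst": dst, "protocol": protocol,
        "src_port": src_port, "dst_port": dst_port,
        "http": parse_http_request(payload),
    }


def referer_leak(http):
    """Report a cross-site Referer: the host receiving it and the query parameters it reveals."""
    if not http:
        return None
    host = http["headers"].get("host", "")
    referer = http["headers"].get("referer")
    if not referer:
        return None
    ref_url = urlparse(referer)
    if ref_url.hostname == host:
        return None  # same-site referer, nothing leaves the site
    return {"to": host, "from": ref_url.hostname, "params": parse_qs(ref_url.query)}


if __name__ == "__main__":
    raw = build_sample_packet()
    print(raw.hex())  # the raw bytes, as the hex pane would show them
    info = decode_packet(raw)
    print(info)
    print(referer_leak(info["http"]))
```

The leak check is deliberately simple: it only flags a Referer whose host differs from the request's Host header, which is exactly the situation in the capture above. Run over a real capture you would apply it to every HTTP request in a conversation and review the hosts and parameters it reports.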
This is the kind of nifty information that can be revealed: network connections you may not even imagine your computer is making, and Network Monitor can be a great tool for tracking them down. While this example is probably quite benign, you can use the same steps to track down spyware and so on.