Detailed network packet information. The fourth pane (pane 4, yellow frame) displays detailed information about the number and type of frames sent to or received from each device. If an unusually large number of bytes are sent to or received from a particular device, the device might be faulty or simply transferring a large amount of data across the network.
You can set a capture filter by selecting Capture, Filter, then setting parameters for the capture filter. A filter lets you trap packets according to specific protocols, network addresses, or text-pattern matches. It also reduces the size of the capture buffer, which can be helpful on busy networks. If you're new to Network Monitor, I suggest that you don't use the capture filter until you're very familiar with the type of traffic on your network. It's easy to accidentally filter out the exact data you're looking for by setting a capture filter that's too restrictive. If you want to filter out traffic, I suggest using the display filter (which I explain a bit later) after you've completed your network capture to hide any unwanted packets.
Displaying Captured Packets
After you've captured the amount of data that you want, click the stop and view icon (circled in red in Figure 2) to stop and view the packet capture. Figure 2 shows the results of a packet capture. The capture summary displays several columns, which Table 1 defines.
Double-clicking a frame lets you view detailed information for that specific packet, as Figure 3 shows. The top pane displays a summary of captured packets. The middle pane displays detailed information about the packet that's highlighted in the top pane. The bottom pane displays the raw packet information in hexadecimal format. When you click the detailed information in the middle pane, the bottom pane highlights where the information is coming from in the packet. In the middle pane, you can click any plus (+) sign to display additional detail. The middle pane consists of the following information:
- Base frame properties: contains general information about the packet that Network Monitor tracks and that isn't contained in the captured packet. The information includes when the packet was captured, time interval since the previously captured frame, frame number, and frame length.
- Frame header information: contains the packet's destination and source MAC addresses, routing information, and the number of bytes that remain in the packet.
- IP header information: contains information about the version of IP in use (typically IP version 4, IPv4), header length, type of service, packet length, time to live (TTL, i.e., the number of router hops a packet can take before it's discarded), and source and destination IP addresses.
- TCP/UDP/Internet Control Message Protocol (ICMP) header information: contains information about the source and destination ports, sequence number, acknowledgment number, data offset, TCP flag information, window, checksum, and number of bytes remaining in the packet. The information in this section will vary depending on the protocol type.
- Data section: contains actual data. If the packet contains a higher-level protocol such as DNS or HTTP, Network Monitor will display additional information in the packet's data section.
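As an added example (not code from the original article or from Network Monitor), the following Python script decodes one Ethernet/IPv4/TCP frame into the same frame, IP header and TCP header fields the middle pane lists. The frame bytes are constructed for the demonstration, not taken from a real capture, and their checksums are left as zero.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II carrying an IPv4/TCP
# SYN from 192.168.1.10:49152 to 10.0.0.5:80, as Network Monitor's bottom pane
# would show it in hex. IP and TCP checksums are left as zero.
SAMPLE_FRAME_HEX = (
    "001122334455" "66778899aabb" "0800"                          # Ethernet dst, src, type
    "4500002812344000" "8006" "0000" "c0a8010a" "0a000005"        # IPv4 header (20 bytes)
    "c0000050" "00000001" "00000000" "5002" "ffff" "0000" "0000"  # TCP header (20 bytes)
)
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decode_frame(raw):
    """Decode the Ethernet, IPv4 and TCP headers of one frame into a dict
    mirroring the fields Network Monitor's middle pane lists."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    frame = {"frame_length": len(raw), "eth_dst": mac(dst),
             "eth_src": mac(src), "ethertype": ethertype}
    if ethertype != 0x0800:          # only IPv4 is decoded here
        return frame
    (ver_ihl, tos, total_len, _ident, _frag, ttl, proto, _csum,
     s_ip, d_ip) = struct.unpack("!BBHHHBBH4s4s", raw[14:34])
    ihl = (ver_ihl & 0x0F) * 4       # IP header length in bytes
    frame.update(ip_version=ver_ihl >> 4, ip_header_len=ihl, tos=tos,
                 ip_total_len=total_len, ttl=ttl, protocol=proto,
                 src_ip=".".join(map(str, s_ip)), dst_ip=".".join(map(str, d_ip)))
    if proto != 6:                   # 6 = TCP; UDP and ICMP need their own decoders
        return frame
    tcp = raw[14 + ihl:14 + ihl + 20]
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", tcp)
    data_off = (off_flags >> 12) * 4  # TCP header length in bytes
    flags = off_flags & 0x01FF
    frame.update(src_port=sport, dst_port=dport, seq=seq, ack=ack,
                 tcp_header_len=data_off, window=window,
                 flags=[n for bit, n in sorted(TCP_FLAG_NAMES.items()) if flags & bit],
                 bytes_remaining=total_len - ihl - data_off)  # payload after the headers
    return frame

if __name__ == "__main__":
    for key, value in decode_frame(bytes.fromhex(SAMPLE_FRAME_HEX)).items():
        print(f"{key:>16}: {value}")
```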
Setting Display Filters
After you capture packets, you can use Network Monitor's display filter to display only packets that meet certain criteria. To set a filter, select Display, Filter and enter any necessary conditions. You can filter by address, protocol, or protocol property. For example, to set a filter that displays only HTTP packets that contain an undocumented header, follow these steps:
- Select Display, Filter.
- Click the Expression box.
- Click the Property tab. In the Protocol:Property window, scroll down and double-click HTTP.
- Click Undocumented Header.
- In the Relation window, select exists and click OK twice.
TCP/IP Session Basics
The "lite" version of Network Monitor captures broadcast packets and network traffic that's sent to or received from the server on which Network Monitor is installed. If you've ever examined your firewall log, you'll see that Network Monitor captures similar information but in much greater detail. A Network Monitor packet capture can be a little intimidating the first time you inspect one. (The first time I reviewed a packet capture, my initial thought was, "What the heck am I looking at?") To ease the shock of interpreting a packet capture, it's helpful to know what to look for and what you're looking at. But before we learn how to read a packet capture, a basic understanding of a TCP/IP session is in order. At a very basic level, a TCP/IP session includes the following components:
- Establish a session (three-way handshake). A TCP/IP session begins with a handshake. The computer that requests the session sends a synchronize (SYN) packet to the target computer. The target computer responds with an acknowledgment (SYN-ACK) packet and sets the data window size. Then the computer that originally requested the session sends an ACK packet to the target computer to acknowledge the data window size.
- Data transfer. During the session, data is transferred between two computers, with the receiving computer sending an ACK packet with approximately every other packet it receives from the sender. Under typical circumstances, most packets are either ACK or push (PSH) packets. During the data-transfer session, the number of packets that can be sent without requiring an ACK packet might be modified according to the amount of network traffic and buffer space on the receiving computer. This modification is known as a "sliding window" because the amount of data transferred can "slide" before requiring an ACK packet.
- Close session (modified three-way handshake). During a graceful close, the sender (i.e., the computer that requests the session close) sends a finish (FIN) packet to indicate that the data transfer is complete. The receiver sends an ACK to the sender to acknowledge the receipt of the FIN packet, then sends a FIN packet back to the sender. The sender then sends an ACK packet back to the receiver. A session close can also be ungraceful. In this scenario, the sender transmits a packet to the receiver that the receiver doesn't acknowledge. The sender keeps resending the packet to the receiver until the maximum retry value is reached, at which time the session is aborted.
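To make the three phases concrete, here is an added Python example (not from the original article) that walks a constructed packet list, reduced to the columns you would read off a Network Monitor capture summary, and reports the handshake, data-transfer and close phases, including the repeated-segment pattern of an ungraceful close. The addresses and sequence numbers are made up, and max_retries is an assumed threshold, not a Windows default.

```python
# Constructed packet summary (not a real capture), reduced to the columns a
# session walk-through needs: (source, destination, TCP flags, sequence number).
CLIENT, SERVER = "192.168.1.10:49152", "10.0.0.5:80"
SAMPLE_SESSION = [
    (CLIENT, SERVER, {"SYN"}, 1),               # three-way handshake
    (SERVER, CLIENT, {"SYN", "ACK"}, 500),
    (CLIENT, SERVER, {"ACK"}, 2),
    (CLIENT, SERVER, {"PSH", "ACK"}, 2),        # data transfer: request ...
    (SERVER, CLIENT, {"ACK"}, 501),
    (SERVER, CLIENT, {"PSH", "ACK"}, 501),      # ... and response
    (CLIENT, SERVER, {"ACK"}, 80),
    (CLIENT, SERVER, {"FIN", "ACK"}, 80),       # graceful close: FIN, ACK, FIN, ACK
    (SERVER, CLIENT, {"ACK"}, 900),
    (SERVER, CLIENT, {"FIN", "ACK"}, 900),
    (CLIENT, SERVER, {"ACK"}, 81),
]
# Ungraceful close: after the handshake the client pushes the same segment
# over and over because the server never acknowledges it.
SAMPLE_ABORT = SAMPLE_SESSION[:3] + [(CLIENT, SERVER, {"PSH", "ACK"}, 2)] * 6

HANDSHAKE = [{"SYN"}, {"SYN", "ACK"}, {"ACK"}]  # expected flag sets, in order

def walk_session(packets, max_retries=5):
    """Replay packets through the handshake, data and close phases.
    max_retries is an assumed threshold, not a Windows default."""
    summary = {"handshake": [], "established": False, "data_packets": 0,
               "retransmissions": 0, "close": "open"}
    last_push = {}   # per sender: sequence number of its last PSH segment
    fins = set()     # senders that have sent FIN
    for src, _dst, flags, seq in packets:
        step = len(summary["handshake"])
        if step < 3 and flags == HANDSHAKE[step]:
            summary["handshake"].append("+".join(sorted(flags, reverse=True)))
            summary["established"] = (step == 2)
            continue
        if "PSH" in flags:
            if last_push.get(src) == seq:          # same segment again: a retransmission
                summary["retransmissions"] += 1
                if summary["retransmissions"] >= max_retries:
                    summary["close"] = "aborted (max retries)"
                    break
            else:
                last_push[src] = seq
                summary["data_packets"] += 1
        if "FIN" in flags:
            fins.add(src)
        elif len(fins) == 2 and "ACK" in flags:   # final ACK of the modified handshake
            summary["close"] = "graceful"
    return summary
```

Calling walk_session(SAMPLE_SESSION) reports a completed handshake, two data packets and a graceful close; walk_session(SAMPLE_ABORT) stops at the fifth retransmission with the session marked aborted.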