Q: How do I search packets for line of text in Netmon 3.4?

A: I was recently performing some monitoring testing and wanted to see when a particular text file had been opened, but it was hard to find the actual TCP packet that represented the content of the file being read.

I found a great solution using the ContainsBin filter that enables packet frame data to be searched for an ASCII string. For example, to search for SavillText I used

ContainsBin(FrameData, ASCII, "SavillText")

This enabled me to quickly find my packet, as the figure below shows.

Note that I performed this monitoring within a Windows Server 2012 Hyper-V virtual machine (VM) that was on the same host as the target file server VM. To enable this promiscuous monitoring to work, three configurations were required.

  • On the file server VM, under the advanced features of the network adapter, its Port mirroring mode was set to Source.
    This could also be set with Windows PowerShell (replace <FileServerVMName> with the name of the file server VM):

    Set-VMNetworkAdapter -VMName <FileServerVMName> -PortMirroring Source

  • On the VM running Network Monitor, under the advanced features of the network adapter, its Port mirroring mode was set to Destination.
    This could also be set with PowerShell (replace <MonitorVMName> with the name of the VM running Network Monitor):

    Set-VMNetworkAdapter -VMName <MonitorVMName> -PortMirroring Destination

  • In Network Monitor, under Capture Settings, the network adapter that is being listened on (Ethernet) is set to P-Mode (promiscuous, which means it can see traffic of other network addresses).
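The three steps above as one PowerShell script, added here as an example rather than taken from the original article. It assumes it is run elevated on the Hyper-V host with the Hyper-V module available, that both VMs sit on the same virtual switch, and that the VM names FS01 and NETMON01 are placeholders to replace with your own. It also adds the check a practitioner would want afterwards: an audit of every adapter on the host that has mirroring enabled, since a Destination adapter can read other VMs' traffic.

```powershell
# Added example (not from the original article): configure, verify and audit
# Hyper-V port mirroring for the capture described above.
# Assumptions: run elevated on the Hyper-V host with the Hyper-V PowerShell
# module; the two VM names below are placeholders.
$FileServerVM = 'FS01'      # placeholder: the VM whose traffic is mirrored
$MonitorVM    = 'NETMON01'  # placeholder: the VM running Network Monitor

# Steps 1 and 2: mirror the file server's adapter to the monitor's adapter.
Set-VMNetworkAdapter -VMName $FileServerVM -PortMirroring Source
Set-VMNetworkAdapter -VMName $MonitorVM    -PortMirroring Destination

# Verify both sides. Both adapters must be attached to the same virtual
# switch, otherwise no mirrored frames reach the monitor VM.
Get-VMNetworkAdapter -VMName $FileServerVM, $MonitorVM |
    Select-Object VMName, SwitchName, MacAddress, PortMirroringMode |
    Format-Table -AutoSize

# Step 3 (P-Mode on the capture adapter) is set inside Network Monitor under
# Capture Settings; there is no host-side cmdlet for it.

# Defender's audit: list every VM adapter on this host with mirroring enabled.
# An unexpected Destination entry means a VM can read other VMs' frames.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.PortMirroringMode -ne 'None' } |
    Select-Object VMName, SwitchName, PortMirroringMode

# When the test is finished, return both adapters to the default.
Set-VMNetworkAdapter -VMName $FileServerVM -PortMirroring None
Set-VMNetworkAdapter -VMName $MonitorVM    -PortMirroring None
```

Once the mirror is in place, the ContainsBin filter from the article can be narrowed to the file-sharing traffic, for example `TCP.Port == 445 && ContainsBin(FrameData, ASCII, "SavillText")`, so that the string is only matched inside SMB frames. The search only works when the file contents cross the wire in clear text; with SMB encryption enabled (available from SMB 3.0 on Windows Server 2012) the payload is encrypted and an ASCII search of FrameData will not find it.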