Thursday, November 26, 2009

Packet Capture with Windows Network Monitor 3.3

I’ve recently been using Microsoft’s Network Monitor 3.3 to troubleshoot a few issues. I have a lot of experience with earlier versions of the tool, which, although good for basic work, soon reached their limits if you needed to dig a bit deeper. I’d found Wireshark much more powerful, with the added advantage of running on Linux. There are of course plenty of paid-for network capture utilities out there, but as I’d never reached the limits of the free, open-source Wireshark, I’d never felt the need to try them out.

Network Monitor 3.3 has many new features, including powerful capture and display filters, which I initially found difficult to use despite the large number of examples and the ‘verify filter’ function. The ‘Network Conversations’ window is a welcome addition, as it lets you see traffic between specific hosts without relying on the filters.

Some effort has been made with regard to performance: you can switch parsers on and off as required, run the tool from the command line, and limit the number of bytes captured.

An API is also available, allowing you, in theory, to pull capture data into your own application or extend the tool’s functionality. Some example add-ons, known as Experts, are available on the Microsoft site and can be easily integrated into the tool.

Other advanced features I haven’t tested include capturing WWAN and tunnelled traffic. One useful thing I did test was Network Monitor’s ability to read pcap files, so you can capture the output of something like tcpdump to a file and then view it in Network Monitor.
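Both the byte limit mentioned above and the pcap interchange format come together in the capture file itself: a pcap file records the snapshot length it was written with, and every frame carries both its captured and original length, which is how a reader such as Network Monitor or Wireshark knows a frame was cut short. As an added example (not from the post or from Microsoft), this Python writes a minimal libpcap-format file from constructed Ethernet frames truncated to a snapshot length and parses it back; the field layout follows the libpcap file format, and the frames and timestamps are made up.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic: native byte order, microsecond timestamps
LINKTYPE_ETHERNET = 1     # link-layer header type for Ethernet frames

def pcap_global_header(snaplen):
    """24-byte file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)

def pcap_record(ts_sec, ts_usec, frame, snaplen):
    """16-byte record header plus data; incl_len is the stored length, orig_len the wire length."""
    data = frame[:snaplen]                       # truncate to the snapshot length
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(frame)) + data

def write_pcap(frames, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples into a pcap blob."""
    return pcap_global_header(snaplen) + b"".join(
        pcap_record(s, u, f, snaplen) for s, u, f in frames)

def read_pcap(blob):
    """Parse a pcap blob; returns (snaplen, linktype, records) and rejects a truncated file."""
    magic, _maj, _min, _zone, _sig, snaplen, network = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order pcap file")
    records, off = [], 24
    while off < len(blob):
        ts_sec, ts_usec, incl, orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + incl]
        if len(data) != incl:                    # file ends mid-record
            raise ValueError("truncated record at offset %d" % off)
        off += incl
        records.append({"ts": ts_sec + ts_usec / 1e6, "captured": incl,
                        "original": orig, "data": data, "truncated": incl < orig})
    return snaplen, network, records

# Constructed sample frames (not real traffic): a 42-byte ARP-sized frame and a
# 114-byte IPv4 frame; the timestamp is 2009-11-26 00:00 UTC, the post's date.
SAMPLE_FRAMES = [
    (1259193600, 0,      bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28),
    (1259193600, 500000, bytes.fromhex("00112233445566778899aabb0800") + bytes(range(100))),
]

if __name__ == "__main__":
    snaplen, link, recs = read_pcap(write_pcap(SAMPLE_FRAMES, snaplen=64))
    for r in recs:
        print("captured %3d of %3d bytes%s" % (r["captured"], r["original"],
                                              " (truncated)" if r["truncated"] else ""))
```

Writing the blob to a `.pcap` file gives something Network Monitor or Wireshark will open; the second frame shows as 64 of 114 bytes, exactly the truncation a byte limit produces.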

1 comment:

  1. Whilst researching this article I noticed there is now a version of Wireshark for PortableApps: http://wni-sec.blogspot.com/2009/11/portable-apps.html. Ideally you would already have WinPcap installed, but if not, it installs it for you on each use and then removes it afterwards.
