
Page 1: Rhonda Layfield   Sniffing Your Network With Netmon 3.3

Rhonda J. Layfield

Sr. Technical Consultant

Network Monitor: From “No” to “Pro” in 75 Minutes

Page 2

Outline

• Meet Network Monitor: the Basics
  – Capture and interpret data: lots of data and lots of demos!
  – Filters: making sense out of all of that data

• Going Beyond the Basics: Advanced Features
  – What machine do I run Netmon on?
  – Hearing from all players: simultaneous traces

• Secure Your Network with Network Monitor
  – Watching intruders
  – Auditing applications

Page 3

Why does anyone care?

• NYC Government Agency office under attack by a specific machine name

• Exchange server under attack while attempting to verify existing domain names before delivering emails

• Would you like to know if there are uninvited guests in your network?

Page 4

Turning your Network into Glass

• Wouldn’t it be nice if we could actually see what is on the network wire?

• I mean really SEE the traffic, data, protocols and ports being used

Page 5

This is Our Network

(Diagram: a DC/DNS/DHCP server at 20.20.20.5, a Deploy server at 20.20.20.10, and a bare-metal client)

Page 6

Network Monitor: the Basics

• Why should we use Netmon? When should we use Netmon?
  – To find out what type of traffic is on our network
  – When we get unexpected results from software/hardware
  – To find security holes we may not be aware of, based on where traffic is coming from
• How do we use it? Generate a trace
  – Explain the panes
• Where do we take the trace from? Do we need more than one trace?
• Create pre/post capture filters

Page 7

Netmon’s History…the versions

• In the past the version that shipped on the operating system CD was
  – 2.1 Lite version
  – Version 5.2 (Build 3790: Service Pack 1)

• The version that you get with SMS was
  – 2.1 (Build 5.2.3790.170.040510-1249)

• There is an open source “free” promiscuous sniffer called Wireshark
  – We only have time for Netmon today

Page 8

What’s new with Netmon 3.1

• Complete re-write of its capture/parser engine
• Detecting other machines running Network Monitor
• Capture wireless 802.11 frames in monitor mode
• New reassembly engine
• Performance improvements
• Capture on VPN and RRAS interfaces
• Protocol parsers are better
• Filtering is more flexible

Page 9

Where do you get Netmon 3.2?

• Netmon 3.x doesn’t ship with any OS or product but is a free download from Microsoft

• Supported to run on:
  – Windows XP
  – Windows Vista
  – Windows Server 2003 / 2008

Page 10

Which Users may run Netmon?

• Windows XP
  – Anyone logged on as a local administrator

• Windows Vista
  – From an elevated command prompt you can run Netmon.exe as administrator
  – Right-click the icon and select Run as administrator
  – Any user account in the Netmon Users group, which is created during the installation of Network Monitor 3.1

Page 11

How do you run Netmon?

• Log on as administrator
  – Run either Netmon.exe or Nmcap.exe with administrative privilege, from either an elevated command prompt or by right-clicking the Netmon.exe icon and selecting Run as administrator

• Log on as a standard user
  – Add your user account to the Netmon Users group
  – Log off and back on for your token to be updated with the new group membership

Page 12

Standard user running Netmon?

• When they attempt to start a capture, the error "None of the network adapters are bound to the Netmon driver" will be displayed

• AND

• When viewing your adapters in Netmon, the error "This network adapter is not configured to capture" will be displayed

Page 13

Meet Netmon and your Networks

Scroll to see “State” = Bound

Page 14

Before You use Netmon

• Disk space: capture files named cap*.tmp are created in your Local Settings\Temp directory, 20 MB each. Netmon keeps writing them until only 2% of the disk is free, then it stops capturing.

• Memory & processor utilization: the “Enable Conversations” option uses a lot more memory and processor cycles

Page 15

The Captured File Sizes

– Tools / Options / capture

Page 16

Starting a Capture

• Start page / Create a new capture tab
• Or, File / New / Capture
• Choose your network from the Select Networks window
• Configure your capture filter in the Filter window
• On the Capture menu, click Start, or press F10, or click the play button

Page 17

What is captured…

• Frames addressed to the specific computer
• Broadcast frames
• Multicast frames for a group that an application on the computer has joined
• To capture all traffic on the wire you can set Netmon to capture in “p-mode” (promiscuous mode)
• Caveat: on a switched network, p-mode only shows you what the switch forwards to your port, so to see another host’s traffic capture on that host or on a mirror (SPAN) port

Page 18

Real-time Packet View

Page 19

Packet Details

Page 20

Conversations

• Netmon assigns properties to frames and groups them into "conversations" using those properties
• All Traffic
  – My Traffic
  – Other Traffic
  – Frames are sorted by source and destination network address
  – Drill down to see more specific conversations
• Conversations are disabled by default
• The corresponding frames are displayed in the Frame Summary window
• To build custom filters for conversations, right-click the desired conversation and select Copy Conversation Filter to Clipboard
• Some higher-level protocol filters require conversation properties, so you may need to experiment if you are planning on using capture filters with conversation support turned off

Page 21

Saving the Captured Frames

• The default location is:
  – Documents\Microsoft Network Monitor_3\Captures

• Temporary capture files look like cap2C0.tmp, cap2C1.tmp, cap2C2.tmp

• File / Save As
  – All captured frames
  – Displayed frames
  – Selected frames
  – A range of frames (e.g. from 17..53)
  – Click Save

Page 22

Create and Apply Aliases

• From the capture tab, select the Aliases tab
• Click the Create New Alias icon
• Enter the IP address of the computer you want to give an alias, the name of the alias and comments
• Click the “Apply” button on the aliases toolbar
• You could also go through the View / Aliases menu

Page 23

New Aliases

Page 24

Creating an Alias

Page 25

Save and Load your Aliases

• Save your aliases by clicking the Save Alias button on the aliases toolbar

• Load saved aliases by clicking the Open Folder icon on the aliases toolbar

• Browse to the folder containing your saved aliases file (.nma)

• Select the aliases file

• Apply the aliases

Page 26

Welcome to “Filters”

• There are two different types of filters
  – Capture filter: captures only specific types of traffic
    • Traffic between two machines
    • Frames containing a certain pattern match (e.g. a computer name) in them
    • Be careful NOT to filter out information that could help identify an issue
  – Display filter
    • Used most often, because there is no longer any risk of filtering out traffic that could give you a clue for troubleshooting
    • The capture itself keeps all traffic
    • Filter after the capture; all frames stay intact even if you change the filters

Page 27

Filter Expressions

• Filter on:
  – Properties
  – Protocols
  – Protocol elements
• Limited IntelliSense-style completion
• Looking for a specific protocol?
  – Type the protocol name (icmp or http), add a period "." and choose from the drop-down list

Page 28

Sample Filters

• Load Filters button in the Capture / Display filter windows

Page 29

Filtering on ICMP

Page 30

Applying an ICMP Filter

Page 31

Building Custom Filters

• Filter expressions are similar to equations
• Terms are usually joined with AND / OR (the C forms && and || are also accepted)
• Basic operators
  – == (equals)
  – != (not equal to)
  – ! (NOT)
• // begins a comment
  // View IPv4 traffic between a source and a destination node
  IPv4.Address==10.50.50.50 and IPv4.Address==10.50.50.55
• Note that IPv4.Address matches either end of a frame, so the expression above selects the conversation between the two hosts in both directions
• Reference: Program Files\MS Netmon\Help\FilterExpressionManual.doc
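The filter terms on this slide are easiest to understand by modelling them. The following Python is an added example, not code from the deck or from Network Monitor: it builds a throwaway capture from constructed frames and a handful of combinators whose names (ipv4_address, ipv4_source, protocol, tcp_port, AND, OR, NOT, Capture) are my own. It shows that IPv4.Address matches either end of a frame, so the two-address filter above selects the whole conversation in both directions, and it shows the capture-versus-display distinction from page 26: the capture filter throws away the server's DNS detour for good, while the display filter gives the same view and keeps it.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    proto: str          # "DNS", "ICMP", "TCP", ...
    src_port: int = 0
    dst_port: int = 0


Filter = Callable[[Frame], bool]


# Each helper models one Netmon filter term (hypothetical names, my own).
def ipv4_address(addr: str) -> Filter:
    # IPv4.Address == addr: true when addr is the source OR the destination
    return lambda f: addr in (f.src, f.dst)


def ipv4_source(addr: str) -> Filter:
    # IPv4.SourceAddress == addr: the direction-specific variant
    return lambda f: f.src == addr


def protocol(name: str) -> Filter:
    # a bare protocol name in a filter, e.g. "icmp" or "dns"
    return lambda f: f.proto.lower() == name.lower()


def tcp_port(port: int) -> Filter:
    # TCP.Port == port: either side of the segment
    return lambda f: f.proto == "TCP" and port in (f.src_port, f.dst_port)


def AND(*terms: Filter) -> Filter:
    return lambda f: all(t(f) for t in terms)


def OR(*terms: Filter) -> Filter:
    return lambda f: any(t(f) for t in terms)


def NOT(term: Filter) -> Filter:
    return lambda f: not term(f)


class Capture:
    """A capture session: the capture filter decides what is written at all;
    a display filter is applied afterwards and never discards frames."""

    def __init__(self, capture_filter: Optional[Filter] = None):
        self.capture_filter = capture_filter
        self.frames: List[Frame] = []

    def receive(self, frame: Frame) -> None:
        if self.capture_filter is None or self.capture_filter(frame):
            self.frames.append(frame)

    def display(self, display_filter: Filter) -> List[Frame]:
        return [f for f in self.frames if display_filter(f)]


# Constructed frames "on the wire" (not from the deck): the client talks to the
# server, but the server's reply is slow because it first asked DNS (the clue).
CLIENT, SERVER, DNS = "10.50.50.50", "10.50.50.55", "10.50.50.1"
WIRE = [
    Frame(CLIENT, SERVER, "TCP", 49152, 445),
    Frame(SERVER, DNS, "DNS", 53001, 53),     # server looks up the client
    Frame(DNS, SERVER, "DNS", 53, 53001),     # ... and gets its answer
    Frame(SERVER, CLIENT, "TCP", 445, 49152),
    Frame(CLIENT, DNS, "DNS", 53002, 53),
]

# The slide's filter: IPv4.Address==10.50.50.50 and IPv4.Address==10.50.50.55
CONVERSATION = AND(ipv4_address(CLIENT), ipv4_address(SERVER))


def with_capture_filter() -> Capture:
    """Apply the two-address filter at capture time: the DNS detour is gone for good."""
    cap = Capture(CONVERSATION)
    for f in WIRE:
        cap.receive(f)
    return cap


def with_display_filter() -> Capture:
    """Capture everything and filter on display: same view, DNS frames survive."""
    cap = Capture()
    for f in WIRE:
        cap.receive(f)
    return cap


if __name__ == "__main__":
    a, b = with_capture_filter(), with_display_filter()
    print("capture filter kept", len(a.frames), "frames; display view shows",
          len(b.display(CONVERSATION)), "of", len(b.frames))
    print("server-side DNS still available after display filtering:",
          len(b.display(AND(ipv4_address(SERVER), protocol("dns")))))
```

Run it as a script to print the counts; the point to carry away is that a display filter is a view over the full capture, while a capture filter is a decision you cannot undo once the trace is taken.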

Page 32

Add a little Color to Your Filter

• Click Filter from the menu options
• Color Filter

Page 33

Colors…

• Load standard filter & choose colors

Page 34

Lets see how Netmon displays this…

Page 35

Document

• It can become confusing when analyzing traces as to which machine the issue was occurring on

• Document which services are running on which machine…Comp1 (Exchange), Comp2 (DNS), Comp3 (Active Directory)

• Keep detailed notes on the Issues you are working on and what you have found

Page 36

Advanced Features

• Where do you take a trace from?
  – Follow the flow of traffic
• How many traces do you need?
  – How many interfaces does the traffic flow through?
• Follow that packet: the multiple trace scenario
  – The time of day option can be helpful here
• Server / client on the same machine?
  – Turn local traffic into network traffic so you can see it

Page 37

Where to take a trace from?

Between two machines is easy, take the trace on either one OR

Sometimes it is necessary to take a trace on both at the same time

Page 38

Now Where?

(Diagram: an XP client and an Exchange server on opposite sides of a firewall that has an Internal and an External interface)

Page 39

How many traces do you need?

• In our previous example we had three different pieces of equipment to look at – An XP workstation– A Firewall with two interfaces– An Exchange Server

• To follow a data packet from the XP workstation all the way through to the Exchange server we would need four traces taken at the same time

Page 40

Follow that Trace

• Time of day comes in handy here…
• Open all four traces and find the time of day
• Then you can watch the flow from one trace to the next pretty easily

Page 41

Tips and Tricks

• For really large traces use PING packets as bookmarks

(Diagram: Outlook clients and an Exchange server)

Page 42

How to Find the Needle in the Haystack

(Illustration: one long, unbroken run of PACKET frames)

Page 43

Use PINGs as Bookmarks

(Illustration: the same run of PACKET frames with a PING frame inserted at intervals as a bookmark)
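Pages 40 to 43 describe the technique in words; the Python below is an added example (mine, not from the deck) that works it through on four constructed traces, one from each place the packet passes: the XP client, the firewall’s external and internal interfaces, and the Exchange server. The addresses, frame contents and the clock skews of the capturing machines are all made up for illustration. Instead of trusting time-of-day stamps, which differ from machine to machine, it expresses every frame as “N seconds after bookmark ping k”, which comes out the same in all four traces.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    tod: float      # time of day in seconds, stamped by the capturing machine's own clock
    src: str
    dst: str
    proto: str      # "ICMP-Echo", "ICMP-Reply", "TCP", ...
    info: str = ""  # abbreviated Description column


Trace = List[Frame]

# Constructed addresses from documentation ranges; the deck names none here.
CLIENT, EXCHANGE = "192.0.2.20", "20.20.20.10"


def ping_bookmarks(trace: Trace) -> List[float]:
    """Time of day of every bookmark: an ICMP echo request sent by the client."""
    return [f.tod for f in trace if f.proto == "ICMP-Echo" and f.src == CLIENT]


def bookmark_relative(trace: Trace) -> List[Tuple[int, float, Frame]]:
    """Tag every frame with (bookmark number, seconds since that bookmark).
    Frames before the first ping get bookmark 0, measured from the first frame."""
    marks = ping_bookmarks(trace)
    tagged = []
    for f in trace:
        k = sum(1 for m in marks if m <= f.tod)
        base = marks[k - 1] if k else trace[0].tod
        tagged.append((k, round(f.tod - base, 3), f))
    return tagged


def locate(traces: Dict[str, Trace],
           predicate: Callable[[Frame], bool]) -> Dict[str, Tuple[int, float]]:
    """Where the first frame matching `predicate` sits in each trace, as
    (bookmark number, seconds after that bookmark). These coordinates agree
    across traces however far the capturing machines' clocks disagree."""
    found = {}
    for name, tr in traces.items():
        for k, delta, f in bookmark_relative(tr):
            if predicate(f):
                found[name] = (k, delta)
                break
    return found


def raw_spread(traces: Dict[str, Trace], predicate: Callable[[Frame], bool]) -> float:
    """Spread (seconds) of the raw time-of-day stamps of that same frame across
    the traces: the error you make lining the traces up on time of day alone."""
    tods = [next(f.tod for f in tr if predicate(f)) for tr in traces.values()]
    return round(max(tods) - min(tods), 3)


def make_trace(skew: float, step: float) -> Trace:
    """Constructed trace: two bookmark pings, the SMTP SYN after the first and
    MAIL FROM after the second, as seen by a machine whose clock is `skew`
    seconds off the client's and that sits `step` seconds further down the path."""
    def t(base: float) -> float:
        return base + skew + step
    return [
        Frame(t(36000.000), CLIENT, EXCHANGE, "ICMP-Echo", "bookmark 1"),
        Frame(t(36000.003), EXCHANGE, CLIENT, "ICMP-Reply"),
        Frame(t(36000.120), CLIENT, EXCHANGE, "TCP", "SYN dst port 25"),
        Frame(t(36005.000), CLIENT, EXCHANGE, "ICMP-Echo", "bookmark 2"),
        Frame(t(36005.003), EXCHANGE, CLIENT, "ICMP-Reply"),
        Frame(t(36005.250), CLIENT, EXCHANGE, "TCP", "SMTP MAIL FROM"),
    ]


TRACES: Dict[str, Trace] = {
    "client":      make_trace(skew=0.0,   step=0.000),   # reference clock
    "fw_external": make_trace(skew=2.5,   step=0.001),   # firewall clock 2.5 s fast
    "fw_internal": make_trace(skew=2.5,   step=0.002),
    "exchange":    make_trace(skew=-1.25, step=0.003),   # Exchange clock 1.25 s slow
}


def is_mail_from(f: Frame) -> bool:
    return f.proto == "TCP" and "MAIL FROM" in f.info


if __name__ == "__main__":
    print("MAIL FROM located by bookmark:", locate(TRACES, is_mail_from))
    print("time-of-day spread of that same frame:", raw_spread(TRACES, is_mail_from), "s")
```

The script reports the same coordinates, bookmark 2 plus 0.25 s, in every trace, while the raw stamps for that frame are almost four seconds apart; with real traces you would send the bookmark pings yourself from the client, with a distinctive size or at a known moment, so they are easy to filter on with icmp.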

Page 44

Server/Client Traffic on the same machine

• Requirement: the computer must be on a routed network (you need a default gateway to bounce the traffic off)

• route add <IP address of the server you are on> <IP address of that server’s default gateway>
  – A host route for the machine’s own address via the gateway sends the local client/server traffic out the NIC, where Netmon can capture it

• When you are done, remove the host route again:
  – route delete <IP address of the server you are on>

Page 45

Securing your network with Network Monitor

• Excessive traffic (a host or conversation generating far more frames than its role warrants)
• IP addresses not from your network (source addresses on your segment that you never assigned)
• Black hole router (a router that silently drops packets, typically oversized ones, without sending back an ICMP error)
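As an added example (not from the deck), here is Python that runs the three checks on a constructed frame list of the kind you would get from a Netmon frame summary. The address range 20.20.20.0/24 is taken from the network diagram on page 5; the thresholds, the helper names and the sample frames are my own assumptions; and the black-hole heuristic is the standard PMTU black-hole signature: a large TCP segment retransmitted over and over while no ICMP “fragmentation needed” (type 3, code 4) ever arrives.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    t: float                                 # Time Offset column: seconds since capture start
    src: str
    dst: str
    proto: str                               # "TCP", "ICMP", "DNS", ...
    payload: int = 0                         # TCP payload bytes (0 for non-TCP)
    seq: int = 0                             # TCP sequence number
    icmp: Optional[Tuple[int, int]] = None   # (type, code) for ICMP frames


# Our address space, as on the deck's diagram (the /24 is an assumption)
INTERNAL = [ip_network("20.20.20.0/24")]


def foreign_sources(frames: List[Frame], internal=INTERNAL) -> List[Frame]:
    """Frames whose source address is outside every prefix we own: on an
    internal segment that is either spoofing or an uninvited guest."""
    return [f for f in frames if not any(ip_address(f.src) in n for n in internal)]


def top_talkers(frames: List[Frame], window: float = 1.0,
                limit: int = 50) -> List[Tuple[str, int, int]]:
    """(source, window number, frame count) for every source that sends more
    than `limit` frames inside a single `window`-second slot."""
    buckets = Counter((f.src, int(f.t // window)) for f in frames)
    return sorted((src, slot, n) for (src, slot), n in buckets.items() if n > limit)


def black_hole_suspects(frames: List[Frame], big: int = 1000, repeats: int = 3):
    """Large TCP segments sent `repeats` times or more while no ICMP type 3 /
    code 4 (fragmentation needed) appears anywhere in the trace: a router on
    the path is dropping what it cannot forward without saying so."""
    if any(f.proto == "ICMP" and f.icmp == (3, 4) for f in frames):
        return []   # the router is reporting the problem, so it is not a black hole
    sent = Counter((f.src, f.dst, f.seq, f.payload)
                   for f in frames if f.proto == "TCP" and f.payload >= big)
    return sorted((key, n) for key, n in sent.items() if n >= repeats)


def audit(frames: List[Frame]) -> Dict[str, object]:
    """Run all three checks and return their findings by name."""
    return {
        "foreign": sorted({f.src for f in foreign_sources(frames)}),
        "excessive": top_talkers(frames),
        "black_hole": black_hole_suspects(frames),
    }


# Constructed trace (not from the deck): normal DNS chatter, one frame from an
# address that does not belong on our segment, a host hammering the DNS server,
# and a 1460-byte segment to an outside host that is retransmitted and never acked.
SAMPLE: List[Frame] = [
    Frame(0.00, "20.20.20.10", "20.20.20.5", "DNS"),
    Frame(0.01, "20.20.20.5", "20.20.20.10", "DNS"),
    Frame(0.05, "198.51.100.7", "20.20.20.10", "TCP", 0, 1),
    Frame(0.20, "20.20.20.10", "203.0.113.9", "TCP", 1460, 1001),
    Frame(0.70, "20.20.20.10", "203.0.113.9", "TCP", 1460, 1001),   # retransmit
    Frame(1.70, "20.20.20.10", "203.0.113.9", "TCP", 1460, 1001),   # retransmit
] + [Frame(0.10 + i / 100, "20.20.20.66", "20.20.20.5", "DNS") for i in range(80)]


if __name__ == "__main__":
    for check, findings in audit(SAMPLE).items():
        print(f"{check}: {findings}")
```

On a real trace you would feed the frame summary in the same shape; the thresholds are the part to tune, since what counts as excessive for a DNS server is normal for a file server.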

Page 46

What we Covered

• Where to get Netmon
• Which OSes support it
• Capture: network trace
• Filters: pre & post capture
• Aliases
• Conversations
• Simultaneous traces
• Parsers

Page 47

Thank You

• NetMon traces can be read anywhere…

• Please let me help you with your traces

[email protected]