This article contains download and support information, installation notes, and general usage information about Network Monitor 3.2.
- Process tracking. You can view the process name and PID of all the processes that generate network traffic on a computer. Additionally, you can use the conversation tree to view the frames that are associated with each process.
- Find conversations. You can quickly isolate frames in the same network conversation. This includes TCP streams, HTTP flows, and other kinds of network traffic.
- PCAP capture file support.
Network Monitor 3.2 includes software that was developed by the following entities:
- The University of California, Berkeley, and its contributors
- Kungliga Tekniska Hogskolan and its contributors
- Yen Yen Lim and North Dakota State University
- The Capture engine was redesigned to improve the capture rate for high-speed networks. Network Monitor 3.2 drops significantly fewer frames than does Network Monitor 3.1.
- Extensive parser set. Network Monitor 3.2 now supports parsers for more than 300 protocols. This includes the protocols that are covered by the Windows Open Protocol Specifications. For more information, visit the following Microsoft Web site:
- Network Monitor API. You can create your own applications that capture, parse, and analyze network traffic.
- Better parser management. By default, only a subset of parsers is loaded. You can load the full parser set by changing the parser search order. You can do this under the Parser item on the Options menu.
- Support for frame truncation. You can limit the number of bytes captured per frame to improve performance. You can do this under the Options item on the
- More extensive documentation of the NPL. This documentation includes documentation about the new NMAPI. You can access this documentation from the
NPL and API Documentation item on the Help menu.
- Enhanced filtering on items within NPL while loops or arrays. You can specify an index in the array or in the while loop that you want to filter.
- Availability of an IA-64 version.
- ContainsBin plug-in. You can search frames for arbitrary byte sequences or strings. For example, you can search for "msn" by using the following query: ContainsBin(FrameData, ASCII, “msn”)
- More UI indicators. New indicators include conversation status, dropped frames, and the number of frames in the capture buffer.
Download and support informationTo download Network Monitor 3.2, visit the following Microsoft Web site:Note This site includes Network Monitor 3.2 downloads for Windows Vista x86-based versions, for Windows Vista x64-based versions, and for Windows Vista IA-64-based versions.
For support information about Network Monitor 3.2, visit the following Microsoft Web site:
Options column of the table. After you enroll in the program, you have access to newsgroups, and you can submit bug reports.
Installation notesNetwork Monitor 3.2 can coexist with Network Monitor 2.x and earlier versions. By default, Network Monitor 3.2 is installed in the %Program Files%\Microsoft Network Monitor 3 folder. Therefore, conflicts do not occur if an earlier version is installed in a different folder on the computer. When you install Network Monitor 3.2, earlier versions of Network Monitor 3 are uninstalled.
Network Monitor 3.2 includes a driver for Windows Vista-based computers. This driver supports new features of the Network Driver Interface Specification (NDIS) 6.0 driver. If you are using tools that rely on Network Monitor 2.x NPPTools, these tools will no longer work. To capture network data in Windows Vista, you must use Network Monitor 3.2. Network Monitor 2.x does not capture network data correctly in Windows Vista.
The following are the suggested hardware requirements for Network Monitor 3.2:
- 1 gigahertz (GHz) processor or faster
- 1 gigabyte (GB) or more of memory
- 25 megabytes (MB) of free space on the hard disk, and additional hard disk space to store capture files
- Windows Vista
- Windows Server 2008
- Windows XP
- Windows Server 2003
Warnings and cautions
Currently, we do not recommend that you run Network Monitor 3 on production systems. In scenarios where load is important, use the following command-line version of Network Monitor 3 to capture network data:
Network Monitor 3.2 may consume lots of system resources. The following are some important considerations.
- Disk space
When you start a capture session, Network Monitor 3 stores frames in a sequence of capture files that are located in the Temp folder. By default, the size of each capture file is 20 MB. If you do not stop the capture session, Network Monitor 3 continues to store capture files in the Temp folder until the free hard disk space on the computer falls below 2 percent. Then, Network Monitor 3 stops the capture session.
You can configure the capture file size, the location in which the capture files are stored, the free hard disk space limit, and other capture options. To do this, point to Options on the Tools menu, and then click the Capture tab.
- Memory use
In addition to capturing data, Network Monitor 3 assigns properties to frames and then uses these properties to group the frames into conversations. Network Monitor 3 displays the conversations and the associated frames in a tree structure in the Network Conversations window.
The Conversations feature in Network Monitor 3 significantly increases memory use. This may cause the computer to become unresponsive. By default, the Conversations feature is disabled. Some higher-level protocol filters require conversation properties. To enable the Conversations feature, click the
Start Page tab, and then click to select the Enable Conversations check box.
- Processor utilization
The Conversations feature of Network Monitor 3 may significantly increase processor utilization when lots of frames are processed. By default, the Conversations feature is disabled.
General usageGeneral usage information for Network Monitor 3 includes the following.
- Capture network data
If you want to minimize the effect on system resources when you use Network Monitor 3 to capture data, use the Nmcap.exe command-line tool to capture data.
Network Monitor 3 lets you collect network data and view this data in real time as it is captured. To start a capture session in Network Monitor 3, click Start Page, click
Create a new capture, and then either click
Start Captureor press F5.
Network Monitor 3 uses a simple syntax that is expression-based to filter frames. All frames that match the chosen expression are displayed to the user. For more information about filters, do any of the following:
- View the topics in the "Using Filters" section of the Network Monitor 3 User's Guide. To do this, click Contents on the Help menu, and then double-click Using Filters.
- On the Help menu, point to How Do I , and then click Use Filters.
- To view standard filters, click the Capture Filter tab or the Display Filter tab.
By default, the conversation feature is enabled. This setting can consume lots of memory, especially in scenarios where you capture lots of data or where you capture data over long periods. See the "NMCap" section for information about how to capture data over long periods.
Conversations enable the grouping and display of frames in the Network Conversations window in a tree structure according to the conversations to which they belong. For example, TCP data that uses the same source port and the same destination port is organized into a group. When you click a node in the Network Conversations window, the corresponding conversation filter is automatically applied to the frames in the Frame Summary window. Only frames that belong to that particular conversation are displayed.
- Nmcap.exe command-line tool
The Nmcap.exe command-line tool lets you configure the start and stop times for a capture session. You can also use this command-line tool to created chained captures. Chained captures let you create multiple capture files while you keep the size of each capture file small.
- Network Parsing Language (NPL)
Network Monitor 3 parsers are written in a language that is designed specifically to make parser development more straightforward. This also provides a level of protection against potential exploitation from malicious code that may occur if parsers were created as DLL files. You can view or modify the parsers that are included in Network Monitor 3. Documentation for the NPL language can be accessed on the Helpmenu.
NMAPI lets you programmatically access the parsing and capturing engine of Network Monitor 3.2. See the Help menu for a link to the API documentation.
Common issuesCommon Network Monitor 3.2 issues include the following:
- Protocols do not parse correctly. This issue may occur if either of the following conditions is true:
- The Conversations feature is disabled.
Certain protocols depend on conversation properties to store state values that may be needed in later frames. For example, TCP requires conversations to store information about retransmitted frames. The filter for TCP Retransmits will not work unless the Conversations feature is enabled.
Similarly, the Server Message Block (SMB) protocol cannot translate the response to a Transact command, because the response does not contain the original command. The original command is saved in conversation properties.
- You do not have the full parser set loaded. The default parser configuration for Network Monitor 3.2 is a subset of the complete set. This behavior lets Network Monitor 3.2 run more quickly. If you want to load the full set, see the “How Do I…Load full parsers?” topic on the Help menu.
- The Conversations feature is disabled.
- You receive one of the following error messages when you run Network Monitor 3 on a Windows Vista-based computer:None of the network adapters are bound to the Netmon driverThis network adapter is not configured to capture with Network MonitorThis issue occurs if either of the following conditions is true:
- You are not running Network Monitor 3 as an administrator.
- You are not a member of the Netmon Users group.
Article ID: 955998 - Last Review: Aug 24, 2009 - Revision: 1