This article contains information about Microsoft Network
Monitor 3.2. Network Monitor 3.2 is a protocol analyzer that lets you capture,
view, and analyze network data. You can use it to help troubleshoot problems
with applications on the network.
This article contains download and
support information, installation notes, and general usage information about
Network Monitor 3.2.
Network Monitor 3.2 is the latest version of Network
Monitor. The following list contains information about the new features in
Network Monitor 3.2:
- Process tracking. You can view the process name and PID of
all the processes that generate network traffic on a computer. Additionally,
you can use the conversation tree to view the frames that are associated with
- Find conversations. You can quickly isolate frames in the
same network conversation. This includes TCP streams, HTTP flows, and other
kinds of network traffic.
- PCAP capture file support.
includes software that was developed by the following entities:
- The University of California, Berkeley, and its
- Kungliga Tekniska Hogskolan and its
- Yen Yen Lim and North Dakota State
- The Capture engine was redesigned to improve the capture
rate for high-speed networks. Network Monitor 3.2 drops significantly fewer
frames than does Network Monitor 3.1.
Download and support information
To download Network Monitor 3.2, visit the following Microsoft Web site:
Note This site includes Network Monitor 3.2 downloads for Windows Vista x86-based versions, for Windows Vista x64-based versions, and for Windows Vista IA-64-based versions.
For support information about Network Monitor 3.2,
visit the following Microsoft Web site:
You must sign in to this Web site by using a Windows Live ID.
After you sign in, you can apply to participate in the program. To do this,
next to Network Monitor 3
column of the table. After you enroll in the program,
you have access to newsgroups, and you can submit bug reports.
Network Monitor 3.2 can coexist with Network Monitor
and earlier versions. By default, Network
Monitor 3.2 is installed in the %Program Files%\Microsoft Network Monitor 3
folder. Therefore, conflicts do not occur if an earlier version is installed in
a different folder on the computer. When you install Network Monitor 3.2,
earlier versions of Network Monitor 3 are uninstalled.
Network Monitor 3.2 includes a driver for Windows Vista-based computers. This driver
supports new features of the Network Driver Interface Specification (NDIS) 6.0
driver. If you are using tools that rely on Network Monitor
NPPTools, these tools will no longer work. To
capture network data in Windows Vista, you must use Network Monitor 3.2.
Network Monitor 2.x does not capture network data correctly in Windows Vista.
The following are the suggested hardware
requirements for Network Monitor 3.2:
- 1 gigahertz (GHz) processor or faster
- 1 gigabyte (GB) or more of memory
- 25 megabytes (MB) of free space on the hard disk, and
additional hard disk space to store capture files
Network Monitor 3.2 is supported on the following operating
- Windows Vista
- Windows Server 2008
- Windows XP
- Windows Server 2003
Warnings and cautions
Currently, we do not recommend that you run Network Monitor 3
on production systems. In scenarios where load is important, use the following
command-line version of Network Monitor 3 to capture
information about Nmcap.exe, see the "Nmcap.exe command-line tool" section.
Network Monitor 3.2 may consume lots of system resources. The
following are some important considerations.
- Disk space
When you start a capture session, Network Monitor 3
stores frames in a sequence of capture files that are located in the Temp
folder. By default, the size of each capture file is 20 MB. If you do not stop
the capture session, Network Monitor 3 continues to store capture files in the
Temp folder until the free hard disk space on the computer falls below 2
percent. Then, Network Monitor 3 stops the capture session.
configure the capture file size, the location in which the capture files are
stored, the free hard disk space limit, and other capture options. To do this,
point to Options on the Tools menu, and then
click the Capture tab.
- Memory use
In addition to capturing data, Network Monitor 3 assigns
properties to frames and then uses these properties to group the frames into
conversations. Network Monitor 3 displays the conversations and the associated
frames in a tree structure in the Network Conversations window.
Conversations feature in Network Monitor 3 significantly increases memory use.
This may cause the computer to become unresponsive. By default, the
Conversations feature is disabled. Some higher-level protocol filters require
conversation properties. To enable the Conversations feature, click the
Start Page tab, and then click to select the Enable
Conversations check box.
- Processor utilization
The Conversations feature of Network Monitor 3 may
significantly increase processor utilization when lots of frames are processed.
By default, the Conversations feature is disabled.
General usage information for Network Monitor 3 includes the
- Capture network data
If you want to minimize the effect on system resources
when you use Network Monitor 3 to capture data, use the Nmcap.exe
command-line tool to capture data.
Network Monitor 3 lets you collect
network data and view this data in real time as it is captured. To start a
capture session in Network Monitor 3, click Start Page, click
Create a new capture, and then either click
or press F5.
Network Monitor 3 uses a simple syntax that is
expression-based to filter frames. All frames that match the chosen expression are
displayed to the user. For more information about filters, do any of the
- View the topics in the "Using Filters" section of the
Network Monitor 3 User's Guide. To do this, click Contents on
the Help menu, and then double-click Using
- On the Help menu, point to How
Do I, and then click Use Filters.
- To view standard filters, click the Capture
Filter tab or the Display Filter tab.
By default, the conversation feature is enabled. This
setting can consume lots of memory, especially in scenarios where you capture
lots of data or where
you capture data over
long periods. See the "NMCap" section for information about how to
over long periods.
Conversations enable the
grouping and display of frames in the Network Conversations window in a tree
structure according to the conversations to which they belong. For example, TCP
data that uses the same source port and the same destination port is organized
into a group. When you click a node in the Network Conversations window, the
corresponding conversation filter is automatically applied to the frames in the
Frame Summary window. Only frames that belong to that particular conversation
- Nmcap.exe command-line tool
The Nmcap.exe command-line tool
lets you configure the
stop times for a capture session.
You can also use this command-line tool to create chained captures. Chained
captures let you create multiple capture files while you keep the size of each
capture file small.
- Network Parsing Language (NPL)
Network Monitor 3 parsers are written in a language that
is designed specifically to make parser development more straightforward. This
also provides a level of protection against potential exploitation from
malicious code that may occur if parsers were created as DLL files. You can
view or modify the parsers that are included in Network Monitor 3.
Documentation for the NPL language can be accessed on the Help
lets you programmatically access the parsing and capturing engine of Network
Monitor 3.2. See the Help menu for a link to the API documentation.
Network Monitor 3.2 issues
include the following:
- Protocols do not parse correctly. This issue may occur if
either of the following conditions is true:
- The Conversations feature is disabled.
protocols depend on conversation properties to store state values that may be
needed in later frames. For example, TCP requires conversations to store
information about retransmitted frames. The filter for TCP Retransmits will not
work unless the Conversations feature is enabled.
Server Message Block (SMB) protocol cannot translate the response to a Transact command, because the response does not contain the original
command. The original command
is saved in conversation properties.
- You do not have the full parser set loaded. The default
parser configuration for Network Monitor 3.2 is a subset of the complete set.
lets Network Monitor 3.2 run more
quickly. If you want to load the full
set, see the “How Do I…Load full parsers?” topic on the Help menu.
- You receive one of the following error messages when you
run Network Monitor 3 on a Windows Vista-based computer:
None of the network adapters are bound to the Netmon
This issue occurs if either of the
following conditions is true:
This network adapter is not configured to
capture with Network Monitor
For more information, see the Network Monitor 3 release
notes, or see the "Operating on Windows Vista" topic on the Network Monitor 3 Help
- You are not running Network Monitor 3 as
- You are not a member of the Netmon Users
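The dependency of TCP Retransmit detection and SMB Transact response parsing on conversation properties, described in the "Protocols do not parse correctly" issue above, can be modeled as follows. This is an added example, not Network Monitor or NPL code; the frame fields, the `analyze` function and its `conversations_enabled` parameter are hypothetical, and the frames are constructed.

```python
from collections import defaultdict

# Constructed frames (not a real capture). "smb" is ("req"|"rsp", multiplex id, command).
CLIENT, SERVER = ("10.0.0.5", 49200), ("10.0.0.9", 445)
FRAMES = [
    {"no": 1, "src": CLIENT, "dst": SERVER, "seq": 1000, "len": 80,
     "smb": ("req", 7, "TRANS_TRANSACT_NMPIPE")},
    {"no": 2, "src": SERVER, "dst": CLIENT, "seq": 5000, "len": 60,
     "smb": ("rsp", 7, None)},
    {"no": 3, "src": CLIENT, "dst": SERVER, "seq": 1080, "len": 40, "smb": None},
    {"no": 4, "src": CLIENT, "dst": SERVER, "seq": 1080, "len": 40, "smb": None},
]

def conversation_key(frame):
    """Both directions of one TCP connection map to the same key."""
    return tuple(sorted((frame["src"], frame["dst"])))

def new_state():
    return {"segments": set(), "pending": {}}

def analyze(frames, conversations_enabled=True):
    """Return {frame number: [notes]} (hypothetical model of stateful parsing)."""
    properties = defaultdict(new_state)   # grows with every conversation seen
    result = {}
    for f in frames:
        # Without conversations, each frame is parsed with no memory of earlier ones.
        state = properties[conversation_key(f)] if conversations_enabled else new_state()
        notes = []
        segment = (f["src"], f["seq"], f["len"])
        if segment in state["segments"]:
            notes.append("TCP retransmit")
        state["segments"].add(segment)
        if f["smb"]:
            kind, mid, command = f["smb"]
            if kind == "req":
                state["pending"][mid] = command   # saved for the later response
                notes.append(f"SMB Transact request: {command}")
            else:
                original = state["pending"].pop(mid, None)
                notes.append(f"SMB Transact response to {original}" if original
                             else "SMB Transact response (original command unknown)")
        result[f["no"]] = notes
    return result

if __name__ == "__main__":
    for enabled in (True, False):
        print("conversations enabled:", enabled)
        for no, notes in analyze(FRAMES, enabled).items():
            print(f"  frame {no}: {', '.join(notes) or '-'}")
```

The per-conversation `properties` table is also the reason the feature costs memory: it holds state for every conversation for the life of the capture.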
For support information about Network Monitor 3, visit the
following Microsoft Web sites:
Article ID: 955998 - Last Review: September 24, 2008 - Revision: 2.3
- Windows Vista Ultimate
- Windows Vista Enterprise
- Windows Vista Ultimate 64-bit Edition
- Windows Vista Enterprise 64-bit Edition