Network Monitor: From “No” to “Pro” in 75 Minutes

Rhonda J. Layfield
Sr. Technical Consultant
Outline
• Meet Network Monitor: the Basics
  – Capture and Interpret data: lots of data and lots of
    demos!
  – Filters: making sense out of all of that data
• Going Beyond the Basics: Advanced Features
  – What machine do I run Netmon on?
  – Hearing from all players: simultaneous traces
• Secure Your Network with Network Monitor
  – Watching intruders
  – Auditing applications
Why does anyone care?
• NYC Government Agency office under
  attack by a specific machine name
• Exchange server under attack while
  attempting to verify existing domain names
  before delivering emails
• Would you like to know if there are
  uninvited guests in your network?
Turning your Network into Glass
• Wouldn’t it be nice if we could actually see
  what is on the network wire?
• I mean really SEE the traffic, data,
  protocols and ports being used
This is Our Network
(diagram: Deploy Server 20.20.20.10, DC/DNS/DHCP 20.20.20.5, Bare Metal client)
Network Monitor: the Basics
• Why should we use Netmon?
• When should we use Netmon?
   – To find out what type of traffic is on our network
   – When we get unexpected results from software/hardware
   – To find security holes we may not be aware of based on where
     traffic is coming from
• How do we use it? Generate a trace
   – Explain the panes
• Where do we take the trace from? Do we need more
  than one trace?
• Create pre/post capture filters
Netmon's History…the versions
• In the past, the version that shipped on the Operating System CD was
  – 2.1 Lite Version
  – Version 5.2 (Build 3790: Service Pack 1)
• The version that you got with SMS was
  – 2.1 (Build 5.2.3790.170.040510-1249)
• There is an open source “free” promiscuous sniffer called Wireshark
  – We only have time for Netmon today
What’s new with Netmon 3.1
• Complete re-write of its capture/parser engine
• Detecting other machines running Network
  Monitor
• Capture wireless 802.11 frames in monitor mode
• New Reassembly Engine
• Performance improvements
• Capture on the VPN and RRAS interfaces
• Protocol parsers are better
• Filtering is more flexible
Where do you get Netmon 3.2?
• Netmon 3.x doesn’t ship with any OS or
  product but is a free download from
  Microsoft
• Supported to run on:
  – Windows XP
  – Windows Vista
  – Windows Server 2003 / 2008
Which Users may run Netmon?
• Windows XP
  – Anyone logged on as a local administrator
• Windows Vista
  – From an elevated command prompt you can run
    Netmon.exe as administrator
  – Right-click the icon and select Run as administrator
  – Any user account in the Netmon Users group which
    is created during the installation of Network Monitor
    3.1
How do you run Netmon?
• Log on as administrator
• Run either Netmon.exe or Nmcap.exe with
  administrative privilege
  – from either an elevated command prompt
  – or by right-clicking the Netmon.exe icon and selecting
    Run as administrator.
• Log on as a standard user
• Add your user account to the Netmon Users
  group
• Log off and back on for your token to be updated
  with the new group membership
Standard user running Netmon?
• When a standard user attempts to start a capture, the error
  "None of the network adapters are bound to the Netmon driver"
  will be displayed
• AND
• When viewing your adapters in Netmon, the error
  "This network adapter is not configured to capture" will be
  displayed
Meet Netmon and your Networks
(screenshot) Scroll to see “State” = Bound
Before You use Netmon
• Disk space: capture files named cap*.tmp are created in your
  Local Settings\Temp directory, 20 MB each; capturing stops
  once your disk is within 2% of its available free space.
• Memory & processor utilization: the “Enable Conversations”
  box uses a lot more memory and processor cycles
The Captured File Sizes
– Tools / Options / Capture
Starting a Capture
• Start page / Create a new capture tab
• Or, File / New / Capture
• Choose your network from the Select
  Networks window
• Configure your capture filter in the Filter
  window
• On the Capture menu, click Start or F10 or
  click on the play button
What is captured…
• Frames addressed to the specific computer
• Broadcast frames
• Multicast to a group that an application on the computer
  is assigned to
• To capture all traffic on the wire you can set Netmon to
  capture in "p-mode" (promiscuous mode)
Real-time Packet View
Packet Details
Conversations
• Netmon assigns properties to frames and groups them into
  "conversations" using those properties
• All Traffic
    –   My Traffic
    –   Other Traffic
    –   frames are sorted by source and destination network address
    –   drill down to see more specific conversations
• Conversations are disabled by default
• The corresponding frames are displayed in the Frame Summary
  window
• To build custom filters for conversations, right-click the desired
  conversation, select Copy Conversation Filter to Clipboard
• Some higher-level protocol filters require conversation properties, so
  you may need to experiment if you are planning on using capture
  filters with conversation support turned off
Saving the Captured Frames
• The default location is:
   – Documents\Microsoft Network Monitor_3\Captures
      • cap2C0.tmp, cap2C1.tmp, cap2C2.tmp
• File / Save As
   –   All captured frames
   –   Displayed frames
   –   Selected frames
   –   A range of frames (e.g. from 17..53)
   –   Click Save.
Create and Apply Aliases
•   From the capture tab
•   Select the Aliases tab
•   Click the Create New Alias icon
•   Enter the IP address of the computer you want
    to give an alias, the name of the alias and
    comments
•   Click the “Apply” button on the aliases toolbar
•   You could also go through the View / Aliases
    menu
New Aliases
Creating an Alias
Save and Load your Aliases
•   Save your aliases by clicking the Save
    Alias button on the aliases toolbar
•   Load saved aliases by clicking the Open
    Folder icon on the aliases toolbar
•   Browse to the folder containing your
    saved aliases file (.nma)
•   Select the aliases file
•   Apply the aliases
Welcome to “Filters”
• There are two different types of filters
   – Capture filter - captures only specific types of traffic
      • Traffic between two machines
      • Frames containing a certain pattern match (computer name)
        in them
      • Be careful NOT to filter out information that could help
        identify an issue
   – Display Filter
      • Used most often, because there is no longer any risk of
        filtering out traffic that could give you a troubleshooting
        clue
      • Captures all traffic
      • Filter after the capture; all frames stay intact even if you
        change the filters
Filter Expressions
Filter on:
   – Properties
   – Protocols
   – Protocol elements
• Limited IntelliSense support
• Looking for a specific Protocol?
   – Protocol. and choose from the drop-down list
• Type the protocol name (icmp or http) and add
  a period "."
Sample Filters
• Load filters button in Capture/Display filter
  windows
Filtering on ICMP
Applying an ICMP Filter
Building Custom Filters
• Filter expressions are similar to equations
• Terms are usually joined by AND / OR (the C-style forms also
  work: && = AND, || = OR)
• Basic Operators
   – == (equals)
   – != (NOT equal to)
   – ! (NOT)
• // begins a comment field
• // View IPv4 traffic between a source and a destination
  node
  IPv4.Address==10.50.50.50 and
  IPv4.Address==10.50.50.55
• Program Files\MS Netmon\Help\FilterExpressionManual.doc
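As an added example (not code from the deck or from Network Monitor itself), a small Python evaluator for the subset of filter syntax described on this slide, run over a few constructed frames; treating a bare protocol name such as ICMP as "keep the frames carrying that protocol" is this evaluator's convention, not something the slide states.

```python
"""Tiny evaluator for Netmon-style filter expressions (added illustration,
not Network Monitor's own parser). It covers the subset the slide lists:
Property==value, Property!=value, ! (NOT), AND/OR (also && and ||),
parentheses, // comments, and a bare protocol name such as ICMP."""
import re

# Constructed sample frames, not a real capture. "IPv4.Address" is treated,
# as in Netmon, as matching either the source or the destination address.
FRAMES = [
    {"Frame": 1, "IPv4.Source": "10.50.50.50", "IPv4.Destination": "10.50.50.55", "Protocol": "ICMP"},
    {"Frame": 2, "IPv4.Source": "10.50.50.55", "IPv4.Destination": "10.50.50.50", "Protocol": "ICMP"},
    {"Frame": 3, "IPv4.Source": "10.50.50.50", "IPv4.Destination": "20.20.20.10", "Protocol": "DNS"},
    {"Frame": 4, "IPv4.Source": "203.0.113.7", "IPv4.Destination": "10.50.50.60", "Protocol": "TCP"},
]

# Operators come first so that "!=" wins over "!"; then names and values.
TOKEN_RE = re.compile(r"\s*(?:(\(|\)|==|!=|&&|\|\||!)|([A-Za-z0-9_.]+))")
WORD_OPS = {"and": "&&", "or": "||", "not": "!"}

def tokenize(expr):
    """Drop // comments, then split into operator and word tokens."""
    expr = re.sub(r"//[^\n]*", "", expr).strip()
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        op, word = m.groups()
        tokens.append(op if op else WORD_OPS.get(word.lower(), word))
        pos = m.end()
    return tokens

def parse(tokens):
    """Recursive descent with C precedence: || lowest, then &&, then ! and atoms."""
    pos = [0]
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None
    def take():
        tok = peek()
        pos[0] += 1
        return tok

    def parse_or():
        node = parse_and()
        while peek() == "||":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "&&":
            take()
            node = ("and", node, parse_not())
        return node

    def parse_not():
        tok = take()
        if tok == "!":
            return ("not", parse_not())
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in ("==", "!=", "&&", "||", ")"):
            raise ValueError(f"expected a property or protocol, got {tok!r}")
        if peek() in ("==", "!="):
            op, value = take(), take()
            if value is None:
                raise ValueError(f"missing value after {tok} {op}")
            return (op, tok, value)
        return ("proto", tok)  # bare protocol name: keep frames carrying it
    node = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return node

def evaluate(node, frame):
    kind = node[0]
    if kind == "==":
        prop, want = node[1], node[2]
        have = ([frame.get("IPv4.Source"), frame.get("IPv4.Destination")]
                if prop == "IPv4.Address" else [frame.get(prop)])
        return want in [str(v) for v in have if v is not None]
    if kind == "!=":  # true only when no value of the property equals it
        return not evaluate(("==", node[1], node[2]), frame)
    if kind == "proto":
        return frame.get("Protocol", "").lower() == node[1].lower()
    if kind == "not":
        return not evaluate(node[1], frame)
    if kind == "and":
        return evaluate(node[1], frame) and evaluate(node[2], frame)
    return evaluate(node[1], frame) or evaluate(node[2], frame)

def apply_filter(expr, frames=FRAMES):
    """Return the frame numbers a display filter keeps."""
    tree = parse(tokenize(expr))
    return [f["Frame"] for f in frames if evaluate(tree, f)]
```

The slide's own two-address filter, comment line included, keeps only the frames where both addresses appear.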
Add a little Color to Your Filter
• Click Filter from the menu options
• Color Filter
Colors…
• Load standard filter & choose colors
Let's see how Netmon displays this…
Document
• It can become confusing when analyzing
  traces as to which machine the issue was
  occurring on
• Document which services are running on
  which machine…Comp1 (Exchange),
  Comp2 (DNS), Comp3 (Active Directory)
• Keep detailed notes on the Issues you are
  working on and what you have found
Advanced Features
• Where do you take a trace from?
  – Follow the flow of traffic
• How many traces do you need?
  – How many interfaces does the traffic flow
    through?
• Follow that packet – multiple trace
  scenario
  – Time of day option can be helpful here
• Server / Client on the same machine?
  – Turn local traffic into network traffic so you
Where to take a trace from?
(diagram) Between two machines is easy, take the trace on either one
OR
Sometimes it is necessary to take a trace on both at the same time
Now Where?
(diagram: XP Client → Firewall, Internal and External interfaces → Exchange Server)
How many traces do you need?
• In our previous example we had three
  different pieces of equipment to look at
  – An XP workstation
  – A Firewall with two interfaces
  – An Exchange Server
• To follow a data packet from the XP
  workstation all the way through to the
  Exchange server we would need four
  traces taken at the same time
Follow that Trace
• Time of day comes in handy here…
• Open all four traces and find the time of
  day
• Then you can watch the flow from one
  trace to the next pretty easily
Tips and Tricks
• For really large traces use PING packets as bookmarks
(diagram: Outlook Clients → Exchange Server)
How to Find the Needle in the Haystack
(illustration: an unbroken wall of PACKET PACKET PACKET ...)
Use PINGs as Bookmarks
(illustration: the same wall of PACKETs, with a PING standing out at intervals)
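The two tricks above, PING bookmarks and following one packet through simultaneous traces by time of day, as an added Python illustration (not Netmon's code): the four traces and their 10.0.0.x addresses are constructed, no NAT is assumed on the firewall, and 10.0.0.9 is assumed to be the admin box that sends the bookmark PINGs.

```python
"""Two helpers for the tips above (added illustration, not Netmon code):
cutting a big trace at PING bookmarks, and following one packet through
several simultaneous traces by time of day. Frames are constructed dicts."""
from datetime import datetime, timedelta


def frame(num, when, src, dst, proto, **extra):
    f = {"Frame": num, "Time": datetime.fromisoformat(when),
         "Source": src, "Destination": dst, "Protocol": proto}
    f.update(extra)
    return f


# Constructed traces taken at the same time on the four capture points of
# the XP-to-Exchange path. Addresses are made up; no NAT is assumed, so the
# packet keeps its source/destination on every hop. 10.0.0.9 is the admin
# box that sends the bookmark PINGs.
ADMIN = "10.0.0.9"
TRACES = {
    "xp": [
        frame(1, "2009-03-01T10:00:00.100", "10.0.0.21", "10.0.0.5", "SMTP"),
        frame(2, "2009-03-01T10:00:00.400", "10.0.0.5", "10.0.0.21", "SMTP"),
    ],
    "fw_internal": [
        frame(1, "2009-03-01T10:00:00.102", "10.0.0.21", "10.0.0.5", "SMTP"),
        frame(2, "2009-03-01T10:00:00.398", "10.0.0.5", "10.0.0.21", "SMTP"),
    ],
    "fw_external": [
        frame(1, "2009-03-01T09:59:59.900", "10.0.0.33", "10.0.0.5", "HTTP"),
        frame(2, "2009-03-01T10:00:00.104", "10.0.0.21", "10.0.0.5", "SMTP"),
        frame(3, "2009-03-01T10:00:00.396", "10.0.0.5", "10.0.0.21", "SMTP"),
    ],
    "exchange": [
        frame(1, "2009-03-01T09:59:58.000", "10.0.0.33", "10.0.0.5", "HTTP"),
        frame(2, "2009-03-01T09:59:59.000", ADMIN, "10.0.0.5", "ICMP", Type="EchoRequest"),
        frame(3, "2009-03-01T10:00:00.106", "10.0.0.21", "10.0.0.5", "SMTP"),
        frame(4, "2009-03-01T10:00:00.390", "10.0.0.5", "10.0.0.21", "SMTP"),
        frame(5, "2009-03-01T10:00:05.000", ADMIN, "10.0.0.5", "ICMP", Type="EchoRequest"),
        frame(6, "2009-03-01T10:00:06.000", "10.0.0.21", "10.0.0.5", "SMTP"),
    ],
}


def is_bookmark(f, host):
    return f["Protocol"] == "ICMP" and f.get("Type") == "EchoRequest" and f["Source"] == host


def split_at_ping_bookmarks(trace, host=ADMIN):
    """Cut a trace into segments, a new one starting at every PING sent from
    `host`. Segment 0 is whatever came before the first bookmark."""
    segments = [[]]
    for f in trace:
        if is_bookmark(f, host):
            segments.append([])
        segments[-1].append(f)
    return segments


def follow_packet(reference, traces, window_seconds=2.0):
    """Find `reference` (seen in one trace) in every trace: same source,
    destination and protocol, nearest time of day within the window.
    The window must be wider than the clock skew between the capture
    machines or the match is missed. Returns {trace name: frame or None}."""
    window = timedelta(seconds=window_seconds)
    key = (reference["Source"], reference["Destination"], reference["Protocol"])
    hits = {}
    for name, trace in traces.items():
        candidates = [f for f in trace
                      if (f["Source"], f["Destination"], f["Protocol"]) == key
                      and abs(f["Time"] - reference["Time"]) <= window]
        hits[name] = min(candidates, key=lambda f: abs(f["Time"] - reference["Time"]),
                         default=None)
    return hits
```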
Server/Client Traffic on the same machine
• Req: The computer must be on a routed network
• route add <IP Address of the server that you are on> <IP Address of
  default gateway of the server you are on>
• Remove the route afterwards:
  – route delete <IP Address of the server that you are on>
Securing your network with
         Network Monitor
• Excessive traffic
• IP addresses not from your network
• Black hole router
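An added Python illustration (not Netmon's own code) of how the three warning signs above can be checked once a capture has been read in: the frames are constructed, "our network" is taken to be 20.20.20.0/24 (the deck's lab addresses with an assumed mask), and the one-way-flow heuristic for a black hole router is this example's assumption, since the deck names only the symptom.

```python
"""Three checks over a capture for the security slide's warning signs
(added illustration, not Netmon code): traffic from addresses that are not
ours, sources sending an excessive number of frames, and one-way flows
that never get an answer. Frames are constructed dicts."""
import ipaddress
from collections import Counter

# The deck's lab network is 20.20.20.x; the /24 mask is an assumption.
OUR_NETWORKS = [ipaddress.ip_network("20.20.20.0/24")]
BROADCAST = "255.255.255.255"


def mk(num, src, dst, proto):
    return {"Frame": num, "Source": src, "Destination": dst, "Protocol": proto}


# Constructed sample capture, not real traffic.
FRAMES = [
    mk(1, "0.0.0.0", BROADCAST, "DHCP"),        # bare-metal client booting
    mk(2, "20.20.20.5", BROADCAST, "DHCP"),     # offer from the DC/DHCP box
    mk(3, "20.20.20.77", "20.20.20.5", "DNS"),
    mk(4, "20.20.20.5", "20.20.20.77", "DNS"),
]
# An outside host hammering the DC, which answers once.
FRAMES += [mk(5 + i, "198.51.100.9", "20.20.20.5", "TCP") for i in range(30)]
FRAMES.append(mk(35, "20.20.20.5", "198.51.100.9", "TCP"))
# The deploy server keeps talking to 20.20.20.200 and never hears back.
FRAMES += [mk(36 + i, "20.20.20.10", "20.20.20.200", "SMB") for i in range(4)]


def foreign_sources(frames, networks=OUR_NETWORKS):
    """Source addresses belonging to none of our networks. 0.0.0.0 is
    skipped: a DHCP/PXE client has no address yet and sends from it."""
    found = set()
    for f in frames:
        src = ipaddress.ip_address(f["Source"])
        if src.is_unspecified:
            continue
        if not any(src in net for net in networks):
            found.add(f["Source"])
    return sorted(found)


def top_talkers(frames, threshold):
    """(source, frame count) for every source sending more than threshold
    frames, busiest first: the deck's "excessive traffic" sign."""
    counts = Counter(f["Source"] for f in frames)
    return [(src, n) for src, n in counts.most_common() if n > threshold]


def one_way_flows(frames, min_frames=3):
    """(source, destination) pairs with at least min_frames sent and nothing
    ever seen coming back. Broadcast and multicast are ignored since no reply
    is expected. Silent loss like this is one symptom of a black hole router
    on the path; the heuristic is assumed here, the deck names only the symptom."""
    sent = Counter((f["Source"], f["Destination"]) for f in frames)
    flagged = []
    for (src, dst), n in sent.items():
        if dst == BROADCAST or ipaddress.ip_address(dst).is_multicast:
            continue
        if n >= min_frames and (dst, src) not in sent:
            flagged.append((src, dst))
    return sorted(flagged)
```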
What we Covered
•   Where to get Netmon
•   Which OSes support it
•   Capture – network trace
•   Filters – pre & post capture
•   Aliases
•   Conversations
•   Simultaneous traces
•   Parsers
Thank You
• NetMon traces can be read anywhere…
• Please let me help you with your traces
• Rhonda@Minasi.Com

Mais conteúdo relacionado

Mais procurados

Network Configuration Manager Training - [Season 7] Part 1 - Configuration ba...
Network Configuration Manager Training - [Season 7] Part 1 - Configuration ba...Network Configuration Manager Training - [Season 7] Part 1 - Configuration ba...
Network Configuration Manager Training - [Season 7] Part 1 - Configuration ba...ManageEngine, Zoho Corporation
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomPriyanka Aash
 
MSMDC_CLI363
MSMDC_CLI363MSMDC_CLI363
MSMDC_CLI363mokacao
 
Intercepting Windows Printing by Modifying GDI Subsystem
Intercepting Windows Printing by Modifying GDI SubsystemIntercepting Windows Printing by Modifying GDI Subsystem
Intercepting Windows Printing by Modifying GDI SubsystemPositive Hack Days
 

Mais procurados (7)

IDAPRO
IDAPROIDAPRO
IDAPRO
 
main
mainmain
main
 
Network Configuration Manager Training - [Season 7] Part 1 - Configuration ba...
Network Configuration Manager Training - [Season 7] Part 1 - Configuration ba...Network Configuration Manager Training - [Season 7] Part 1 - Configuration ba...
Network Configuration Manager Training - [Season 7] Part 1 - Configuration ba...
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-roomDefcon 22-jesus-molina-learn-how-to-control-every-room
Defcon 22-jesus-molina-learn-how-to-control-every-room
 
What is Ping
What is PingWhat is Ping
What is Ping
 
MSMDC_CLI363
MSMDC_CLI363MSMDC_CLI363
MSMDC_CLI363
 
Intercepting Windows Printing by Modifying GDI Subsystem
Intercepting Windows Printing by Modifying GDI SubsystemIntercepting Windows Printing by Modifying GDI Subsystem
Intercepting Windows Printing by Modifying GDI Subsystem
 

Destaque

Exch2010 compliance ngm f inal
Exch2010 compliance ngm f inalExch2010 compliance ngm f inal
Exch2010 compliance ngm f inalNathan Winters
 
Roger Grimes How I Fixed The Internets
Roger Grimes   How I Fixed The InternetsRoger Grimes   How I Fixed The Internets
Roger Grimes How I Fixed The InternetsNathan Winters
 
OCS Introduction for Learning Gateway Conference 2009
OCS Introduction for Learning Gateway Conference 2009OCS Introduction for Learning Gateway Conference 2009
OCS Introduction for Learning Gateway Conference 2009Nathan Winters
 
Exchange 2010 storage improvements
Exchange 2010 storage improvementsExchange 2010 storage improvements
Exchange 2010 storage improvementsNathan Winters
 
Nathan Winters Exchange 2010 protection and compliance
Nathan Winters Exchange 2010 protection and complianceNathan Winters Exchange 2010 protection and compliance
Nathan Winters Exchange 2010 protection and complianceNathan Winters
 
Joe Mc Glynn Sbs 2008 For The Small Business
Joe Mc Glynn   Sbs 2008 For The Small BusinessJoe Mc Glynn   Sbs 2008 For The Small Business
Joe Mc Glynn Sbs 2008 For The Small BusinessNathan Winters
 
Ultan kinahan dr - minasi 2010
Ultan kinahan   dr - minasi 2010Ultan kinahan   dr - minasi 2010
Ultan kinahan dr - minasi 2010Nathan Winters
 
Eric Rux The Big One Merging 2 Companies
Eric Rux   The Big One   Merging 2 CompaniesEric Rux   The Big One   Merging 2 Companies
Eric Rux The Big One Merging 2 CompaniesNathan Winters
 
Malware * punct ro
Malware * punct roMalware * punct ro
Malware * punct roCostin Raiu
 
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...IOSR Journals
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Nathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPCNathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPCNathan Winters
 
Migrating to Exchange 2010 and ad 2080 r2
Migrating to Exchange 2010 and ad 2080 r2Migrating to Exchange 2010 and ad 2080 r2
Migrating to Exchange 2010 and ad 2080 r2Nathan Winters
 
Thomas Deimel The World Of Hackintosh
Thomas Deimel   The World Of HackintoshThomas Deimel   The World Of Hackintosh
Thomas Deimel The World Of HackintoshNathan Winters
 
How Aetna Mitigated 701 Malware Infections on Mobile Devices
How Aetna Mitigated 701 Malware Infections on Mobile DevicesHow Aetna Mitigated 701 Malware Infections on Mobile Devices
How Aetna Mitigated 701 Malware Infections on Mobile DevicesSkycure
 
Adfs 2 & claims based identity
Adfs 2 & claims based identityAdfs 2 & claims based identity
Adfs 2 & claims based identityNathan Winters
 
Introduction to Exchange 2010
Introduction to Exchange 2010Introduction to Exchange 2010
Introduction to Exchange 2010Nathan Winters
 
Sql server troubleshooting
Sql server troubleshootingSql server troubleshooting
Sql server troubleshootingNathan Winters
 
Today's malware aint what you think
Today's malware aint what you thinkToday's malware aint what you think
Today's malware aint what you thinkNathan Winters
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 

Destaque (20)

Exch2010 compliance ngm f inal
Exch2010 compliance ngm f inalExch2010 compliance ngm f inal
Exch2010 compliance ngm f inal
 
Roger Grimes How I Fixed The Internets
Roger Grimes   How I Fixed The InternetsRoger Grimes   How I Fixed The Internets
Roger Grimes How I Fixed The Internets
 
OCS Introduction for Learning Gateway Conference 2009
OCS Introduction for Learning Gateway Conference 2009OCS Introduction for Learning Gateway Conference 2009
OCS Introduction for Learning Gateway Conference 2009
 
Exchange 2010 storage improvements
Exchange 2010 storage improvementsExchange 2010 storage improvements
Exchange 2010 storage improvements
 
Nathan Winters Exchange 2010 protection and compliance
Nathan Winters Exchange 2010 protection and complianceNathan Winters Exchange 2010 protection and compliance
Nathan Winters Exchange 2010 protection and compliance
 
Joe Mc Glynn Sbs 2008 For The Small Business
Joe Mc Glynn   Sbs 2008 For The Small BusinessJoe Mc Glynn   Sbs 2008 For The Small Business
Joe Mc Glynn Sbs 2008 For The Small Business
 
Ultan kinahan dr - minasi 2010
Ultan kinahan   dr - minasi 2010Ultan kinahan   dr - minasi 2010
Ultan kinahan dr - minasi 2010
 
Eric Rux The Big One Merging 2 Companies
Eric Rux   The Big One   Merging 2 CompaniesEric Rux   The Big One   Merging 2 Companies
Eric Rux The Big One Merging 2 Companies
 
Malware * punct ro
Malware * punct roMalware * punct ro
Malware * punct ro
 
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
Nathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPCNathan Winters TechDays UK Exchange 2010 IPC
Nathan Winters TechDays UK Exchange 2010 IPC
 
Migrating to Exchange 2010 and ad 2080 r2
Migrating to Exchange 2010 and ad 2080 r2Migrating to Exchange 2010 and ad 2080 r2
Migrating to Exchange 2010 and ad 2080 r2
 
Thomas Deimel The World Of Hackintosh
Thomas Deimel   The World Of HackintoshThomas Deimel   The World Of Hackintosh
Thomas Deimel The World Of Hackintosh
 
How Aetna Mitigated 701 Malware Infections on Mobile Devices
How Aetna Mitigated 701 Malware Infections on Mobile DevicesHow Aetna Mitigated 701 Malware Infections on Mobile Devices
How Aetna Mitigated 701 Malware Infections on Mobile Devices
 
Adfs 2 & claims based identity
Adfs 2 & claims based identityAdfs 2 & claims based identity
Adfs 2 & claims based identity
 
Introduction to Exchange 2010
Introduction to Exchange 2010Introduction to Exchange 2010
Introduction to Exchange 2010
 
Sql server troubleshooting
Sql server troubleshootingSql server troubleshooting
Sql server troubleshooting
 
Today's malware aint what you think
Today's malware aint what you thinkToday's malware aint what you think
Today's malware aint what you think
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 

Semelhante a Rhonda Layfield Sniffing Your Network With Netmon 3.3

Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
An Express Guide ~ SNMP for Secure Rremote Resource Monitoring
An Express Guide ~ SNMP for Secure Rremote Resource MonitoringAn Express Guide ~ SNMP for Secure Rremote Resource Monitoring
An Express Guide ~ SNMP for Secure Rremote Resource MonitoringAbhishek Kumar
 
System Client Details
System Client DetailsSystem Client Details
System Client DetailsSyAM Software
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Lab-5 Scanning and Enumeration Reconnaissance and inform.docx
Lab-5 Scanning and Enumeration        Reconnaissance and inform.docxLab-5 Scanning and Enumeration        Reconnaissance and inform.docx
Lab-5 Scanning and Enumeration Reconnaissance and inform.docxLaticiaGrissomzz
 
Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network securityChippy Thomas
 
Ecase direct servlet acess v1
Ecase direct servlet acess  v1Ecase direct servlet acess  v1
Ecase direct servlet acess v1Damir Delija
 
Hack The Box Nest 10.10.10.178
Hack The Box Nest 10.10.10.178Hack The Box Nest 10.10.10.178
Hack The Box Nest 10.10.10.178Abhichai L.
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Needamiable_indian
 
Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...
Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...
Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...Boston Institute of Analytics
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-MiddleTom Eston
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration TestingMohammed Adam
 

Semelhante a Rhonda Layfield Sniffing Your Network With Netmon 3.3 (20)

Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Nmap
NmapNmap
Nmap
 
An Express Guide ~ SNMP for Secure Rremote Resource Monitoring
An Express Guide ~ SNMP for Secure Rremote Resource MonitoringAn Express Guide ~ SNMP for Secure Rremote Resource Monitoring
An Express Guide ~ SNMP for Secure Rremote Resource Monitoring
 
System Client Details
System Client DetailsSystem Client Details
System Client Details
 
wireshark.pdf
wireshark.pdfwireshark.pdf
wireshark.pdf
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
enm-oss-v1-.pdf
enm-oss-v1-.pdfenm-oss-v1-.pdf
enm-oss-v1-.pdf
 
Lab-5 Scanning and Enumeration Reconnaissance and inform.docx
Lab-5 Scanning and Enumeration        Reconnaissance and inform.docxLab-5 Scanning and Enumeration        Reconnaissance and inform.docx
Lab-5 Scanning and Enumeration Reconnaissance and inform.docx
 
Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network security
 
Desk Maintenance
Desk MaintenanceDesk Maintenance
Desk Maintenance
 
Ecase direct servlet acess v1
Ecase direct servlet acess  v1Ecase direct servlet acess  v1
Ecase direct servlet acess v1
 
Hack The Box Nest 10.10.10.178
Hack The Box Nest 10.10.10.178Hack The Box Nest 10.10.10.178
Hack The Box Nest 10.10.10.178
 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Need
 
Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...
Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...
Nmap project presentation : Unlocking Network Secrets: Mastering Port Scannin...
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-Middle
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rules
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration Testing
 
Zen map
Zen mapZen map
Zen map
 

Mais de Nathan Winters

Aidan finn vmm 2008 r2 - minasi forum 2010
Aidan finn   vmm 2008 r2 - minasi forum 2010Aidan finn   vmm 2008 r2 - minasi forum 2010
Aidan finn vmm 2008 r2 - minasi forum 2010Nathan Winters
 
The new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiThe new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiNathan Winters
 
Desktop virtualization scott calvet
Desktop virtualization   scott calvetDesktop virtualization   scott calvet
Desktop virtualization scott calvetNathan Winters
 
Ultan Kinahan Business Continuity & Dr With Virtualization And Doubletake
Ultan Kinahan   Business Continuity & Dr With Virtualization And DoubletakeUltan Kinahan   Business Continuity & Dr With Virtualization And Doubletake
Ultan Kinahan Business Continuity & Dr With Virtualization And DoubletakeNathan Winters
 
Nathan Winters What’s New And Cool In Ocs 2007 R2
Nathan Winters   What’s New And Cool In Ocs 2007 R2Nathan Winters   What’s New And Cool In Ocs 2007 R2
Nathan Winters What’s New And Cool In Ocs 2007 R2Nathan Winters
 
Nathan Winters The Future Of Email Exchange And Online Services
Nathan Winters   The Future Of Email Exchange And Online ServicesNathan Winters   The Future Of Email Exchange And Online Services
Nathan Winters The Future Of Email Exchange And Online ServicesNathan Winters
 
James Kane Problems And Success In Creating A Frugal Home Lab
James Kane   Problems And Success In Creating A Frugal Home LabJames Kane   Problems And Success In Creating A Frugal Home Lab
James Kane Problems And Success In Creating A Frugal Home LabNathan Winters
 
Mark Minasi What’S New In Active Directory For Windows 7 Server 2008 R2
Mark Minasi   What’S New In Active Directory For Windows 7   Server 2008 R2Mark Minasi   What’S New In Active Directory For Windows 7   Server 2008 R2
Mark Minasi What’S New In Active Directory For Windows 7 Server 2008 R2Nathan Winters
 
Mark Minasi Introducing Windows 7
Mark Minasi   Introducing Windows 7Mark Minasi   Introducing Windows 7
Mark Minasi Introducing Windows 7Nathan Winters
 
Aidan Finn Hyper V The Future Of Infrastructure
Aidan Finn   Hyper V   The Future Of InfrastructureAidan Finn   Hyper V   The Future Of Infrastructure
Aidan Finn Hyper V The Future Of InfrastructureNathan Winters
 

Mais de Nathan Winters (10)

Aidan finn vmm 2008 r2 - minasi forum 2010
Aidan finn   vmm 2008 r2 - minasi forum 2010Aidan finn   vmm 2008 r2 - minasi forum 2010
Aidan finn vmm 2008 r2 - minasi forum 2010
 
The new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pkiThe new rocket science stuff in microsoft pki
The new rocket science stuff in microsoft pki
 
Desktop virtualization scott calvet
Desktop virtualization   scott calvetDesktop virtualization   scott calvet
Desktop virtualization scott calvet
 
Ultan Kinahan Business Continuity & Dr With Virtualization And Doubletake
Ultan Kinahan   Business Continuity & Dr With Virtualization And DoubletakeUltan Kinahan   Business Continuity & Dr With Virtualization And Doubletake
Ultan Kinahan Business Continuity & Dr With Virtualization And Doubletake
 
Nathan Winters What’s New And Cool In Ocs 2007 R2
Nathan Winters   What’s New And Cool In Ocs 2007 R2Nathan Winters   What’s New And Cool In Ocs 2007 R2
Nathan Winters What’s New And Cool In Ocs 2007 R2
 
Nathan Winters The Future Of Email Exchange And Online Services
Nathan Winters   The Future Of Email Exchange And Online ServicesNathan Winters   The Future Of Email Exchange And Online Services
Nathan Winters The Future Of Email Exchange And Online Services
 
James Kane Problems And Success In Creating A Frugal Home Lab
James Kane   Problems And Success In Creating A Frugal Home LabJames Kane   Problems And Success In Creating A Frugal Home Lab
James Kane Problems And Success In Creating A Frugal Home Lab
 
Mark Minasi What’S New In Active Directory For Windows 7 Server 2008 R2
Mark Minasi   What’S New In Active Directory For Windows 7   Server 2008 R2Mark Minasi   What’S New In Active Directory For Windows 7   Server 2008 R2
Mark Minasi What’S New In Active Directory For Windows 7 Server 2008 R2
 
Mark Minasi Introducing Windows 7
Mark Minasi   Introducing Windows 7Mark Minasi   Introducing Windows 7
Mark Minasi Introducing Windows 7
 
Aidan Finn Hyper V The Future Of Infrastructure
Aidan Finn   Hyper V   The Future Of InfrastructureAidan Finn   Hyper V   The Future Of Infrastructure
Aidan Finn Hyper V The Future Of Infrastructure
 

Rhonda Layfield Sniffing Your Network With Netmon 3.3

  • 1. Network Monitor: From “No” to “Pro” in 75 Minutes Rhonda J. Layfield Sr. Technical Consultant
  • 2. Outline • Meet Network Monitor: the Basics – Capture and Interpret data: lots of data and lots of demos! – Filters: making sense out of all of that data • Going Beyond the Basics: Advanced Features – What machine do I run Netmon on? – Hearing from all players: simultaneous traces • Secure Your Network with Network Monitor – Watching intruders – Auditing applications
  • 3. Why does anyone care? • NYC Government Agency office under attack by a specific machine name • Exchange server under attack while attempting to verify existing domain names before delivering emails • Would you like to know if there are uninvited guests in your network?
  • 4. Turning your Network into Glass • Wouldn’t it be nice if we could actually see what is on the network wire? • I mean really SEE the traffic, data, protocols and ports being used
  • 5. This is Our Network Deploy Server DC/DNS/DHCP 20.20.20.10 20.20.20.5 Bare Metal client
  • 6. Network Monitor: the Basics • Why should we use Netmon? • When should we use Netmon? – To find out what type of traffic is on our network – When we get unexpected results from software/hardware – To find security holes we may not be aware of based on where traffic is coming from • How do we use it? Generate a trace – Explain the panes • Where do we take the trace from? Do we need more than one trace? • Create pre/post capture filters
  • 7. Netmons History…the versions • In the past the version that ships on the Operating System CD was – 2.1 Lite Version – Version 5.2 (Build 3790: Service Pack 1) • The version that you get with SMS was – 2.1 (Build 5.2.3790.170.040510-1249) • There is an open source “free” promiscuous sniffer called Wireshark – We only have time for Netmon today
8. What’s new with Netmon 3.1
• Complete rewrite of its capture/parser engine
• Detecting other machines running Network Monitor
• Capture wireless 802.11 frames in monitor mode
• New reassembly engine
• Performance improvements
• Capture on the VPN and RRAS interfaces
• Protocol parsers are better
• Filtering is more flexible
9. Where do you get Netmon 3.2?
• Netmon 3.x doesn’t ship with any OS or product but is a free download from Microsoft
• Supported to run on:
  – Windows XP
  – Windows Vista
  – Windows Server 2003 / 2008

10. Which Users may run Netmon?
• Windows XP
  – Anyone logged on as a local administrator
• Windows Vista
  – From an elevated command prompt you can run Netmon.exe as administrator
  – Right-click the icon and select Run as administrator
  – Any user account in the Netmon Users group, which is created during the installation of Network Monitor 3.1

11. How do you run Netmon?
• Log on as administrator
• Run either Netmon.exe or Nmcap.exe with administrative privilege
  – from an elevated command prompt
  – or by right-clicking the Netmon.exe icon and selecting Run as administrator
• Log on as a standard user
• Add your user account to the Netmon Users group
• Log off and back on for your token to be updated with the new group membership

12. Standard user running Netmon?
• When they attempt to start a capture the error "None of the network adapters are bound to the Netmon driver" will be displayed
• AND
• When viewing your adapters in Netmon the error "This network adapter is not configured to capture" will be displayed

13. Meet Netmon and your Networks
• Scroll to see “State” = Bound
14. Before You use Netmon
• Disk space: capture files named cap*.tmp are created in your Local Settings\Temp directory. They are written in 20 MB chunks, and capturing stops once free disk space falls to 2%.
• Memory & processor utilization: the “Enable Conversations” option uses a lot more memory and processor cycles
15. The Captured File Sizes
• Tools / Options / Capture

16. Starting a Capture
• Start page / Create a new capture tab
• Or, File / New / Capture
• Choose your network from the Select Networks window
• Configure your capture filter in the Filter window
• On the Capture menu, click Start, or press F10, or click the play button

17. What is captured…
• Frames addressed to the specific computer
• Broadcast frames
• Multicast to a group that an application on the computer is assigned to
• To capture all traffic on the wire you can set Netmon to capture in "p-mode" (promiscuous mode)
20. Conversations
• Netmon assigns properties to frames and groups them into "conversations" using those properties
• All Traffic – My Traffic – Other Traffic
  – frames are sorted by source and destination network address
  – drill down to see more specific conversations
• Conversations are disabled by default
• The corresponding frames are displayed in the Frame Summary window
• To build custom filters for conversations, right-click the desired conversation and select Copy Conversation Filter to Clipboard
• Some higher-level protocol filters require conversation properties, so you may need to experiment if you are planning on using capture filters with conversation support turned off

21. Saving the Captured Frames
• The default location is:
  – Documents\Microsoft Network Monitor_3\Captures
  – cap2C0.tmp, cap2C1.tmp, cap2C2.tmp
• File / Save As
  – All captured frames
  – Displayed frames
  – Selected frames
  – A range of frames (i.e. from 17..53)
  – Click Save

22. Create and Apply Aliases
• From the capture tab
• Select the Aliases tab
• Click the Create New Alias icon
• Enter the IP address of the computer you want to give an alias, the name of the alias and comments
• Click the "Apply" button on the aliases toolbar
• You could also go through the View / Aliases menu

25. Save and Load your Aliases
• Save your aliases by clicking the Save Alias button on the aliases toolbar
• Load saved aliases by clicking the Open Folder icon on the aliases toolbar
• Browse to the folder containing your saved aliases file (.nma)
• Select the aliases file
• Apply the aliases
26. Welcome to “Filters”
• There are two different types of filters
  – Capture filter: captures only specific types of traffic
    • Traffic between two machines
    • Frames containing a certain pattern match (computer name) in them
    • Be careful NOT to filter out information that could help identify an issue
  – Display filter
    • Used most often, because the risk of filtering out traffic that could give you a troubleshooting clue is gone
    • Captures all traffic
    • Filter after the capture; all frames stay intact even if you change the filters

27. Filter Expressions
• Filter on:
  – Properties
  – Protocols
  – Protocol elements
• Limited IntelliSense technology
• Looking for a specific protocol?
  – Type the protocol name (icmp or http) followed by a period "." and choose from the drop-down list

28. Sample Filters
• Load Filters button in the Capture/Display Filter windows

31. Building Custom Filters
• Filter expressions are similar to equations
• Terms are usually joined with AND / OR (the C forms && for AND and || for OR are also accepted)
• Basic operators
  – == (equals)
  – != (not equal to)
  – ! (NOT)
• // begins a comment
• Example:
  // View IPv4 traffic between a source and a destination node
  IPv4.Address==10.50.50.50 and IPv4.Address==10.50.50.55
• Reference: Program Files\MS Netmon\Help\FilterExpressionManual.doc
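The filter syntax from slides 26 to 31, as an added example that is not code from the deck or from Netmon: a small evaluator for that grammar, run over a few constructed frames. Only the three IPv4 address properties are modelled, mapped by hand onto the frame fields; the frame shape and the sample trace are assumptions.

```python
# Added example (not Netmon's code): an evaluator for the filter syntax on the
# slides (property == / != value, bare protocol names, and / or / ! plus the C
# forms && || !, parentheses, // comments), run over constructed frames.
import re
from collections import namedtuple

# A Frame Summary row reduced to what filters need; protocols as Netmon labels them.
Frame = namedtuple("Frame", "src dst protocols")

# Constructed sample trace (not a real capture): the slide's two nodes talking
# HTTP, a DNS lookup, and a ping from a third host.
SAMPLE = [
    Frame("10.50.50.50", "10.50.50.55", ("Ethernet", "IPv4", "TCP", "HTTP")),
    Frame("10.50.50.55", "10.50.50.50", ("Ethernet", "IPv4", "TCP", "HTTP")),
    Frame("10.50.50.50", "10.50.50.60", ("Ethernet", "IPv4", "UDP", "DNS")),
    Frame("10.50.50.70", "10.50.50.55", ("Ethernet", "IPv4", "ICMP")),
]

# Slide property names -> frame fields. IPv4.Address matches either end of the
# frame, as it does in Netmon.
PROPERTIES = {
    "ipv4.address": lambda f: {f.src, f.dst},
    "ipv4.sourceaddress": lambda f: {f.src},
    "ipv4.destinationaddress": lambda f: {f.dst},
}

TOKEN = re.compile(r'(==|!=|&&|\|\||[()!])|"([^"]*)"|([A-Za-z_][\w.]*)|([\w.]+)')
WORD_OPS = {"and": "&&", "or": "||", "not": "!"}


def tokenize(text):
    """(kind, text) tokens; // comments and whitespace produce none."""
    text = re.sub(r"//[^\n]*", "", text)
    tokens = []
    for op, quoted, ident, value in TOKEN.findall(text):
        if op:
            tokens.append(("op", op))
        elif ident:
            tokens.append(("op", WORD_OPS[ident.lower()]) if ident.lower() in WORD_OPS else ("ident", ident))
        else:
            tokens.append(("value", quoted or value))
    return tokens


class Parser:
    """Recursive descent, or_expr -> and_expr -> not_expr -> primary; each method returns a predicate frame -> bool."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text) + [("end", None)], 0

    def peek(self):
        return self.toks[self.i]

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self.or_expr()
        if self.peek()[0] != "end":           # e.g. "http dns" with no operator
            raise SyntaxError(f"unexpected {self.peek()[1]!r}")
        return node

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            left = (lambda l, r: lambda f: l(f) or r(f))(left, self.and_expr())
        return left

    def and_expr(self):
        left = self.not_expr()
        while self.peek() == ("op", "&&"):
            self.take()
            left = (lambda l, r: lambda f: l(f) and r(f))(left, self.not_expr())
        return left

    def not_expr(self):
        if self.peek() == ("op", "!"):
            self.take()
            inner = self.not_expr()
            return lambda f: not inner(f)
        return self.primary()

    def primary(self):
        kind, text = self.take()
        if (kind, text) == ("op", "("):
            node = self.or_expr()
            if self.take() != ("op", ")"):
                raise SyntaxError("missing ')'")
            return node
        if kind != "ident":
            raise SyntaxError(f"expected a property or protocol, got {text!r}")
        if self.peek() in (("op", "=="), ("op", "!=")):
            op, (vkind, value) = self.take()[1], self.take()
            if vkind != "value" or text.lower() not in PROPERTIES:
                raise SyntaxError(f"cannot evaluate {text} {op} {value}")
            # != is read as: no value of the property equals the operand (assumption)
            return lambda f: (value in PROPERTIES[text.lower()](f)) == (op == "==")
        return lambda f: text.lower() in [p.lower() for p in f.protocols]


def apply_filter(text, frames):
    """Frame numbers (1-based, as Netmon shows them) that the filter keeps."""
    pred = Parser(text).parse()
    return [n for n, f in enumerate(frames, 1) if pred(f)]
```

The slide's own example, `IPv4.Address==10.50.50.50 and IPv4.Address==10.50.50.55`, keeps frames 1 and 2, i.e. both directions, which is why it uses `IPv4.Address` rather than `IPv4.SourceAddress`. The reading of `!=` is an assumption about Netmon's semantics, so check FilterExpressionManual.doc before relying on it in a capture filter, where a wrong filter silently discards the frames you needed. A leftover token such as `http dns` with no operator is rejected rather than evaluated as `http`.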
32. Add a little Color to Your Filter
• Click Filter from the menu options
• Color Filter

33. Colors…
• Load a standard filter & choose colors

34. Let’s see how Netmon displays this…

35. Document
• It can become confusing when analyzing traces as to which machine the issue was occurring on
• Document which services are running on which machine: Comp1 (Exchange), Comp2 (DNS), Comp3 (Active Directory)
• Keep detailed notes on the issues you are working on and what you have found
36. Advanced Features
• Where do you take a trace from?
  – Follow the flow of traffic
• How many traces do you need?
  – How many interfaces does the traffic flow through?
• Follow that packet – multiple trace scenario
  – The time of day option can be helpful here
• Server / Client on the same machine?
  – Turn local traffic into network traffic so you

37. Where to take a trace from?
• Between two machines is easy: take the trace on either one
• OR sometimes it is necessary to take a trace on both at the same time

38. Now Where?
(diagram: XP Client – Firewall with Internal and External interfaces – Exchange Server)

39. How many traces do you need?
• In our previous example we had three different pieces of equipment to look at
  – An XP workstation
  – A firewall with two interfaces
  – An Exchange server
• To follow a data packet from the XP workstation all the way through to the Exchange server we would need four traces taken at the same time

40. Follow that Trace
• Time of day comes in handy here…
• Open all four traces and find the time of day
• Then you can watch the flow from one trace to the next pretty easily

41. Tips and Tricks
• For really large traces use PING packets as bookmarks
(diagram: Outlook Clients – Exchange Server)

42. How to Find the Needle in the Haystack
(slide graphic: a solid wall of PACKET PACKET PACKET… with nothing to navigate by)

43. Use PINGs as Bookmarks
(slide graphic: the same wall of PACKETs with PING frames inserted at intervals as bookmarks)
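The four-trace walk from slides 39, 40 and 43, as an added example that is not from the deck: constructed traces from each capture point are merged by time of day to follow one packet and to see where it stopped, and the admin's pings are used to cut a large trace into bookmarked intervals. The IPv4 Identification field is assumed to survive the firewall unchanged (no NAT or proxy), and the four capture hosts are assumed to have synchronised clocks; without that the time-of-day ordering means nothing.

```python
# Added example (not from the deck): following one packet through four traces
# by time of day, and using ping frames as bookmarks in a large trace. All
# frames and times below are constructed, not from a real capture.
from collections import namedtuple
from datetime import datetime, timedelta

# A Frame Summary row reduced to what we need. ipid is the IPv4 Identification
# field; a routing firewall forwards it unchanged (assumption: no NAT/proxy),
# so it lets us recognise the same packet in every trace.
Frame = namedtuple("Frame", "time src dst protocol ipid description")

CLIENT, EXCHANGE, ADMIN = "10.1.1.20", "10.2.2.10", "10.1.1.99"
PATH = ["xp-client", "fw-internal", "fw-external", "exchange"]  # capture points in travel order


def at(clock):
    """Time of day for the constructed rows (all on one capture day)."""
    return datetime.strptime("2009-06-02 " + clock, "%Y-%m-%d %H:%M:%S.%f")


# Four constructed traces. Packet 0x1A2B (SYN to 443) crosses everything;
# packet 0x1A2C (SYN to 135) reaches the firewall's inside interface and no further.
TRACES = {
    "xp-client": [
        Frame(at("09:15:02.100"), CLIENT, EXCHANGE, "TCP", 0x1A2B, "SYN to 443"),
        Frame(at("09:15:02.150"), CLIENT, EXCHANGE, "TCP", 0x1A2C, "SYN to 135"),
    ],
    "fw-internal": [
        Frame(at("09:15:02.101"), CLIENT, EXCHANGE, "TCP", 0x1A2B, "SYN to 443"),
        Frame(at("09:15:02.151"), CLIENT, EXCHANGE, "TCP", 0x1A2C, "SYN to 135"),
    ],
    "fw-external": [
        Frame(at("09:15:02.103"), CLIENT, EXCHANGE, "TCP", 0x1A2B, "SYN to 443"),
    ],
    "exchange": [
        Frame(at("09:15:00.000"), ADMIN, EXCHANGE, "ICMP", 0x0001, "Echo Request"),
        Frame(at("09:15:02.104"), CLIENT, EXCHANGE, "TCP", 0x1A2B, "SYN to 443"),
        Frame(at("09:15:02.105"), EXCHANGE, CLIENT, "TCP", 0x7777, "SYN-ACK"),
        Frame(at("09:15:05.000"), ADMIN, EXCHANGE, "ICMP", 0x0002, "Echo Request"),
        Frame(at("09:15:06.300"), "10.1.1.30", EXCHANGE, "TCP", 0x4321, "RPC bind"),
        Frame(at("09:15:10.000"), ADMIN, EXCHANGE, "ICMP", 0x0003, "Echo Request"),
    ],
}


def follow(traces, src, dst, ipid):
    """Where one packet was seen, ordered by time of day, as
    (capture point, milliseconds after its first sighting)."""
    seen = sorted((f.time, name) for name, frames in traces.items()
                  for f in frames if (f.src, f.dst, f.ipid) == (src, dst, ipid))
    if not seen:
        return []
    first = seen[0][0]
    return [(name, (t - first) // timedelta(milliseconds=1)) for t, name in seen]


def drop_point(path_seen, path=PATH):
    """First capture point on the expected path where the packet never showed
    up, or None if it made it all the way."""
    names = [name for name, _ in path_seen]
    return next((p for p in path if p not in names), None)


def bookmarks(frames, marker_host):
    """Indexes of the ping echo requests the admin sent as bookmarks."""
    return [i for i, f in enumerate(frames)
            if f.protocol == "ICMP" and f.src == marker_host and f.description == "Echo Request"]


def between_bookmarks(frames, marker_host, n):
    """The frames between the n-th and (n+1)-th bookmark ping (0-based)."""
    marks = bookmarks(frames, marker_host)
    if n + 1 >= len(marks):
        raise IndexError(f"only {len(marks)} bookmarks, no interval {n}")
    return frames[marks[n] + 1:marks[n + 1]]


if __name__ == "__main__":
    for ipid in (0x1A2B, 0x1A2C):
        seen = follow(TRACES, CLIENT, EXCHANGE, ipid)
        print(f"{ipid:#06x}: {seen}; missing from: {drop_point(seen)}")
    for n in range(2):
        print(f"bookmark interval {n}:",
              [f.description for f in between_bookmarks(TRACES["exchange"], ADMIN, n)])
```

Packet 0x1A2C shows up on the firewall's inside interface and nowhere after it, which is the finding the four simultaneous traces exist to produce: the firewall dropped it, not the Exchange server. The bookmark interval you care about is the one between the ping you sent just before reproducing the problem and the ping you sent just after.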
44. Server/Client Traffic on the same machine
• Requirement: the computer must be on a routed network
• route add <IP address of the server you are on> <IP address of the default gateway of the server you are on>
• When you are done, remove the route again:
  – route delete <IP address of the server you are on>
45. Securing your network with Network Monitor
• Excessive traffic
• IP addresses not from your network
• Black hole router
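Two of the three checks named on slide 45, as an added example that is not from the deck and not something Netmon does for you: flag source addresses that are not from our network, and sources sending excessive traffic, run over a constructed Frame Summary export. The 20.20.20.0/24 prefix is the deck's lab network; the rows, the byte threshold and the decision to treat the 0.0.0.0 source of a DHCP Discover as expected are assumptions. The black hole router check is left out because the deck gives no detail on it.

```python
# Added example (not from the deck): two of the checks the slide names, run over
# a constructed Frame Summary export. The rows, the prefix and the threshold are
# assumptions; Netmon itself does not ship this logic.
import ipaddress
from collections import Counter

# The address space this segment is supposed to carry (the deck's 20.20.20.x lab).
OUR_NETWORKS = [ipaddress.ip_network("20.20.20.0/24")]

# Constructed rows: (source, destination, frame length in bytes).
SAMPLE = (
    [("0.0.0.0", "255.255.255.255", 342)]          # DHCP Discover from the bare-metal client
    + [("20.20.20.5", "20.20.20.10", 600)] * 3      # DC talking to the deploy server
    + [("20.20.20.10", "20.20.20.5", 90)] * 3
    + [("20.20.20.50", "20.20.20.5", 1514)] * 15    # one host pushing full-size frames at the DC
    + [("172.16.9.9", "20.20.20.5", 62)] * 2        # a source that is not ours
    + [("169.254.1.7", "20.20.20.255", 92)]         # APIPA address: a client that never got a lease
)


def foreign_sources(rows, nets=OUR_NETWORKS):
    """Frame count per source address that lies outside our prefixes.
    0.0.0.0 is what a client with no lease yet uses for DHCP Discover, so it is
    expected on this segment and skipped; anything else is reported, including
    169.254.x.x, which means a host failed to get an address."""
    hits = Counter()
    for src, _dst, _size in rows:
        ip = ipaddress.ip_address(src)
        if ip.is_unspecified:
            continue
        if not any(ip in net for net in nets):
            hits[src] += 1
    return hits


def top_talkers(rows, limit_bytes):
    """Sources whose total bytes in the capture exceed limit_bytes, biggest first."""
    totals = Counter()
    for src, _dst, size in rows:
        totals[src] += size
    return [(src, total) for src, total in totals.most_common() if total > limit_bytes]


def report(rows, limit_bytes=10_000):
    """Both checks as one dict, the way you would paste them into your notes."""
    return {
        "foreign_sources": dict(foreign_sources(rows)),
        "top_talkers": top_talkers(rows, limit_bytes),
    }


if __name__ == "__main__":
    for key, finding in report(SAMPLE).items():
        print(f"{key}: {finding}")
```

The threshold is per capture, so it only means something once you know how long the trace ran and what normal looks like on that segment; the slide's advice to document which machine runs which service is what turns "20.20.20.50 sent 22 KB to the DC" into either noise or a finding. A foreign source on a segment that should only carry your own prefix is worth an alias and a conversation filter of its own, so you can see what it talked to.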
46. What we Covered
• Where to get Netmon
• Which OSes support it
• Capture – network trace
• Filters – pre & post capture
• Aliases
• Conversations
• Simultaneous traces
• Parsers

47. Thank You
• NetMon traces can be read anywhere…
• Please let me help you with your traces
• Rhonda@Minasi.Com

Editor's Notes

  1. This causes the server to send internal packets over the network that would ordinarily stay completely local and not be viewable in a network trace. The packets will just return to the test computer itself.