Rhonda Layfield Sniffing Your Network With Netmon 3.3
1. Network Monitor: From “No” to
“Pro” in 75 Minutes
Rhonda J. Layfield
Sr. Technical Consultant
2. Outline
• Meet Network Monitor: the Basics
– Capture and Interpret data: lots of data and lots of
demos!
– Filters: making sense out of all of that data
• Going Beyond the Basics: Advanced Features
– What machine do I run Netmon on?
– Hearing from all players: simultaneous traces
• Secure Your Network with Network Monitor
– Watching intruders
– Auditing applications
3. Why does anyone care?
• NYC Government Agency office under
attack by a specific machine name
• Exchange server under attack while
attempting to verify existing domain names
before delivering emails
• Would you like to know if there are
uninvited guests in your network?
4. Turning your Network into Glass
• Wouldn’t it be nice if we could actually see
what is on the network wire?
• I mean really SEE the traffic, data,
protocols and ports being used
5. This is Our Network
[Network diagram: Deploy Server (DC/DNS/DHCP) 20.20.20.10; Bare Metal client 20.20.20.5]
6. Network Monitor: the Basics
• Why should we use Netmon?
• When should we use Netmon?
– To find out what type of traffic is on our network
– When we get unexpected results from software/hardware
– To find security holes we may not be aware of based on where
traffic is coming from
• How do we use it? Generate a trace
– Explain the panes
• Where do we take the trace from? Do we need more
than one trace?
• Create pre/post capture filters
7. Netmon's History…the versions
• In the past, the version that shipped on the operating system CD was
– 2.1 Lite version
– Version 5.2 (Build 3790: Service Pack 1)
• The version that came with SMS was
– 2.1 (Build 5.2.3790.170.040510-1249)
• There is an open source “free”
promiscuous sniffer called Wireshark
– We only have time for Netmon today
8. What’s new with Netmon 3.1
• Complete re-write of its capture/parser engine
• Detecting other machines running Network
Monitor
• Capture wireless 802.11 frames in monitor mode
• New Reassembly Engine
• Performance improvements
• Capture on the VPN and RRAS interfaces
• Protocol parsers are better
• Filtering is more flexible
9. Where do you get Netmon 3.2?
• Netmon 3.x doesn’t ship with any OS or
product but is a free download from
Microsoft
• Supported to run on:
– Windows XP
– Windows Vista
– Windows Server 2003 / 2008
10. Which Users may run Netmon?
• Windows XP
– Anyone logged on as a local administrator
• Windows Vista
– From an elevated command prompt you can run
Netmon.exe as administrator
– Right-click the icon and select Run as administrator
– Any user account in the Netmon Users group which
is created during the installation of Network Monitor
3.1
11. How do you run Netmon?
• As an administrator:
– Log on as administrator
– Run either Netmon.exe or Nmcap.exe with administrative privilege, from an
elevated command prompt or by right-clicking the Netmon.exe icon and selecting
Run as administrator
• As a standard user:
– Add your user account to the Netmon Users group
– Log off and back on so your token is updated with the new group membership
12. Standard user running Netmon?
• A standard user who is not in the Netmon Users group can open Netmon but
cannot capture:
• When they attempt to start a capture, the error "None of the network
adapters are bound to the Netmon driver" is displayed
• AND
• When viewing the adapters in Netmon, the error "This network adapter is not
configured to capture" is displayed
14. Before You use Netmon
• Disk space: capture files named cap*.tmp are created in your Local
Settings\Temp directory. They are 20 MB each, and Netmon keeps creating them
until your disk is down to 2% free space, at which point it stops capturing.
• Memory & processor utilization: the "Enable Conversations" option uses a
lot more memory and processor cycles
16. Starting a Capture
• Start page / Create a new capture tab
• Or, File / New / Capture
• Choose your network from the Select
Networks window
• Configure your capture filter in the Filter
window
• On the Capture menu click Start, press F10, or click the play button
17. What is captured…
• By default, only what the adapter would receive anyway:
– Frames addressed to this specific computer
– Broadcast frames
– Multicast frames for a group that an application on the computer has joined
• To capture all traffic on the wire, set Netmon to capture in "p-mode"
(promiscuous mode)
– Caveat: on a switched network, p-mode still only shows what the switch
forwards to your port (broadcast, multicast and your own unicast). To see
other hosts' conversations, capture from a mirror/SPAN port, a hub, or on one
of the endpoints themselves
20. Conversations
• Netmon assigns properties to frames and groups them into "conversations"
using those properties
• All Traffic
– My Traffic
– Other Traffic
– Frames are sorted by source and destination network address
– Drill down to see more specific conversations
• Conversations are disabled by default
• The corresponding frames are displayed in the Frame Summary window
• To build a custom filter for a conversation, right-click the desired
conversation and select Copy Conversation Filter to Clipboard
• Some higher-level protocol filters require conversation properties, so you
may need to experiment if you plan to use capture filters with conversation
support turned off
21. Saving the Captured Frames
• The default location is:
– Documents\Microsoft Network Monitor 3\Captures
• cap2C0.tmp, cap2C1.tmp, cap2C2.tmp (the temporary capture files)
• File / Save As, then choose:
– All captured frames
– Displayed frames
– Selected frames
– A range of frames (e.g., frames 17 to 53)
– Click Save
22. Create and Apply Aliases
• From the capture tab
• Select Aliases tab
• Click the Create New Alias icon
• Enter the IP address of the computer you want
to grant an alias, the name of the alias and
comments
• Click the "Apply" button on the aliases toolbar
• You could also go through the View / Aliases
menu
25. Save and Load your Aliases
• Save your aliases by clicking the Save
Alias button on the aliases toolbar
• Load saved aliases by clicking the Open
Folder icon on the aliases toolbar
• Browse to the folder containing your
saved aliases file (.nma)
• Select the aliases file
• Apply the aliases
26. Welcome to “Filters”
• There are two different types of filters
– Capture filter: captures only specific types of traffic
• Traffic between two machines
• Frames containing a certain pattern match (e.g. a computer name)
• Be careful NOT to filter out information that could help identify an issue
– Display filter
• Used most often, because filtering out traffic that could give you a
troubleshooting clue is no longer a risk
• Captures all traffic
• Filter after the capture: all frames stay intact even if you change the
filters
27. Filter Expressions
Filter on:
– Properties
– Protocols
– Protocol elements
• Limited IntelliSense support
• Looking for a specific protocol?
– Type "Protocol." (including the period) and choose from the drop-down list
• Or type the protocol name (icmp or http) followed by a period "." to see
its fields
31. Building Custom Filters
• Filter expressions are similar to equations
• Clauses are usually joined with AND / OR (the C-style && for AND and || for
OR also work)
• Basic operators
– == (equals)
– != (not equal to)
– ! (NOT)
• // begins a comment
• Example:
// View IPv4 traffic between a source and a destination node
IPv4.Address==10.50.50.50 and IPv4.Address==10.50.50.55
• Full reference: Program Files\MS Netmon\Help\FilterExpressionManual.doc
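The capture procedure from slides 16 and 17 and the filter syntax from slide 31 written out for the command line, as an added example that is not part of the original slides. It checks that the current account is allowed to capture (slide 11), defines three capture filters in the slide 31 syntax (including the "source not from our network" check that slide 45 asks for), and runs NMCap.exe, which ships with Netmon 3.x, into a chain of 20 MB files, stopping when the bookmark ping from slide 41 appears. The install path, the addresses, the output path and the exact switch spellings are my assumptions; confirm the switches with nmcap /? on your build.

```powershell
# Added example, not from the slides: start a capture with NMCap.exe instead of the GUI
# so the adapter, capture filter, file size and stop condition are explicit and repeatable.
# Install path, addresses and file names are assumptions; switch names are those of
# Netmon 3.x as I recall them, so confirm them with "nmcap /?" on your build.

$nmcap = Join-Path $env:ProgramFiles 'Microsoft Network Monitor 3\NMCap.exe'
if (-not (Test-Path $nmcap)) { throw "NMCap.exe not found at $nmcap" }

# 1. Who may capture (slide 11): an elevated administrator, or a member of the local
#    "Netmon Users" group whose token was refreshed by logging off and on again.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $id
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$inNetmonUsers = $false
foreach ($sid in $id.Groups) {
    try {
        $name = $sid.Translate([Security.Principal.NTAccount]).Value
        if ($name -eq "$env:COMPUTERNAME\Netmon Users") { $inNetmonUsers = $true }
    } catch { }   # orphaned SIDs cannot be translated; ignore them
}
if (-not ($elevated -or $inNetmonUsers)) {
    throw 'Run elevated, or: net localgroup "Netmon Users" <user> /add, then log off and on.'
}

# 2. Capture filters in the slide 31 syntax (AND/OR, ==, !=, !). Addresses are assumed.
$between  = 'IPv4.Address==10.50.50.50 and IPv4.Address==10.50.50.55'   # two hosts only
$mailOnly = 'TCP.Port==25 or DNS'                                       # SMTP plus name lookups
# Slide 45: any frame whose source is not one of our own hosts (the 20.20.20.x hosts of slide 5)
$notOurs  = '!(IPv4.SourceAddress==20.20.20.5 or IPv4.SourceAddress==20.20.20.10)'

# 3. List adapters, then capture on all of them (/network *) into a chain of 20 MB files
#    (name.chn:20M) and stop when the bookmark ping from slide 41 is seen on the wire.
& $nmcap /DisplayNetworks
& $nmcap /network '*' /capture $between /file 'C:\Captures\between.chn:20M' `
        /StopWhen /Frame 'ICMP and IPv4.Address==10.50.50.55'

# Capturing on the wrong side of a switch is the usual reason a filter matches nothing:
# a switch port only sees broadcast, multicast and its own host's unicast unless it is a
# mirror/SPAN port (slide 17). Check the trace for the bookmark ping before trusting it.
```

Swap $between for $mailOnly or $notOurs in the /capture argument to try the other filters; a capture filter that matches nothing produces an empty chain, which is why the display-filter approach from slide 26 is safer when you are not yet sure what you are looking for.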
32. Add a little Color to Your Filter
• Click Filter from the menu options
• Color Filter
35. Document
• It can become confusing when analyzing
traces as to which machine the issue was
occurring on
• Document which services are running on
which machine…Comp1 (Exchange),
Comp2 (DNS), Comp3 (Active Directory)
• Keep detailed notes on the Issues you are
working on and what you have found
36. Advanced Features
• Where do you take a trace from?
– Follow the flow of traffic
• How many traces do you need?
– How many interfaces does the traffic flow
through?
• Follow that packet – multiple trace
scenario
– Time of day option can be helpful here
• Server / Client on the same machine?
– Turn local traffic into network traffic so you
37. Where to take a trace from?
• Between two machines is easy: take the trace on either one
• OR, sometimes it is necessary to take a trace on both at the same time
38. Now Where?
[Network diagram: XP Client → Firewall (Internal and External interfaces) → Exchange Server]
39. How many traces do you need?
• In our previous example we had three
different pieces of equipment to look at
– An XP workstation
– A Firewall with two interfaces
– An Exchange Server
• To follow a data packet from the XP
workstation all the way through to the
Exchange server we would need four
traces taken at the same time
40. Follow that Trace
• Time of day comes in handy here…
• Open all four traces and find the time of
day
• Then you can watch the flow from one
trace to the next pretty easily
41. Tips and Tricks
• For really large traces use PING packets as bookmarks
[Diagram: Outlook Clients ↔ Exchange Server]
42. How to Find the Needle in the Haystack
[Slide visual: an unbroken wall of PACKET PACKET PACKET… representing a large trace with no landmarks]
43. Use PINGs as Bookmarks
[Slide visual: the same wall of PACKET… with PING frames placed at intervals, marking where each test step started]
44. Server/Client Traffic on the same machine
• Requirement: the computer must be on a routed network
• route add <IP address of the server you are on> <IP address of the
default gateway of the server you are on>
• When finished, remove the route you added:
– route delete <IP address of the server you are on>
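The route trick from this slide written out, as an added example that is not part of the original slides. The server address is the page's 20.20.20.10 and the gateway is read from the routing table; both are illustration assumptions, the commands need an elevated prompt, and the cleanup uses route delete (removing the route, not issuing a second route add).

```powershell
# Added example, not from the slides: the slide 44 trick. A host route for this server's
# own address via the default gateway pushes client/server traffic that would otherwise
# stay inside the stack out onto the wire (the gateway sends it straight back), so
# Netmon can see it. Addresses are assumptions; run from an elevated prompt on a routed
# network whose gateway forwards the packet back to the sender.

$me = '20.20.20.10'                                  # this server's address (slide 5)
$gw = Get-WmiObject Win32_IP4RouteTable -Filter "Destination='0.0.0.0'" |
      Select-Object -First 1 -ExpandProperty NextHop # current default gateway
if (-not $gw) { throw 'No default gateway: the machine is not on a routed network.' }

route add $me mask 255.255.255.255 $gw               # host route; not persistent (no -p),
route print $me                                      # so it also disappears at reboot

# ... run the client against the server here while Netmon captures. Frames with
#     IPv4 source and destination both $me should now show up on the wire ...

route delete $me                                     # undo: remove the route you added
```

If the frames still do not appear, compare the metric of the new host route with the existing local route in the route print output; the stack uses the lower metric.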
45. Securing your network with Network Monitor
• Excessive traffic
• IP addresses not from your network
• Black hole router (a router that silently drops packets instead of
returning an ICMP error, so connections hang rather than fail)
46. What we Covered
• Where to get Netmon
• Which OSes support it
• Capture – network trace
• Filters – pre & post capture
• Aliases
• Conversations
• Simultaneous traces
• Parsers
47. Thank You
•NetMon traces can be read anywhere…
•Please let me help you with your traces
•Rhonda@Minasi.Com
Speaker notes (slide 44, Server/Client traffic on the same machine)
This causes the server to send internal packets over the network that would ordinarily stay completely local and not be viewable in a network trace. The packets will just return to the test computer itself.