Microsoft Network Monitor is probably the only free network and protocol analysis tool that is a match for Wireshark. It still lacks a few features when it comes analyzing stored network traces and that's where the Network Monitor Experts comes in. At the moment, there are three available Open Source extensions: TCP Analyzer, Simple Search, and Top Users.
- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
These extensions are separate tools that require Network Monitor 3.3. After you have installed them, you will find them in the Experts menu. This menu is only displayed when you open a previously stored file. Today, I will introduce Simple Search and in the next two posts, I will discuss Top Users and TCP Analyzer.
Network Monitor has its own search function. It is a powerful tool because you can leverage Network Monitor's filters. However, this also makes it a bit complicated to use for those who use the tool only every now and then. For example, if you want to search for a string in the TCP payload, you have to use this command: property: TCPPayload contains ("search string").
With Simple Search, it is easier and also much more convenient to search for a specific search string than it is with Network Monitor's integrated search function. To search for a string, you can just enter it as is. If you want it a bit more complicated, then you can also use regular expressions.
The feature l like most, however, is Simple Search's ability to jump directly to the position where the string was found. If you enable "Record Raw Data" in the search options in the lower pane, then a new tab named Hex Details will appear. Enabling "Automatically Display Raw Data" will open this tab whenever you click on "Find Next" and it will highlight the search string in the text column. Simple Search can also select the corresponding frame in Network Monitor. However, like Network Monitor's search tool, it can't highlight the search string there.
The option "Automatically Discover Search File" allows you to use Simple Search for another capture file instead of the original file; i.e., the one you selected when you launched Simple Search. Unfortunately, you can't use Simple Search to search in multiple capture files. Moreover, it is not possible to search within a Capture tab; that is, you always have to save the captured data to a capture file and then open the file with Network Monitor, before you can use Simple Search. This makes using the tool a bit unsuitable for quick and dirty searches, but this is a problem with all Network Monitor Experts. All of them can only be applied to a capture file but not to the current Capture tab.
I tested Simple Search v2.1. In one of my next posts, I will introduce the Top Users Experts, a Network Monitor extension that allows you to analyze the bandwidth consumption on a host.
You once wrote that your prefer Smartsniff over Netmon, due to Smartsniff’s portability. I gather these extensions don’t change your opinion? Even with the availability of Wireshark Portable, do you still consider Netmon a “match”, or is that based solely on a comparison of the two apps’ feature sets?
Actually, I think all three tools have their advantages. I recently installed Netmon on Vista x64. I had to remove it after a couple of days because its drivers were interfering somehow with other software on the system. Smartniff worked without problems and even though it is a much simpler tool it was good enough to get the job done. It was not the first time I had such problems with Netmon. The same applies to Wireshark. Their complexity is sometimes a disadvantage. However, for more difficult tasks I usually use Netmon. Wireshark is nice too, but I find my way always faster with Netmon because its user interface is more intuitive to me. I guess Wireshark is better when it comes to statistics, but I don’t need this often.
What kind of software issues were you having with your Vista installation of Netmon? I have Wireshark/Smartsniff in my portable toolkit, so I’ve never used Netmon. With these additional extensions, sounds like it’s time I gave it a look. Thanks for the 411.
my OS is vista, and now i still use Wireshark, i will consider to use another software
Hi Michael,
Glad to see your article on our Expert system. Looking forward to see the others in the series as well.
Sorry to hear in your post above that you had some trouble with our driver on Vista.
Please feel free to contact us so we can better understand what happened and see if we can help you out.
– Michael Hawker
Network Monitor Program Manager
RoninV, sorry for the belated reply. I somehow missed your comment. The Netmon driver hanged, causing 100% CPU load immediately after system start. I had to use Vista’s system restore feature because I wasn’t even able to uninstall Netmon.
performa, you should definitely have a look at Netmon. If you know how to use Wireshark you won’t need long to get used to Netmon.
Michael, it is quite probably that it wasn’t Netmon’s fault. I suspect that my Dell/Broadcom Bluetooth driver was the real culprit because it was responsible for other networking issues I had before. Unfortunately, I can’t live without Bluetooth. I will soon upgrade to Windows 7 and see if the problem still persists.
Any followup on Netmon’s use with Vista?
Vista? I must have heard that name before. I guess it was a hotel somewhere in Italy. But Netmon works fine on Windows 7. 😉