Netikus.net, the maker of EventSentry, offers a set of free tools as part of the SysAdmin Tools. This pack of tools contains a graphical tool for monitoring network connections called IPMon+. IPMon+ is a GUI version of IPMon and includes additional capabilities beyond the command-line version (ipmon.exe).

To install IPMon+, you will need to download the entire pack of SysAdmin Tools (v2.4.1.0 at the time of writing this post). Once you have downloaded the free tools, install them via the downloaded .exe. To open up IPMon+, you can search via the Windows Start menu or go to C:\Program Files (x86)\essysadmintools\ipmonplus.exe and run it directly.

Dialog box

If you do not have it already (Wireshark users can skip this step), you will also need a compatible network capture driver installed. IPMon+ supports both the WinPcap (Windows Packet Capture) network driver and the newer Npcap driver (which needs to be installed in WinPcap-compatible mode).

When you first open IPMon+ you are presented with a mostly blank dialog. To start capturing data, first select an interface by clicking the Interfaces button in the Control section of the dialog.

Once you have selected the appropriate interface, you can start capturing network traffic by clicking the Start button. As soon as network traffic is picked up by the driver, IPMon+ begins displaying all the relevant information you need. Additionally, you have several ways to sort and filter this information for your needs.

For example, if you sort by time and filter to show only TCP connections, you see the following:

Network capture output

Interestingly, you can select the Threat Intelligence checkbox in the Control section, which displays an additional column in the output when you start capturing network traffic. This checkbox enables IPMon+ to check IP addresses against cymon.io, an open-source threat intelligence platform.

IPMon+ uses cymon.io, an open source threat intelligence platform

Even if you do not enable the Threat Intelligence option, you can still select a specific IP and right-click it. This brings up a View threat intel on x.x.x.x option for the IP address you selected:

Viewing threat intel

As I mentioned before, you also have the ability to filter your captured results. You can filter by UDP, TCP, ICMP, and ARP protocols. Additionally, you can filter by specific ports or port ranges.

With IPMon+, you get access to the following data columns in a sortable data grid view:

  1. Time
  2. Protocol
  3. Source Hostname
  4. Source IP
  5. Source Port
  6. Dir (direction)
  7. Destination Hostname
  8. Destination IP
  9. Destination Port
  10. Bytes
  11. Packets (count)
  12. KB/sec
  13. Threat intel (optional)

IPMon+ also supports copying data to another application for additional analysis. Simply select one or more rows and press CTRL+C to copy the traffic data to the clipboard, from where it can be pasted into another application such as Excel.
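Once rows are on the clipboard, the same sorting, protocol/port filtering and threat-intel annotation described above can be reproduced outside the GUI. The following is an added example (not code from Netikus.net or IPMon+); it assumes the copied rows are tab-separated in the grid's column order, that the Dir column reads "out"/"in", and it uses a constructed local network list as a stand-in for the cymon.io lookup, whose API is not modelled here.

```python
from ipaddress import ip_address, ip_network

# Column order exactly as IPMon+ shows it in its data grid (without the optional 13th column).
COLUMNS = ["time", "protocol", "src_host", "src_ip", "src_port", "dir",
           "dst_host", "dst_ip", "dst_port", "bytes", "packets", "kb_sec"]

# Constructed sample: three rows as copied from the grid, assumed tab-separated.
SAMPLE = """\
12:01:05\tTCP\tws01\t192.168.1.10\t52311\tout\tweb01\t203.0.113.5\t443\t5120\t12\t1.2
12:01:06\tUDP\tws01\t192.168.1.10\t53522\tout\tdns01\t192.168.1.1\t53\t120\t2\t0.1
12:01:09\tTCP\tws01\t192.168.1.10\t52312\tout\t-\t198.51.100.7\t4444\t2048\t6\t0.5
"""

# Constructed stand-in for a threat-intel feed; a real deployment would query cymon.io instead.
SUSPECT_NETS = [ip_network("198.51.100.0/24")]

def parse_rows(text):
    """Turn pasted grid rows into dicts keyed by column name, with numeric fields as ints."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}")
        row = dict(zip(COLUMNS, fields))
        for key in ("src_port", "dst_port", "bytes", "packets"):
            row[key] = int(row[key])
        rows.append(row)
    return rows

def parse_port_filter(spec):
    """'53,1024-65535' -> [(53, 53), (1024, 65535)], mirroring the GUI's port/port-range filter."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def filter_rows(rows, protocols=None, ports=None):
    """Keep rows whose protocol is in `protocols` and whose src or dst port falls in `ports`."""
    ranges = parse_port_filter(ports) if ports else None
    kept = []
    for row in rows:
        if protocols and row["protocol"] not in protocols:
            continue
        if ranges and not any(lo <= p <= hi for lo, hi in ranges
                              for p in (row["src_port"], row["dst_port"])):
            continue
        kept.append(row)
    return kept

def add_threat_intel(rows):
    """Fill the optional 13th column with the suspect network the remote IP belongs to, if any."""
    for row in rows:
        remote = ip_address(row["dst_ip"] if row["dir"] == "out" else row["src_ip"])
        row["threat_intel"] = ",".join(str(n) for n in SUSPECT_NETS if remote in n)
    return rows
```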

If you need to quickly grab and visualize network traffic on a workstation or server, IPMon+ is a great choice. It's fast and extremely easy to use. If you need more detailed information, for example viewing the packets coming across the wire, you will need to use another tool like Wireshark.

The SysAdmin Tools, including IPMon+, are a great set of free tools that help with troubleshooting applications and services on Windows workstations and servers. Their documentation is decent, but the command-line help is outstanding.

IPMon+ adds an easy-to-use GUI wrapper to the IPMon command-line utility, with the added benefit of built-in threat intelligence from the cymon.io open-source threat intelligence feed. This is by far the best feature of this product, and it's extremely helpful when you're trying to identify potentially suspicious activity on a system.

Overall, IPMon+ and the SysAdmin Tools are most definitely a toolset you should keep around for the just-in-case moments. I myself am throwing it on my personal thumb drive.

© 4sysops 2006 - 2023