


How To Install Inspect Exe In Windows 10

While troubleshooting tricky connection or application issues, it can be very helpful to see what is being transmitted across the network. Microsoft originally offered the Microsoft Network Monitor, which was succeeded by the Microsoft Message Analyzer. Unfortunately, Microsoft has discontinued the Microsoft Message Analyzer and removed its download links. Currently, only the older Microsoft Network Monitor is available.

Of course, you can use third-party tools for performing network captures, such as WireShark. Though some third-party tools may offer a better experience, Microsoft Network Monitor still holds its own. In this article, we are going to see how to capture and inspect packets using the last available version of Microsoft Network Monitor, one of the most popular tools out there.

Although I could have used WireShark, I have found that the interface and usability of Microsoft Network Monitor, out of the box, is far easier to use. Much of the same can be achieved in WireShark, but you may have to do far more configuration in the interface.

Capturing Packets Using Microsoft Network Monitor

First, we need to install Microsoft Network Monitor. You can locate the download here and then go on to install it. Once you have Microsoft Network Monitor installed, go ahead and launch the program. Once launched, click on New Capture.

Viewing the Start Page

Next, you will want to start the monitoring by clicking on the Start button. This will instantly start the capture, and you will see conversations starting to show up on the left-hand side.

Viewing a New Capture screen before it has started capturing

If you find that you get an error message saying no adapters are bound, then you should run Microsoft Network Monitor as an Administrator. Additionally, if you have just installed it, you may need to reboot.

One of the great benefits of using Microsoft Network Monitor is that it groups your network conversations very easily on the left-hand side. This makes specific processes much easier to find and then dive into.

Viewing Network Conversations

Expanding any one of the plus signs will show you the specific set of "conversations" that the network monitor may have captured and grouped underneath a process.

Filtering Traffic

You will quickly discover that with all of this information coming in, you will need to more easily filter out noise. One example of a filter is DnsAllNameQuery, under the DNS section of Standard Filters. By adding this line to the display filter section and clicking on Apply, you will be able to display only those packets that are DNS queries, such as below.

Viewing the DnsAllNameQuery Filter

Building Filters

Creating filters, or modifying the built-in filters, is very easy. Within the Display Filter field, there are several ways to construct filters. By entering a Protocol Name and following that with a . (period), you will see an auto-complete of possible field values to compare. Using the standard comparison operator of == we can see if certain values are equal. We can even create multi-expressions using logic operators such as and and or. An example of what this looks like is below.

            DNS.QuestionCount AND DNS.ARecord.TimeToLive == 14          

There are a few methods available as well, such as contains() and UINT8(). You can see the contains method used below to filter out only DNS records that contain google.com and a TimeToLive of 14.

            DNS.QuestionCount AND DNS.ARecord.TimeToLive == 14 AND DNS.QRecord.QuestionName.contains("google.com")

As you might be able to tell, there are a number of ways to combine filters to make them useful and convenient to use. This is a great way to only return the data that you are interested in, especially since packet captures can become quite large. In the next section, we take a look at some more useful examples.

Example Filters

Some practical examples, beyond the default built-in ones, go a long way toward helping you understand how to get to just the useful data that you need.

Filtering by Port Number

Though it's possible to use the HTTP protocol to filter by, using the following method allows you to account for custom ports, such as 8080 or 8443, which is especially useful when troubleshooting.

            // Filter by TCP Port Number
            tcp.port == 80 OR Payloadheader.LowerProtocol.port == 80
            tcp.port == 443 OR Payloadheader.LowerProtocol.port == 443

TCP frames that have been fragmented are reassembled and inserted into a new frame in the trace that contains a special header named Payloadheader. By looking for both, we can make sure we are getting all of the data we are looking for here.

Find SSL Negotiation Frames

While troubleshooting, you may need to understand what SSL connections are being negotiated. Though you may not be able to decrypt the internal traffic, this will help find what servers the connection is attempting to use.

            // Filter by SSL Handshake
            TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType == 0x1
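Handshake type 0x1 is the ClientHello, which carries the requested server name in clear text in its server_name (SNI) extension. The following added example, which is not part of the original article or of Network Monitor, parses a constructed ClientHello record to show where that name sits in the bytes; `build_client_hello`, `parse_client_hello` and the host name `example.test` are hypothetical.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Build a minimal ClientHello record (constructed sample, not captured traffic)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, type 0 = host_name
    exts = struct.pack("!HH", 0, len(sni)) + sni                   # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # client version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandShakeType 0x1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record: bytes):
    """Return the SNI host name if the record is a ClientHello that carries one, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # handshake record, ClientHello
            return None
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                                 # skip client version and random
        pos += 1 + body[pos]                         # skip session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # skip cipher suites
        pos += 1 + body[pos]                         # skip compression methods
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(ext_end, len(body)):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0:                        # server_name extension
                # layout: list length (2), name type (1), name length (2), name
                name_len = int.from_bytes(body[pos + 3:pos + 5], "big")
                return body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except IndexError:                               # truncated record
        return None
    return None

SAMPLE = build_client_hello("example.test")
```
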

Find TCP Retransmits and SYN Retransmits

To troubleshoot file upload and download issues, you can look to see if many retransmissions are occurring that could be impacting performance.

            Property.TCPRetransmit == 1 || Property.TCPSynRetransmit == 1

Make sure you have conversations turned on; this filter depends on that functionality.
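Retransmit detection needs per-conversation state, because a segment only counts as a retransmit relative to what the same flow has already sent. The following added example is a simplified illustration of that idea, not Network Monitor's own logic; the tuple layout, the flag letters and the `find_retransmits` name are assumptions, the segments are constructed, and sequence-number wraparound is ignored.

```python
def find_retransmits(segments):
    """Flag segments that repeat data (or a SYN) already seen in the same flow direction.

    Each segment is (src, sport, dst, dport, flags, seq, payload_len).
    Returns a list of (index, kind) tuples.
    """
    highest_end = {}    # flow -> highest (seq + payload_len) seen so far
    syn_seen = set()    # (flow, seq) pairs of SYNs already observed
    flagged = []
    for i, (src, sport, dst, dport, flags, seq, length) in enumerate(segments):
        flow = (src, sport, dst, dport)          # one direction of one conversation
        if "S" in flags and "A" not in flags:    # initial SYN, not a SYN/ACK
            if (flow, seq) in syn_seen:
                flagged.append((i, "syn_retransmit"))
            syn_seen.add((flow, seq))
            continue
        if length == 0:                          # pure ACKs carry no data to resend
            continue
        end = seq + length
        if flow in highest_end and end <= highest_end[flow]:
            flagged.append((i, "retransmit"))    # bytes already covered by this flow
        highest_end[flow] = max(highest_end.get(flow, 0), end)
    return flagged

# Constructed sample segments (documentation address ranges, not captured traffic)
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SEGMENTS = [
    (CLIENT, 50000, SERVER, 443, "S", 1000, 0),
    (CLIENT, 50000, SERVER, 443, "S", 1000, 0),      # same SYN sent again
    (CLIENT, 50000, SERVER, 443, "PA", 1001, 500),
    (CLIENT, 50000, SERVER, 443, "PA", 1501, 500),
    (CLIENT, 50000, SERVER, 443, "PA", 1001, 500),   # data already sent
    (CLIENT, 50001, SERVER, 443, "PA", 1001, 500),   # same seq, different conversation
]
```

The last sample segment reuses a sequence number but belongs to a different source port, so it is not flagged; without grouping by conversation it would be indistinguishable from the real retransmit.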

Reading Frames and Hex Data

By default, the window layout has two bottom panes dedicated to Frame Details and Hex Details. Inside the Frame Details is each packet broken up into its component parts. On the opposite side is the Hex Details, which are the raw bytes and decoding. As you select a different section within the Frame Details, the same section within the hex code will be highlighted as well.

Viewing Frame Details and the raw Hex Data

Conclusion

Performing network traces is very easy with the latest version of Windows. Though Microsoft has opted to discontinue or deprecate their internally created tools, some still thrive. There are plenty of others, such as WireShark, but Microsoft Network Monitor still makes it quite easy to parse and understand the packet information that is captured.

Source: https://www.howtogeek.com/devops/how-to-capture-and-inspect-network-packets-in-windows-server/

Posted by: stoneclinking.blogspot.com
