Paul Schnackenburg, 25 September 2006, 8:02 AM
Need to sniff a network? Find out what's going on? Want to discover passwords your software is sending in clear-text? Microsoft's soon-to-be-released Network Monitor 3.0 can do it, and it's now freeware.
Ever heard of Ethereal? It's a pillar of the open-source community - a free tool that captures network packets and displays all of their content in detail. It runs on Windows as well as Linux and other platforms.
In the opposite corner of the ring we have an aging contender from Microsoft. Network Monitor 2 comes with Windows Server but only captures traffic destined for your PC. And if you need the full featured Network Monitor 2 you have to buy Systems Management Server.
It's not an equal fight really. Ethereal wins on performance, feature set and price. Microsoft clearly didn't like this result so it has sprung back with a series of body blows.
To take the strained boxing analogy to its teetering limits, in round two we have Microsoft Network Monitor 3 (currently in beta 2 release), which will be full featured and will be offered as a free download.
So what’s new?
For a start, the user interface is cleaned up, and it’s much easier to use.
Creating filters (both capture and display) is much easier with "Intellisense" to guide you. A set of standard filters is included, which is an improvement over the earlier version.
Conversations is a new concept: it tracks traffic between two nodes and allows you to follow a particular communication easily.
NM 3 also runs on Vista 64 bit and is multithreaded for better performance.
I tested on a Windows XP Pentium M 2.13 GHz with 2 GB of RAM. (Minimum specs are a 1 GHz CPU and 1 GB of RAM, and Windows XP, Vista or Windows Server 2003.)
You need to be an administrator to use NM to capture traffic, but in Vista you can add the user account to the Netmon Users group instead, so the account doing the capturing does not need full administrator rights.
With heavy network traffic I observed both high CPU usage and high memory consumption, but these are both symptoms mentioned in the beta documentation. As the product is polished for release I would expect these problems to be minimised.
As in earlier versions NM 3.0 installs a special driver for the network connection.
This is a capture of a conversation between the test PC and an FTP server on the internet. One strength of NM 3.0 is that it can capture on several network interfaces simultaneously so in this capture some LAN traffic was included as well.
Using Intellisense we created a display filter to only show the FTP traffic between the test laptop and the server.
Typing protocol. (note the period after protocol) makes NM suggest the available protocols, which makes it much easier to build a filter.
Similarly typing in TCP. lists TCP elements that a capture can be filtered on.
A new capability in NM 3.0 is that you can test your filter by clicking the “verify” button. Colours can also be used to help in sorting out traffic.
This is how the traffic is displayed using the conversations feature.
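What the conversations view is doing under the hood, and why an FTP login is such an easy target for a sniffer, can be shown in a few dozen lines. The following is an added example written for this review, not code from Network Monitor or from Microsoft: it parses raw Ethernet/IPv4/TCP frames, groups them into conversations keyed on the two endpoints (so both directions land in the same bucket, as NM's conversation tracking does), and then pulls the USER and PASS commands out of any conversation with a server on port 21. The frames are constructed inline for the example; the addresses, ports and credentials are made up, and the code assumes segments arrive in order (it does no real TCP reassembly).

```python
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
FTP_PORT = 21


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left as zero)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: ports, seq, ack, data offset 5 (20 bytes), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version/IHL 0x45, TOS, total length, id, DF, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, sport, dst_ip, dport, payload), or None if not IPv4/TCP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # trims any Ethernet padding
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4             # TCP header length in bytes
    return src, sport, dst, dport, tcp[data_offset:]


def group_conversations(frames):
    """Group frames by unordered endpoint pair; each entry is (sender, payload)."""
    convs = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue                              # ARP, IPv6, UDP etc. are skipped
        src, sport, dst, dport, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))
        convs[key].append(((src, sport), payload))
    return convs


def extract_ftp_credentials(convs):
    """Find USER/PASS sent in the clear to any endpoint listening on port 21."""
    found = []
    for (a, b), messages in convs.items():
        if a[1] != FTP_PORT and b[1] != FTP_PORT:
            continue
        server = a if a[1] == FTP_PORT else b
        # Concatenate the client-to-server payloads; assumes in-order segments.
        client_stream = b"".join(p for sender, p in messages if sender != server)
        user = password = None
        for line in client_stream.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                user = arg.decode(errors="replace")
            elif cmd.upper() == b"PASS":
                password = arg.decode(errors="replace")
        if user is not None or password is not None:
            found.append({"server": f"{server[0]}:{server[1]}",
                          "user": user, "password": password})
    return found


# Constructed sample capture: an FTP login to an internet host, some unrelated
# LAN HTTP traffic, and an ARP frame that the parser must ignore.
_C, _S, _L = b"\x00\x11\x22\x33\x44\x55", b"\x00\x66\x77\x88\x99\xaa", b"\x00\xbb\xcc\xdd\xee\xff"
SAMPLE_FRAMES = [
    build_frame(_S, _C, "203.0.113.5", "192.168.1.10", 21, 49152, b"220 FTP ready\r\n"),
    build_frame(_C, _L, "192.168.1.10", "192.168.1.20", 49153, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame(_C, _S, "192.168.1.10", "203.0.113.5", 49152, 21, b"USER alice\r\n"),
    _L + _C + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
    build_frame(_S, _C, "203.0.113.5", "192.168.1.10", 21, 49152, b"331 Password required\r\n"),
    build_frame(_C, _S, "192.168.1.10", "203.0.113.5", 49152, 21, b"PASS hun"),   # split across
    build_frame(_C, _S, "192.168.1.10", "203.0.113.5", 49152, 21, b"ter2\r\n"),   # two segments
    build_frame(_S, _C, "203.0.113.5", "192.168.1.10", 21, 49152, b"230 Logged in\r\n"),
]

if __name__ == "__main__":
    conversations = group_conversations(SAMPLE_FRAMES)
    for endpoints, messages in conversations.items():
        print(endpoints, f"{len(messages)} segments")
    print(extract_ftp_credentials(conversations))
```

The split PASS command is the reason the grouping step matters: looked at frame by frame, neither segment contains a whole password, but once the client side of the conversation is joined back together the credential is there in plain text, which is exactly what the FTP display filter in the screenshots above makes visible.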
As in other network capture tools, promiscuous mode can be used so that all traffic seen by a network interface is captured rather than only traffic destined for your particular computer. On a switched network that still only means the traffic the switch actually forwards to your port, such as broadcasts and your own conversations.
For the adventurous there’s the new Network Parsing Language (NPL), so if a protocol isn’t covered by the built-in interpreters you can write your own.
And for the script-addicted there’s also a command line version that allows capture, NMCap.exe.
Network Monitor 3.0 is an impressive step up from the earlier version and is now on par with other software packet sniffers.