
Quick Tip: Filter on IP in Network Monitor 3.4

Published on Wednesday, April 16, 2014

[Update 2014-04-17] Thanks to Steve’s comment I learned that the HEX notation is absolutely not a must. You can just use the IP address, but unlike the simple filters like Destination or Source you must not use quotes around the IP! Using quotes for the IP will give you a valid filter, but no matches will be found. So there’s absolutely no benefit in using the HEX notation. That makes my post a bit useless, but at least I learned something from it!

In the past I often used Wireshark to debug all kinds of issues. Over the last year I’ve been using Microsoft Network Monitor 3.4 more and more. I don’t think Network Monitor is better or worse than Wireshark, but Network Monitor can open a trace file generated by the built-in tracing engine of Windows (see Network Tracing Awesomeness). That means I don’t have to install Wireshark all over the place!

Small side note: Network Monitor 3.4 has been out for a while and I’ve often wondered when a newer version would be released. I wasn’t missing any particular features, but hey, I’m an IT guy, I like new stuff! And today I happened to stumble upon this: http://blogs.technet.com/b/messageanalyzer/ Seems like Microsoft does have a successor: Message Analyzer. I installed it and did some quick tests, and it seems like there’s a lot of fancy stuff in there! Using it will take some time to learn though. Some fancy features: graphs (e.g. SMB performance) and remote live capturing!!! Awesome!

Either way, back to my good old Network Monitor. One of the things I often do is blindly capture everything and then filter what is displayed. One thing I often need is to show only traffic involving a particular host. Typically I did this by adding a filter of the format “Source == IP and Destination == IP”. This mostly works, but sometimes it doesn’t, namely when the IP is translated to the actual DNS name. Besides that, it always bothered me that I had to type such a long filter.

Next to “Source” and “Destination” there’s also IPv4.SourceAddress, IPv4.DestinationAddress and IPv4.Address. I tried those in the past a few times, e.g. IPv4.Address == “10.6.69.121”, and although the filter is accepted, no traffic is shown. Today I accidentally found out that those IPv4.XYZ filters expect an IP in HEX format!

If you have some captured data and want to filter it, you can simply drill down into the IP packet information, right-click SourceAddress and choose Add to Display Filter. That will give you the hex notation.


Now this works perfectly if you want to do it for a display filter. But what if you want to limit the amount of data captured by using a capture filter?

Sample filter: (screenshot of the capture filter dialog, not reproduced here)

Well you can just use a simple IP to HEX converter site like this: http://www.miniwebtool.com/ip-address-to-hex-converter/?ip=10.6.69.121

Or you can use the following PowerShell oneliner:

"$(([Net.IPAddress]"10.6.69.121").GetAddressBytes() | ForEach-Object { '{0:x2}' -f $_ })" -Replace '\s'


The PowerShell oneliner will require you to add an x after the first 0 though.
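As an added example that is not part of the original post, here is a small PowerShell script that wraps the conversion above in a function and builds the host filter in the notations discussed, so the quoting difference between Source/Destination and IPv4.Address is visible side by side. The function names ConvertTo-NetmonIPv4Hex and New-NetmonHostFilter are my own, and the script assumes Network Monitor's filter syntax exactly as the post shows it.

```powershell
# Added example, not code from the original post. Function names are assumptions.
function ConvertTo-NetmonIPv4Hex {
    <#
    .SYNOPSIS
        Converts a dotted-quad IPv4 address to the 0x-prefixed hex form that
        Network Monitor emits when you choose "Add to Display Filter" on an
        address field (10.6.69.121 -> 0x0a064579).
    #>
    param([Parameter(Mandatory)][string]$IPAddress)

    # Reject anything that is not a plain dotted quad before parsing; IPAddress.Parse
    # would otherwise accept shorthand such as "10" and silently treat it as 0.0.0.10.
    if ($IPAddress -notmatch '^(\d{1,3}\.){3}\d{1,3}$') {
        throw "Not a dotted-quad IPv4 address: '$IPAddress'"
    }
    $addr = [System.Net.IPAddress]::Parse($IPAddress)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: '$IPAddress'"
    }

    # GetAddressBytes() returns the four octets in network order; format each as two
    # lowercase hex digits and join them, the same as the one-liner in the post, but
    # with the "0x" prefix already added.
    $hex = ($addr.GetAddressBytes() | ForEach-Object { '{0:x2}' -f $_ }) -join ''
    return "0x$hex"
}

function New-NetmonHostFilter {
    <#
    .SYNOPSIS
        Returns display/capture filter expressions for one host in the notations
        discussed in the post, so the quoting rules can be compared.
    #>
    param([Parameter(Mandatory)][string]$IPAddress)

    $hex = ConvertTo-NetmonIPv4Hex -IPAddress $IPAddress
    [pscustomobject]@{
        # Source / Destination are string comparisons and NEED the quotes.
        SourceQuoted   = ('Source == "{0}"' -f $IPAddress)
        # IPv4.Address compares the address field itself; the value must NOT be quoted.
        # A quoted value is still accepted as a valid filter but matches nothing.
        IPv4Address    = "IPv4.Address == $IPAddress"
        # Equivalent form using the hex notation Network Monitor itself generates.
        IPv4AddressHex = "IPv4.Address == $hex"
    }
}

# Usage with the address from the post.
$filters = New-NetmonHostFilter -IPAddress '10.6.69.121'
$filters | Format-List

# Sanity check: the hex form must equal the post's one-liner output plus the "0x" prefix.
if ($filters.IPv4AddressHex -ne 'IPv4.Address == 0x0a064579') {
    throw 'Unexpected hex conversion'
}
```

Paste whichever of the three strings you need into the display filter or capture filter box (and, as Steve notes in the comments, hit Apply for a capture filter). The strict dotted-quad check is there on purpose: an address that is mistyped or shortened should fail loudly rather than produce a filter that quietly matches the wrong host.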

Happy tracing!


2 Responses to Quick Tip: Filter on IP in Network Monitor 3.4

Steve Shockley
16 April, 2014 19:08

I've always just used the IP address. For example, from the Capture Settings window, if you do Load Filter, Standard Filters, Addresses, IPv4 Addresses, you'll see a sample (commented out) for 192.168.0.100. I've used that plenty of times; it never even occurred to me that you could use hex addresses.

Note that you do need to hit Apply for the filter to take effect.

17 April, 2014 09:12

Steve,

You are absolutely right. I'm glad you learned that HEX is an option. But to be honest why go through the hassle of converting to HEX?! :p

I am very happy you took the time to reply. I should use standard filters more to get to know them better. If you use "Destination" or "Source" or "ProtocolName", you have to put "" around your IP. However if you do that with IPv4.address you'll have a valid filter but it won't find anything. That's how I got myself in the mess of the HEX stuff.

But, I learned something new today, so this is a good day!

Much appreciated.
