Written by Mike James   
Wednesday, 12 May 2010
We have already looked at the basics of  Microsoft Network Monitor 3.3, which is free-to-download software that works under Windows. In a second article we looked at setting up filters to monitor remote traffic with it and now, in the third and final article on the topic, we look at using Experts.

Help from an Expert

Using a network monitor is tough. There's so much data to look at even after a relatively small capture, and what does it all mean? The basic idea seems simple enough - the monitor records the details of all the packets sent and received and what they contained. In principle there isn't anything you can't find out about the network communications - but in practice it can just be too complicated to make detailed sense of.

This is where the idea of an Expert comes in. After you have used the monitor to capture the packets you can load and use an expert to perform an analysis of the data for you. At the moment there are only a few experts available but the details of the API are published and anyone can write an expert to perform a custom analysis. Let's take a look at two useful experts that might just make your use of Network Monitor 3.3 an everyday event.

First you need to know that you cannot make use of an expert until you have captured some data and saved it. The Experts menu doesn't even appear until you have saved and then loaded a capture - it isn't enough to simply run and stop a capture. The experts work on a capture stored on disk, so you have to load a capture file before you can see the Experts menu.

Getting started

So to get started - create a new capture, run it for some minutes, save the capture and then load the capture file. You should now see Experts as a new entry in the main menu. To load a new expert simply click on the Download Experts option and select and download at least Top Users and TCP Analyzer - the two that we examine further here.

Top Users simply reports the source and destination of any network packets, ranked by total volume. What this means is that you can see almost at a glance what sort of traffic is using the network most. All you have to do is load any capture file and select Experts, Top Users by Conversation and Launch Expert. After a few seconds you should see a spreadsheet-like display listing IP addresses and total data volume. You can also ask for a bar or pie chart of the data, but unless the number of traffic sources is low, because you have applied a filter say, the result is usually too muddled to interpret. You can use this expert to track down heavy network use due to malware, or just a program that has entered an infinite loop.


The second expert - the TCP Analyzer - is much more sophisticated. It can give you an idea of how well a connection between two IP addresses is performing. For the analysis to make any sense you need to first collect a lot of data. You can do this either by setting up a filter so you only record data between the two locations, or you can just collect the lot and process it later. For example, if you want to analyze traffic between your machine and a web server, start a capture and start browsing the web site concerned. Make sure you view a lot of pages so that there is enough data to analyze - each page should start a new conversation that you can analyze.

When you have saved the capture and reloaded it, navigate down the Network Conversations panel, usually at the far left, expand the node for the browser process and select the conversation between your host and the server (you need to know the IP addresses of both).
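The two operations the experts perform on a loaded capture - the Top Users ranking of address pairs by total volume, and the narrowing down to the conversation between two hosts before a per-connection analysis - are simple enough to reproduce directly. The following is an added example for this article, not Network Monitor's expert code nor its API; the frame records are constructed to look like a short browsing session with some LAN background traffic, and the address pair 10.0.0.5 / 203.0.113.10 and the port numbers are assumptions for illustration only.

```python
"""Toy 'Top Users by Conversation' ranking and per-flow breakdown.

Added example for this article; not Network Monitor's own expert code.
The frame records below are constructed, not exported from a real .cap file.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One captured frame, reduced to the fields the analysis needs."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int  # frame length in bytes, as a capture tool records it


def conversation_key(a: str, b: str):
    """Order the two addresses numerically so both directions of traffic
    land in the same conversation bucket."""
    return tuple(sorted((a, b), key=ipaddress.ip_address))


def top_users_by_conversation(frames):
    """Total bytes per address pair, largest first: the Top Users view."""
    totals = defaultdict(int)
    for f in frames:
        totals[conversation_key(f.src, f.dst)] += f.length
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def filter_between(frames, host_a, host_b):
    """Keep only frames exchanged between two hosts, in either direction
    (the post-hoc equivalent of a capture filter on the two addresses)."""
    wanted = conversation_key(host_a, host_b)
    return [f for f in frames if conversation_key(f.src, f.dst) == wanted]


def tcp_flows(frames):
    """Split TCP frames into flows keyed by their two (address, port) endpoints.

    Endpoint 'a' is the numerically lower (address, port); bytes are counted
    per direction so each page load shows up as its own request/response pair.
    """
    flows = defaultdict(lambda: {"frames": 0, "bytes_a_to_b": 0, "bytes_b_to_a": 0})
    for f in frames:
        if f.proto != "TCP":
            continue
        a, b = sorted(((f.src, f.sport), (f.dst, f.dport)),
                      key=lambda e: (ipaddress.ip_address(e[0]), e[1]))
        stats = flows[(a, b)]
        stats["frames"] += 1
        if (f.src, f.sport) == a:
            stats["bytes_a_to_b"] += f.length
        else:
            stats["bytes_b_to_a"] += f.length
    return dict(flows)


# Constructed sample capture (assumed addresses and ports, not real traffic):
# a DNS lookup, two page loads from a web server, and LAN file-share chatter.
SAMPLE_CAPTURE = [
    Frame("10.0.0.5", "10.0.0.1", "UDP", 53001, 53, 74),        # DNS query
    Frame("10.0.0.1", "10.0.0.5", "UDP", 53, 53001, 90),        # DNS answer
    Frame("10.0.0.5", "203.0.113.10", "TCP", 49152, 80, 66),    # page 1: SYN
    Frame("203.0.113.10", "10.0.0.5", "TCP", 80, 49152, 66),    # SYN/ACK
    Frame("10.0.0.5", "203.0.113.10", "TCP", 49152, 80, 54),    # ACK
    Frame("10.0.0.5", "203.0.113.10", "TCP", 49152, 80, 420),   # GET
    Frame("203.0.113.10", "10.0.0.5", "TCP", 80, 49152, 1514),  # response
    Frame("203.0.113.10", "10.0.0.5", "TCP", 80, 49152, 1514),
    Frame("203.0.113.10", "10.0.0.5", "TCP", 80, 49152, 812),
    Frame("10.0.0.5", "203.0.113.10", "TCP", 49153, 80, 66),    # page 2: SYN
    Frame("203.0.113.10", "10.0.0.5", "TCP", 80, 49153, 66),
    Frame("10.0.0.5", "203.0.113.10", "TCP", 49153, 80, 398),   # GET
    Frame("203.0.113.10", "10.0.0.5", "TCP", 80, 49153, 1514),
    Frame("203.0.113.10", "10.0.0.5", "TCP", 80, 49153, 640),
    Frame("10.0.0.5", "10.0.0.20", "TCP", 49200, 445, 1514),    # SMB upload
    Frame("10.0.0.5", "10.0.0.20", "TCP", 49200, 445, 1514),
    Frame("10.0.0.5", "10.0.0.20", "TCP", 49200, 445, 1514),
    Frame("10.0.0.5", "10.0.0.20", "TCP", 49200, 445, 1514),
    Frame("10.0.0.20", "10.0.0.5", "TCP", 445, 49200, 60),      # ACK
]


if __name__ == "__main__":
    print("Top users by conversation:")
    for (a, b), total in top_users_by_conversation(SAMPLE_CAPTURE):
        print(f"  {a:>14} <-> {b:<14} {total:>6} bytes")
    web = filter_between(SAMPLE_CAPTURE, "10.0.0.5", "203.0.113.10")
    print(f"\nTCP flows between 10.0.0.5 and 203.0.113.10 ({len(web)} frames):")
    for (a, b), stats in tcp_flows(web).items():
        print(f"  {a} -> {b}: {stats}")
```

Keying conversations on the numerically ordered address pair is what makes both directions of a connection count as one row, which is how a single busy host shows up at the top of the ranking rather than being split across two entries. Splitting the filtered traffic by port pair then gives one flow per page load, the unit the TCP Analyzer works on.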
