If you want to add a new FAQ, please feel free to contribute. Simple add a bullet under the appropriate section. Then create a Q: section and create an anchor using the text in your question (look at some of the other questions for examples). Then link to that new section and provide an answer section.
A: You can TCP.NPL and add a new port as a case statement for the protocol you wish to parse. For instance, if you want to parse port 1234 as HTTP, use the following change in TCP.NPL.
case 80: case 8080: case 1234: HTTP Http;
Once you make this change, you'll need to save the parser. For more information on how to proceed see the answer to "How do I change or add a protocol parser?".
A: If you making changes using the Network Monitor application, you'll notice you get an "Access is denied" error when you attempt to save a change you've made. This happens because the files are located in a read-only location. This is to protect you from make changes to the original source. You will be prompted to save to another location, so choose "Yes". By default the location is "Documents\Network Monitor 3\Parsers" which is perfect.
After you have saved your parser you need to take one more step. With Network Monitor 3.4, we have a new feature called Parser Profiles. You need to use this new feature to create a new profile that contains the directory with your parser change. From the Parser Profiles button, open the "Parser Profile Options...". Then choose the profile you want to use as a base and hit the New button and select "Created From Selected". A new dialog will open with a list of directories. By default we add the "Documents\Network Monitor 3\Parsers" directory where you hopefully saved your parser change. If you are adding a new directory, you'll have to add that manually. Now hit OK to save your changes.
If you are adding a new parser, one more step is necessary. You will need to update the my_spaser.npl file and include the name of the new directory (do not use a full path). So for instance if your new file is called MyNewParser.npl, add the following:
include "MyNewParser.npl"
To use your new parsers, simply select it from the Parser Profiles drop down button under User Defined Profiles. Assuming that no errors occurred while building the new parser set you should be ready to go. If you do have errors, you'll have to look on the parser window to understand what has happened.
A: There are many resources that describe how to filter with Network Monitor 3.
A: Please check to see if the driver is installed correctly or if any of the problems below match your situation.
A: Check to see whether any of the following are true:
Is TCP chimney enabled? In this case you might see a TCP 3-way handshake and then no other traffic. With TCP Chimney enabled, the NIC directly interfaces through memory with the TCP engine and bypasses NDIS completely, therefore Network Monitor doesn't see this traffic. In Windows 2008 and above you can use the type "netsh int tcp show global" at the command prompt to determine the status of off loading. Before Windows 2008, offloading is an option that each NIC provides separately, so you'll need to consult your manufacture for exact instructions. http://support.microsoft.com/kb/951037.
A: The Driver Capture Location registry change allows you to configure where the Network Monitor driver captures information. See the help, under Capture Options, for more details about this option. To make the option take affect, you must restart the driver. To do this you can type "sc stop nm3" and then "sc start nm3" on the command line to avoid rebooting. The key is listed below.
\HKLM\System\CurrentControlSet\Services\nm3\LoadUpperLayers
A: In Network Monitor 3, the behavior of the Source column (which is just a property in NPL), is to show the alias name first, then the resolved name, then the IP, and finally the machine address.
You can add a separate column for the IP address, the property is called SourceNetworkAddress and DestinationNetworkAddress.
You could also change the behavior of the source property in NPL, and add in the IPv4 address in addition to the resolved and aliased name if you wanted.
A: When you install Network Monitor, NetmonInstall.log is created in the %tmp% directory. You might be able to find more information as to why the installation failed.
In some cases, the installation won't even start. This could be due to your %TMP% path containing a space. If this is the case, you can extract the files manually using the "/T:\tempdir /C" options. Then you can attempt to install each MSI manually using MSIExec and the following two commands:
This will install each of the two packages silently. If either of these fail, you might want to enable logging explicitly using the MSIExec command with the /l option. Type MSIExec /? for more details.
A: In some situations you might not be able to save frames after capturing. This is usually after a long capture session or you've captured many frames. We recommend you use NMCap, the command line utility, to capture if you need to do so for long periods of time. NMCap can run for longer periods of time and has a smaller memory foot print as long as conversations are not required. The UI has to remember all state information and when it gets in this state, it's unable to save the capture file because it has run out of resources to do so.
However, you might be able to work around this problem. This blog about saving frames might help you work around this situation.
A: There is a built in plug-in called ContainsBin which can search all the frame data for a ASCII, Unicode or Hex pattern. If you look under the Standard Filters in the application for "Search Frame", you will see some examples of how to use it. Keep in mind that it is case sensitive and you have to specify the type, ASCII, UNICODE or Hex, that you are looking for.
If you need something more flexible, we do have an expert call Simple Search which has some more features. You can do regular expressions and it will also highlight the hex it finds by automating the UI. You can find that expert on our Experts Page on Codeplex.
Carsten Siemens edited Revision 10. Comment: Fixed misspellings
How can i get ContainsBin plugin?