Network Monitor Fields and Properties for Filtering


The links below list the data fields and properties most commonly used for filtering in Network Monitor 3.x, grouped by protocol.  The list is meant to help you understand the more common data fields and properties, with a description of what each one represents.  Please help extend it by editing the wiki with fields you've found useful.

Data fields represent real data that is on the wire.  Nearly every piece of the raw data has a field associated with it.

Properties represent metadata.  The protocol parsing code uses properties for many purposes, but a few that are useful from a user's perspective are:

  • Calculation or summary of multiple data fields - for instance, there is no field on the wire that represents the TCP length, but there is a property that does.
  • A data field that appears under different root paths - for instance, an SMB file name can appear in many different structures and locations within an SMB or SMB2 packet.  Filtering on each of these separately is difficult because you would have to know every possible path.  In some cases a property decorates the data field in each location where it appears in the parser code, so filtering on the property finds any instance of the value regardless of where it appears in the protocol parser.
  • Pairs - pairs are special properties; in the tables below they are listed under the fields section because they are associated with a protocol.  A pair property represents two pieces of data at the same time so that, for instance, they can be evaluated as a source/destination pair.  When you filter with a pair, the
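As an added illustration (not part of this wiki page and not Network Monitor's own parser code), the following Python models the three kinds of properties just described over a few constructed frames: a calculated property (TCP payload length derived from the IPv4 and TCP header fields), a path-independent property (a FileName found wherever the parser placed it), and a pair property (both IPv4 addresses evaluated together, so a filter matches either direction).  The frame layouts, field names such as HeaderLength and DataOffset, and the sample addresses are assumptions made for the example, not NetMon identifiers.

```python
"""Added example (not from the Network Monitor wiki page): a small Python model
of the three kinds of properties described above. NetMon's own NPL parsers are
not used; frames, field names and paths here are constructed and hypothetical."""

# Constructed sample of parsed frames. Each dict mimics a parser tree: protocol
# scopes at the top, with SMB and SMB2 placing a FileName at different depths.
FRAMES = [
    {   # Frame 1: SMB NT Create AndX request carrying a file name
        "id": 1,
        "IPv4": {"SourceAddress": "10.0.0.5", "DestinationAddress": "10.0.0.9",
                 "TotalLength": 200, "HeaderLength": 5},
        "TCP": {"SourcePort": 50000, "DestinationPort": 445, "DataOffset": 5},
        "SMB": {"NTCreateAndX": {"FileName": "\\share\\secret.docx"}},
    },
    {   # Frame 2: bare TCP ACK in the reverse direction (TCP options, no payload)
        "id": 2,
        "IPv4": {"SourceAddress": "10.0.0.9", "DestinationAddress": "10.0.0.5",
                 "TotalLength": 52, "HeaderLength": 5},
        "TCP": {"SourcePort": 445, "DestinationPort": 50000, "DataOffset": 8},
    },
    {   # Frame 3: SMB2 CREATE request; the name sits under a different path
        "id": 3,
        "IPv4": {"SourceAddress": "10.0.0.7", "DestinationAddress": "10.0.0.9",
                 "TotalLength": 180, "HeaderLength": 5},
        "TCP": {"SourcePort": 51000, "DestinationPort": 445, "DataOffset": 5},
        "SMB2": {"Create": {"Buffer": {"FileName": "reports\\secret.xlsx"}}},
    },
]


def tcp_payload_length(frame):
    """Calculated property: nothing on the wire stores the TCP payload length,
    so derive it from the IPv4 total length minus the IPv4 and TCP header
    lengths (both carried as counts of 32-bit words)."""
    ip, tcp = frame["IPv4"], frame["TCP"]
    return ip["TotalLength"] - ip["HeaderLength"] * 4 - tcp["DataOffset"] * 4


def collect(node, key):
    """Path-independent property: walk the whole parse tree and yield every
    value stored under `key`, whatever structure the parser placed it in."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            else:
                yield from collect(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from collect(item, key)


def address_pair(frame):
    """Pair property: both IPv4 addresses of the frame evaluated together, so a
    filter matches whichever direction the traffic is flowing."""
    ip = frame["IPv4"]
    return frozenset((ip["SourceAddress"], ip["DestinationAddress"]))


def filter_ids(frames, predicate):
    """Apply a filter predicate and return the ids of the matching frames."""
    return [f["id"] for f in frames if predicate(f)]


# Filters a user might write against these properties
def frames_with_payload(frames=FRAMES):
    return filter_ids(frames, lambda f: tcp_payload_length(f) > 0)


def frames_naming(substring, frames=FRAMES):
    return filter_ids(
        frames, lambda f: any(substring in n for n in collect(f, "FileName")))


def frames_touching(address, frames=FRAMES):
    return filter_ids(frames, lambda f: address in address_pair(f))


def frames_between(a, b, frames=FRAMES):
    return filter_ids(frames, lambda f: address_pair(f) == frozenset((a, b)))


if __name__ == "__main__":
    print("payload > 0:", frames_with_payload())                        # [1, 3]
    print("FileName contains 'secret':", frames_naming("secret"))       # [1, 3]
    print("10.0.0.5 on either side:", frames_touching("10.0.0.5"))      # [1, 2]
    print("between .5 and .9:", frames_between("10.0.0.5", "10.0.0.9"))  # [1, 2]
```

The file-name filter hits both the SMB frame and the SMB2 frame even though the value lives under different paths, which is the point of decorating a field with a property; the address filter hits frames 1 and 2 regardless of which host is the source, which is what a pair gives you over filtering on the source and destination fields separately.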

Click on each protocol below to see a list of data fields, properties and examples.

  • Conversation - The conversation scope provides state information properties at different levels.  At the root it contains process information, and for each protocol it contains state information for the current conversation.
  • Ethernet - This protocol carries the low-level machine addresses and the protocol type of the payload.  Most traffic has an Ethernet header, though there are exceptions such as wireless and tunneled traffic.  Look at Ethernet on Wikipedia.
  • FrameVariable - FrameVariable is a special scope which contains frame-level information such as frame length and time-related fields.
  • HTTP - HTTP is the main protocol used to deliver web pages for your browser to render.  Look at HTTP on Wikipedia.
  • IPv4 - IPv4 is the Internet-layer protocol which provides general network-layer addressing.  Look at IPv4 on Wikipedia.
  • IPv6 - IPv6 is the successor to IPv4, providing a much larger address space.  Look at IPv6 on Wikipedia.
  • Property - The Property scope represents the set of properties that exist for the current frame.  Some of these are also mentioned under other protocols because they are defined in multiple places.  The property value you see is the last one set after the frame is completely parsed.
  • SMB - Server Message Block (SMB) is a common protocol for file sharing and related communication.  The SMB protocol documentation is available here.
  • SMB2 - SMB2 is an updated version of SMB, used from Windows Vista onward.  The SMB2 protocol documentation is available here.
  • TCP - TCP is the transport-layer protocol that handles sequencing and reliable delivery of data on the network.  Look at TCP on Wikipedia.
  • WiFi - WiFi is the hardware layer for wireless traffic.  The Network Monitor driver adds a wireless header which contains information such as signal strength, channel and data rate.
