.png?width=100&auto=webp&quality=80&disable=upscale "Picture of John Savill")
.png?width=400&auto=webp&quality=80&disable=upscale "John Savill")
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Search for Text By Using Netmon
Search for specific text using Netmon.
John Savill
June 9, 2013
1 Min Read
Q: How do I search packets for line of text in Netmon 3.4?
A: I was recently performing some monitoring testing and wanted to see when a particular text file had been opened, but it was hard to find the actual TCP packet that represented the content of the file being read.
I found a great solution using the ContainsBin filter that enables packet frame data to be searched for an ASCII string. For example, to search for SavillText I used
ContainsBin(FrameData, ASCII, "SavillText")
This enabled me to quickly find my packet, as the figure shows below.
Note that I performed this monitoring within a Windows Server 2012 Hyper-V virtual machine (VM) that was on the same host as the target file server VM. To enable this promiscuous monitoring to work, three configurations were required.
On the file server VM, under the advanced features of the network adapter, its Port mirroring mode was set to Source.This could also be set with Windows PowerShell:Set-VMNetworkAdapter -VMName -PortMirroring Source
On the VM running network monitor, under the advanced features of the network adapter, its Port mirroring mode was set to Destination.This could also be set with PowerShell:Set-VMNetworkAdapter -VMName -PortMirroring Destination
In Network Monitor, under Capture Settings, the network adapter that is being listened on (Ethernet) is set to P-Mode (promiscuous, which means it can see traffic of other network addresses).
About the Author
You May Also Like
