Network Monitor (NetMon) is a useful Microsoft tool for capturing and examining network packets
travelling between systems. This section describes how to set it up and use it.
Proper installation is required for this tool to work. Simply copying the files it uses from another machine will not work, because the capture driver (the Network Monitor Driver) has to be installed into the network stack.
Microsoft provides a knowledge base article describing how to set up Network Monitor on a Windows 2000 Server: Q243270 - How to Install Network Monitor in Windows 2000, available at http://support.microsoft.com/support/kb/articles/Q243/2/70.ASP. Basically this is done by invoking Control Panel - Add/Remove Programs - Add/Remove Windows Components, opening the Management and Monitoring Tools group and selecting Network Monitor Tools. The system then asks for the Windows 2000 Server distribution files (the installation CD).
The version of NetMon installed by this process has a built-in traffic filter. When I tried
to examine the filter properties I was presented with the following self-explanatory message:
"For security reasons, Windows NT Server Network Monitor captures only network traffic
(frames) sent to or from the local computer, including broadcast and multicast frames.
To capture frames sent to or from any computer on the network, use the version of Network
Monitor included with Systems Management Server."
The process described above does not work on Windows 2000 Professional: the Network Monitor Tools option is not listed in Management and Monitoring Tools. However, it is possible to use the SMS 2.0 version of NetMon on Windows 2000 Professional. The installation process requires two steps.
I used Disc 6 of the Microsoft BackOffice Test Platform (June 1999) to install SMS 2.0 components on
my Windows NT 4.0 Workstation. I was interested in Network Monitor only. To start the installation
I launched Setuppad.exe, located in the Sms20/Autorun/I386 directory.
I have never done this myself. However, Microsoft provides the following knowledge base
article that may help: Q200910 - How to Install Network Monitor in Windows 95/98.
The article is available at the following link:
http://support.microsoft.com/support/kb/articles/Q200/9/10.ASP
If you are not familiar with Network Monitor you will need to practice a little with it to learn how to capture traffic. Capturing all traffic is usually too much, so you need to learn how to filter it. Ideally, for reverse engineering tasks, you are only interested in the traffic between two machines (a client and a server). To set up such a filter you need the hardware (MAC) address of the other machine's network adapter. To find it, first set up a capture filter between your machine and ANY other machine, then ping the other machine and capture the packets. Look for the other machine's hardware address in the ICMP echo frames you captured (the source address of the echo reply is the one you want; on Windows, arp -a run right after the ping shows the same address). Then use it to set up a one-to-one address pair filter between the two machines.

Two caveats. If the other machine is on a different subnet, the hardware address you see in the frames is that of your default gateway, not of the machine itself, and a filter on it will catch all routed traffic. And on a switched network Network Monitor only sees frames that reach your own adapter, so to watch a client and a server that are both other machines you need the SMS version and a hub or a mirrored switch port between them.
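The two steps above (pull the peer's hardware address out of the ping frames, then keep only frames exchanged between the two adapters) are shown below as an added example in Python; it is not part of the original page and has nothing to do with Network Monitor's own code. The frames are constructed inline, with made-up addresses and zeroed checksums, purely so the parser and the filter have something to run on; with a real capture you would feed it the raw Ethernet frames instead.

```python
"""Added example (not from the original page): find the peer's MAC address in a
ping capture and apply a one-to-one (address pair) filter, the way the text
describes doing it by hand in Network Monitor.  All frames below are
constructed for the demonstration; they are not a real capture."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP = 1
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_icmp_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type):
    """Ethernet II + minimal 20-byte IPv4 header + 8-byte ICMP echo header.
    Checksums are left at zero: these frames are parsed, never transmitted."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                         IPPROTO_ICMP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + icmp


def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": bytes_to_mac(dst), "src_mac": bytes_to_mac(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(payload):
    ihl = (payload[0] & 0x0F) * 4            # header length in bytes
    return {"proto": payload[9],
            "src_ip": bytes_to_ip(payload[12:16]),
            "dst_ip": bytes_to_ip(payload[16:20]),
            "payload": payload[ihl:]}


def find_peer_mac(frames, my_mac, peer_ip):
    """With a 'my machine <-> ANY' filter active, ping peer_ip and read the
    peer's MAC out of the captured ICMP frames.  The echo reply is preferred
    because its source MAC is whatever actually put the frame on the wire
    (the peer itself, or the default gateway if peer_ip is on another subnet)."""
    candidate = None
    for frame in frames:
        eth = parse_ethernet(frame)
        if eth["ethertype"] != ETHERTYPE_IPV4:
            continue
        ip = parse_ipv4(eth["payload"])
        if ip["proto"] != IPPROTO_ICMP:
            continue
        if eth["dst_mac"] == my_mac and ip["src_ip"] == peer_ip:
            return eth["src_mac"]            # echo reply from the peer
        if eth["src_mac"] == my_mac and ip["dst_ip"] == peer_ip:
            candidate = eth["dst_mac"]       # our own request; fall back on it
    return candidate


def address_pair_filter(frames, mac_a, mac_b):
    """NetMon-style one-to-one address filter: keep only frames exchanged
    between exactly these two adapters, in either direction."""
    pair = {mac_a, mac_b}
    kept = []
    for frame in frames:
        eth = parse_ethernet(frame)
        if {eth["src_mac"], eth["dst_mac"]} == pair:
            kept.append(frame)
    return kept


# Constructed sample capture (assumed addresses, not from any real network).
CLIENT_MAC, CLIENT_IP = "00:11:22:33:44:55", "192.168.1.10"
SERVER_MAC, SERVER_IP = "aa:bb:cc:dd:ee:ff", "192.168.1.20"
OTHER_MAC = "66:77:88:99:aa:bb"

CAPTURE = [
    build_icmp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 8),      # our echo request
    build_icmp_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 0),      # server's echo reply
    mac_to_bytes(BROADCAST_MAC) + mac_to_bytes(OTHER_MAC)
    + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,                      # unrelated ARP broadcast
    build_icmp_frame(OTHER_MAC, CLIENT_MAC, "192.168.1.30", CLIENT_IP, 8),  # ping from a third host
]


def demo():
    peer = find_peer_mac(CAPTURE, CLIENT_MAC, SERVER_IP)
    return peer, len(address_pair_filter(CAPTURE, CLIENT_MAC, peer))


if __name__ == "__main__":
    peer, kept = demo()
    print(f"peer MAC: {peer}; frames kept by one-to-one filter: {kept}")
```

The broadcast and third-host frames are there to show what the address pair filter throws away; the `ff:ff:ff:ff:ff:ff` destination is exactly the kind of frame the Windows 2000 Server build of NetMon still captures, as its own message above says, and which a client/server filter has to drop.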
The following Microsoft knowledge base articles may be helpful: