Network Monitor

Network Monitor is a useful Microsoft tool to catch and examine network packets travelling between systems. This section describes how to set it up and use. Proper installation is required for this tool to work. Copying files that it uses is not going to work.
 

Installing Network Monitor on a Windows 2000 Server System

Microsoft provides a knowledge base article describing how to set up Network Monitor on a Windows 2000 Server: Q243270 - How to Install Network Monitor in Windows 2000. Http link: http://support.microsoft.com/support/kb/articles/Q243/2/70.ASP. Basically this is done by invoking Control Panel - Add/Remove Programs - Add/Remove Windows Components and then selecting Network Monitor Tools in Management and Monitoring Tools. The system then asks for Windows 2000 Server distribution files.

The version of NetMon installed with such process has a built in traffic filter. When I tried to examine the filter properties I was presented with the following self-describing message: "For security reasons, Windows NT Server Network Monitor captures only network traffic (frames) sent to or from the local computer, including broadcast and multicast frames. To capture frames sent to or from any computer on the network, use the version of Network Monitor included with Systems Management Server."
 

Installing Network Monitor on a Windows 2000 Professional System

The process described above does not work on Windows 2000 Professional. You don't have Network Monitor Tools option listed in Management and Monitoring Tools. However, it is possible to use SMS 2.0 NetMon on Windows 2000 Professional. The installation process requires 2 steps.

• Installing SMS 2.0 NetMon. I have done it by running setup.exe in SMS20\NMEXT\I386 directory of Disc 6 of Microsoft BackOffice Server Test Platform (January 2000). Alternatively, you can use SMS 2.0 Service Pack 1 disk (Disc 15 of the BackOffice Server Test Platform (October, 1999)). This installs NetMon but it's not functional until you install the NetMon driver.
• Installing Network Monitor driver. This may be accomplished via Start - Settings - Network and Dial-up Connections - Local Area Connection. Select Properties and click on the Install button. Depending on the driver version available select either Microsoft Network Monitor Driver or Network Monitor Agent v2 Driver. See figures below.

• If you use SMS 2.0 Service Pack 2 (I have it on disc 16 of the BackOffice Server Test Platform, September 2000), then everything may be done in one step by just doing the "Set Up SMS 2.0" option. It installs the driver automatically.

Installing Network Monitor on a Windows 4.0 System

I used Disc 6 of Microsoft BackOffice Test Platform (June 1999) to install SMS 2.0 components on my Windows NT 4.0 Workstation. I was interested in Network Monitor only. To start the installation I launched Setuppad.exe located in Sms20/Autorun/I386 directory.
 

Installing Network Monitor on a Win9X System

I have never done this myself. However, Microsoft provides the following knowledge base article that may help: Q200910 - How to Install Network Monitor in Windows 95/98. The article is available at the following link http://support.microsoft.com/support/kb/articles/Q200/9/10.ASP
 

Using Network Monitor

If you are not familiar with Network Monitor you will need to practice a little bit with it to learn how to capture traffic. Capturing all traffic may be too much. You need to learn how to filter it. Ideally, for reverse engineering tasks, you are only interested in traffic between 2 machines (a client and a server). To establish a filter you need to know the other machine network card address. In order to find it out first establish a filter between your machine and any other, then ping the other machine and capture packets. Look for other machine network card address in the packets you’ve captured. Then use it to establish a one to one traffic filter.

The following Microsoft knowledge base articles may be helpful:

• Q148942 - How to Capture Network Traffic with Network Monitor. Http link: http://support.microsoft.com/support/kb/articles/Q148/9/42.ASP
• Q124837 - Connecting to a Remote Network Monitor Agent Across a Router. Http link: http://support.microsoft.com/support/kb/articles/Q124/8/37.ASP