August 2007 - Posts
Network Monitor (like other sniffers) is a tool that provides insight into what really happens on a
network: it displays the raw data that is sent over the wire. By viewing this data, a system administrator
or a network administrator can see what is happening in the background, on the network.
This insight is significant when troubleshooting a network-related problem, especially when the
software involved gives no indication of the problem that is plaguing it.
It is odd, yet the majority of people I know have a tendency to shy away from sniffers if they don't have
in-depth networking knowledge. In my opinion, intricate knowledge of a protocol is beneficial, yet when
troubleshooting an issue most system/network administrators will gain valuable information by using a sniffer.
Recently, I had to troubleshoot an FTP session that just seemed to freeze (no error messages could be found).
By using Network Monitor and analyzing the FTP sessions I was able to identify the issue by examining an
error message inside the protocol that was not relayed by the software.
Network Monitor History and Basics
Up until the release of Network Monitor 3.0, the tool had two versions:
- Bundled with a Microsoft server operating system - NM was not installed by default and could only
capture data that was sent from the local system or addressed to it (this also included broadcast traffic).
- SMS version - The major advantage of this version is its ability to capture all data that the system
"hears" (a.k.a. promiscuous mode).
Network Monitor 3.0 is no longer bundled with Windows 2008 (at the time of writing this post); it can be downloaded at:
After installing NM3, the user is greeted with the "Start Page":
There are several interesting points worth mentioning here:
- The page is divided into three parts:
- The top left part has two buttons that enable the creation of capture or the viewing of a capture file.
The third point of interest here is the checkbox before the sentence saying "Enable Conversations" (disabled
Conversations are a new and interesting feature: once enabled, NM3 will try to provide the user with filters based
on the network conversation between two hosts for a specific purpose (e.g. a DNS query). More on this subject later.
- On the bottom left the user can choose which network interface will be used for capturing the data and whether
the NIC will be used in p-mode (promiscuous mode) or not (capturing only traffic destined to it or coming from it and
- The right half provides general information about NM3.
- Tabs - NM3 allows the user to initiate several captures and view them simultaneously by using tabs. Each tab is a different
capture. As you can see in the screenshot above, I have three captures, two active and one inactive (lights represent the
- Parsers tab - The parsers tab provides a glimpse into the inner workings of NM3. Each protocol that is "identified" by NM3,
and thus displayed with the correct fields, is defined by a parser. If a specific protocol has no parser, its information will
be displayed by NM3 as raw data.
Creating a data capture tab
Once you are ready to use NM3 you should create a data capture tab by pressing the button appropriately called "Create a
new capture tab...". Once the button is pressed a new tab is created, but no data is captured yet.
The capture tab has the following points of interest:
- Left window (Network Conversation) - The conversation window provides details about specific conversations
and enables filtering of the data based on those conversations.
- Top right (Filters and Masks) - Provides the user with the ability to define filters and to mask information by
- Middle right (Frame Summary) - Provides the capture information formatted in a structure where each frame is a line.
This is intended to be a summary of the frame. The columns to be displayed can be configured to the level of specific
fields inside specific protocols.
- Bottom left (Frame Details) - The details of a specific frame, or in other words each field of the protocols captured inside
a specific frame (based on the structure that the parser dictates).
- Bottom right (Hex Details) - The raw data as captured.
After all the theory and explanations, let's get into it. I will start by capturing data and then explain how each window can
be used in order to understand the capture.
I will generate the following traffic:
- A DNS query (www.microsoft.com)
- Ping a remote system (10.0.0.2) (DC01)
- My system's IP address is 10.0.0.4 (CORE)
After creating the capture tab, all that needs to be done to start capturing data is to press the green play button on the toolbar.
Once NM3 started capturing I initiated the traffic, and the result I received can be seen in the following screenshot:
After looking at the previous screenshot, "needle in a haystack" comes to mind... So to find the traffic we are
looking for we have to start filtering. This can be done using several methods; the simplest is to use conversations.
As mentioned earlier, conversations are classifications of captured data into coherent pieces of information.
Think about being in a room full of people that are talking to each other; it would be relatively hard to understand the
conversations they are conducting if you tried to listen to every conversation simultaneously. In this case it would be beneficial
if you could isolate each conversation and listen to it separately.
That is exactly what NM3 conversations do for you.
The conversations window is built around an inverted tree with two branches:
- My Traffic - Shows only traffic either initiated by the local system or intended for it.
- Other Traffic - If p-mode is enabled this will show other conversations on the network (depending on the physical
environment you are connected to, you may need port mirroring enabled on the switch).
Under each branch, each conversation between a pair of computers is given a specific conversation ID. Each conversation
can branch out into more specific conversations on specific subjects (IP > UDP > DNS). Let's take a look at our example:
As you can see, under "My Traffic" there are several conversations. The one that interests us is the one with the ID of
4. This conversation is between our system (10.0.0.4) and a remote system (10.0.0.2) using IPv4. Inside this conversation
several specific conversations exist. One of them was created by our DNS query for 'www.microsoft.com'.
When we look at the sub-conversation with the ID of 12 (or 4:12) and then drill down further to 13 (4:12:13) we find our
query and the reply to it (this is evident from looking at the 'Frame Summary' and 'Frame Details' windows).
Filters are a more flexible method for focusing your view on a specific part of the captured traffic. With filters, you can limit
the information that is presented to you at a very granular level: you can choose to filter your view based upon any field
inside a specific protocol parsed by NM3.
There are two types of filters in NM3:
- Display Filters - By defining such a filter, only the data that matches the filter will be displayed.
- Capture Filters - By defining such a filter, only the data that matches the filter will be captured.
To give the filtering mechanism maximum flexibility, the process of defining filters has become a bit more complex.
Do not be alarmed though; once the basics are learned it is relatively simple to use them. The three main methods
for creating filters are:
- Standard Filters
- Right Click Filtering
- Manual (or using Intellisense)
Standard filters are predefined filters which can be customized to fit your needs. You can choose these predefined
filters by pressing the button with the yellow folder and green arrow, then choose from the standard filters.
Once you have chosen a specific filter, it is placed in the filter window and you can edit it (the '//' prefix is used
Once you have customized the filter you can verify its syntax by pressing the 'Verify' button. If the
syntax is correct you will receive a green checkmark at the left of the screen.
At this stage you are ready to apply the filter by pressing the 'Apply' button.
In the following example I will filter the capture to display only information originating from 18.104.22.168:
Right Click Filtering
Right click filtering is (in my opinion) the simplest method. Once you have your capture, you can right click a specific
piece of information upon which you wish to base your filter, choose 'Copy Cell as Filter' and then paste it into the filter
In the following example I will achieve the same result as in the previous example.
Note that even though the syntax differs, the results are the same. In other words, there are several ways to reach
a specific result.
Manual (or using Intellisense)
You can configure filters manually simply by writing them. The interesting part here is the ability to use Intellisense.
Intellisense lets you start typing a specific phrase and have the system offer you alternatives.
To start Intellisense, enter a period (.). You will then be offered the possible verbs.
To follow up on our previous examples, choose 'Protocol', then a period again, choose IPv4, period, SourceAddress, then
the equal sign (twice) and the IP address. Apply the filter.
Building a complex filter (or defining several conditions)
In order to fine tune a specific filter, you can combine several conditions in a single filter using the AND (&&) and OR (||)
logical operators. As an example, let's try to find the traffic originating from 10.0.0.2 (DC01) that is DNS related.
To further complicate matters, we would like to use our previous filter but also identify ICMP traffic originating
from 10.0.0.2 (DC01).
If you are paying attention, you must have noticed that the previous screenshot is incorrect. The screenshot shows traffic that
originates from additional hosts (we wanted to see DNS and ICMP traffic originating from 10.0.0.2 only).
If we look at the filter we have built we should be able to identify our error:
.Protocol.IPv4.SourceAddress==10.0.0.2 AND .Protocol.DNS OR .Protocol.ICMP
When evaluating the condition, AND is applied before OR, so the result achieved is one of a system with the address of 10.0.0.2 using DNS or any system
To get the result we are looking for, we can use parentheses in the following manner:
.Protocol.IPv4.SourceAddress==10.0.0.2 AND (.Protocol.DNS OR .Protocol.ICMP)
As an additional example of this flexibility, if we would like to identify "Echo Request" traffic originating from a specific address we can build
a filter based on the ICMP protocol field 'Type':
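To make the precedence mistake above concrete, here is a small Python model (example code written for this page, not part of Network Monitor or the original post) that parses filters in the NM3 style used above, with AND binding tighter than OR, and runs them over a handful of constructed frames modelled on the DNS and ping traffic between CORE and DC01, plus one ping from an unrelated host:

```python
import re
# Constructed sample frames modelled on the post's capture: 10.0.0.4 (CORE) queries DNS and pings
# 10.0.0.2 (DC01), and a third host pings CORE. The nested dicts mirror the .Protocol.<Proto>.<Field>
# paths that NM3 filters use; they are an illustrative model, not Network Monitor's real frame layout.
def frame(src, dst, **protos):
    return {"Protocol": {"IPv4": {"SourceAddress": src, "DestinationAddress": dst}, **protos}}

FRAMES = [
    frame("10.0.0.4", "10.0.0.2", UDP={}, DNS={"QName": "www.microsoft.com"}),  # 0 DNS query
    frame("10.0.0.2", "10.0.0.4", UDP={}, DNS={"QName": "www.microsoft.com"}),  # 1 DNS reply
    frame("10.0.0.4", "10.0.0.2", ICMP={"Type": 8}),  # 2 echo request
    frame("10.0.0.2", "10.0.0.4", ICMP={"Type": 0}),  # 3 echo reply
    frame("10.0.0.9", "10.0.0.4", ICMP={"Type": 8}),  # 4 echo request from an unrelated host
]
# Tokens: parentheses, '==', AND/OR (or && / ||), a '.'-prefixed field path, or a bare literal.
TOKEN = re.compile(r"\(|\)|==|&&|\|\||AND\b|OR\b|\.[A-Za-z0-9_.]+|[A-Za-z0-9_.]+")

def tokenize(text):
    tokens = TOKEN.findall(text)
    if "".join(tokens) != re.sub(r"\s+", "", text):  # every non-blank character must be a token
        raise ValueError(f"cannot tokenize filter: {text!r}")
    return tokens

class FilterParser:
    # Recursive descent in which AND binds tighter than OR, so 'A AND B OR C' parses as '(A AND B) OR C'.
    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0
    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None
    def take(self):
        self.i += 1
        return self.tokens[self.i - 1] if self.i <= len(self.tokens) else None
    def expr(self):  # expr := term (OR term)*
        node = self.term()
        while self.peek() in ("OR", "||") and self.take():
            node = ("or", node, self.term())
        return node
    def term(self):  # term := atom (AND atom)*
        node = self.atom()
        while self.peek() in ("AND", "&&") and self.take():
            node = ("and", node, self.atom())
        return node
    def atom(self):  # atom := '(' expr ')' | path ['==' literal]
        token = self.take()
        if token == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if token is None or not token.startswith("."):
            raise ValueError(f"expected a .field path, got {token!r}")
        path = token[1:].split(".")
        if self.peek() == "==" and self.take():
            return ("eq", path, self.take())
        return ("has", path)  # a bare path means 'this protocol/field is present in the frame'

def lookup(node, path):  # walk the nested dicts; None when any step is missing
    for part in path:
        node = node.get(part) if isinstance(node, dict) else None
    return node

def evaluate(node, frame_data):
    if node[0] == "has":
        return lookup(frame_data, node[1]) is not None
    if node[0] == "eq":
        return str(lookup(frame_data, node[1])) == node[2]
    left, right = evaluate(node[1], frame_data), evaluate(node[2], frame_data)
    return (left and right) if node[0] == "and" else (left or right)

def apply_filter(text, frames=FRAMES):  # indexes of the frames the display filter matches
    parser = FilterParser(tokenize(text))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [i for i, f in enumerate(frames) if evaluate(tree, f)]
```

Running the filter without parentheses returns frames 1 to 4 (every ICMP frame, including the one from the unrelated host), while the parenthesised version returns only frames 1 and 3, the DNS and ICMP traffic sent by 10.0.0.2.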
This post is not intended to be an all-inclusive document about NM3. I have tried to describe the features that are used most
frequently. There are additional options (saving filters, defining aliases, wireless and using additional filtering verbs) that might come in handy
and that you might want to explore.
The huge advantage of being able to use NM3 or a similar tool is that you have the ability to see beyond standard error messages (that
may or may not exist). As mentioned earlier, knowledge of protocol structure and function is very beneficial but it is not a must (seeing
an error is seeing an error).
When you tackle a problem using NM3, you may be able to identify its root cause by following these principles:
- Identify the failing process
- Start capturing traffic with NM3
- Initiate the failing process
- After ample time stop the capture
- Filter the output and search the results for meaningful information
After tons of speculation it seems that it is finally on the way. According to a post on the Windows
Vista blog, SP1 will be released in a Beta version in a few days.
The post also mentions that the service pack will be released in the first quarter of 2008.
And it says that the unlock will be released in the next 72 hours...
(they didn't mention next to what though...)
A new blog from Microsoft has been opened: hackers @ microsoft.
At this stage (obviously), it is unclear what direction it will take, yet it seems
interesting enough to follow:
The issues seem to have been fixed. Users that have been affected should try to re-validate
and restart their system.
Windows Genuine Advantage blog post.
News of this has been popping up all around the Net. In addition to that I also received
a few e-mails about it from fellow MVPs. It seems that Microsoft is aware of the issue and
tech support says that it might be down for a couple of days (?!?!).
The problem is that if you attempt to update your system (Vista), it will go into reduced functionality
mode as it seems to be pirated.
Personally I haven't felt it yet...
It seems that the lawyers started working...
You know those inspirational posters that people used to (maybe still do) hang?
Well, when they are inspired by Star Trek they are that much funnier:
You can find the rest of them at: http://echosphere.net/star_trek_insp/star_trek_insp.html
There aren't many quizzes I like, but considering the fact that I grew up on these guys
I had to try it. Here are the results:
OPTIMUS PRIME
Take the Transformers Quiz
Many people were disappointed by the fact that the iPhone could only be used with one
carrier; not only did this limit US owners to a specific carrier, it also made it virtually impossible
for anyone outside the US to use the iPhone (think about the cost...).
A crack (or unlock) was inevitable. A hardware unlock surfaced a few days ago, yet it wasn't
for the faint-hearted.
Yesterday (or so it seems) the first report of a software unlock finally surfaced on the Engadget
A few hours later a second unlock was reported.
Z-time to play...
Most systems that I install have a directory with the source files for the operating system
and any service packs installed on the system. The reason for this is obvious: if someone at a later
stage would like to add additional components, he shouldn't have to scramble for the installation
One small, yet very annoying (in my opinion), side effect of not having the source files in the same
location as they were during installation is a dialog box requesting you to point the system
to the new location (during the installation the system saves the current location [in the majority of
cases the CD drive] and it will look for the files there).
The information is saved inside the registry in the following locations:
"SourcePath"="C:\\" [Location of the OS source files; should point to one level above the actual directory]
"ServicePackSourcePath"="C:\\" [Location of the SP source files; should point to one level above the actual directory]
"SourcePath"="C:\\I386" [Location of the OS source files; should point to the actual directory]
The tools provided by Sysinternals are perceived as a supplement to the resource kit; in short they are the
Swiss army knife of the IT department, and best of all they are freeware.
BGINFO - adds systems information to the desktop background (IP,host name etc.)
REGMON - Monitors changes in the registry
FILEMON - Monitors changes on the file system
PSEXEC - Enables the execution of commands on remote machines
For more information about the tools that are available you can view a short tour of the tools
Sysinternals is currently a part of Microsoft (the tools are still free at www.sysinternals.com ).
People that know me personally are aware of the fact that I hate running. I just don't like it;
my philosophy in life is either wait for it as it will come to you, or stand and fight. Don't run.
Surprisingly enough this changed, and technology is to blame. I discovered Nike+, which allows you
to monitor your runs/walks and provides you with all the necessary statistics that will keep
The device is actually made up of two pieces, a small sensor placed inside or on your shoe and
a receiver connected to an iPod Nano. The sensor measures your pace and distance while
the receiver saves the information on the iPod.
[BTW, this might be old news to some/most of you; I just discovered it...]
After your run or walk, you can synchronize your information with a web site created by Nike. On
the web site you can set goals for yourself, join challenges and other cool stuff. The web site
also provides badges that can be added to personal blogs.
Now this may sound like a paid-for advert, but it's not; I actually like this. I saw this about 9 months
ago on a trip to the States and I thought to myself, it won't sell. I was wrong (I just bought mine).
The coolest feature it sports is the ability to motivate you; by using goals and challenges you actually
get out there and run.
What baffles me is: how does the sensor work?
It's accurate (without any need for calibration) and it does not function as a pedometer (it can be tied to
your shoelaces), so how does it work?
One rant: as usual, Israel is not included on the web site...
1000GB to fit on a disc, wow!
That's a lot of data.
In addition to that, the company that has developed it is an Israeli company (which
makes me proud...). Hi-Tech is still strong over here.
The link at Engadget:
The company's web site:
Somewhat surprising but understandable. The question is how Citrix will size up against Microsoft
if Microsoft sees them as competition and not as a partner.
Official announcement by Citrix
Brian Madden's comments
A post about the interoperability of these two systems has been published on the Exchange team
The highlights are:
- Exchange 2007 (RTM) cannot be installed on Windows 2008.
- Exchange 2007 SP1 (when released) will be supported on Windows 2008.
- Exchange 2007 and Exchange 2003 (SP2) are supported with Windows 2008 domains.
- Management tools for Exchange 2007 (RTM) and 2003 are not supported on Vista and/or Windows 2008.
- Management tools for Exchange 2007 SP1 (when released) will be supported on Vista and/or Windows 2008.
For the additional (somewhat confusing) details, take a look at the post:
The ISA server team has posted a guide on the subject (in three parts). The guide
covers most aspects of the subject including troubleshooting.
Hard to believe, 25 years have passed. My first music CD was from Queen...
Physical security of a system is one of the most important parts of a layered security plan.
You can invest a lot of money in protecting a system from being attacked through the network,
but if you neglect physical security a perpetrator just needs to walk up to a system (or a device
that provides access to a system) and access it...
According to Engadget, Raritan provides a KVM to be accessed by a smart card owner only:
Server Core is an odd animal. Personally I find it to be an interesting option that provides a great
platform for a very specialized system, one that you install and then forget that it exists.
I find it hard to believe that it will be adopted as a mainstream platform since it has a very steep
learning curve. I saw a comment to a post about it saying that we have left the black screen behind
for a reason, and there is no reason to embrace it again.
Server Core provides a platform that has a minimal attack surface; the first thing you encounter
is that the shell has been removed. EXPLORER.EXE is not used as the shell; its replacement is CMD.EXE.
An additional difference is that Server Core can be deployed with a relatively limited arsenal:
- Active Directory Domain Services
- Active Directory Lightweight Directory Services (AD LDS)
- Streaming Media Services
- IIS (has been added according to the Server Core Blog)
- BitLocker Drive Encryption
- Network Load Balancing
- Simple Network Management Protocol (SNMP)
- Subsystem for UNIX-based applications
- Windows Internet Name Service (WINS)
Preparing for Installation
There are a few points to keep in mind before installing. The main one is that Server Core has to be installed
as a clean installation (there is no option to upgrade or change versions to it). An additional point to keep in
mind is that once it's installed, it's here to stay (there is no way to upgrade it to a full installation).
The installation of Server Core is very similar to the installation of the standard product. You need to be either
equipped with a proper key (for Server Core) or you can choose the option manually.
Another option for installing Server Core is an unattended installation. This option is actually a beneficial one
since it allows the installer to perform the post-installation tasks using the answer file. This option will be covered
in a later post.
After the standard installation, since the standard shell is missing, the initial configuration must be handled manually
using command line interface (CLI) tools.
When the system starts up after the installation you are greeted with a logon window that allows you to choose
After choosing "Other User" you are provided with a screen that has empty logon fields. Use the "Administrator"
account with a blank password. Once this is done you are prompted to change your password.
Then you have finally arrived; this is it, a Windows with CMD as a shell.
At this stage the interesting part begins: configuring the server.
The basic things that need to be done on a standard server are also needed here, with one big difference: everything
(well, almost) needs to be done using the CLI.
Configuring the IP address (or any other networking configuration) has to be done using NETSH:
netsh interface ipv4 show interfaces - Displays the network interfaces on the system.
netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway> - Configures a static IP on the server.
Changing the system's name can be done by using the netdom command:
netdom renamecomputer <old name> /newname:<new name>
To restart the system you can use the shutdown -r command.
To change the time zone on a system use: control timedate.cpl
To change regional settings use: control intl.cpl
Since some settings on a Server Core installation cannot be configured using local or remote tools,
a script has been created to alter those settings. The script's name is SCREGEDIT.WSF and it is located
- Enable automatic updates
- Enable Remote Desktop for Administration
- Enable Terminal Server clients on previous versions of Windows to connect to a server running a Server Core installation
- Configure DNS SRV record weight and priority
- Manage IPSec Monitor remotely
The task of installing roles and features is a bit more complicated as there is no GUI, so the standard wizards are
absent. In addition to that, the command line equivalent of Server Manager is missing too (servermanagercmd.exe).
To install features or roles on a Server Core installation use OCSETUP.EXE.
As an example if you are interested in installing the DHCP role, use the following syntax:
start /w ocsetup DHCPServerCore
* Using 'start /w' makes sure that the command prompt only returns after the installation has completed.
* Another interesting anecdote is that the role and feature names are case sensitive... Not sure how happy this
Considering the fact that role/feature names are case sensitive, installation and removal may be problematic.
In addition to that you may also want to check what is installed on a server.
OCLIST to the rescue! With OCLIST you can list the names of the available features and roles and their status.
This post about Server Core only touched the tip of the iceberg. Server Core is a good deployment
when a specialized system is needed; on the other hand I can't see system administrators working with it on a daily
basis, for a couple of reasons:
- It does not have all the deployment options a full server has
- Using the command line only can be very unfriendly. Microsoft in general, and Windows specifically, gained their
leading position due to the GUI; I can't see people going back to the command prompt only (I may be wrong though)....
To be able to manage Server Core a system administrator must be aware of all the command line tools that exist and
their options. To start learning about them you can download the Server Core Step by Step Guide from: