Learn What IT Pros Need to Know About Windows 11 - August 24th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 24th at 1 PM ET!

Microsoft Network Monitor - Part 1

Microsoft offers a network diagnostic/monitoring tool that allows you to perform network trouble-shooting tasks. Aptly named Microsoft Network Monitor, this tool collects information from a network’s data stream and displays different types of information, including:

  • the source address of the computer that sent a frame onto a network
  • the destination address of the computer that received the frame
  • the protocols used to send the frame
  • the data, or portion of the message being sent
  • and many others

(Instructional video below provides a walkthrough of the steps contained in this article.)


Microsoft Network Monitor collects information using a process known as capturing. You can use this tool to capture statistics on all frames it detects on the network or on a specific subset of frames. In this post, we’ll show you:

Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

  • where to take a capture,
  • how to gather documentation and use a cheat sheet,
  • how to customize what information should be captured,
  • how to customize the user interface,
  • how to make sense of the captured data,
  • how to get more information out of the data that’s captured, and
  • how to view specific frames in an XML format and in a window by themselves.

Where to take a capture

The decision on where you need to take a capture from will depend on certain conditions like say, the number of machines involved or whether firewalls are in place.

For example, if you have two machines, there can be two possible scenarios: 1) when there are no firewalls involved and 2) when there are.

In the first scenario, you can take a trace on either machine. However, in the second scenario, you might want to take a trace on both machines at the same time.

The first trace on the first machine is to determine whether there are any data packets that are being dropped due to existing outbound firewall rules. The trace on the second machine, on the other hand, is to determine whether there are any inbound firewall rules that are preventing data from coming in.

Microsoft Network Monitor

In a real world scenario like the one below, you can take traces on the following locations:

  1. On the Windows 7 Client’s network interface
  2. On the internal side of the firewall
  3. On the external side of the firewall, and
  4. On the inbound network adapter on the Exchange Server
Microsoft Network Monitor

The trace on the external side of the firewall should be there just in case the firewall has been configured with rules that drop packets which you are not aware of. With these four traces, you can tell whether the packets left the Windows Client, went through the firewall, and entered the Exchange Server.

How to gather documentation and use a cheat sheet

When your network starts to grow and you start having multiple machines (some probably spanning different time zones and continents), you will need to use a cheat sheet to record data regarding issues you encounter along the way.

Many of these issues take days or even weeks to resolve and often involve traces with hundreds of thousands packets in them. Oftentimes, you won’t be troubleshooting a single trace in just one troubleshooting session.

So if you don’t keep any documentation, chances are, you’ll forget the details of certain issues in a trace and when it’s time to resume troubleshooting on it, you will be forced to start all over again.

Some of the things you will want to record are:

  • the issues themselves
  • IP addresses of the machines between which the information you’re looking for is located
  • packet numbers you’ve already analyzed or still have to analyze

Here’s an example where we show you how a typical cheat sheet is used.

Let’s assume we have two domain controllers. One domain controller, say DC1, has an IP address of The other domain controller, say DC2, has an IP address of

Let’s also assume that we just mapped a network drive on DC1.

Here’s a typical Frame Summary that includes the traffic generated when the network drive was mapped.

Microsoft Network Monitor

The data packets related to drive mapping are the ones that begin with SMBs (Small Message Block) packets. If, upon mapping the network drive an error occurred and we received an “Access denied” notification, we would have to document the issue.

Your cheat sheet may be a simple Notepad file wherein, for this particular issue, you would jot down the following information:

network drive mapping
error message - access denied

source ip address =
destination ip address =

For more complicated setups, like one where you may be dealing with multiple machines, you may add as many information as you think is necessary. For example, you may want to add a rudimentary graph illustrating what should have happened and where you think the problem might be residing at.

That way, when you get back to this issue in the future, you’ll know what it was all about.

How to customize what information should be captured

You may specify what information should be captured by choosing a Parser Profile. There are five ready-made parser profiles that you can initially choose from. But if you want, you may also create customized parser profiles.

The 5 ready-made parser profiles are namely:

Pure – performs no parsing and very limited filtering;
HPC (High Performance Capture) – provides optimized filtering speeds but its filtering capability is limited to TCP and UDP protocols and some protocols related to these two.
Faster Pasing – parses more protocols like: ARP, HTTP, DNS, and NBTNS but doesn’t include SMB and SMB2.
Default – This is the default profile, which parses all the protocols mentioned previously as well as SMB, SMB2, and RPC.
Windows – parses every Windows-based protocol plus SQL. It is considered the heavyweight in terms of parsing cost.

Generally speaking, the more data packet details a packet profile has, the slower the trace will be and the longer it will take to generate its view.

Packet profiles are typically set before you begin your trace. To choose a packet profile, just go to Parser Profiles > NetworkMonitor Parsers. There you’ll find the parser profiles enumerated above.

Microsoft Network Monitor

How to customize the user interface

Some of you might want to organize your Network Monitor user interface in a particular way so that only the information you’re interested in are shown and so that they are positioned where they can help you work more efficiently.

Some of the things you can do to organize the user interface include:

  • docking and un-docking panes
  • hiding unwanted panes
  • showing the panes you often need,
  • getting the default display settings back, and
  • changing the layout of the panes to Simple, Diagnostic, Developer, and the default layout

To un-dock a pane, just click on that pane’s title bar, press and hold the SHIFT button, then click and drag the pane out of its docked position. You can then move it to where you want it to be.

Microsoft Network Monitor

To hide a pane, just click the ‘x’ button on its upper-right corner.

Microsoft Network Monitor

To bring a hidden pane back into view, navigate to the View menu and select the pane you want to show. You will also see a menu item named Restore Default Layout under that menu. Clicking that will restore the layout back to its default settings. You’ll need this if you’ve moved a lot of things around and later on realize you don’t want the new layout after all.

Microsoft Network Monitor

Here’s how the Default Layout looks like.

Microsoft Network Monitor

In addition to the Default Layout, there are also other pre-configured layouts to choose from. To use those layouts, just navigate to the Layout menu and select a layout from there. Notice that the Restore Default Layout can also be selected from that menu.

Microsoft Network Monitor

Here’s how the Diagnostic layout looks like. This layout is normally used if, in addition to other information, you want to see as many frames as possible.

Microsoft Network Monitor

Here’s the Developer layout.

Microsoft Network Monitor

If, after moving panes, removing the ones you don’t like, showing the ones you do, and changing their sizes, you’ve arrived at a customized layout that you really like, you can save that layout for future use. To do that, just click the Save As button.

Microsoft Network Monitor

In the Save As window, give the layout a name (e.g. cap3) and click the Save button.

Microsoft Network Monitor

So the next time you launch Network Monitor, you’ll see that file displayed as a link and ready for use.

Microsoft Network Monitor


You’ve reached the end of Part 1 of Microsoft Network Monitor. In Part 2, you’ll learn:

  • How to make sense of the captured data
  • How to get more information out of the data that’s captured
  • How to view specific frames in an XML format and in a window by themselves

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (6)

6 responses to “Microsoft Network Monitor – Part 1”

  1. Networking

    [...] Microsoft Network Monitoring Training - Available Now at TrainSignal.Want to learn to make sense of your network data? Microsoft Network Monitor assists you in capturing and analyzing network data in real time. In this course Rhonda Layfield teaches you to use Microsoft Network Monitor to effectively troubleshoot your network's traffic. [...]
  2. Hour Online Forex – Improve Your Online Forex Trading With Real Time Information

    [...] #split {}#single {}#splitalign {margin-left: auto; margin-right: auto;}#singlealign {margin-left: auto; margin-right: auto;}#splittitlebox {text-align: center;}#singletitlebox {text-align: center;}.linkboxtext {line-height: 1.4em;}.linkboxcontainer {padding: 7px 7px 7px 7px;background-color:#eeeeee;border-color:#000000;border-width:0px; border-style:solid;}.linkboxdisplay {padding: 7px 7px 7px 7px;}.linkboxdisplay td {text-align: center;}.linkboxdisplay a:link {text-decoration: none;}.linkboxdisplay a:hover {text-decoration: underline;} function opensingledropdown() { document.getElementById('singletablelinks').style.display = ''; document.getElementById('singlemouse').style.display = 'none'; } function closesingledropdown() { document.getElementById('singletablelinks').style.display = 'none'; document.getElementById('singlemouse').style.display = ''; } Engaging Your Twitter Followers So They Stick AroundMicrosoft Network Monitor - Overview of Network Monitor [...]
  3. Microsoft Network Monitor - Data Capturing Tutorial

    [...] In Part 1 of this post, we talked about: [...]
  4. Microsoft Network Monitor – Part 2

    [...] In Part 1 of this post, we talked about: [...]
  5. Download Microsoft Network Monitor 3.0

    […] Microsoft Network Monitor 3.0 is a brand new protocol analysis tool. It has been under development for about 2 years at Microsoft. You are welcome to try it out and provide feedback to us. Key features of Microsoft Network Monitor 3.0 include: […]

Leave a Reply

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.


Sponsored By