Hi, my name is Avril Salter and welcome to this short video. What we are going to do today is take a look at how I can apply filters to data that I have captured across my network.
What I am going to do is I am actually going to use a tool called the Microsoft Network Monitor 3.4, often referred to simply as NetMon, to do this. I am going to capture packets from my computer and we are going to apply various filters to them. The first thing I want to do is actually select my adaptor. I am going to come down here to the bottom and deselect these and leave my Local Area Connection highlighted because that is the one I really want to capture data on. Then I click the button New Capture and Start and you can see that I am starting to collect packets.
Now what I am going to do is stop the recording, and I am going to go away and make a couple of Skype calls and surf the Web so we can collect some meaningful data in order to apply our filters. What I am going to do is just pause the Packet Capture for a moment. You can apply the filters even while you are capturing the data; I am going to pause it to stop the screen refreshing itself. The first one I want to do is quite simple: I just want to apply an IP address filter. I can type in IPv4 and I want to take a look at the address. I want that equal to my address, which is 192.168.0.19. I hit Apply.
Now you can see in the Frame Summary section of the window that all I am looking at now is packets that have this IP address as either the source or the destination address. Of course, if I highlight one of these you can see the detail in the windows below, which show the hex format should I want to look inside the packet as well. That is filtering based on the IP address.
What if I want to look at some specific traffic? Let's assume I want to take a look at all the HTTP traffic that is going across my network. The best way to look at something like HTTP traffic would be to filter based on the TCP port number. Let me just clear the text here, and now I am going to type in a new filter: tcp.Port == 80. I apply this filter and, if you follow across these frames, you can now see that they are all HTTP port 80.
You can see now that I have filtered based on IP address and I can filter based on the type of traffic. You can see that I have got quite a lot of Skype traffic. Why don't we now filter and see if we can look at just our Skype traffic. Let me just remove these filters here. One way of setting up a filter, rather than typing it in, is to select the frame with the process name that I want. I will right-click it and select this option here, Add "Process Name" to Display Filter. You can see here now it is saying select all the Conversations.ProcessName == "Skype.exe". Let's apply that filter and now you can see I have all of my Skype traffic selected.
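To make the three filters used above concrete, here is an added example that is not part of the video and is not Microsoft's NetMon code: a small Python evaluator for NetMon-style display filter expressions run over a constructed list of frame summaries. The field names (IPv4.Address, tcp.Port, Conversations.ProcessName) are the ones spoken in the video; the mapping from each name to frame fields, the toy Frame record, the sample capture, and the support for &&, || and parentheses are my assumptions for illustration. It reproduces the one behaviour worth noticing in the video: IPv4.Address and tcp.Port match a frame if the value appears on either side of the conversation, so a single filter shows both directions.

```python
"""Toy evaluator for NetMon-style display filters (illustrative, not NetMon's parser)."""
import re
from dataclasses import dataclass

# One token per match: parentheses, operators, a quoted string, or a bare word/number/IP.
TOKEN_RE = re.compile(r'\s*(\(|\)|==|!=|&&|\|\||"[^"]*"|[A-Za-z0-9_.]+)')


@dataclass(frozen=True)
class Frame:
    """Minimal frame summary, an assumption standing in for a real capture record."""
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    sport: int
    dport: int
    process: str    # owning process, as NetMon's conversation tracking reports it


# Constructed sample capture: made-up addresses and processes, not real traffic.
CAPTURE = [
    Frame("192.168.0.19", "93.184.216.34", "TCP", 52344, 80, "iexplore.exe"),
    Frame("93.184.216.34", "192.168.0.19", "TCP", 80, 52344, "iexplore.exe"),
    Frame("192.168.0.19", "157.55.130.5", "UDP", 60123, 40010, "Skype.exe"),
    Frame("192.168.0.23", "192.168.0.1", "UDP", 137, 137, "System"),
    Frame("192.168.0.1", "192.168.0.19", "TCP", 443, 52345, "Skype.exe"),
]


def field_values(frame, name):
    """Values a field name matches on a frame. Address and port fields match either
    direction, which is why one IPv4.Address filter shows both halves of a conversation."""
    key = name.lower()
    if key == "ipv4.address":
        return {frame.src, frame.dst}
    if key == "ipv4.sourceaddress":
        return {frame.src}
    if key == "ipv4.destinationaddress":
        return {frame.dst}
    if key in ("tcp.port", "udp.port"):
        proto = key.split(".")[0].upper()
        # Frames without that transport layer carry no port values at all.
        return {frame.sport, frame.dport} if frame.proto == proto else set()
    if key == "conversations.processname":
        return {frame.process}
    raise ValueError(f"unknown field: {name}")


def tokenize(text):
    tokens, pos = [], 0
    while True:
        m = TOKEN_RE.match(text, pos)
        if m is None:
            if text[pos:].strip():
                raise ValueError(f"bad filter near: {text[pos:]!r}")
            return tokens
        tokens.append(m.group(1))
        pos = m.end()


def literal(tok):
    """Quoted strings keep their text; bare digits become ints so tcp.Port == 80 compares ints."""
    if tok is None:
        raise ValueError("filter ended early")
    if tok.startswith('"'):
        return tok[1:-1]
    return int(tok) if tok.isdigit() else tok


class Parser:
    """Recursive descent: or := and ('||' and)*, and := term ('&&' term)*, term := (expr) | field op value."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        pred = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "||":
            self.take()
            left = (lambda l, r: lambda f: l(f) or r(f))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_term()
        while self.peek() == "&&":
            self.take()
            left = (lambda l, r: lambda f: l(f) and r(f))(left, self.parse_term())
        return left

    def parse_term(self):
        if self.peek() == "(":
            self.take()
            pred = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return pred
        field, op, value = self.take(), self.take(), literal(self.take())
        if op not in ("==", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        if op == "==":
            return lambda f: value in field_values(f, field)
        return lambda f: value not in field_values(f, field)


def apply_filter(expression, frames=CAPTURE):
    """Return the frames that satisfy a display filter such as 'tcp.Port == 80'."""
    pred = Parser(tokenize(expression)).parse()
    return [f for f in frames if pred(f)]


if __name__ == "__main__":
    for expr in ('IPv4.Address == 192.168.0.19', 'tcp.Port == 80',
                 'Conversations.ProcessName == "Skype.exe"',
                 'IPv4.Address == 192.168.0.19 && (tcp.Port == 443 || udp.Port == 40010)'):
        print(f"{expr}: {len(apply_filter(expr))} of {len(CAPTURE)} frames")
```

The != branch is deliberately "the value appears on neither side", so a frame that lacks the transport layer entirely (no tcp.Port values) also passes tcp.Port != 80; if that is not what you want, filter on the protocol first.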
To finish up on this little video, I wanted to show you a technique that I use when I want to put more sophisticated filters together. This is specifically for NetMon. What I do is come here to where it says Load Filters and enter my Standard Filters, and you can see the different types of filters that I can have. So, for instance, we did one with TCP ports, and you can see that it will actually drop in for me information about these filters and then I can actually go ahead and order these filters. So rather than creating my own, I can look at these standard filters and then decide how I actually want to filter things out. I can do lots of different things: TCP, NetBIOS, my Wi-Fi traffic, authentication traffic, etc. Just by looking at these it really helps you understand and get into more sophisticated filter techniques that are really very valuable.
I hope you enjoyed this short video and come back to join me for the next one.