Skip to Content

How to Monitor and Diagnose Windows Network Traffic?

By: Author Alex Lim

Posted on

Categories Networking

Microsoft Network Monitor 3.4 is a lightweight, straightforward tool for capturing and analyzing network traffic on Windows systems. Though deprecated and less feature-rich compared to Wireshark, it excels in specific tasks due to its simplicity and ease of use.

How to Monitor and Diagnose Windows Network Traffic?

Key Features and Limitations

Advantages

  • User-friendly graphical interface.
  • Minimal resource consumption.

Drawbacks

  • Limited packet analysis capabilities.
  • No updates in recent years.

When to Use Network Monitor? It is particularly useful for diagnosing straightforward issues, such as tracking outgoing traffic to SMTP servers or troubleshooting network anomalies.

Practical Steps to Capture Network Traffic

  1. Download the installer from Microsoft’s website or use the WinGet command: 
    winget install Microsoft.NetMon
  2. Launch the application with admin privileges to access all network interfaces.
  3. Open “Capture Settings.”
  4. Apply a filter to monitor specific ports (e.g., SMTP ports 25, 587, 465): 
    tcp.port == 25 OR tcp.port == 587 OR tcp.port == 465
  5. Optional: Add source IP filters to narrow down traffic further.
  6. Click “Start” and reproduce the issue or let the tool run over time.
  7. Ensure adequate RAM and disk space for long-term captures.
  8. Identify problematic traffic by reviewing packet details. For example, SMTP packets may reveal the sender’s process (e.g., blat.exe).
  9. Save traffic logs as *.CAP files for offline analysis.
  10. Use display filters to isolate specific IPs or protocols during review.

Advanced Tips

  • Expand Filtering: Combine logical expressions (AND, OR) for nuanced filtering.
  • Utilize Built-in Parsers: Select the “Windows” parser profile to decode captured traffic effectively.
  • Leverage Other Tools: Consider using PktMon for lightweight command-line traffic captures, then analyze results with Network Monitor or Wireshark.

Network Monitor remains a valuable, albeit outdated, diagnostic tool for network administrators. For advanced needs, alternatives like Wireshark or native Windows tools (e.g., PktMon) may provide additional utility. Following a systematic approach, as outlined above, ensures precise and actionable insights into network traffic.