Microsoft Message Analyzer Operating Guide
https://technet.microsoft.com/en-us/library/jj649776.aspx
https://blogs.technet.microsoft.com/networking/
https://blogs.technet.microsoft.com/messageanalyzer/
https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/
https://blogs.technet.microsoft.com/netmon/2010/02/24/measuring-response-times/
https://blogs.technet.microsoft.com/netmon/2010/12/21/filtering-on-timestamps/
Network Monitor TCP Filtering
Data Fields:
|
Field |
Description |
Example |
| TCP.Port | Filters on the Source or Destination port. Used to find traffic based on port which is often associated with an application. | TCP.Port==80 |
| TCP.Flags.Reset | Can be used to test and see if the reset flag is set. | TCP.Flags.Reset==1 |
| TCP.Window | Window Size of the current TCP frame, but ignoring the scale factor. See Property.TCPWindowSize below. | TCP.Window == 0 |
Properties:
| Property | Description | Example |
| TCPRetransmit | A property that is set when a TCP retransmit is found. Retransmits are often an indication of a network infrastructure problem and network congestion. | Property.TCPRetransmit == 1 |
| TCPPayloadLength | Represents the TCP Payload Size. | TCPPayloadLength == 0 |
| TCPCheckSumStatus | This is a string that represents if the check sum is valid or not. This could be "Good" or "Bad". | TCPCheckSumStatus != "Good" |
| TCPDescription | A property to show the TCP Description for the current frame as opposed to the top most protocol description. This is useful as a frame summary column. You can also use it to search for specific retransmitted frames by searching for the text in the TCP summary, as the example shows. | TCPDescription.Contains("#472") |
| TCPAckNumber | The current frame's Acknowledgement Number | TCPAckNumber==1234 |
| TCPSeqNumber | The current frame's Sequence Number | TCPSeqNumber==1234 |
| TCPSeqeunceRange | The TCP Sequence range, as a string, which is the current seq number to the current seq plus the length of the TCP payload. | TCPSequenceRange.Contains("1234") |
| TCPShortAckNumber | A WORD representation of the Ack number to make it easy to compare and remember. | TCPShortAckNumber==1000 |
| TCPShortSeqNumber | A WORD representation of the Seq number to make it easy to compare and remember. | TCPShortSeqNumber==1000 |
| TCPFlags | A string representation of the various TCP flags for the frame: CWR, ECE, Urgent, Ack, Push, Reset, Syn, Fin. | TCPFlags.Contains("R") |
| TCPWindowSize | The Window Size for the current frame including the scaling factor if the 3 way handshake is available in the same trace. | TCPWindowSize==0 |