Microsoft Network Monitor 3.4 Network capture filters

I'm a big fan of Wireshark but recently found myself using Microsoft Network Monitor more, as we have it installed on a lot of web servers. Here is a list of filters that I found useful. Some of these filters can be found on the Microsoft blog.

IPv4 Filters:

//Filter to show only ICMP packets from a source IP
ipv4.SourceAddress == 192.168.11.44 AND ICMP

//Filter on source IPv4 address.
IPv4.SourceAddress == 192.168.11.1

//Filter on IPv4 address (source or destination).
IPv4.Address == 192.168.0.1

//View IPv4 traffic between a source and a destination node.
IPv4.Address==10.0.0.1 and IPv4.Address==10.0.0.222

//Show Retransmits
Property.TCPRetransmit == 1
Property.TCPSynRetransmit == 1

//Find a Web page string (URI or URL).
Contains(Http.Request.URI,"msn.com")

//Hide RDP if the network trace was captured in a terminal session.
!(tcp.port==3389)

TLS/SSL Filters:

//Filter frames with SSL Handshake
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType == 0x1

//TLS 1.x Client Hello filter, determine client and server
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello

//Show TLS Alerts
TLS.TlsRecLayer.TlsRecordLayer.ContentType== 0x15

//View certificate filter: show frames which contain certificates exchanged in the TLS negotiation (handshake type 0xb = Certificate)
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.HandShakeType == 0xb

//Filter to locate a TCP three-way handshake: show all TCP SYN ACK frames (the server's reply to the client's SYN)
TCP.Flags.Ack == 1 AND TCP.Flags.Syn == 1

Cipher Filters:

List of TLS cipher suite IDs (IANA to OpenSSL name mapping) that can be used in the filters below:
https://testssl.sh/openssl-iana.mapping.html

//Filter to find TLS Client Hellos which are offering ECDHE_RSA_WITH_AES_256_CBC_SHA as an available cipher
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher == 0xc014

//Filter to find TLS Client Hellos which are offering ECDHE_RSA_WITH_AES_128_CBC_SHA as an available cipher
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher == 0xc013

//Filter to find TLS Client Hellos which are offering ECDHE_ECDSA_WITH_AES_256_CBC_SHA as an available cipher (IANA id 0xC00A)
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher == 0xc00a

//Filter to find TLS Client Hellos which are offering ECDHE_ECDSA_WITH_AES_128_CBC_SHA as an available cipher (IANA id 0xC009)
TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello.TLSCipherSuites.Cipher == 0xc009
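The TLS filters above all compare raw protocol fields: the record-layer ContentType (0x16 handshake, 0x15 alert), the handshake type (0x1 ClientHello, 0xb Certificate) and the two-byte cipher suite IDs inside a ClientHello. To make those constants concrete, here is an added example (not from the original post, and not Network Monitor code) that builds a constructed TLS 1.2 ClientHello record in memory and parses it with the same fields, so you can check which suites a client offers in exactly the way the `TLSCipherSuites.Cipher == 0x...` filter does. All function names and the sample bytes are this example's own.

```python
"""Decode the TLS record/handshake fields the Network Monitor filters key on.

Added example, not part of the original post. The ClientHello below is
constructed in memory; nothing here reads a capture file.
"""
import struct

# Record-layer ContentType values (TLS.TlsRecLayer.TlsRecordLayer.ContentType)
CONTENT_TYPE_ALERT = 0x15
CONTENT_TYPE_HANDSHAKE = 0x16
# Handshake message types (...SSLHandshake.HandShake.HandShakeType)
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_CERTIFICATE = 0x0B
# Cipher suite IDs quoted in the filters above (IANA values)
ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014
ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013
ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A
ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009


def build_client_hello(cipher_suites):
    """Construct a minimal TLS 1.2 ClientHello wrapped in one TLS record."""
    body = b"\x03\x03"                                   # client_version TLS 1.2
    body += b"\x00" * 32                                 # random (constructed, all zero)
    body += b"\x00"                                      # session_id length 0
    body += struct.pack("!H", 2 * len(cipher_suites))    # cipher_suites length
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                  # compression_methods: null only
    body += b"\x00\x00"                                  # extensions length 0
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + b"\x03\x03"
            + struct.pack("!H", len(handshake)) + handshake)


def parse_record(record):
    """Return (content_type, (major, minor), payload) of a single TLS record."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if len(payload) != length:
        raise ValueError("record payload truncated")
    return content_type, (major, minor), payload


def parse_handshake(payload):
    """Return (handshake_type, body) of the first handshake message in a payload."""
    if len(payload) < 4:
        raise ValueError("handshake header truncated")
    hs_type = payload[0]
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("handshake body truncated")
    return hs_type, body


def client_hello_cipher_suites(body):
    """Return the list of cipher suite IDs offered in a ClientHello body."""
    if len(body) < 35:
        raise ValueError("ClientHello too short")
    session_id_len = body[34]                 # after version(2) + random(32)
    off = 35 + session_id_len
    (cs_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    suites = body[off:off + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        raise ValueError("cipher_suites vector malformed")
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]


def offers_cipher(record, cipher_id):
    """Same test as the ClientHello.TLSCipherSuites.Cipher == 0x... filter."""
    content_type, _, payload = parse_record(record)
    if content_type != CONTENT_TYPE_HANDSHAKE:
        return False
    hs_type, body = parse_handshake(payload)
    if hs_type != HANDSHAKE_CLIENT_HELLO:
        return False
    return cipher_id in client_hello_cipher_suites(body)


def is_alert(record):
    """Same test as the ContentType == 0x15 filter."""
    return parse_record(record)[0] == CONTENT_TYPE_ALERT


# Constructed samples: a ClientHello offering three suites, and a fatal
# handshake_failure alert (level 2, description 40).
SAMPLE_CLIENT_HELLO = build_client_hello(
    [0xC02F, ECDHE_RSA_WITH_AES_256_CBC_SHA, ECDHE_RSA_WITH_AES_128_CBC_SHA])
SAMPLE_ALERT = bytes([CONTENT_TYPE_ALERT, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])

if __name__ == "__main__":
    for name, cid in (("ECDHE_RSA_AES256_CBC_SHA", ECDHE_RSA_WITH_AES_256_CBC_SHA),
                      ("ECDHE_ECDSA_AES256_CBC_SHA", ECDHE_ECDSA_WITH_AES_256_CBC_SHA)):
        print(name, "offered:", offers_cipher(SAMPLE_CLIENT_HELLO, cid))
    print("alert record:", is_alert(SAMPLE_ALERT))
```

Because the filter compares against the cipher ID exactly, an ID with a missing digit (for example a three-nibble value instead of the four-nibble 0xC00A) silently matches nothing; the parser's integer comparison makes that failure mode obvious.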
