Q: How do I search packets for line of text in Netmon 3.4?
A: I was recently performing some monitoring testing and wanted to see when a particular text file had been opened, but it was hard to find the actual TCP packet that represented the content of the file being read.
I found a great solution using the ContainsBin filter that enables packet frame data to be searched for an ASCII string. For example, to search for SavillText I used
ContainsBin(FrameData, ASCII, "SavillText")
This enabled me to quickly find my packet, as the figure shows below.
Note that I performed this monitoring within a Windows Server 2012 Hyper-V virtual machine (VM) that was on the same host as the target file server VM. To enable this promiscuous monitoring to work, three configurations were required.
- On the file server VM, under the advanced features of the network adapter, its Port mirroring mode was set to Source. This could also be set with Windows PowerShell: Set-VMNetworkAdapter -VMName <VMName> -PortMirroring Source
- On the VM running Network Monitor, under the advanced features of the network adapter, its Port mirroring mode was set to Destination. This could also be set with PowerShell: Set-VMNetworkAdapter -VMName <VMName> -PortMirroring Destination
- In Network Monitor, under Capture Settings, the network adapter that is being listened on (Ethernet) is set to P-Mode (promiscuous mode, which means it can see traffic addressed to other network addresses).
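As an added example (not code from the original FAQ), the PowerShell script below applies the first two steps above, verifies the result with Get-VMNetworkAdapter, and can revert both adapters to None once the capture is finished. The VM names FileServer01 and Netmon01 are assumptions; the script also assumes each VM has a single network adapter.

```powershell
# Added example: configure Hyper-V port mirroring so a monitoring VM can capture
# a file server VM's traffic, confirm the setting, and revert it afterwards.
# VM names are assumptions; replace them with your own.
param(
    [string]$SourceVM  = 'FileServer01',   # VM whose traffic is mirrored (assumed name)
    [string]$MonitorVM = 'Netmon01',       # VM running Network Monitor (assumed name)
    [switch]$Revert                        # -Revert sets both adapters back to None
)

# Port mirroring only works between adapters on the same virtual switch,
# so check that before changing anything (assumes one adapter per VM).
$srcSwitch = (Get-VMNetworkAdapter -VMName $SourceVM).SwitchName
$monSwitch = (Get-VMNetworkAdapter -VMName $MonitorVM).SwitchName
if ($srcSwitch -ne $monSwitch) {
    throw "VMs are on different virtual switches ($srcSwitch vs $monSwitch); mirroring will not work."
}

if ($Revert) {
    $srcMode = 'None'
    $monMode = 'None'
} else {
    $srcMode = 'Source'        # file server: copy its traffic out
    $monMode = 'Destination'   # monitor VM: receive the copies
}

Set-VMNetworkAdapter -VMName $SourceVM  -PortMirroring $srcMode
Set-VMNetworkAdapter -VMName $MonitorVM -PortMirroring $monMode

# Read the state back so the change is confirmed rather than assumed.
Get-VMNetworkAdapter -VMName $SourceVM, $MonitorVM |
    Select-Object VMName, SwitchName, PortMirroringMode
```

The third step (P-Mode on the capture adapter) is still set inside Network Monitor's Capture Settings. Because mirroring copies every frame the file server sends and receives to the monitoring VM, including other users' file contents, run the script again with -Revert as soon as the capture is done.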