Q: How do I search packets for line of text in Netmon 3.4?
A: I was recently performing some monitoring testing and wanted to see when a particular text file had been opened, but it was hard to find the actual TCP packet that represented the content of the file being read.
I found a great solution using the ContainsBin filter that enables packet frame data to be searched for an ASCII string. For example, to search for SavillText I used
ContainsBin(FrameData, ASCII, "SavillText")
This enabled me to quickly find my packet, as the figure below shows.
Note that I performed this monitoring from a Windows Server 2012 Hyper-V virtual machine (VM) that was on the same host as the target file server VM. To make this promiscuous monitoring work, three configuration changes were required:
- On the file server VM, under the advanced features of the network adapter, its Port mirroring mode was set to Source.
  This could also be set with Windows PowerShell:
- On the VM running Network Monitor, under the advanced features of the network adapter, its Port mirroring mode was set to Destination.
  This could also be set with PowerShell:
- In Network Monitor, under Capture Settings, the network adapter being listened on (Ethernet) is set to P-Mode (promiscuous mode, which lets it see traffic addressed to other network addresses).
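The two Hyper-V port-mirroring steps above, scripted and verified with the Hyper-V cmdlets, as an added example that is not part of the original answer; the VM names 'FileServer' and 'NetmonVM' are assumptions.

```powershell
# Added example (not from the original answer). Assumes two Hyper-V VMs on the
# same host and the same virtual switch: 'FileServer' (the traffic source) and
# 'NetmonVM' (where Network Monitor runs). Both names are assumptions.
$SourceVm      = 'FileServer'
$DestinationVm = 'NetmonVM'

# Step 1: mirror the file server adapter's traffic out onto the virtual switch.
Set-VMNetworkAdapter -VMName $SourceVm -PortMirroring Source

# Step 2: let the monitoring VM's adapter receive the mirrored frames.
Set-VMNetworkAdapter -VMName $DestinationVm -PortMirroring Destination

# Check: mirroring only works between adapters on the same virtual switch, and
# the modes must read Source and Destination respectively.
Get-VMNetworkAdapter -VMName $SourceVm, $DestinationVm |
    Select-Object VMName, SwitchName, PortMirroringMode |
    Format-Table -AutoSize

# Step 3 (P-Mode) is a Network Monitor capture setting, not a Hyper-V one, so it
# is still set in the Capture Settings dialog.

# When the test is finished, turn mirroring off again so the file server's
# traffic is no longer copied to a second VM:
# Set-VMNetworkAdapter -VMName $SourceVm, $DestinationVm -PortMirroring None
```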