Fast filtering netmon captures

Last week we talked about setting up a long running capture. In my case I had thousands of files in a few days. Fortunately I had an extra 500GB disk to put them on. But now came the challenge of finding what I was looking for in those files.

I had the time of the error, so I would open a few captures around that time and look for an error. By error I mean a TCP reset. In netmon that is easy to find: pick each TCP session from the tree on the left and go to the last frame; if you see a TCP reset with no FIN, bingo. BTW, be sure to have the troubleshooting color filters on; they make finding problem packets easy. I think the latest parser package comes with some good color filters.

In my case it was pretty straightforward: there was a series of retransmits and then a connection reset, which is what you expect after five unanswered retransmits. The problem now was how to find and reassemble the entire TCP session so I could see what was negotiated in the TCP setup. This is fast and easy with netmon blob filters.

Using nmcap with blob filters, a capture file can be searched in a couple of seconds. A blob filter compares a hex pattern of a given length at a given byte offset in the raw frame. So, let's assume that the ephemeral port number in the TCP session that was reset is 53487, or 0xD0EF in hex. My filter would then be Blob(FrameData, 34, 2) == 0xD0EF OR Blob(FrameData, 36, 2) == 0xD0EF, where 34 is the offset of the TCP source port (one direction, src to dst) and 36 is the offset of the destination port (the other direction); the other number, 2, is the length in bytes. Those offsets assume an untagged Ethernet II frame (14 bytes) carrying IPv4 with a 20-byte header and no options; an 802.1Q VLAN tag shifts every offset by 4, and IP options shift the port offsets further. Note also that a blob filter only compares raw bytes, so it will also match UDP datagrams on the same port, or any other frame that happens to carry that pattern at offset 34 or 36. The filter is easy to build up using the Frame Details and Hex Details panels in netmon.

Once you have your blob filter (test it in the GUI first) you are ready to run it. Let's assume you are interested in looking through files capfile(2735) to capfile(2765), 31 files. Then with the help of a for loop at the command prompt you would use something like this (inside a .bat file the loop variable is written %%i instead of %i):

for  /l  %i in (2735,1,2765) do nmcap /UseProfile 2 /inputcapture e:\cap\capfile(%i).cap /disableconversations /capture Blob(FrameData, 34, 2) == 0xD0EF OR Blob(FrameData, 36, 2) == 0xD0EF  /file c:\tmp\error24\Oct25\Oct25_1132pm_port53487_%i:2G

Now I have a series of small files with just the traffic to/from TCP port 53487. With this command I can stitch the files together to get one cap file that I can open in the netmon GUI:

nmcap /UseProfile 2 /disableconversations /inputcapture Oct25_1132pm_port53487_(2762).cap Oct25_1132pm_port53487_(2763).cap Oct25_1132pm_port53487_(2764).cap Oct25_1132pm_port53487_(2765).cap /capture /file allPort53487_Oct25_1132pm.cap:2G

If I have a lot of files to stitch together, I usually put the dir /b output into Word and do a find for ^p and replace with ^s to remove all the hard returns. That puts them on a single line, ready for pasting into my command.

You do need a parser enabled for the blob filter to work. I have used the High Performance one in profile 2 above; Pure Capture won't work.

Blob filters are great. I also use them for wildcarding by changing the length parameter. For example, a filter on a certain IP address (offset 26 for the source address, 30 for the destination in the same Ethernet/IPv4 layout) with the length changed from 4 to 3 will match all the traffic to or from its /24 subnet.
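As an added example (not code from the original post or from the Netmon team), here is a small Python model of what a Blob filter actually compares, covering both the port filter above and the length-shortening "wildcard". It builds constructed Ethernet/IPv4 frames with made-up MACs and addresses, applies the same offset/length/pattern comparison nmcap does, and generates the filter strings for a port (both directions) and for a /24. It also demonstrates the two caveats mentioned above: a VLAN tag shifting every offset by 4, and the port pattern matching UDP as well as TCP unless a check on the IP protocol byte is ANDed in. The AND and parentheses alongside the post's OR are an assumption about nmcap's filter grammar; test the generated string in the GUI before running it over hundreds of files.

```python
import struct
from typing import Optional

# Byte offsets inside an untagged Ethernet II / IPv4 (20-byte header, no options)
# / TCP frame. 34 and 36 are the post's port offsets; an 802.1Q tag adds 4 to all of them.
IP_PROTO_OFF = 23   # 1 byte: 6 = TCP, 17 = UDP
IP_SRC_OFF = 26     # 4 bytes
IP_DST_OFF = 30     # 4 bytes
TCP_SPORT_OFF = 34  # 2 bytes = 14 (Ethernet) + 20 (IPv4)
TCP_DPORT_OFF = 36  # 2 bytes


def blob(frame: bytes, offset: int, length: int) -> int:
    """Value of Blob(FrameData, offset, length): `length` raw bytes at `offset`, big-endian."""
    chunk = frame[offset:offset + length]
    if len(chunk) != length:        # frame shorter than the pattern: can never match
        return -1
    return int.from_bytes(chunk, "big")


def blob_expr(offset: int, length: int, value: int) -> str:
    """Render one comparison in the nmcap syntax used in the post."""
    return f"Blob(FrameData, {offset}, {length}) == 0x{value:0{length * 2}X}"


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def port_filter(port: int) -> str:
    """The post's two-direction port filter, ANDed with an IP protocol check so UDP (or
    payload bytes that happen to equal the port) does not match. Assumption: nmcap accepts
    AND and parentheses alongside the OR shown in the post."""
    return (f"{blob_expr(IP_PROTO_OFF, 1, 6)} AND ("
            f"{blob_expr(TCP_SPORT_OFF, 2, port)} OR {blob_expr(TCP_DPORT_OFF, 2, port)})")


def subnet24_filter(ip: str) -> str:
    """Wildcard by length: compare only the first 3 address bytes (a /24), either direction."""
    prefix = int.from_bytes(ip_bytes(ip)[:3], "big")
    return f"{blob_expr(IP_SRC_OFF, 3, prefix)} OR {blob_expr(IP_DST_OFF, 3, prefix)}"


def match_port(frame: bytes, port: int, check_proto: bool = True) -> bool:
    """Evaluate port_filter() on raw frame bytes; check_proto=False is exactly the post's filter."""
    on_port = blob(frame, TCP_SPORT_OFF, 2) == port or blob(frame, TCP_DPORT_OFF, 2) == port
    return on_port and (not check_proto or blob(frame, IP_PROTO_OFF, 1) == 6)


def match_subnet24(frame: bytes, ip: str) -> bool:
    """Evaluate subnet24_filter() on raw frame bytes."""
    prefix = int.from_bytes(ip_bytes(ip)[:3], "big")
    return blob(frame, IP_SRC_OFF, 3) == prefix or blob(frame, IP_DST_OFF, 3) == prefix


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, proto: int = 6,
                tcp_flags: int = 0x04, vlan: Optional[int] = None) -> bytes:
    """Constructed sample frame (MACs and addresses are made up, checksums left at 0).
    Default is a TCP segment with only RST set, like the last frame of the failed session."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:                        # 802.1Q tag: pushes every later offset by 4
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)            # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    if proto == 17:                             # UDP: ports sit at the same two offsets as TCP
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, tcp_flags, 8192, 0, 0)
    return eth + ip + l4


if __name__ == "__main__":
    print(port_filter(53487))
    print(subnet24_filter("10.0.1.0"))
    rst = build_frame("10.0.1.5", "192.168.1.10", 53487, 445)
    udp = build_frame("10.0.1.5", "192.168.1.10", 53487, 53, proto=17)
    tagged = build_frame("10.0.1.5", "192.168.1.10", 53487, 445, vlan=100)
    print("TCP RST on 53487       :", match_port(rst, 53487))
    print("UDP on 53487, post's   :", match_port(udp, 53487, check_proto=False))
    print("UDP on 53487, w/ proto :", match_port(udp, 53487))
    print("VLAN-tagged, same port :", match_port(tagged, 53487))
    print("RST src in 10.0.1.0/24 :", match_subnet24(rst, "10.0.1.0"))
```

The same pattern extends to any field you can see in the Hex Details panel: read off the offset and width there, hand them to blob_expr(), and confirm the resulting expression in the GUI before looping nmcap over the capture set.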

Most of this I learned from the Netmon blog.
