netmon，messageanalyzer

Microsoft Message Analyzer Operating Guide

https://technet.microsoft.com/en-us/library/jj649776.aspx

https://blogs.technet.microsoft.com/networking/

https://blogs.technet.microsoft.com/messageanalyzer/2012/09/17/meet-the-successor-to-microsoft-network-monitor/

https://blogs.technet.microsoft.com/messageanalyzer/

https://blogs.technet.microsoft.com/netmon/2007/01/26/part-2-tcp-performance-expert-and-general-trouble-shooting/

https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/

https://blogs.technet.microsoft.com/netmon/2007/12/21/understanding-http-flow-with-netmon-3-by-yuri-diogenes/

https://blogs.technet.microsoft.com/netmon/2010/02/24/measuring-response-times/

https://blogs.technet.microsoft.com/netmon/2010/12/21/filtering-on-timestamps/

https://blogs.technet.microsoft.com/netmon/2010/12/01/new-videos-for-advanced-filtering-and-3-4-ui-features/

 

Network Monitor TCP Filtering

Data Fields:

Field	Description	Example
TCP.Port	Filters on the Source or Destination port.  Used to find traffic based on port which is often associated with an application.	TCP.Port==80
TCP.Flags.Reset	Can be used to test and see if the reset flag is set.	TCP.Flags.Reset==1
TCP.Window	Window Size of the current TCP frame, but ignoring the scale factor. See Property.TCPWindowSize below.	TCP.Window == 0

 Properties:

Property	Description	Example
TCPRetransmit	A property that is set when a TCP retransmit is found.  Retransmits are often an indication of a network infrastructure problem and network congestion.	Property.TCPRetransmit == 1
TCPPayloadLength	Represents the TCP Payload Size.	TCPPayloadLength == 0
TCPCheckSumStatus	This is a string that represents if the check sum is valid or not.  This could be "Good" or "Bad".	TCPCheckSumStatus != "Good"
TCPDescription	A property to show the TCP Description for the current frame as opposed to the top most protocol description.  This is useful as a frame summary column.  You can also use it to search for specific retransmitted frames by searching for the text in the TCP summary, as the example shows.	TCPDescription.Contains("#472")
TCPAckNumber	The current frame's Acknowledgement Number	TCPAckNumber==1234
TCPSeqNumber	The current frame's Sequence Number	TCPSeqNumber==1234
TCPSeqeunceRange	The TCP Sequence range, as a string, which is the current seq number to the current seq plus the length of the TCP payload.	TCPSequenceRange.Contains("1234")
TCPShortAckNumber	A WORD representation of the Ack number to make it easy to compare and remember.	TCPShortAckNumber==1000
TCPShortSeqNumber	A WORD representation of the Seq number to make it easy to compare and remember.	TCPShortSeqNumber==1000
TCPFlags	A string representation of the various TCP flags for the frame: CWR, ECE, Urgent, Ack, Push, Reset, Syn, Fin.	TCPFlags.Contains("R")
TCPWindowSize	The Window Size for the current frame including the scaling factor if the 3 way handshake is available in the same trace.	TCPWindowSize==0

Return to the List of Top Level Protocols