Microsoft Network Monitor (NetMon) is a free network diagnostic tool for Windows used to capture and analyze all incoming and outgoing traffic on a computer.
Although Microsoft stopped developing and updating this product years ago, administrators still use it regularly when they need to diagnose a computer's network connections.
NetMon offers fewer features than the popular Wireshark packet capture and analysis tool, and is less suited to complex packet analysis tasks.
However, Network Monitor's graphical interface is much simpler and more intuitive, and the product itself is lightweight, so its use is justified and practical in certain circumstances.
You can download Microsoft Network Monitor 3.4 (NM34_x64.exe) free of charge from the Microsoft website, or install it with the WinGet package manager by running the following command from the Command Prompt:
winget install Microsoft.NetMon
How to work with Network Monitor
First run Network Monitor as administrator. In the main NetMon window, click New Capture.
By default, Network Monitor captures all traffic passing through the computer's network interfaces. Such a trace can grow very large if you capture traffic over a long period of time, so you will usually want to set a capture filter to record only the traffic you are interested in (for example, a particular protocol, port, host or direction).
Filters
Before pressing the “Start” button, you can set a capture filter. To do this, click the “Capture Settings” button.
Here you can configure the filters for the traffic that NetMon will collect. The Load Filter > Standard Filters menu contains several filter templates for common tasks.
For example, if you choose Load Filter > Standard Filters > TCP > TCP ports, the program enters the following filter (lines beginning with // are comments and are ignored):
// Filter frames by TCP port number.
tcp.port == 80
OR
Payloadheader.LowerProtocol.port == 80
// Filter finds all TCP traffic on port 80. This
// also includes reassembled port data since for
// reassembled frames the TCP Transport layer is
// replaced.
You can change port 80 to whatever port you need, or match several ports by adding further tcp.port == terms joined with OR.
You can also narrow the search by adding an AND term below the expression. For example, to capture traffic on port 80 coming from the device with IP address 192.168.1.10, wrap the OR expression in brackets and append the address condition:
(tcp.port == 80 OR Payloadheader.LowerProtocol.port == 80)
AND
IPv4.SourceAddress == 192.168.1.10
The brackets matter: as in C, AND binds more tightly than OR, so without them the address condition would apply only to the second alternative and the filter would still pass all tcp.port == 80 traffic from every host. Filter expressions can be combined using brackets and the logical operators OR, AND and NOT, or their equivalents ||, && and !.
Click the “Apply” button to save the filter.
Start logging
Then go to Tools > Options > Parser Profiles. Select the Windows profile (it includes the full set of Windows protocol parsers), click the “Set As Active” button, then click OK.
You are now ready to start capturing network traffic. Click the “Start” button on the toolbar.
Let NetMon run long enough to gather a representative sample of connections. Depending on the problem you are diagnosing, and in particular if it occurs intermittently rather than on demand, this can take a day or more.
Note that, depending on the capture filter settings, capturing network traffic for a long time requires a significant amount of RAM and disk space.
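The same capture can be run unattended from a script. The following PowerShell script is an added example, not part of the original article, that drives NMCap.exe, the command-line capture tool installed together with Network Monitor 3.4, using the same filter syntax as the GUI. The installation path, the adapter selection, the IP address, the output location, the one-hour limit and the 50 MB per-file limit are assumptions for illustration; run NMCap /? on your system to confirm the switches and the naming of chained output files.

```powershell
# Added example, not from the original article: unattended NetMon capture with NMCap.exe.
# Assumption: Network Monitor 3.4 is installed in its default location.
$NMCap = 'C:\Program Files\Microsoft Network Monitor 3\NMCap.exe'
if (-not (Test-Path $NMCap)) { throw "NMCap.exe not found at $NMCap" }

# Capture filter, same syntax as in the GUI. The brackets matter: AND binds more
# tightly than OR, so without them the address test would only apply to the second
# alternative. Assumed example host: 192.168.1.10.
$filter = '(tcp.port == 80 OR Payloadheader.LowerProtocol.port == 80) AND IPv4.SourceAddress == 192.168.1.10'

# Write a chain of .chn files, each limited to 50 MB (assumed size), so that a long
# capture cannot exhaust the disk. A chain opens in the NetMon GUI like a single trace.
$outFile = Join-Path $env:TEMP 'http-192.168.1.10.chn:50M'

# /network *            capture on all adapters
# /capture <filter>     apply the capture filter above
# /file <name>          output file (chain with size limit)
# /stopwhen /timeafter  stop automatically after the given interval (assumed: 1 hour)
& $NMCap /network * /capture $filter /file $outFile /stopwhen /timeafter 1 hour
if ($LASTEXITCODE -ne 0) { throw "NMCap exited with code $LASTEXITCODE" }

# List the captured chain parts so their total size can be checked before opening them.
Get-ChildItem -Path $env:TEMP -Filter 'http-192.168.1.10*.chn' |
    Select-Object Name, Length
```

Run the script from an elevated PowerShell session, as with the GUI capture; the resulting files can be opened in Network Monitor with File > Open > Capture for the same offline analysis described below.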
Work with the results
The “Network Conversations” pane on the left, as well as the “Process Name” column in the Frame Summary pane in the middle, show the name of the process that initiated each network connection.
At first a process may be shown as “Unavailable”, but if you let the capture run for a while you will see the name of every program that goes online appear beneath it.
Click the “Stop” button to stop capturing network traffic. The captured trace can be saved (File > Save As) as a *.cap file for offline analysis.