Channel: Network Monitor Open Source Parsers

New Post: SCCP, MGCP and EIGRP (Cisco Protocols) not supported in Microsoft NetMon

Hey Paul,

Up until I found out about Microsoft Network Monitor, I was using another network packet capture/analyzer called Wireshark, which is also a free program. It is pretty much the gold standard when it comes to network packet capture analysis. What it does is allow you to choose which network interface(s) on your machine you want to capture packets from, and it will capture all of them. When you click on an individual packet in a trace, it separates all of the layers according to the Internet/OSI model (i.e. Physical Layer, Data-Link Layer, Network Layer, Transport Layer, and Application Layer). It recognizes pretty much every known protocol on the market today, and if it detects one, you can add a filter to show only packets from that protocol. What's even more impressive for me as a VoIP specialist is that it has a "VoIP Calls" option which allows you to view all VoIP calls that passed through the interface, and it will show a graph of the message and media transactions between all nodes involved.

However, there are a couple of flaws with Wireshark. They are:

1) Does not support all interface types on a Windows machine, i.e. VPN connections, some IPv6 tunnel broker client interfaces

2) Choosing a network interface to capture is not always entirely clear, as it shows its Device ID rather than what is named in Windows Network Connections
For example: In Network Connections, one interface is named "Wireless Network Connection". In Wireshark, it's shown as "Microsoft: \Device\NPF_{4C968491-1244-4B63-916D-62EAD36268DE}". Message Analyzer (and NetMon) also did this, and I would like to see at least some kind of clear-cut correlation of the two.

3) You cannot separate traffic via the application that used it in Wireshark. For example: In Microsoft Network Monitor, with my VoIP Phone client program, I was able to see all transactions between the VoIP client and the VoIP server. This cannot be done in Wireshark, and I have not seen it in Message Analyzer. This is a feature that should have been passed over from Network Monitor to Message Analyzer, so please bring it back!

4) Packet capture sizes can become quite large over small periods of time and you may not even be able to open a capture that you made if it becomes too big.

Overall, if Wireshark addressed these issues, it would be perfect. In my opinion, if you can model the network analysis portion of Message Analyzer to mirror Wireshark while addressing all of Wireshark's shortcomings as mentioned above, there's no question I would use Message Analyzer. But for now, I'll continue to use the combination of Wireshark and Network Monitor for my packet analysis needs! I'll say this though, Network Monitor was on the right track, it just lacked the protocol support (i.e. Skinny, MGCP, EIGRP) and didn't have the graph options or VoIP call options.

I hope this helps. Let me know if you need any more opinions. I am glad to help!

Thanks,

John
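Two of the points in John's post above (2: correlating the "\Device\NPF_{GUID}" names Wireshark lists with the adapter names in Network Connections, and 3: isolating one application's traffic) can be worked around from PowerShell on a modern Windows host. The script below is an added example, not code from the original post or from Wireshark, NetMon or Message Analyzer. It assumes Windows 8 / Server 2012 or later (for the NetAdapter and NetTCPIP cmdlets) and an Npcap or WinPcap install that names capture devices "\Device\NPF_" followed by the adapter's interface GUID; the process name `softphone` in the usage line is a placeholder, not a real product.

```powershell
# Added example (not from the original post). Assumes Windows 8+/Server 2012+
# and Npcap/WinPcap device naming "\Device\NPF_{InterfaceGuid}".

# Point 2: map the capture-device names Wireshark shows to the friendly names
# used in Network Connections. Get-NetAdapter's InterfaceGuid is the same GUID
# (braces included) that appears in the NPF device name, so the correlation is
# a string concatenation. -IncludeHidden also lists tunnel/VPN adapters that
# the default view omits.
function Get-NpfInterfaceMap {
    Get-NetAdapter -IncludeHidden | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name                  # e.g. "Wireless Network Connection"
            Description = $_.InterfaceDescription  # the vendor string Wireshark may also show
            NpfDevice   = '\Device\NPF_' + $_.InterfaceGuid
            Status      = $_.Status
        }
    }
}

# Point 3: Wireshark cannot filter by owning process, but Windows knows which
# process owns each socket. Collect the local TCP/UDP ports owned by a process
# and emit a Wireshark display filter that matches only that traffic.
function Get-ProcessDisplayFilter {
    param([Parameter(Mandatory)][string]$ProcessName)

    # Get-Process throws if no such process is running; let that surface.
    $processIds = (Get-Process -Name $ProcessName -ErrorAction Stop).Id

    $tcpPorts = Get-NetTCPConnection -OwningProcess $processIds -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    $udpPorts = Get-NetUDPEndpoint -OwningProcess $processIds -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty LocalPort -Unique | Sort-Object

    # Wireshark set-membership syntax: tcp.port in {5060 5061}
    $clauses = @()
    if ($tcpPorts) { $clauses += 'tcp.port in {' + ($tcpPorts -join ' ') + '}' }
    if ($udpPorts) { $clauses += 'udp.port in {' + ($udpPorts -join ' ') + '}' }

    if (-not $clauses) { return $null }   # process owns no sockets right now
    return ($clauses -join ' || ')
}

# Usage (run in an elevated PowerShell so socket-to-process ownership is visible):
Get-NpfInterfaceMap | Format-Table -AutoSize
Get-ProcessDisplayFilter -ProcessName 'softphone'   # placeholder process name
```

Paste the returned string into Wireshark's display filter bar. Because a VoIP client opens its RTP ports per call, re-run `Get-ProcessDisplayFilter` while a call is up, or capture everything and apply the filter afterwards; the signalling port (SIP 5060, SCCP 2000, MGCP 2427) is usually stable and is the part worth putting into a capture filter (`-f "udp port 5060"` in tshark/dumpcap) when capture size is the concern raised in point 4.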
