Mastering Windows Server 2016 Hyper-V


Monitoring Virtual Traffic


Readers may be familiar with the Network Monitor (NetMon) tool that Microsoft made
available for many years as a way to monitor traffic. When it is installed on a
machine, NetMon can place the network adapter in promiscuous mode to view all of the
traffic sent over the link. This is still an option. It can even be installed inside a virtual
machine, and the port-mirroring feature of the Hyper-V virtual network adapter can be
used to send a copy of one virtual machine's traffic to another virtual machine for
monitoring.
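The port-mirroring arrangement just described, as an added example run on the Hyper-V host (this is not code from the book; the VM names WebSrv01 and NetMon01 and the assumption that each VM has a single adapter on the same virtual switch are mine):

```powershell
# Added example (not from the book): mirror one VM's traffic to a monitoring VM on the same host.
# Assumptions: 'WebSrv01' is the VM whose traffic we want, 'NetMon01' is the VM running the
# capture tool, each has one network adapter, and this runs in an elevated session on the host.
$sourceVm  = 'WebSrv01'
$monitorVm = 'NetMon01'

$srcNic = Get-VMNetworkAdapter -VMName $sourceVm  | Select-Object -First 1
$monNic = Get-VMNetworkAdapter -VMName $monitorVm | Select-Object -First 1

# Port mirroring only works between ports on the same virtual switch.
if ($srcNic.SwitchName -ne $monNic.SwitchName) {
    throw "Source is on '$($srcNic.SwitchName)' but monitor is on '$($monNic.SwitchName)'."
}

# Source: copies of this adapter's frames are delivered to every Destination port on the switch.
$srcNic | Set-VMNetworkAdapter -PortMirroring Source
# Destination: this adapter receives the mirrored frames in addition to its own traffic.
$monNic | Set-VMNetworkAdapter -PortMirroring Destination

# Verify the configuration took effect.
Get-VMNetworkAdapter -VMName $sourceVm, $monitorVm |
    Select-Object VMName, SwitchName, PortMirroringMode

# When the capture is finished, remove the mirror so the monitoring VM stops seeing other traffic.
# $srcNic, $monNic | Set-VMNetworkAdapter -PortMirroring None
```

A Destination port receives the traffic of every Source port on that switch, so the monitoring VM becomes a sniffer for anything mirrored there; treat the right to set PortMirroring as a sensitive Hyper-V administrator privilege and clear the mirror when the investigation ends. Inside the monitoring VM, the capture tool still has to put the guest adapter into promiscuous mode to see the mirrored frames.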


However, Microsoft has replaced NetMon with a new tool, Message Analyzer, which is
available from the following location:
www.microsoft.com/en-us/download/details.aspx?id=44226


Going into detail about Message Analyzer is beyond the scope of this book. However, I
want to focus on one new and powerful feature: the capability to perform a remote capture
of a Windows Server 2012 R2 (or later) server or Windows 8.1 (or later) client, including
specific virtual machines running on a Windows Server 2012 R2 (or later) Hyper-V host.
Remote capture is a key requirement when you consider that many production servers
now run Server Core, which cannot run graphical management tools such as NetMon;
without remote capture, network analysis on those hosts would be blocked.


Remote capture is made possible because the driver used by Message Analyzer,
NDISCAP, is built into Windows 8.1 and above and Windows Server 2012 R2 and
above. It was specifically written to enable remote capture, sending packets over the
network to the machine that is running the Message Analyzer tool. Message Analyzer
can still be used on Windows 7 (with WMI 3 installed), Windows 8, Windows Server
2008 R2 (with WMI 3), and Windows Server 2012; on those systems it installs its own
capture driver, PEFNDIS, but that driver does not allow remote capture of network
data. When a remote capture is first started, a WMI call is made to the remote server
to collect information about what can be captured, and RPC is then used to send the
packets over the network to Message Analyzer. Note that you can configure only certain
types of traffic to be sent to Message Analyzer, and by default each packet is truncated
to its first 128 bytes to minimize the amount of traffic sent over the network from the
source to the analyzer machine. Keep that truncation in mind when you need full
payloads: raise or disable it for the capture, at the cost of more network load.


Message Analyzer features a completely new interface, and I will walk through the
basic steps to start a remote capture of a virtual machine on a remote Hyper-V host.
Before running this process, add the remote host to the list of trusted WMI machines
by running the following command from an elevated command prompt:


WinRM set winrm/config/client @{TrustedHosts="RemoteHostName"}


This step is needed only when the remote host cannot be authenticated with Kerberos
(for example, it is not in your domain or you address it by IP). Adding a host to
TrustedHosts tells WinRM to send your credentials to it without verifying the host's
identity, so list the specific host name rather than the wildcard "*".
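The same preparation done from PowerShell, with the checks I would run before attempting the remote capture, as an added example (not code from the book; the host name HV01.contoso.local is an assumption, and the capture-filter binding check uses the ms_ndiscap component ID of the Microsoft NDIS Capture filter):

```powershell
# Added example (not from the book): prepare a workstation for a Message Analyzer remote
# capture of Hyper-V host 'HV01.contoso.local' (assumed name). Run in an elevated session.
# Add -Credential to the remote calls if the host is not in your domain.
$remoteHost = 'HV01.contoso.local'

# 1. TrustedHosts: add only this host, never '*', and only if it is not already listed.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -eq '*') {
    Write-Warning "TrustedHosts is '*': WinRM will send NTLM credentials to any host. Narrow it."
}
elseif (($trusted -split ',' | ForEach-Object Trim) -notcontains $remoteHost) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $remoteHost -Concatenate -Force
}

# 2. Confirm WinRM connectivity to the host (the TrustedHosts setting above governs this).
Test-WSMan -ComputerName $remoteHost | Out-Null

# 3. Remote capture needs Windows 8.1 / Server 2012 R2 (NT 6.3) or later, where NDISCAP is built in.
$os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $remoteHost
if ([version]$os.Version -lt [version]'6.3') {
    throw "$remoteHost runs $($os.Caption) ($($os.Version)): it cannot be remote-captured."
}

# 4. Confirm the NDIS capture filter is bound to the adapters you intend to capture on.
Invoke-Command -ComputerName $remoteHost -ScriptBlock {
    Get-NetAdapterBinding -ComponentID ms_ndiscap | Select-Object Name, Enabled
}
```

If step 3 reports an older system, Message Analyzer can still capture locally on it with the PEFNDIS driver, but the remote-capture path described above is not available.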


Now you can continue with the remote capture:


1 . Launch  Message Analyzer.
2 . Select New Session.