How to Filter on TCP Header Information Using Microsoft Network Monitor

ID: Q231920

The information in this article applies to:

Microsoft Windows NT Server versions 3.1, 3.5, 3.51, 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4
Microsoft Windows NT Workstation versions 3.1, 3.5, 3.51, 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4
Microsoft Windows versions 3.11, 95, 98, 98 Second Edition

SUMMARY

This article describes how to apply filters in Microsoft Network Monitor to view Transmission Control Protocol (TCP) header information in the Capture Summary window.

MORE INFORMATION

When you view a capture using Network Monitor, the "Last Protocol In Frame" is displayed in the Capture Summary window by default. This is true even when you apply filters to view only TCP information. Therefore, a frame that contains Server Message Blocks (SMBs) shows SMB summary information. For example:


SMB C write spool file, FID = 0xc005, Write 48 bytes

To view the TCP header information, you need to open the frame.

In the following example, several protocols are actually a part of the entire frame:


+FRAME: Base frame properties
+ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
+IP: ID = 0x7DEC; Proto = TCP; Len: 132
+TCP: .AP..., len:   92, seq: 175699528-175699619, ack: 227842390, win:16500, src: 3221  dst:  139 (NBT Session) 
+NBT: SS: Session Message, Len: 88
+SMB: C write spool file, FID = 0xc005, Write 48 bytes

When viewing a TCP trace, it is more convenient to have the TCP information displayed in the Capture Summary window. This lets you view the TCP header information without having to open the frame.

Use the following steps to view TCP header information in the Capture Summary window:

On the Display menu in the Capture Summary window, click Filter (or press F8).

In the Display Filter window, double-click Protocol==Any.

Click Disable All.

In the Disabled Protocols box, click TCP, click Enable, click OK, and then click OK.

On the Display menu in the Capture Summary window, click Options.

Click Auto (Based on protocols in display filter), and then click OK.

The following example shows the TCP information as viewed in the Capture Summary window after you perform these steps:


TCP .AP..., len:   92, seq: 175699528-175699619, ack: 227842390, win:16500, src: 3221  dst:  139 (NBT Session)

Additional query words: sniff trace netmon bloodhound


Keywords          : kbnetwork kbtool 
Version           : WINDOWS:3.11,95,98,98 Second Edition; winnt:3.1,3.5,3.51,4.0,4.0 SP1,4.0 SP2,4.0 SP3,4.0 SP4
Platform          : WINDOWS winnt 
Issue type        : kbinfo

Last Reviewed: July 26, 1999