
Alessandro Perilli on Enterprise Security


Release: Microsoft Network Monitor 3.0

After years, Microsoft has finally released an update for its sniffer: Network Monitor (aka NetMon) 3.0.

As already said at beta 2 time, this new major release (build 3.0.372) doesn't have the limitations network professionals used to damn in the 2.x versions: it works in promiscuous mode and is released as a standalone package. And it's free of charge.

Plus, NetMon 3 introduces several improvements:

  • Real time capture and display of frames

  • Simultaneous capture on multiple network adapters

  • Multiple simultaneous capture sessions

  • Network conversations and a tree view displaying frames by conversation

  • Enhanced capture/display filtering (with Boolean expressions and IntelliSense)

  • A new script-based protocol parser language (NPL), and script-based parsers

  • Scriptable execution (and packet capture) through the NMcap command-line tool



The new filtering system is pretty flexible and lets you write filters in a way similar to what you do with Wireshark (formerly Ethereal).
For example, a filter for HTTP traffic reaching or departing from IP address 192.168.0.1 can be written:

  • ip.addr==192.168.0.1 and http (Wireshark)

  • ipv4.Address==192.168.0.1 && protocol.HTTP (NetMon)

Filters can be written on multiple lines and comments are allowed, which makes it easy to write complex packet analysis.

Download it here (it's unclear why Microsoft is still hosting it on Connect instead of the Download website).
Check the development team blog here.