This article describes how to apply filters in Microsoft Network Monitor to view Transmission Control Protocol (TCP) header information in the Capture Summary window.
When you view a capture using Network Monitor, the "Last Protocol In Frame" is displayed in the Capture Summary window by default. This is true even when you apply filters to view only TCP information. Therefore, a frame that contains Server Message Blocks (SMBs) shows SMB summary information. For example:
SMB C write spool file, FID = 0xc005, Write 48 bytes
To view the TCP header information, you need to open the frame.
In the following example, several protocols are actually a part of the entire frame:
+FRAME: Base frame properties
+ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
+IP: ID = 0x7DEC; Proto = TCP; Len: 132
+TCP: .AP..., len: 92, seq: 175699528-175699619, ack: 227842390, win:16500, src: 3221 dst: 139 (NBT Session)
+NBT: SS: Session Message, Len: 88
+SMB: C write spool file, FID = 0xc005, Write 48 bytes
When viewing a TCP trace, it is more convenient to have the TCP information displayed in the Capture Summary window. This lets you view the TCP header information without having to open the frame.
Use the following steps to view TCP header information in the Capture Summary window:
- On the Display menu in the Capture Summary window, click Filter (or press F8).
- In the Display Filter window, double-click Protocol==Any.
- Click Disable All.
- In the Disabled Protocols box, click TCP, click Enable, click OK, and then click OK.
- On the Display menu in the Capture Summary window, click Options.
- Click Auto (Based on protocols in display filter), and then click OK.
The following example shows the TCP information as viewed in the Capture Summary window after you perform these steps:
TCP .AP..., len: 92, seq: 175699528-175699619, ack: 227842390, win:16500, src: 3221 dst: 139 (NBT Session)