Network Monitor 3.2 has arrived!

I’m so excited about this release I had to commandeer Paul’s blog for the day and write about it. My name is Tawanda Sibanda and I am the lead program manager for Network Monitor. The team put a lot of effort into this version, adding many of the requests we heard from our customers, while simultaneously fixing bugs and stabilizing the product. We hope you enjoy this release! Please feel free to leave feedback on Paul’s blog or participate in our Network Monitor survey

Now, let’s deep dive into some of the details of Network Monitor 3.2

Where are the bits?

Network Monitor 3.2 is available on The link is:

Network Monitor 3.2 will also be offered as an optional feature package in the next few weeks via Microsoft Update if you have a previous version of Network Monitor 3.x installed. To check for updates, click on Help>Check for Updates from the product menu (versions 3.1 and higher) or visit the site

So What’s New in Network Monitor 3.2?

  • Process Tracking: Now you can identify rogue applications sending network data! View all the processes on your machine generating network traffic (process name and PID).  Use the conversation tree to view frames associated with each process.

  • Capture engine re-architecture to improve capture rate in high-speed networks.   Network Monitor 3.2 drops significantly fewer frames that Network Monitor 3.1.

  • Find conversations:  You asked for this. Many of our users found conversation tracking to be difficult to use as the view grew hard to manage, and it was difficult to correlate the frames they were seeing with the conversation nodes in the tree. Now, you can quickly isolate frames in the same network conversation.  Just right-click on a frame and select a conversation to track, and you will see all the frames in that conversation. View TCP streams, HTTP flows etc.

  • Extensive parser set:  Parsers for over 300 protocols!  As before, the parsers are fully customizable.

  • Better parser management:  By default only a subset of parsers are loaded.  You can load the full parser set by going to Tools>Options>Parser and choose Full vs. Stub implementations.

  • CodePlex Ready:  In the upcoming months, we plan to place all our Windows parsers on the Microsoft open-source CodePlex site and allow the community to modify and contribute parsers.  You can find out more information on this here. This version of Network Monitor seamlessly integrates new parser packages.

  • Network Monitor API: Create your own applications that capture, parse and analyze network traffic!

  • More extensive documentation of the API and NPL.  Access the documentation from Help > NPL and API Documentation.

  • IA64 builds.

  • PCAP capture file support*.

  • ContainsBin Plug-in:  Search frames for arbitrary byte sequences or strings.

  • … and more.  See our Release Notes in the Help directory of the installation folder for a complete list of new features and known issues.


*This feature includes software developed by the University of California, Berkeley and its contributors.
  This feature includes software developed by the Kungliga Tekniska Hogskolan and its contributors.
  This feature includes software developed by Yen Yen Lim and North Dakota State University.

Comments (24)

  1. Anonymous says:

    Kdo používáte oblíbený Network Monitor, možná jste zaregistrovali, že je dostupná nová verze s označením

  2. Anonymous says:

    when i try to install network monitor 3.2,

    the install program killed automatically.

    but 3.1 version installed very well.

    please send me a anwser…

  3. Paul E Long says:

    The forums on is probably a better place to discuss these types of problems, but I will send you some email to try and t-shoot this.

    You can start by extracting the files and running the netmon setup with logging.

    netmon.msi /l*v mylogfile.txt


  4. Anonymous says:

    Wie bereits angekündigt, befand sich die aktuelle Version des Microsoft Netzwerkmonitor seit Juni in

  5. Anonymous says:

    There were 214 articles from the Microsoft Team Blogs and feeds last week. Here is my summary of interesting

  6. Anonymous says:

    Hey, Scripting Guy! We are having name resolution issues at work. It is so bad that when my wife calls

  7. Paul E Long says:

    When we rewrote NM3, we didn’t include the summrized information containing throughput and such.  

    With the API, it should be possible to recalculate this information and create a separate app that does this, but at this point something like this doens’t exist in NM3.

    You could also export your data to Excel, using Cut&Paste, and create something that calculates the data there.


  8. Anonymous says:

    最近ご無沙汰で何気に寂しかった 😉 親愛なるマメン ( my men ) X-WORKS さんが先日ようやくパブリック公開となったネットワークキャプチャ NM…

  9. Anonymous says:

    Network Monitor 3.2 is a protocol analyzer. It allows you to capture network traffic, view and analyze

  10. Anonymous says:

    The addition of process identification is nice, but I’m trying to troubleshoot the source of some "rogue" DNS queries and none of them are showing up….when I use Process Explorer they pop up very briefly.

    Is this a weakness in the current incarnation of Netmon?

  11. Anonymous says:


    Is there a forum somewhere with support for netmon3.2 ??. Been using Netmon2 for YEARS and recently found 3.2 :-O.

    I now have a large capture (7 x 20MB tmp files) and it won’t let me save the capture :-((.

    Keeps saying ‘Not enough storage is available to process this command’.

    Running on a hosted server 2003 web edition and have 1GB RAM and 30GB free space on drive with tmp files in :-O.



  12. Paul E Long says:

    Новая версия, can you write your question in English?  I tried to translate your question.  It said that you missed out on the new version.

    Are you saying that a feature is missing?

    Are you saying that you weren’t notified of a new update from Microsoft Update?


  13. Paul E Long says:

    NM3.2 will poll the current state of processes when it detects UDP or TCP traffic that has not been associated.  It’s possible a process has disappeared by the time we query the state.  

    We do some caching and the timing may be further tunable, but there may be some situations where we miss the process because it is no longer around when we query the state.

    I’ll have to play around with DNS in general, but I think there should be some situations where it does capture DNS traffic to a process.


  14. Paul E Long says:

    There’s no built in way to get total network traffic.  You could, however, add a column for Frame length, then filter on the process in question, then export that data to Excel and add up the total data sent.

    You would also be able to modify the NPL to add a property to show the total length if you wanted to.  You’d have to do this in IPv4 or IPv6 and create a conversation variable to hold the value.  But you could then add this as a column.  Due to the way properties work, the column would have the total ammount.


  15. Anonymous says:

    The latest build for Netmon is not available for download. I strongly recommend you to download this

  16. Anonymous says:

    Что-то я пропустил выход новой версии анализатора протоколов от Microsoft Network Monitor 3.2…

  17. Paul E Long says:

    Basically it’s based on a driver that passes WLK certification.  I beleive the latest driver from Intel has worked properly for me.

    Look at this blog for more info

  18. Anonymous says:

    Hey Guys.

    What happened to the "Graph" pane that had all the information such as network utilisation, bits per second etc.

    Why do I ask? Well, I have a project where I am supposed to conduct capacity analysis using Network Monitor 3.2.

    However, with this new version, there does not appear to be a way to actually measure the bits associated with the captured traffic. So, I cant see how I could for instance measure average network utilisation.

    I am pretty sure the older lite version that came bundled with Server 2003 had this ability, as seen in this link here:

    So in summary, does this recent version of Network Monitor allow for quantitative measurements as opposed to just qualitative ones?


  19. Anonymous says:

    If you’re into troubleshooting network traffic, and are a real “packet-head”, then this news is for you..

  20. Paul E Long says:

    The support forums are currently on Microsoft Connects (

    To answer your question, the UI is not ideal for capturing for a long time.  Use of UI elements for conversations and other things pile up over time and given enough traffic or a long enough period you may get in a situation where you can’t save the trace.

    For long running traces, use the command line utility instead, NMCap, which is included with NM3.2 when you install.  Type NMCap /examples for some different ways to run NMCap.



  21. Anonymous says:

    Does the Process Tracking feature of NM 3.2 allow to somehow measure the total network traffic of particular process (both incoming and outgoing) and/or particular conversation within process? For example, to display how much network traffic was consumed by iexplore.exe or outlook.exe processes on the screenshot in the blog post…

  22. Anonymous says:

    Do you have a list of NDIS 6 802.11 drivers that support monitor mode?  Also, have you noticed that the Intel 4965AGN adds 4 bytes to the end each received frame?

  23. Anonymous says:

    when i try to install network monitor 3.2,

    the install program killed automatically.

    but 3.1 version installed very well.

    please send me a anwser…

Skip to main content