

Network Monitor Property Filtering

Data Fields:

We treat Property members as properties rather than data fields, because data fields represent data on the wire for a frame.

Properties:

To avoid name collisions, each field should be prefixed with "Property.". To save space, we've left this out of the Field column.

| Field | Description | Example |
|---|---|---|
| Description | The highest-level protocol summary description. If TCP is the highest-level protocol that is parsed, this property will contain its description. We've gathered feedback on these over the years from various experts in specific protocols, but if you have suggestions, we're always happy to hear them. It is best to file feedback on our parser site at http://nmparsers.codeplex.com/. | Description.Contains("error") |
| Destination | The Ethernet, IPv4, or IPv6 address of the frame's origin. Note that both the Source and Destination columns can have aliases applied to them to show a friendly name for a machine based on your configuration or a DNS lookup. Aliases take precedence, followed by resolved names, then IP address, and finally Ethernet. If you want to show the Ethernet or IP address, you can add a column for those properties specifically. | Destination.Contains("192.68") |
| Source | Similar to Destination. | Source.Contains("srv") |
| UTProcessID | With unified tracing, process names and IDs are stored in a different property because they are contained within the packet. ProcessID and ProcessName, on the other hand, are derived outside the scope of the network traffic and therefore have different names and scopes. | Property.UTProcessID == 1234 |
| UTProcessName | See UTProcessID above. | Property.UTProcessName.Contains("exp") |
