Quick Tip: Filter on IP in Network Monitor 3.4

Published on Wednesday, April 16, 2014 in

[Update 2014-04-17] Thanks to Steve’s comment I learned that the HEX notation is absolutely not a must. You can just use the IP address but unlike simple filters like Destination or Source you must not use quotes around the IP! Using quotes for the IP will give you a valid filter but no matches will be found. So there’s absolutely no benefit in using the HEX notation. Makes by post a bit useless, but at least I learned something out of it!

In the past I often used Wireshark to debug all kinds of issues. The last year I’ve been using Microsoft Network Monitor 3.4 more and more. I don’t think Network Monitor is better or worse than Wireshark, but Network Monitor has the capabilities to use a trace file generated by the built-in tracing engine of Windows ( See Network Tracing Awesomeness) That means I don’t have to install Wireshark allover the place!

Small side note: Network Monitor 3.4 has been out for a while and I’ve often wondered when a newer version would be released. I wasn’t missing any particular features, but hey I’m an IT guy, I like new stuff! And today I happen to stumble upon this: http://blogs.technet.com/b/messageanalyzer/ Seems like Microsoft does have a successor: Message Analyzer. I installed it an did some quick tests and it seems like there’s a lot of fancy stuff in there! Using it will take some time to learn though. Some fancy features: graphs (e.g. SMB performance) and remote live capturing!!! Awesome!

Either way, back to my good old Network Monitor. One of the things I often do is blindly capture everything and then I try to filter the data that is displayed. One thing I often require is to ensure only traffic with a particular host is displayed. Typically I did this by adding a filter which is of the format “Source == IP and Destination == IP”. This does work mostly, but sometimes it doesn’t when the IP is translated to the actual DNS name. Besides that, it always bothered me I had to type such a long filter.

Next to “Source” and “Destination” there’s also IPv4.SourceAddress, IPv4.DestinationAddress and IPv4.Address. I tried those in the past a few time: e.g. IPv4.Address == “” and although the filter is accepted, no traffic is shown. Today I accidentally found out that those IPv4.XYZ filters expect an IP in HEX format!

If you got some captured data and you want to filter you can simply drill down the IP packet information, right-click sourceAddress and choose add to display filter. That will give you the hex notation.


Now this works perfectly if you want to do it for a display filter. But what if you want to limit the amount of data captured by using a capture filter?


Sample filter:


Well you can just use a simple IP to HEX converter site like this: http://www.miniwebtool.com/ip-address-to-hex-converter/?ip=

Or you can use the following PowerShell oneliner:

"$(([Net.IPAddress]"").GetAddressBytes() | ForEach-Object { '{0:x2}' -f $_ })" -Replace '\s'


The PowerShell oneliner will require you to add an x after the first 0 though.

Happy tracing!


Windows 7 and the RemoteApp Connection URL Issue

Published on Wednesday, April 9, 2014 in ,

Some weeks ago I had a customer which experienced issues with RemoteApp on Windows 8: Setspn: Windows 8.1 and the RemoteApp Connection URL GPO Setting Issue Now I had another customer with a similar issue. This one was working with Windows 7 and we were entering the URL manually (for now). Upon entering the URL we got greeted with an error:


In order to find out what was going on I thought I’d run a process monitor alongside with it. After filtering most of the success/harmless messages, here’s what’s left:


The one that got my attention was the “NOT IMPLEMENTED” one. It got me thinking. The users logging on to Windows 7 have their appDataRoaming redirected to a folder in their home share. And we use offline files and folders as well. Due to the fact that I was messing around with Direct Access I had my home folder as "work offline”:

Workspace2 - Copy

After transitioning to “work online”:

Workspace3 - Copy

All seemed to go well:


Seems a pretty specific case, but as usual, if I ran into it, perhaps other people will as well.


Generate a SAN Certificate Request File

Published on in

Recently I had to generate a request file for a SAN (Subject Alternative Name) certificate. Using the GUI this is pretty straight forward, but I wanted to use the command line as this allows to be repeated for other certificates way faster. The tool to be used, which is installed by default on Windows, is certreq.exe. Typically certreq.exe uses an inf file to gather most of the input. For the actual parameters I started googling around. I quickly stumbled upon: KB931351: How to add a subject alternative name to a secure LDAP certificate

The relevant section:


The generation of the request file went flawless with this parameter. However upon verification using an online CSR decoder (https://www.sslshopper.com/csr-decoder.html ) I couldn’t find my SAN attribute. So I googled a bit more and finally came up with the following contents for certreq.ini:


Signature="$Windows NT$"

Subject = "CN=name.contoso.com,O=CSR Demo,OU=IT,L=Brussels,S=Brussels,E=certificates@contoso.com,C=BE"

;EncipherOnly = FALSE
Exportable = TRUE   ; TRUE = Private key is exportable
KeyLength = 2048     ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1          ; Key Exchange – Required for encryption
KeyUsage = 0xA0      ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

RequestType = PKCS10 ; or CMC.

OID= ; Server Authentication
;OID= ; Client Authentication  // Uncomment if you need a mutual TLS authentication

[Extensions] = "{text}"
_continue_ = "dns=name.contoso.com&"
_continue_ = "dns=othername.contoso.com"

As you can see the SAN properties are now specified in an other way, and these seem to make it to the certificate request. I also highlighted Exportable (Private Key) = TRUE but that’s entirely personally and dependent on your scenario. To conclude the parameter required to actually perform the procedure:

  • Generate the request file: Certreq.exe –new certreq.ini certreq.req
  • Accept and Install certificate: Certreq.exe –accept certificate.cer


Direct Access: Error Loading Configuration

Published on in , ,

Recently I worked together with some Microsoft consultants to implement a Direct Access proof of concept. Initially the configuration went just fine. However, the operational state page showed that we had an issue with the IPSEC certificate. Initially we thought the problem had to do with our DA server being unable to reach the internet in order to download the CRL (Certificate Revocation List). So we had two options: either ask the network team to open up the DA’s external interface connectivity towards the internet or configure the DA server so it could use a proxy.

Due to the workload of the network team, not the best reasoning though, we choose option two: the proxy. We configured the proxy in IE and we were able to successfully download the CRL file. The error didn’t go away though. So we figured we had to configure the system to use the proxy. This can be done using netsh:

  • netsh winhttp set proxy

The error didn’t went away and it was time for lunch so we thought we’d give the DA server a reboot and some time. When we came back there was something weird with the operation state page. It just said Name_Of_DA_Server is not working properly. We tried rerunning the configuration wizard but we got greeted with the following error:


In words: The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. Suddenly we figured out that our netsh winhttp proxy might have broken things a bit. So we gave the command a little twist:

  • netsh winhttp set proxy bypass-list="<local>;*.contoso.local"

Now that we used this command our DA console was back to normal, but our IPSEC certificate was still in error. The solution was actually quite simple: just make sure the DA server also has a certificate based upon the Computer (or your custom computer) template. Such a certificate can be used for both client and server authentication. This certificate should be issued by the same CA that issues certificates for your clients and that is configured in the DA configuration wizard. After enrolling a certificate we now had a working DA setup. We could see our clients setting up a connection successfully.

One thing that bothered us though: on the operation state page we had an error on the availability of the IPHTTPS interface of the DA server. Now that was odd. netsh showed it as available and after all we had several clients connected to it. When we removed the proxy (netsh winhttp reset proxy) and then the status page went all green!

So for now I’m not even sure if the DA server needs to check the CRL’s of the certificate used by IPHTTPS. But I guess we’ll find out soon if DA stops working. All I can say: the netsh winhttp set proxy doesn’t seems a really good idea to use. Things started breaking in weird and unpredictable ways.

I’m not sure whether there will be another person ever running into this, but if you do I hope this saves you some time.