Microsoft Network Monitor 3.3 is a protocol analyzer that you can use to capture network traffic, as well as view and analyze it. Network Monitor 3.3 is compatible with the Windows XP, Windows Server 2003, and Windows Vista operating systems. It is a free, licensed component that is not provided with Windows operating systems on client computers, so use of the tool is limited to computers on which it is installed. Network Monitor 3.3 is available as a free download at the Microsoft Download Center. For more information and to download the tool, see KB Article 933741, Information about Network Monitor 3 at .

The following example code is for a display filter that may be useful in capturing network traffic for troubleshooting issues with Enterprise Voice.

// Network Monitor 3.x display filter for Office Communications Server troubleshooting.
(
   tcp.port==5061     // SIP over TLS. This is used by most functions of OCS
// Uncomment any additional protocols you wish to monitor.
// The clauses are joined with || (logical OR) so that a frame matching any one enabled clause is shown.
// || tcp.port==5060  // SIP over TCP
// || tcp.port==5062  // Default SIP for the A/V edge
// || tcp.port==5063  // Default SIP for the A/V Conferencing server
// || tcp.port==443   // HTTPS, TCP STUN
// || udp.port==3478  // UDP STUN
// || tcp.port==8057  // PSOM
// || tcp.port==135   // RPC endpoint mapper used on front end servers for WMI and DCOM
// || dns             // DNS

// Media port ranges. These ranges may be commonly used by non OCS devices on the network.
// || (udp.Port>=50000 && udp.port<=59999)  // RTP media port range on outside A/V edge
// || (tcp.Port>=49152 && tcp.port<=65535)  // RTP media port range for A/V MCU
// || ((tcp.port>=1024 && tcp.port<=65535) || (udp.port>=1024 && udp.port<=65535))  // External Communicator media port range
)

// These are additional filters that may be useful. Add a && token if they are to be used in combination with the

// The following will show the start of TCP conversations (SYN) as well as resets
// (TCP.Flags.Reset == 1 || TCP.Flags.Syn == 1)

// The following will show retransmits if conversations are enabled
// (Property.TCPRetransmit == 1 || Property.TCPSynRetransmit == 1)

// The following will hide RDP if the network trace was captured in a terminal session.
// !(tcp.port==3389)
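
The following Python model is an added example, not part of the original article or of Network Monitor. It shows how the port clauses above combine: `tcp.port==N` is true when either end of the frame uses port N, so clauses joined with a logical AND must all hold for the same frame, and the broad media ranges also catch unrelated traffic such as RDP. The names `Frame`, `clause`, `match_all`, `match_any` and `role` are hypothetical, and the sample frames are constructed.

```python
from typing import NamedTuple, Optional

class Frame(NamedTuple):
    proto: str  # "tcp" or "udp"
    src: int    # source port
    dst: int    # destination port

# Port roles copied from the filter comments on this page.
PORTS = {
    ("tcp", 5061): "SIP over TLS",
    ("tcp", 5060): "SIP over TCP",
    ("tcp", 5062): "SIP for the A/V edge",
    ("tcp", 5063): "SIP for the A/V Conferencing server",
    ("tcp", 443): "HTTPS, TCP STUN",
    ("udp", 3478): "UDP STUN",
    ("tcp", 8057): "PSOM",
    ("tcp", 135): "RPC endpoint mapper",
}
RANGES = [
    ("udp", 50000, 59999, "RTP media, outside A/V edge"),
    ("tcp", 49152, 65535, "RTP media, A/V MCU"),
]

def clause(f: Frame, proto: str, port: int) -> bool:
    """Model of tcp.port==N / udp.port==N: true if either end uses the port."""
    return f.proto == proto and port in (f.src, f.dst)

def match_all(f, clauses) -> bool:   # clauses joined with &&
    return all(clause(f, p, n) for p, n in clauses)

def match_any(f, clauses) -> bool:   # clauses joined with ||
    return any(clause(f, p, n) for p, n in clauses)

def role(f: Frame) -> Optional[str]:
    """Name the first matching clause; exact ports win over the broad ranges."""
    for (proto, port), name in PORTS.items():
        if clause(f, proto, port):
            return name
    for proto, lo, hi, name in RANGES:
        if f.proto == proto and (lo <= f.src <= hi or lo <= f.dst <= hi):
            return name + " (range, may be non-OCS traffic)"
    return None

# Constructed sample frames, not taken from a real capture.
SIP_TLS = Frame("tcp", 51544, 5061)
STUN = Frame("udp", 3478, 53000)
RDP = Frame("tcp", 49800, 3389)   # ephemeral source port inside the MCU range
DNS = Frame("udp", 1030, 53)
```

The `RDP` frame is labelled as MCU media only because its ephemeral source port falls inside the 49152-65535 range, which is why the `!(tcp.port==3389)` clause is worth adding when the trace was captured in a terminal session.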