
Certification Success - Understanding Network Monitor Part II

Using Network Monitor, you can perform some of the tasks that would otherwise be handled by a firewall or proxy product. Software vendors generally frown on this: they would rather you bought the full product, so the bundled tool makes such tasks awkward while nudging you toward the ease and features of the paid version. That is very much the case with Network Monitor, which is really a cut-down edition of the SMS Network Monitor. It is, however, possible to watch for a specific byte pattern and take an action when it appears. For the sake of example, let's assume that you want to be told whenever someone on the computer is viewing naughty material. Since it isn't appropriate to use such words here, we'll make the point with the keyword Microsoft. Please note that we are not saying that Microsoft is naughty, far from it; it is simply a word that is easy to trigger on and easy to test. In the real world you would replace Microsoft with whatever word or words you want to be alerted about. Keep in mind that this only works on traffic that crosses the wire in the clear: a pattern trigger cannot see inside an SSL-encrypted session. In this case, let's watch for communications that include microsoft and log an event in the Event Log so that there is a lasting record of the 'transgression.'

  1. Open Network Monitor.
  2. Click on Capture on the Menu Bar, and select Trigger.
  3. Select the Pattern Match radio button in the top area.
  4. On the pattern line, type "microsoft" and select the ASCII radio button.
  5. In the Trigger Action area, select the Audible Signal Only radio button, and tick the checkbox next to Execute Command Line.
  6. In the box for the executable, type the following (with plain straight quotes): eventcreate /l application /so netmon /t information /d "netmon triggered. Please view capture" /id 999
  7. The eventcreate command writes an event to the Application log. /so netmon sets the event source to netmon, /t information labels it an information event, /d supplies the description "netmon triggered. Please view capture", and /id 999 sets the event ID (eventcreate accepts IDs from 1 to 1000). The command runs with the rights of the account running Network Monitor and needs permission to write to the Application log, so run it by hand from a command prompt first: if it fails there, the trigger will fail the same way, only silently.
  8. Click on the OK button.
  9. Select Capture from the Menu Bar, and select Start Capture. The system will prompt you to save the capture, which you can do if you wish. This is the only way to save a trigger and filter together.
  10. Notice that very little is happening in the real-time panes. As time goes by you may see a small amount of activity; there is a reason for this, covered in step 12. Open Internet Explorer, and enter www.microsoft.com on the address line.
  11. On the Capture Menu, select Stop and View. From here, you can double-click on any packet/frame to see more about its intent, its protocol, its source/destination, and its contents.
  12. You may notice some packets that have nothing to do with your communications with www.microsoft.com: the occasional broadcast from other devices on the network, as well as broadcasts from your own system. They are there because a trigger does not filter what is captured. Network Monitor still records every frame it sees; the trigger only decides when to fire the action. A Windows server also produces a steady trickle of its own broadcast chatter, which is why the panes were never completely idle. Test the trigger capability a little: change the pattern from microsoft to a less frequent word that you can associate exclusively with a specific website. Keep in mind that the pattern field has a limited length, that the match is made on raw bytes and is therefore case-sensitive (Microsoft and microsoft are different patterns), and that the system searches for patterns, not words, so a trigger on 'for' will also fire on frames containing forth, fore, forehead, fortune, etc.
  13. Open Event Viewer: Administrative Tools | Event Viewer.
  14. Select the Application section in the left pane. Select the event in the right pane whose source is netmon, and double-click on it.
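The following PowerShell script is an added example, not part of the original article and not Network Monitor's own code. It does the two checks a practitioner would want around the steps above: it fires the trigger's command line by hand to prove the account can write the event, and it reads back every event the trigger has logged, with a simple per-hour count to show whether the pattern is firing on background broadcast chatter when nobody is browsing. It assumes the trigger was built exactly as described (Application log, source netmon, event ID 999); the manual test uses a different description so that test events are distinguishable from real hits.

```powershell
# Added example: verify the Network Monitor trigger action and read back its events.
# Assumes the trigger was configured as in the steps above: Application log,
# source "netmon", event ID 999. Run from a prompt with rights to write the
# Application log (an elevated prompt on systems with UAC).

# 1. Fire the trigger's command by hand, with a distinct description so test
#    events are not confused with real hits. If this fails here, the trigger
#    will fail in the same way when the pattern is seen, but silently.
eventcreate /l application /so netmon /t information /d "manual test of trigger command" /id 999
if ($LASTEXITCODE -ne 0) {
    throw "eventcreate failed (exit code $LASTEXITCODE); fix this before relying on the trigger"
}

# 2. List every event written under the trigger's source and ID, newest first.
#    -ErrorAction SilentlyContinue keeps Get-WinEvent quiet when nothing matches yet.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'netmon'; Id = 999 } `
    -ErrorAction SilentlyContinue
$hits | Select-Object TimeCreated, Message | Format-Table -AutoSize

# 3. Noise check: count hits per hour. A pattern that also matches broadcast
#    traffic fires around the clock; real browsing shows up as bursts during
#    working hours. Steady counts at 3 a.m. mean the pattern is too broad.
$hits |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object @{ Name = 'Hour'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Delete the manual test event from Event Viewer (or simply note its description) before counting, so the per-hour totals reflect only what the trigger itself produced.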
