Monitor generating only 'Unknown' traffic

  • Question

  • Currently I am only getting 'unknown' conversations in 'My Traffic' and in 'Other Traffic'. Is there a configuration
    issue I should be aware of in order to resolve this problem?

    I am using the updated version 3.3. Initially I had both TCP Analyser 1.2 and Microsoft Parsers 3.4 installed, when the
    problem first appeared. After reinstalling just the 3.3 monitor w/o Microsoft Parsers 3.4 (or TCP Analyser 1.2) and setting
    it to the default configuration ... the problem still persists.

    TIA.
    Friday, February 5, 2010 1:45 AM

Answers

  • One reason is processes that occur under another credential will show up as unknown.  You can resolve that by running Network Monitor as admin.

    Also any traffic that is not directed to your machine will show up as unknown.  For instance any p-mode traffic can't be associated with a process since it's not visible to your machine.

    Paul
    • Marked as answer by Paul E Long Monday, March 1, 2010 5:20 PM
    Wednesday, February 24, 2010 3:33 PM

All replies

  • Hi,

    We usually use the "<Unknown>" tag for data we can't associate with a process (either it only exists briefly or is a system process).  We've made some improvements on this, but if you run something like Internet Explorer, you should still see "iexplorer.exe" in the conversation tree.

    Can you provide any more details about what sort of system you have?  Such as OS and 32/64 bit?  Did it used to work before you upgraded your parsers?

    Thanks,


    Michael Hawker | Program Manager | Network Monitor
    Saturday, February 6, 2010 12:52 AM
  • Greetings Mr. Hawker,

    Thank you for your response. I apologize for my tardy reply. I am running Windows 7 on an Acer Aspire 5517 AMD64 dual core notebook.
    The network monitor initially worked fine w/o any problems (in fact I have a capture file that demonstrates this). So I am at a loss as to a possible 'before & after' explanation that may indicate the source of the malfunction, other than the fact that I upgraded the parsers.
    Tuesday, February 9, 2010 2:21 AM
  • What kind of traffic are you capturing?  Is it from iexplorer?  Do you see more than one Unknown application?  Does this change if you run Netmon as administrator?

    Thanks,

    Paul
    Tuesday, February 9, 2010 6:25 PM
  • I am running Windows 7 now. When I run netmon 3.3 on my computer, I found a lot of other traffic marked as unknown. What is the possible reason?
    Maximize your network value. http://networkmonitor.blog.com
    Wednesday, February 24, 2010 8:37 AM
  • Thanks, Paul, good answer!

    For some reason, my previous desktop shortcut icon had reverted back to running as a user, instead of running as an administrator.

    Perhaps this would be good to include in the help/troubleshooting file?

    -marc (MSFT Netmon 1.0 tester and UE reviewer)

    Monday, June 7, 2010 11:52 PM
  • Good morning

    I am having the same issue and I am logged in as the domain admin account. Is there another tool you know of that traces the upper levels of OSI? Specifically, the presentation layer? I assume the "process" is the layer 7 referent, but wanted to make sure.

    Wednesday, July 18, 2012 2:09 PM
  • Hi Moe,

    We're discussing the process tracking feature of Network Monitor which attempts to record which machine process was generating/receiving the traffic captured from the network.  We're not talking about a specific protocol or presentation layer in the OSI.

    Based on this, I'm not sure what type of issue you're having.  Is it that we're not parsing data you're seeing or expecting to see in the frame list or is it indeed related to seeing an 'unknown' process in the conversation tree?

    If you could clarify your issue a bit more, we'll be better able to assist you and either continue this thread if the solution above didn't work for you or split this off in its own thread to address your particular problem.

    Thanks,


    Michael Hawker | Program Manager | Network Monitor

    Wednesday, July 18, 2012 4:45 PM