Netmon capabilities for Skype for Business online troubleshooting
Many times we need to do network trace using tools like wireshark, netmon or Message analyzer.
i find wireshark overwhelming since it doesnt filter the by process, Netmon and Message analyzer provide a way more efficient user interface and filtering based on process as shown on the picture below from netmon:
but even when you sort by process still you get some noise and i will help you have a clean fast look on by the following capabilities in netmon.
1- Display Filters
First we need to know that SfB online use pre defined source ports based on modality; unlike SfB on-premises where you can configure and change source ports as you wish (reference https://technet.microsoft.com/en-us/library/jj204760(v=ocs.15).aspx)
The pre-defined source ports are listed here https://support.microsoft.com/en-us/help/2409256/you-can-t-connect-to-skype-for-business-online,-or-certain-features-don-t-work,-because-an-on-premises-firewall-blocks-the-connection
| Modality | Source | Destination | Source Port | Destination port |
| Audio | Client | Office 365 | 50000 - 50019 UDP and TCP | 443 TCP, 3478 UDP, 50000 - 59999 UDP and TCP |
| Video | Client | Office 365 | 50020 - 50039 UDP and TCP | 443 TCP, 3478 UDP, 50000 - 59999 UDP and TCP |
| Desktop Sharing | Client | Office 365 | 50040 - 50059 UDP and TCP | 443 TCP, 50000 - 59999 TCP |
so based on these ports we can have the following display filters to narrow down on which network capture we need.
//INBOUND SfB // Source ports: 50000 - 50019 Audio (tcp.dstPort>=50000 AND tcp.dstPort<=50019) OR (udp.dstPort>=50000 AND udp.dstPort<=50019) // Source ports: 50020 - 50039 Video or (tcp.dstPort>=50020 AND tcp.dstPort<=50039) OR (udp.dstPort>=50020 AND udp.dstPort<=50039) // Source ports: 50040 - 50060 VBSS and AppShare or (tcp.dstPort>=50040 AND tcp.dstPort<=50060) OR (udp.dstPort>=50040 AND udp.dstPort<=50060) OR //OUTBOUND SfB // Source ports: 50000 - 50019 Audio (tcp.SrcPort>=50000 AND tcp.SrcPort<=50019) OR (udp.SrcPort>=50000 AND udp.SrcPort<=50019) // Source ports: 50020 - 50039 Video or (tcp.SrcPort>=50020 AND tcp.SrcPort<=50039) OR (udp.SrcPort>=50020 AND udp.SrcPort<=50039) // Source ports: 50040 - 50060 VBSS and AppShare or (tcp.SrcPort>=50040 AND tcp.SrcPort<=50060) OR (udp.SrcPort>=50040 AND udp.SrcPort<=50060)
All you need is to past the above code in the display filter and Apply then "Save Filter" like in the below picture
2- Color Rules
now we would need to do some color coding for easy reading of these traffic, like below screen shot; i filtered the voice packets on green color, video on red, RDP traffic on grey and VBSS traffic on grey with bold fonts
you can use import the following color rules to match these setting by doing the following:
1- Create a new file named color.nmcr
2- Paste the following in the file using notepad
Version = 1
BEGIN_RULE
BEGIN_FILTER_TEXT
(tcp.SrcPort>=50000 AND tcp.SrcPort<=50019) OR (udp.SrcPort>=50000 AND udp.SrcPort<=50019)
or
(tcp.dstPort>=50000 AND tcp.dstPort<=50019) OR (udp.dstPort>=50000 AND udp.dstPort<=50019)
END_FILTER_TEXT
Active = 1
Foreground = 0, 0, 0
Background = 128, 255, 128
Bold = 0
Italic = 0
Underline = 0
END_RULE
BEGIN_RULE
BEGIN_FILTER_TEXT
(tcp.SrcPort>=50020 AND tcp.SrcPort<=50039) OR (udp.SrcPort>=50020 AND udp.SrcPort<=50039)
or (tcp.dstPort>=50020 AND tcp.dstPort<=50039) OR (udp.dstPort>=50020 AND udp.dstPort<=50039)
END_FILTER_TEXT
Active = 1
Foreground = 0, 0, 0
Background = 255, 0, 128
Bold = 0
Italic = 0
Underline = 0
END_RULE
BEGIN_RULE
BEGIN_FILTER_TEXT
(tcp.SrcPort>=50040 AND tcp.SrcPort<=50059)
or (tcp.dstPort>=50040 AND tcp.dstPort<=50059)
END_FILTER_TEXT
Active = 1
Foreground = 0, 0, 0
Background = 192, 192, 192
Bold = 0
Italic = 0
Underline = 0
END_RULE
BEGIN_RULE
BEGIN_FILTER_TEXT
(udp.SrcPort>=50040 AND udp.SrcPort<=50059)
OR(udp.dstPort>=50040 AND Udp.dstPort<=50059)
END_FILTER_TEXT
Active = 1
Foreground = 0, 0, 0
Background = 192, 192, 192
Bold = 1
Italic = 0
Underline = 0
END_RULE
3- from the color rules click Open and browse and select that file.