
February 10, 2021 | Windows 10, Windows Server 2019

Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

Packet Monitor (PktMon.exe) is a built-in network traffic analyzer (sniffer) that was introduced in Windows 10 1809 and Windows Server 2019. The Windows 10 May 2020 Update (version 2004) added many new Packet Monitor features, among them real-time packet capture and export to the PCAPNG format, which can be imported directly into the Wireshark traffic analyzer. Windows thus now has a packet capture tool comparable to tcpdump, which system and network administrators can use to diagnose network operation and performance.

Packet Monitor lets you capture all network activity passing through the computer’s network interfaces at the packet level.

Earlier, the netsh trace command was used to capture network traffic and inspect packets in Windows.

You can get help on pktmon.exe options and syntax by running the tool in the command prompt.

[Screenshot: syntax of the Packet Monitor tool (pktmon.exe) on Windows 10]

Here are the basic Packet Monitor commands:

  • filter – manage packet filters
  • comp – manage registered components
  • reset – reset packet counters
  • start – start packet monitoring
  • stop – stop packet monitoring
  • format – convert the traffic log file to a text format
  • pcapng – convert to the pcapng format
  • unload – unload the PktMon driver

To get help on a subcommand, enter its name:

pktmon filter

[Screenshot: pktmon filter subcommand help]

Let’s try to collect a dump of the traffic coming to some running services on a Windows 10 device. Suppose we want to analyze the FTP (TCP ports 20 and 21) and HTTP/HTTPS (TCP ports 80 and 443) traffic.

Create packet filters for these TCP ports (UDP and ICMP traffic can be filtered as well; the filter name is optional):

pktmon filter add -p 20 21
pktmon filter add HTTPFilter -p 80 443

Display the list of active filters:

pktmon filter list

[Screenshot: pktmon filter list showing the added TCP port filters]

To run background traffic capture, run this command:

pktmon start --etw

Log file name: C:\Windows\System32\PktMon.etl
Logging mode: Circular
Maximum file size: 512 MB
Active measurement started.

[Screenshot: pktmon start beginning a packet capture]

In this mode, pktmon collects data from all network interfaces, but only the first 128 bytes of each packet are logged. To capture packets in full on a specific network interface, use the following command (note that for the start command -p sets the captured packet size, where 0 means the whole packet, unlike -p in filter add, which means port):

pktmon start --etw -p 0 -c 9

where the -c value is the ID of the network interface (component), which you can get with this command:

pktmon comp list

[Screenshot: pktmon comp list showing network interfaces and their IDs]

Packet Monitor writes all traffic matching the filters you have set to C:\Windows\System32\PktMon.etl (its maximum file size is 512 MB, in circular logging mode). To stop recording the dump, run the following command:

pktmon stop

Packet collection also stops automatically when Windows is rebooted.

Then you can convert the traffic dump file from ETL to the plain text format:

pktmon format PktMon.etl -o c:\ps\packetsniffer.txt

or

pktmon pcapng PktMon.etl -o c:\ps\packetsniffer.pcapng

You can analyze the traffic dump in text format, or open the ETL file in Microsoft Network Monitor or the PCAPNG file in Wireshark on the administrator’s computer.

[Screenshot: pktmon log file opened in Microsoft Network Monitor]

To remove all Packet Monitor filters you have created, run this command:

pktmon filter remove
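The whole procedure above (add filters, capture on one interface with full packet size, stop, convert to PCAPNG, remove the filters) can be run unattended as a bounded capture. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes an elevated session on Windows 10 2004 / Server 2019, that the component ID (9 is a placeholder) was taken from pktmon comp list, and that the -f option of pktmon start sets the ETL file name (an assumption; the article itself relies on the default PktMon.etl path).

```powershell
# Added example (not from the original article): a time-bounded PktMon capture.
# Run from an elevated PowerShell session.
param(
    [int]$Component = 9,          # placeholder; take the real ID from "pktmon comp list"
    [int]$Seconds   = 60,         # how long to capture
    [string]$OutDir = 'C:\ps'     # where the ETL and PCAPNG files go
)

# pktmon needs an elevated prompt; fail early instead of half-way through.
$principal = [Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$etl   = Join-Path $OutDir "pktmon-$stamp.etl"
$pcap  = Join-Path $OutDir "pktmon-$stamp.pcapng"

# Start from a clean filter set so a stale filter from an earlier run
# does not silently narrow this capture. "filter remove" without arguments
# removes all filters.
pktmon filter remove | Out-Null
pktmon filter add FTPFilter  -p 20 21
pktmon filter add HTTPFilter -p 80 443
pktmon filter list

try {
    # -p 0 = capture the whole packet (default is the first 128 bytes),
    # -c   = component (interface) ID,
    # -f   = output ETL file (assumed option, not shown in the article).
    pktmon start --etw -p 0 -c $Component -f $etl
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the trace; otherwise it keeps writing until "pktmon stop" or a reboot.
    pktmon stop
}

# Convert the ETL to PCAPNG so it can be opened in Wireshark.
pktmon pcapng $etl -o $pcap

# Leave no filters behind so the next capture starts from a known state.
pktmon filter remove | Out-Null

if (Test-Path $pcap) {
    $size = (Get-Item $pcap).Length
    "Capture written to $pcap ($size bytes)"
} else {
    Write-Warning "No PCAPNG file produced; check the pktmon output above."
}
```

The try/finally block is the important part: if the script is interrupted while sleeping, the capture is still stopped, so a circular 512 MB trace is not left running in the background. Removing all filters at the start and end keeps the capture reproducible across runs.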

You can also use PktMon to monitor network traffic in real time with the -l real-time parameter. In this mode, the captured packets are displayed in the console rather than written to a log file in the background.

pktmon start --etw -p 0 -l real-time

[Screenshot: pktmon real-time traffic monitoring on Windows 10]

To stop traffic collection, press Ctrl+C.

If you see packet loss (drops) on a network interface, Packet Monitor can show you the reason (for example, an incorrect MTU or VLAN configuration).

You can also use PktMon in Windows Admin Center through its extensions. The data collected from computers or servers while diagnosing network issues can then be analyzed in more capable traffic analysis software, such as Microsoft Network Monitor or Wireshark.
