Microsoft silently added a packet sniffer to Windows 10 in the October 2018 Update. The tool is called PktMon.exe and it works in the same way as any other packet or network sniffer, including Wireshark and Microsoft Network Monitor.
For IT professionals and tech support professionals this is good news, because they won’t have to rely on third-party software to capture and inspect network traffic.
The usage is not as user-friendly as Wireshark or other similar software because it does not have a GUI. You have to operate it through the command line.
The location of the exe file of the Windows 10 Packet Monitor is:
If you check the File Description in the properties, it describes it as “Packet Monitor”.
New Additions after the May 2020 Update
Microsoft has introduced a couple of additional features in PktMon in the May 2020 update:
- Real-time monitoring
- PCAPNG file support
These two features were not included in the initial package. With these features, you can leverage the full features of a conventional packet sniffer. PCAPNG conversion support will allow you to open and view the log files in other packet capturing tools like Wireshark.
How to Use the Windows Built-in Packet Monitor
As mentioned above, the usage of PktMon is a bit tricky compared to other GUI-based tools. You will have to learn a few commands to be fully operational with it.
In this guide I am going to show you how to run the basic commands and export the packet capture log file in ETL and PCAPNG formats.
The first step is to open your command prompt with Administrative privileges.
To start using Pktmon, simply type:
This command will show the different options for using it. We are obviously interested in using it as a packet filter. To check the different options for filtering, here’s the command:
pktmon filter help
Monitoring FTP traffic with Pktmon
Let’s assume that you want to monitor the FTP traffic on ports 20 and 21. Here are the commands:
pktmon filter add -p 20
pktmon filter add -p 21
To view the packet filters you just created, use this command:
pktmon filter list
To start monitoring and logging the network packets going through FTP ports 20 and 21, use the pktmon start --etw command.
Once you execute this command, it will monitor and log all the packets in a file called Pktmon.etl. Note that it will only record the first 128 bytes of a packet.
In order to capture the entire packet, you can use the -p 0 argument:
pktmon start --etw -p 0
To stop the packet capturing process you will need to enter the pktmon stop command.
You can also convert the Pktmon.etl file to a human-readable format such as a .txt file using this command:
pktmon format PktMon.etl -o filename.txt
How to capture packets for a specific Network interface:
If you want to capture the packets for a specific network interface, let’s say your Ethernet card, you can use the pktmon comp list command to list all the network interfaces.
Now, to capture the packets on this specific network interface you will have to use the -c 9 argument, where ‘9’ is the Id of the network interface.
pktmon start --etw -p 0 -c 10
How to perform real-time packet monitoring
As mentioned earlier, the Microsoft May 2020 update added two very useful features to the Windows Packet Monitor. One of them is real-time packet monitoring. To enable real-time packet monitoring, you need to pass the -l real-time argument in the command.
pktmon start --etw -p 0 -l real-time
How to convert to PCAPNG file format
If you want your log files to be read in other third-party packet filtering tools then you need to convert them to the PCAPNG file format.
Microsoft included this feature in pktmon in the May 2020 update. To convert your .etl file to .pcapng, you simply need to execute the command:
pktmon pcapng [filename.etl] -o [filename.pcapng]
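The whole workflow above (filter the FTP ports, capture full packets on one interface, stop, then convert the log to text and PCAPNG for Wireshark) as one elevated PowerShell script. This is an added example, not code from the original post; it uses the May 2020 pktmon syntax shown in this guide plus pktmon filter remove for cleanup, and the component id, ports and output folder are placeholders you adjust to your machine.

```powershell
# Added example (not from the original post): drive pktmon.exe through the
# capture workflow described above. Component id 9 is a placeholder taken
# from the guide; check 'pktmon comp list' for the right id on your machine.
param(
    [int[]]$Ports = @(20, 21),            # FTP data and control ports
    [int]$ComponentId = 9,                # interface id from 'pktmon comp list'
    [int]$Seconds = 60,                   # how long to capture
    [string]$OutDir = "$env:USERPROFILE\Captures"
)

# pktmon needs elevation, so fail early with a clear message.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell prompt."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Push-Location $OutDir                    # PktMon.etl is written to the current directory
try {
    # Filters persist between runs until removed, so start from a clean slate.
    pktmon filter remove | Out-Null
    foreach ($p in $Ports) { pktmon filter add -p $p | Out-Null }
    pktmon filter list

    # -p 0 captures whole packets instead of the default 128-byte truncation;
    # -c limits the capture to the chosen interface.
    pktmon start --etw -p 0 -c $ComponentId
    if ($LASTEXITCODE -ne 0) { throw "pktmon start failed (exit code $LASTEXITCODE)" }

    Write-Host "Capturing on component $ComponentId for $Seconds seconds..."
    Start-Sleep -Seconds $Seconds
}
finally {
    pktmon stop
    pktmon filter remove | Out-Null     # do not leave filters behind for the next run
    Pop-Location
}

# Convert the ETL log to both formats, stamped so repeated runs do not overwrite.
$etl   = Join-Path $OutDir 'PktMon.etl'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
pktmon format $etl -o (Join-Path $OutDir "ftp-$stamp.txt")
pktmon pcapng $etl -o (Join-Path $OutDir "ftp-$stamp.pcapng")
Get-ChildItem $OutDir -Filter "ftp-$stamp.*"
```

The .pcapng file can then be opened directly in Wireshark for inspection.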
Of course there are more advanced options that you can use to further customize the results of packet filtering. However, this tool is great if you don’t want to use external tools and software and would rather make use of Windows internal tools to monitor the IN / OUT network traffic to your PC.