Beginner’s Guide to Windows 10 built-in Packet Sniffer ‘PktMon’

Microsoft silently added a Packet sniffer to Windows 10 in the October 2018 Update. The tool is called PktMon.exe and it works in the same way as any other Packer or Network sniffer including WireShark and Microsoft Network Monitor.

For IT professionals and Tech support professionals it’s a good news because they won’t have to rely on third-party software to capture and inspect the network traffic.

The usage is not as user-friendly as Wireshark or other similar software because it does not have a GUI. You have to operate it through the command-line.

The location of the exe file of Windows 10 Packer Monitor is:

C:\Windows\system32\pktmon.exe

If you check the File Description in the properties, it describes it as “Packet Monitor”.

New Additions after the May 2020 Update

Microsoft has introduced a couple of additional features in PktMon in the May 2020 update:

  • Real-time monitoring
  • PCAPNG file support

These two features were not included in the initial package. With these features, you can leverage the full features of a conventional packet sniffer. PCAPNG conversion support will allow you to open and view the log files in other packet capturing tools like Wireshark.

How to Use the Windows Built-in Packet Monitor

As mentioned above, the usage of PktMon is a bit tricky compared to other GUI based tools. You will have to learn a few command to be fully operational with it.

In this guide I am going to show you how to run the basic commands and export the packet capture log file in ETL and PCAPNG formats.

The first step is to open your command prompt with Administrative privileges.

To start using Pktmon, simply type:

pktmon help
Pktmon help

This command will show the different options for using it. We are obviously interested in using it as a Packet filter. To check the different options for filtering here’s the command:

pktmon filter help
Pktmon filter help

Monitoring FTP traffic with Pktmon

Let’s assume that you want to filter monitor the FTP traffic on port 20 and 21. Here are the commands:

pktmon filter add -p 20
pktmon filter add -p 21

To view the packet filters you just created, use this command:

pktmon filter list
PktMon filter list

To start monitoring and logging the network packets going through FTP ports 20 and 21, use the pktmon start --etw command.

Once you execute this command, it will monitor and log all the packets in a file called Pktmon.etl. Note that it will only record the first 128 bytes of a packet.

In order to capture the entire packet, you can use the -p 0 arguments:

pktmon start --etw -p 0
Pktmon capture entire packet

To stop the packet capturing process you will need to enter the pktmon stop command.

You can also convert the Pktmon.etl file to a human reable format like .txt file using this command:

pktmon format PktMon.etl -o filename.txt

How to capture packets for a specific Network interface:

If you want to capture the packet for a specific network interface, let’s say your ethernet card, you can use the pktmon comp list command to list all the network interfaces.

Pktmon network interface list

Now, to capture the packets on this specific network interface you will have to use the -c 9 argument. ‘9’ is the Id of the network interface.

pktmon start --etw -p 0 -c 10

How to perform real-time packet monitoring

As mentioned earlier, Microsoft May 2020 update has added two very useful features to the Windows Packet monitor. One of them is real-time packet monitoring. To enable real-time packet monitor, you need to pass the -l real-time argument in the command.

pktmon start --etw -p 0 -l real-time

How to convert to PCAPNG file format

If you want your log files to be read in other third-party packet filtering tools then you need to convert them to the PCAPNG file format.

Microsoft has included this feature in pktmon on the May 2020 update. To covert your .etl file to .pcapng, it you simply need to execute the command:

pktmon pcapng [filename.etl] -o [filename.pcapng]

Of course there are more advanced options that you can use to further customize the results of packet filtering. However, this tool is great if you don’t want to use external tools and software and make use of Windows internal tools to monitor the IN / OUT network traffic to your PC.

Spread the Word

You May Also Like

About the Author: Umair

A self-learned Javascript developer specializing in Frontend and Backend frameworks including React.js, Redux, Node.js, Express, MongoDB. He has extensive industry experience as a Tech Support lead and System Administrator. Currently learning Web3, (Solidity, Hardhat, Ethers.js) Smart contracts development, testing and auditing.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.