Friday, April 16, 2021

Native Windows 10 packet Sniffer PKTMON

I had to troubleshoot connectivity issues from a Windows 10 machine and really did not want to install Wireshark. Then I remembered reading this document for the built-in sniffer: pktmon | Microsoft Docs

Basically, here are the steps:

  • Change directory to where you want the results to be saved (e.g. c:\temp)
  • Add filters for the IPs you want to monitor
    • pktmon filter add -i 8.8.8.8
    • pktmon filter add -i 9.9.9.9

  • Start pktmon
    • pktmon start --etw  (this sends to the PktMon.etl file only)
    • pktmon start --etw -l real-time  (this sends to the PktMon.etl file and the screen)
  • Generate the traffic

  • Stop pktmon
    • pktmon stop

The native PktMon.etl file can only be read by Microsoft’s NetMon. If you have Wireshark installed, you can convert it to pcapng with this command and open the result there:

  • pktmon pcapng pktmon.etl -o log.pcapng
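
As an added example (not the post's own code), the steps above wrapped into one PowerShell script, with a check that the session is elevated and that stale filters from an earlier session are cleared first. It assumes Windows 10 2004 or later (for pktmon pcapng), and the output directory and target IPs are placeholders.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session and Windows 10 2004+ (needed for "pktmon pcapng").
$OutDir  = 'C:\temp'                 # placeholder: where PktMon.etl and the pcapng land
$Targets = @('8.8.8.8', '9.9.9.9')   # placeholder IPs, same as the post

# pktmon needs an elevated prompt; fail before changing any filters.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell.' }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Set-Location $OutDir                 # pktmon writes PktMon.etl to the current directory

# Filters persist across sessions, so drop leftovers, then add one per target IP.
pktmon filter remove | Out-Null
foreach ($ip in $Targets) { pktmon filter add -i $ip | Out-Null }
pktmon filter list                   # show what will actually be captured

# Capture to PktMon.etl only (no real-time console output), generate traffic, stop.
pktmon start --etw
try {
    # Same traffic as the post's nslookup test: a DNS query against each target.
    foreach ($ip in $Targets) {
        Resolve-DnsName -Name 'example.com' -Server $ip -ErrorAction SilentlyContinue | Out-Null
    }
}
finally {
    pktmon stop                      # the .etl is not complete until the capture is stopped
}

# Convert for Wireshark and confirm the file exists.
$etl  = Join-Path $OutDir 'PktMon.etl'
$pcap = Join-Path $OutDir 'log.pcapng'
pktmon pcapng $etl -o $pcap
if (Test-Path $pcap) { "Capture ready: $pcap" }
else { throw 'pcapng conversion failed; check that this Windows build supports "pktmon pcapng".' }
```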

Also for reference, the on-screen verbose output (-l real-time) of opening nslookup and connecting to 8.8.8.8 would look like this:

There are other options in the linked doc, but to get a quick view of traffic, not bad. Enjoy!
