I had to troubleshoot connectivity issues from a Windows 10 machine, and really did not want to install Wireshark. Then I remembered reading this document for the built-in sniffer: pktmon | Microsoft Docs
- Change directory to where you want the results to be saved (e.g. c:\temp)
- Add filters for the IPs you want to monitor:
  - pktmon filter add -i 8.8.8.8
  - pktmon filter add -i 9.9.9.9
- Start pktmon:
  - pktmon start --etw (this will write to the PktMon.etl file only)
  - pktmon start --etw -l real-time (will write to the PktMon.etl file and the screen)
- Generate the traffic
- Stop pktmon:
  - pktmon stop
The native file PktMon.etl can only be read by Microsoft's NetMon. If you have Wireshark installed you can run this command to convert it:
- pktmon pcapng pktmon.etl -o log.pcapng
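The whole procedure above, wrapped into one script so it can be re-run the same way each time. This is an added example, not from the original post; it assumes an elevated PowerShell prompt on a Windows 10 build whose pktmon accepts the same subcommands the post uses (`filter add -i`, `start --etw`, `stop`, `pcapng`), and it uses `Resolve-DnsName` as the "generate the traffic" step. The `-Hosts` and `-OutDir` parameter names are the script's own.

```powershell
# Added example (not from the original post): the post's pktmon steps as one script.
# Assumes an elevated PowerShell prompt and a pktmon build that accepts the
# subcommands the post shows.
param(
    [string[]]$Hosts  = @('8.8.8.8', '9.9.9.9'),  # IPs to watch (the post's examples)
    [string]  $OutDir = 'C:\temp'                  # where PktMon.etl / log.pcapng land
)

$ErrorActionPreference = 'Stop'

# pktmon needs administrator rights; fail early instead of on the first subcommand.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }

# pktmon writes PktMon.etl into the current directory, so move there first.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Push-Location $OutDir
try {
    try {
        # Start from a clean filter set so filters left over from an earlier
        # session do not silently widen (or narrow) this capture.
        pktmon filter remove | Out-Null
        foreach ($h in $Hosts) { pktmon filter add -i $h | Out-Null }
        pktmon filter list          # show what will actually be captured

        # File-only capture; append "-l real-time" to also echo packets to the console.
        pktmon start --etw

        # Generate the traffic to be diagnosed: one DNS query to each filtered host.
        foreach ($h in $Hosts) {
            try   { Resolve-DnsName -Name 'example.com' -Server $h -ErrorAction Stop | Out-Null }
            catch { Write-Warning "DNS query via $h failed: $($_.Exception.Message)" }
        }
    }
    finally {
        # Always stop the session and clear the filters, even if a step above failed,
        # so pktmon is not left running in the background.
        pktmon stop
        pktmon filter remove | Out-Null
    }

    # Convert for Wireshark using the subcommand the post shows.
    # (Newer pktmon builds renamed this subcommand to "etl2pcap".)
    pktmon pcapng .\PktMon.etl -o .\log.pcapng
    Get-ChildItem .\PktMon.etl, .\log.pcapng | Select-Object Name, Length
}
finally {
    Pop-Location
}
```

Run it as `.\Capture-Pktmon.ps1 -Hosts 8.8.8.8 -OutDir C:\temp` (file name is your choice). The inner `finally` matters: if the traffic step throws, the capture is still stopped and the filters cleared, which is the state you want before the next troubleshooting session.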
Also for reference, the on-screen verbose output (-l real-time) of opening nslookup and connecting to 8.8.8.8 would look like this:
There are other options in the linked doc, but to get a quick view of traffic, not bad… Enjoy!