Learn Pktmon: Windows 10's built-in network monitoring tool

Learn Pktmon: Windows 10's built-in network monitoring tool

When it released the Windows 10 October 2018 update, Microsoft silently added a packet sniffer in the form of an integrated command line called Pktmon to Windows 10. After that, Microsoft added more. Some features for this tool to make it easier for users to use.

A packet monitor, or network analyzer, is a program that allows you to monitor the network traffic that travels through your computer’s network devices up to the individual packet level.

Pktmon: Windows 10’s built-in network monitoring tool

When released, Pktmon only supported the Event Trace Log (ETL) format, a proprietary journal format created by Microsoft. Later, Microsoft added support for PCAPNG log files and real-time monitoring, which we will learn about in this article.

To use Pktmon, you need to launch Command Prompt with admin rights on Windows 10, as the program requires admin rights. To get instructions on how to use the program, enter the command pktmon help in the Command Prompt.

The pktmon help document

To get more help instructions on a particular command, enter the command pktmon [command name] help . For example, to view the documentation on the “comp” command, you would type:

pktmon comp help
Use the help command

You can use help to see instructions for subcommands, for example:

pktmon comp list help

To get familiar with Pktmon, watching the tutorial is the most helpful way, so you should try to find out before actually using the tool.

  • Monitor and save internet space on Windows 10

How to use the Pktmon network monitoring tool

Compared to a network monitoring tool with a graphical user interface, it may take longer to get used to Pktmon’s command line interface.

Before you can track packets, you need to first create a filter using the pktmon filter add command, which specifies the traffic you want to track.

For example, you can monitor all network traffic on your network with the command:

pktmon filter add -i 192.168.1.0/24

… or monitor DNS traffic by:

pktmon filter add -t UDP -p 53

If you have not figured out how to do it, you should use the pktmon filter add help command to learn how to create a filter.

In this article, the author created a filter to track DNS traffic as described above. To see the filters you’ve created, enter the command:

pktmon filter list
The created monitoring filter is listed

To start monitoring DNS traffic on all network interfaces and to display activity in real time, you would use the following command:

pktmon start --etw -p 0 -l real-time

The example above uses the -p argument 0 , so it captures the entire packet. You can also specify a specific network interface to monitor using the -c argument followed by the interface’s index ID. To get a list of network interfaces and index ID (ifIndex), you can use the command:

pktmon comp list

When you start monitoring traffic, you should see the captured DNS packets displayed in real time in the Command Prompt, like below.

Real-time monitoring of DNS traffic

To stop tracking traffic, press Ctrl + C. When done, there will be the PktMon.etl log file created in the directory where you ran Pktmon.

However, ETL files are not a good choice as many applications do not support them. You can convert the ETL file into a PCAPNG file with the command pktmon pcapng . For example, to convert PktMon.etl to a PCAPNG file named PktMon.pcapng , type the following command:

pktmon pcapng PktMon.etl -o PktMon.pcapng

After the log file is converted to PCANPNG format, you can load the file into a program like Wireshark to get detailed information about each DNS request.

Analyze the Pktmon diary with Wireshark

As you can see, Pktmon is an extremely powerful tool, allowing you to gain insight into the type of traffic flowing through your network.

  • Comprehensive set of network monitoring tools

Also, Pktmon can be tricky to use, so it’s a good idea to familiarize yourself with the help documentation before running the command.