Internet Security Blog - Hackology
PktMon Network Packet Sniffer in Windows 10

Network Packet Sniffer in Windows 10

Microsoft has secretly added a packet sniffer into system files during Windows 10 October 2018 update, which remained unnoticed until now.

The packet sniffer or network monitor is named PktMon and it resides in system files at c:/windows/system23/. To use it, you need an elevated command prompt or process shell. 

PktMon can monitor the network traffic from a computer to the packet level. It may be used to troubleshoot network issues, check where traffic is going from the network or even extract information and services in plain text.

How to Monitor Network Traffic in Windows 10

  • Press Windows key and write cmd
  • Right-click cmd and click run as an administrator (a command prompt will open at c:/windows/system32)
  • Now, run following command
Pktmon Windows 10
pktmon command will show the available commands
  • Add a port for monitoring using the following command such as 80, 21, 53 and so on. You can add multiple ports by executing command for each port
pktmon filter add -p 80

pktmon filter add -p 21

pktmon filter add -p 53
  • The added port can be retrieved by
pktmon filter list
PktMon Port Filter List
pktmon filter will add ports to sniff network packet
  • To start the monitoring 
pktmon start --etw 
PktMon Sniffing
pktmon sniffing the network packets
  • Use the following command to stop the monitoring
pktmon stop
  • You can also convert the etl file (which is the default format) to text so that you can easily view it
pktmon format PktMon1.etl –o c:\packets.txt
PktMon convert etl to txt
pktmon convert etl to txt to make it readable

or use Microsoft network monitor to read the etl file directly.

PktMon can be used on the specific adapter of choice by specifying the ID of the adapter and ID can be found by using the PktMon command

pktmon comp list

and then start pktmon with -c parameter to specify an adapter ID

pktmon start --etw -c 1

PktMon can also be used in real-time in the latest version of Windows 10. If you have got Windows 10 May 2020 update (version 2004), you can use the following command to sniff network packets in real-time.

pktmon start --etw -m real-time


PktMon is similar to tcpdump in Linux, but it cannot be compared with Wireshark. PktMon is a CLI tool to capture network traffic. For now, its output is only limited to etl and txt formats.

However, when it gets pcap support then it would become a useful app and might be used to capture network packets on servers and remote machines without installing any third-party software.

There isn’t any documentation or mention of PktMon packet sniffer on Microsoft site, which makes this utility suspicious and it is still not clear what Microsoft wants from this utility and why it is added.

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Get Wise

Subscribe to my newsletter to get latest InfoSec / Hacking News (1 Email/week)
Utopia p2p Ecosystem

Discover more from Internet Security Blog - Hackology

Subscribe now to keep reading and get access to the full archive.

Continue reading