Microsoft has secretly added a packet sniffer into system files during Windows 10 October 2018 update, which remained unnoticed until now.
The packet sniffer or network monitor is named PktMon and it resides in system files at c:/windows/system23/. To use it, you need an elevated command prompt or process shell.
PktMon can monitor the network traffic from a computer to the packet level. It may be used to troubleshoot network issues, check where traffic is going from the network or even extract information and services in plain text.
How to Monitor Network Traffic in Windows 10
- Press Windows key and write cmd
- Right-click cmd and click run as an administrator (a command prompt will open at c:/windows/system32)
- Now, run following command
- Add a port for monitoring using the following command such as 80, 21, 53 and so on. You can add multiple ports by executing command for each port
pktmon filter add -p 80 pktmon filter add -p 21 pktmon filter add -p 53
- The added port can be retrieved by
pktmon filter list
- To start the monitoring
pktmon start --etw
- Use the following command to stop the monitoring
- You can also convert the etl file (which is the default format) to text so that you can easily view it
pktmon format PktMon1.etl –o c:\packets.txt
or use Microsoft network monitor to read the etl file directly.
PktMon can be used on the specific adapter of choice by specifying the ID of the adapter and ID can be found by using the PktMon command
pktmon comp list
and then start pktmon with -c parameter to specify an adapter ID
pktmon start --etw -c 1
PktMon can also be used in real-time in the latest version of Windows 10. If you have got Windows 10 May 2020 update (version 2004), you can use the following command to sniff network packets in real-time.
pktmon start --etw -m real-time
PktMon is similar to tcpdump in Linux, but it cannot be compared with Wireshark. PktMon is a CLI tool to capture network traffic. For now, its output is only limited to etl and txt formats.
However, when it gets pcap support then it would become a useful app and might be used to capture network packets on servers and remote machines without installing any third-party software.
There isn’t any documentation or mention of PktMon packet sniffer on Microsoft site, which makes this utility suspicious and it is still not clear what Microsoft wants from this utility and why it is added.