Internet Security Blog - Hackology
PktMon Network Packet Sniffer in Windows 10

Network Packet Sniffer in Windows 10

Microsoft has secretly added a packet sniffer into system files during Windows 10 October 2018 update, which remained unnoticed until now.

The packet sniffer, or network monitor, is named PktMon and lives in the system files at c:\windows\system32\. To use it, you need an elevated command prompt or PowerShell session.

PktMon can monitor the network traffic of a computer down to the packet level. It can be used to troubleshoot network issues, check where traffic from the machine is going, or even read data that unencrypted services send in plain text.

How to Monitor Network Traffic in Windows 10

  • Press the Windows key and type cmd
  • Right-click cmd and choose Run as administrator (a command prompt opens at c:\windows\system32)
  • Now run the following command:
pktmon
[Screenshot: the pktmon command lists its available subcommands]
  • Add a port to monitor with the following command (for example 80, 21 or 53). You can add multiple ports by running the command once per port:
pktmon filter add -p 80
pktmon filter add -p 21
pktmon filter add -p 53
  • The added ports can be listed with:
pktmon filter list
[Screenshot: PktMon port filter list, showing the ports that will be sniffed]
  • To start monitoring:
pktmon start --etw
[Screenshot: pktmon sniffing network packets]
  • Use the following command to stop monitoring:
pktmon stop
  • You can also convert the etl file (the default output format) to text so that you can read it easily:
pktmon format PktMon1.etl -o c:\packets.txt
[Screenshot: pktmon converting the etl log to a readable txt file]

or use Microsoft Network Monitor to read the etl file directly.

PktMon can also be restricted to a specific network adapter by passing the adapter's component ID. The IDs can be listed with

pktmon comp list

and then pktmon is started with the -c parameter to select that adapter ID:

pktmon start --etw -c 1

PktMon can also be used in real time on the latest version of Windows 10. If you have the Windows 10 May 2020 Update (version 2004), you can use the following command to sniff network packets in real time:

pktmon start --etw -m real-time
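The whole procedure above (port filters, a timed capture, stop, conversion to text, and an optional adapter ID) wrapped in one PowerShell function, as an added example that is not part of the original post. It assumes pktmon.exe is on the PATH, that `pktmon filter remove` clears the current filter list, and that the capture lands in PktMon1.etl in the current directory as the post shows.

```powershell
# Added example: timed PktMon capture driven from PowerShell (not the post's own code).
function Start-PktMonCapture {
    [CmdletBinding()]
    param(
        [int[]]$Ports = @(80, 21, 53),      # ports used in the post's examples
        [int]$Seconds = 30,                  # capture duration
        [int]$AdapterId = 0,                 # optional ID from "pktmon comp list"
        [string]$EtlPath = 'PktMon1.etl',    # assumed default log name, as in the post
        [string]$TextOut = 'C:\packets.txt'
    )

    # pktmon only works from an elevated shell, so fail early with a clear message.
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'pktmon requires an elevated (Administrator) session.'
    }
    if (-not (Get-Command pktmon.exe -ErrorAction SilentlyContinue)) {
        throw 'pktmon.exe not found on this system.'
    }

    # Start from a clean filter list (assumption: "filter remove" clears all filters),
    # then add one port filter per port, exactly as "pktmon filter add -p <port>".
    pktmon filter remove | Out-Null
    foreach ($port in $Ports) {
        pktmon filter add -p $port | Out-Null
    }
    pktmon filter list                       # show what will actually be captured

    # Build "pktmon start --etw [-c <id>]" and always stop the capture afterwards,
    # otherwise an error would leave pktmon running in the background.
    $startArgs = @('start', '--etw')
    if ($AdapterId -gt 0) { $startArgs += @('-c', $AdapterId) }
    try {
        & pktmon @startArgs | Out-Null
        Start-Sleep -Seconds $Seconds
    }
    finally {
        pktmon stop | Out-Null
    }

    if (-not (Test-Path $EtlPath)) {
        throw "Expected capture file $EtlPath was not created."
    }
    # Convert the ETL log to text for review, as the post does with "pktmon format".
    pktmon format $EtlPath -o $TextOut | Out-Null
    Get-Item $TextOut
}

# Usage: capture DNS and web traffic for 20 seconds, then open the resulting text file.
# Start-PktMonCapture -Ports 53,80,443 -Seconds 20 | ForEach-Object { notepad $_.FullName }
```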

Conclusion

PktMon is similar to tcpdump on Linux, but it cannot be compared with Wireshark. PktMon is a CLI tool for capturing network traffic, and for now its output is limited to the etl and txt formats.

However, once it gets pcap support it would become a genuinely useful tool, one that could capture network packets on servers and remote machines without installing any third-party software.

There isn't any documentation or mention of the PktMon packet sniffer on Microsoft's site, which makes this utility suspicious; it is still not clear what Microsoft wants from it and why it was added.
