Windows 10 packet monitor tool “pktmon” will allow real-time monitoring

Since the October 2018 Update, Windows 10 comes with a “Packet Monitor” tool called pktmon.exe.
With the upcoming release of the Windows 10 May 2020 Update, Microsoft will update the pktmon tool to allow real-time visualization of monitored packets.


How to use pktmon.exe

Below are some basic examples of pktmon [1] usage.

First, start a Windows 10 elevated command prompt as pktmon.exe requires administrator privileges.

Capture the traffic

In order to monitor, for example, HTTP traffic, you need to create a packet filter that matches traffic on TCP port 80, using this command:

pktmon filter add -p 80

Then, identify the network adapter number with this command:

pktmon comp list

Finally, start the monitoring with:

pktmon start --etw -p 0 -c [Adapter ID]

in order to log all traffic matching the filter to a file called PktMon.etl.

To stop capturing packets, enter

pktmon stop

and the log file PktMon.etl will have been created in the current folder.


Read the data

The captured data in the log file is not directly readable, so you need to convert the log to a text format with the following command:

pktmon format PktMon.etl -o ftp.txt

However, even converted into text, the log shows only a summary of the network traffic: you need to download and install the Microsoft Network Monitor [2] and use it to view the full packets in the ETL file, including any clear-text information.

Finally, you can remove the created filter using the command:

pktmon filter remove

Real-time monitoring

With the upcoming release of the Windows 10 May 2020 Update [1], Microsoft has updated pktmon.exe to allow you to display monitored packets in real time: with this version you can enable real-time output using the -l real-time argument.

pktmon start --etw -p 0 -c 13 -l real-time

This will cause the captured packets to be displayed directly on the screen while also saving them to the ETL file.
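The capture procedure described above (filter add, start, stop, format, filter remove) and the real-time option from this section can be wrapped in one elevated PowerShell script so that the filter is always removed and the trace always stopped, even when the operator interrupts the capture. The script below is an added example, not code from the original post or from Microsoft; the parameter names, the -RealTime switch, the 30-second default duration and the PktMon.txt output name are assumptions made here. It uses only the pktmon arguments shown in the post, plus the fact that -p 0 on pktmon start logs whole packets instead of pktmon's default truncation to 128 bytes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): wraps the pktmon capture procedure
# in one script. Parameter names and default file names are assumptions chosen here.
param(
    [int]$Port = 80,                 # port to filter on (the post uses HTTP, port 80)
    [int]$AdapterId = -1,            # component ID from 'pktmon comp list'; -1 omits -c
    [int]$Seconds = 30,              # capture duration when not in real-time mode
    [switch]$RealTime,               # also stream packets to the console (-l real-time)
    [string]$Etl = "PktMon.etl",     # pktmon's default log file, written to the current folder
    [string]$Txt = "PktMon.txt"      # text summary produced by 'pktmon format'
)

$pktmon = Join-Path $env:SystemRoot "System32\pktmon.exe"
if (-not (Test-Path $pktmon)) {
    throw "pktmon.exe not found: it ships with the Windows 10 October 2018 Update or later"
}

# Show the component list so the operator can confirm which adapter ID to use.
& $pktmon comp list

# Arguments from the post: --etw logs to PktMon.etl, -p 0 logs the whole packet
# (pktmon otherwise truncates each packet to 128 bytes), -c limits to one adapter.
$startArgs = @('start', '--etw', '-p', '0')
if ($AdapterId -ge 0) { $startArgs += @('-c', "$AdapterId") }
if ($RealTime)        { $startArgs += @('-l', 'real-time') }

try {
    & $pktmon filter add -p $Port
    if ($LASTEXITCODE -ne 0) { throw "pktmon filter add failed (exit code $LASTEXITCODE)" }

    if ($RealTime) {
        # Real-time mode prints packets to the console until Ctrl+C is pressed;
        # the finally block below still runs afterwards to clean up.
        & $pktmon @startArgs
    } else {
        & $pktmon @startArgs
        if ($LASTEXITCODE -ne 0) { throw "pktmon start failed (exit code $LASTEXITCODE)" }
        Start-Sleep -Seconds $Seconds
    }
}
finally {
    # Always stop the trace and drop the filter so no stale filter or running
    # capture is left on the host after the script ends or is interrupted.
    & $pktmon stop
    & $pktmon filter remove
}

# Produce the text summary; open the ETL in Network Monitor to see full packets.
& $pktmon format $Etl -o $Txt
Write-Host "Summary written to $Txt; full packets (including any clear text) remain in $Etl"
```

Run it from an elevated prompt as, for example, .\pktmon-capture.ps1 -Port 80 -AdapterId 13 -Seconds 60, or add -RealTime to watch packets on screen and press Ctrl+C when done. Because -p 0 keeps entire payloads, the resulting PktMon.etl can hold clear-text data from the captured sessions, so treat it with the same care as any other packet capture.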


References

  1. Getting the May 2020 Update Ready for Release – UPDATED | Windows Experience Blog
  2. Download Microsoft Network Monitor 3.4 (archive) from Official Microsoft Download Center
