Windows 10's built-in network monitoring tool

A packet monitor, or network monitor, is a program that allows you to track the network traffic that travels through your computer's network devices down to the level of individual packets.

Pktmon: Windows 10's built-in network monitoring tool

When released, Pktmon only supported the Event Trace Log (ETL) format, a proprietary log format created by Microsoft. Later, Microsoft added support for PCAPNG log files and real-time monitoring, which we will learn about in this article.

Pktmon requires administrator rights, so start by launching Command Prompt as an administrator on Windows 10. You can then get usage instructions by typing pktmon help in the Command Prompt.


To get more detailed help on a particular command, enter pktmon [command] help. For example, to view the documentation for the "comp" command, you would type:

pktmon comp help


For each sub-command, you can continue to use the help function to see its instructions, for example:

pktmon comp list help

Using the built-in help feature is a great way to learn how to use Pktmon, and all users should check out the documentation before using the program.

How to use the Pktmon network monitoring tool

Compared with a network monitoring tool that has a graphical user interface, Pktmon's command line interface takes longer to get used to.

Before you can track packets, you first need to create a filter using the pktmon filter add command, which specifies the traffic you want to track.

For example, you can monitor all traffic to or from your local network (here 192.168.1.0/24) with the command:

pktmon filter add -i 192.168.1.0/24

or monitor DNS traffic with:

pktmon filter add -t UDP -p 53

Again, we recommend reviewing the pktmon filter add help documentation to learn how to create filters.

For this example, I've created a filter to track DNS traffic as described above. To see the filters that have been created, you would enter the command:

pktmon filter list


To start monitoring DNS traffic on all network interfaces and displaying activity in real time, you would use the following command:

pktmon start --etw -p 0 -l real-time

Note that the example uses the -p 0 argument, so it captures the entire packet rather than a truncated header. You can also restrict monitoring to a specific network interface using the -c argument followed by the interface's index ID. To get a list of network interfaces and their index IDs (ifIndex), use the command:

pktmon comp list

Once monitoring starts, you should see the captured DNS packets displayed in real time in the Command Prompt.


When you're ready to stop monitoring, press Ctrl + C. Once the capture stops, a log file named PktMon.etl will have been created in the directory from which you ran Pktmon.

Unfortunately, ETL files are not a good choice for analysis, as many applications don't support them. You can convert the ETL file into a PCAPNG file with the pktmon pcapng command. For example, to convert PktMon.etl to a PCAPNG file named PktMon.pcapng, type the following command:

pktmon pcapng PktMon.etl -o PktMon.pcapng

After the log file is converted to PCAPNG format, you can load it into a program like Wireshark to get detailed information about each DNS request.
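The whole procedure above (filter, capture, stop, convert) can be made repeatable as a time-boxed capture. The following PowerShell script is an added example, not code from the original article or from Microsoft; it assumes the Windows 10 version 2004 pktmon syntax used in this article and the pktmon stop and pktmon filter remove sub-commands, and must be run from an elevated prompt.

```powershell
# Added example: time-boxed DNS capture with Pktmon, converted to PCAPNG at the end.
# Assumes the Windows 10 2004 pktmon syntax shown in the article (pktmon start --etw -p 0).
param(
    [int]$Seconds = 30,
    [string]$OutDir = (Get-Location).Path
)

# Pktmon needs administrator rights; fail early instead of getting cryptic errors later.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this script from an elevated (Administrator) prompt." }

Set-Location $OutDir   # PktMon.etl is written to the current directory

# Start from an empty filter list so filters left over from an earlier session don't apply.
pktmon filter remove | Out-Null

# Same filter as the article: UDP port 53 (DNS).
pktmon filter add -t UDP -p 53
if ($LASTEXITCODE -ne 0) { throw "pktmon filter add failed (exit code $LASTEXITCODE)" }
pktmon filter list

# Capture full packets (-p 0) into PktMon.etl; no real-time mode, so no Ctrl+C is needed.
pktmon start --etw -p 0
if ($LASTEXITCODE -ne 0) { throw "pktmon start failed (exit code $LASTEXITCODE)" }

try {
    Write-Host "Capturing DNS traffic for $Seconds seconds..."
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the session and clear the filter, even if the script is interrupted.
    pktmon stop | Out-Null
    pktmon filter remove | Out-Null
}

# Convert the ETL log to PCAPNG so Wireshark and other tools can read it.
$etl  = Join-Path $OutDir 'PktMon.etl'
$pcap = Join-Path $OutDir 'PktMon.pcapng'
if (-not (Test-Path $etl)) { throw "Expected $etl but it was not created." }
pktmon pcapng $etl -o $pcap
if ($LASTEXITCODE -ne 0) { throw "pktmon pcapng failed (exit code $LASTEXITCODE)" }
Write-Host "Capture saved to $pcap ($((Get-Item $pcap).Length) bytes)"
```

Save it as, for example, Capture-Dns.ps1 and run it with -Seconds 60 to capture for a minute; the resulting PktMon.pcapng opens directly in Wireshark.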


As you can see, Pktmon is an extremely powerful tool, allowing you to gain insight into the type of traffic flowing through your network.

However, Pktmon can be tricky to use, so it's a good idea to familiarize yourself with the help documentation before running the command.
