Learn What IT Pros Need to Know About Windows 11 - August 24th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 24th at 1 PM ET!
Windows Server 2019

How to Monitor Network Activity Using Windows 10 Packet Monitor (PKTMON)

Packet Monitor is a command-line tool that first appeared in Windows 10 version 1809. Although you could be forgiven for not noticing as Microsoft is only beginning to speak about it now. Packet Monitor is designed to help debug network issues, specifically those where network virtualization is involved.

Before the advent of Software Defined Networking (SDN) and virtualization, the network stack was much simpler. It had three layers: TCP/IP, filter drivers, and a network adapter. But as you can see in the diagram below, once you add SDN and virtualization, the stack becomes more complicated.

Image #1 Expand
How to Monitor Network Activity Using Windows 10 Packet Monitor (Image Credit: Microsoft)

 

Packet Monitor (PacketMon) can intercept packets at all the different layers of the network stack so that you can trace the packet route. In the latest version of Packet Monitor, when a packet is dropped by a supported network component in the stack, PacketMon reports it.

Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

PacketMon also provides extra information, like why a packet was dropped. This helps IT pros determine whether a packet was dropped, where it was dropped, or if it reached its destination. PacketMon also lets you perform a high-level packet flow analysis without need to look at log data.

Create PacketMon filters and start monitoring

Before you can use PacketMon, you need to open an elevated command-line prompt. You can then add some filters and start monitoring. It isn’t compulsory to add filters, but if you don’t, PacketMon will capture literally everything.

Let’s add two filters for ports 80 and 443.

pktmon filter add -p 80
pktmon filter add -p 443

Now let’s list the filters to see if they were successfully added:
pktmon filter list

To start monitoring on all network ports, and just the first 128 bytes of each packet, run:
pktmon start --etw

The resulting log (PktMon.etl) will be stored in C:\WINDOWS\system32. To stop monitoring, run:
pktmon stop

Image #2 Expand
How to Monitor Network Activity Using Windows 10 Packet Monitor (Image Credit: Russell Smith)

 

It’s not possible to read PktMon.etl directly, so you’ll need to format the file first. In the command below, we create a new formatted file (log.txt) in the c:\temp directory on the local computer:

pktmon format C:\WINDOWS\system32\PktMon.etl -o C:\temp\log.txt

Open the log.txt file to see the data recorded by PacketMon. If you want to capture entire packets instead of just the first 128 bytes, just add -p 0 to the command:
pktmon start --etw -p 0

Image #3 Expand
How to Monitor Network Activity Using Windows 10 Packet Monitor (Image Credit: Russell Smith)

 

Packet filters can be more complex. For example, PacketMon can be set up to filter MAC addresses, IP addresses, ports, EtherType, transport protocol, and VLAN Id. The command below sets up a filter to capture all SYN packets sent or received by the IP address 10.0.0.1.

pktmon filter add -i 10.0.0.1 -t tcp syn

Real time monitoring and converting ETL logs to Wireshark (PCAPNG) Format

Providing that you are using at least Windows 10 version 2004, you can enable real time packet monitoring in the command line window and convert the ETL logs to PCAPNG format, which is used by the popular Wireshark network monitor. ETL logs can be read by Microsoft’s Network Monitor, but the software is deprecated.

To enable real time monitoring, just add the -l parameter as shown below:

pktmon start --etw -p 0 -l real-time

To convert your ETL logs to PCAPNG format,
pktmon pcapng C:\WINDOWS\system32\PktMon.etl -o C:\temp\log.pcapng

Unload the PacketMon driver

And don’t forget when you are done with PacketMon, to unload the driver:

pktmon unload

PacketMon is slowly evolving

PacketMon isn’t a replacement for tools like Wireshark. But while PacketMon has limited capabilities, there’s enough here to help start debugging network issues, regardless of whether SDN or virtualization is involved. And unlike some other tools, you don’t need to set up two nodes on your network to work with PacketMon. It’s also nice to see the tool slowly evolve as Microsoft fleshes out its capabilities.

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.

RSVP Now

Sponsored By