How to Monitor Network Activity Using Windows 10 Packet Monitor (PKTMON)
Packet Monitor is a command-line tool that first appeared in Windows 10 version 1809. Although you could be forgiven for not noticing as Microsoft is only beginning to speak about it now. Packet Monitor is designed to help debug network issues, specifically those where network virtualization is involved.
Before the advent of Software Defined Networking (SDN) and virtualization, the network stack was much simpler. It had three layers: TCP/IP, filter drivers, and a network adapter. But as you can see in the diagram below, once you add SDN and virtualization, the stack becomes more complicated.
Packet Monitor (PacketMon) can intercept packets at all the different layers of the network stack so that you can trace the packet route. In the latest version of Packet Monitor, when a packet is dropped by a supported network component in the stack, PacketMon reports it.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
PacketMon also provides extra information, like why a packet was dropped. This helps IT pros determine whether a packet was dropped, where it was dropped, or if it reached its destination. PacketMon also lets you perform a high-level packet flow analysis without need to look at log data.
Create PacketMon filters and start monitoring
Before you can use PacketMon, you need to open an elevated command-line prompt. You can then add some filters and start monitoring. It isn’t compulsory to add filters, but if you don’t, PacketMon will capture literally everything.
Let’s add two filters for ports 80 and 443.
pktmon filter add -p 80 pktmon filter add -p 443
Now let’s list the filters to see if they were successfully added:
pktmon filter list
To start monitoring on all network ports, and just the first 128 bytes of each packet, run:
pktmon start --etw
The resulting log (PktMon.etl) will be stored in C:\WINDOWS\system32. To stop monitoring, run:
It’s not possible to read PktMon.etl directly, so you’ll need to format the file first. In the command below, we create a new formatted file (log.txt) in the c:\temp directory on the local computer:
pktmon format C:\WINDOWS\system32\PktMon.etl -o C:\temp\log.txt
Open the log.txt file to see the data recorded by PacketMon. If you want to capture entire packets instead of just the first 128 bytes, just add -p 0 to the command:
pktmon start --etw -p 0
Packet filters can be more complex. For example, PacketMon can be set up to filter MAC addresses, IP addresses, ports, EtherType, transport protocol, and VLAN Id. The command below sets up a filter to capture all SYN packets sent or received by the IP address 10.0.0.1.
pktmon filter add -i 10.0.0.1 -t tcp syn
Real time monitoring and converting ETL logs to Wireshark (PCAPNG) Format
Providing that you are using at least Windows 10 version 2004, you can enable real time packet monitoring in the command line window and convert the ETL logs to PCAPNG format, which is used by the popular Wireshark network monitor. ETL logs can be read by Microsoft’s Network Monitor, but the software is deprecated.
To enable real time monitoring, just add the -l parameter as shown below:
pktmon start --etw -p 0 -l real-time
To convert your ETL logs to PCAPNG format,
pktmon pcapng C:\WINDOWS\system32\PktMon.etl -o C:\temp\log.pcapng
Unload the PacketMon driver
And don’t forget when you are done with PacketMon, to unload the driver:
PacketMon is slowly evolving
PacketMon isn’t a replacement for tools like Wireshark. But while PacketMon has limited capabilities, there’s enough here to help start debugging network issues, regardless of whether SDN or virtualization is involved. And unlike some other tools, you don’t need to set up two nodes on your network to work with PacketMon. It’s also nice to see the tool slowly evolve as Microsoft fleshes out its capabilities.