How to use the new Network Sniffer Tool PktMon.exe in Windows 10


Windows 10 offers an integrated network sniffer tool, PktMon.exe, to monitor internal packet propagation and to report packet loss. The tool lets you look into what is happening on the network, helps you find the cause of network latency, identify the affected applications and, when used together with an additional set of tools, can give an overview of key metrics. In this article we show how you can use the new Network Sniffer Tool (PktMon.exe) in Windows 10.

Network Sniffer Tool pktmon.exe in Windows 10

PktMon.exe, or Packet Monitor, is the new network diagnostic and packet monitoring tool. It lives in the System32 folder, which means you can invoke it from Run, Command Prompt or PowerShell.

If the program reminds you of the Netsh Trace command, you are right. The Netsh Trace command lets you enable and configure network tracing to help you troubleshoot network connectivity issues.

What can PktMon do?

If you run pktmon help at the command prompt, here is what you get:

  • filter: Manage packet filters.
  • comp: Manage registered components.
  • reset: Reset the counters.
  • start: Start monitoring packets.
  • stop: Stop monitoring.
  • format: Convert the log file to text.
  • unload: Unload the PktMon driver.

If you want help with a specific command, run help with that command. Here is what it looks like for the filter command:

pktmon filter help

pktmon filter { list | add | remove } [OPTIONS | help]
Commands
list Display active packet filters.
add Add a filter to control which packets are reported.
remove Removes all filters.

How to use PktMon to monitor network traffic

Here is a simple worked example of how to use it:

  1. Create a filter to monitor a port
  2. Start monitoring
  3. Export the log in a readable format

This example assumes that you want to monitor a port on the computer that often has problems.

1. Create a filter

The main command that lets you monitor traffic is filter. With it you create a filter that controls which packets are reported, based on the Ethernet frame, IP header, TCP header and encapsulation. If you run the command below, you get the full details of what a filter can do.

pktmon filter add help

So, back to our subject: suppose we are going to monitor TCP port 1088. It may be a port used by your custom application, which crashes, and PktMon can help you determine whether the network is the problem.

Open Command Prompt or PowerShell with administrator privileges.

Create a packet filter using the command “pktmon filter add -p [port]”:

pktmon filter add -p 1088

You can then run the “pktmon filter list” command to see a list of added filters.


To remove all filters, execute the command “pktmon filter remove”.

2. Start monitoring

Since it is not an automated program running in the background but works on demand, you must start monitoring manually. Run the following command to start monitoring packets:

pktmon start --etw -p 0

It starts monitoring and creates a log file in the location shown below. You have to stop logging manually with the “stop” argument, otherwise it ends when the computer shuts down. If you execute the command with “-p 0”, it will only capture 128 bytes of a packet.

Log filename: C:\Windows\system32\PktMon.etl
Logging mode: Circular
Maximum file size: 512 MB

3. Export the log in a readable format


The log is saved as PktMon.etl, which can be converted to a human-readable format with the following command:

pktmon format PktMon.etl -o port-monitor-1088.txt

That done, you can open the text file in Notepad and read it, but to make real sense of it you will want Microsoft Network Monitor, which can read the ETL file directly.
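The three steps above (create a filter, start monitoring, export the log) can be run as one elevated PowerShell script. The following is an added example, not code from the article or from Microsoft: it assumes pktmon.exe is on the PATH, that the session is elevated, and uses a constructed port number (1088, as in the article) and a 30-second capture window; the optional remote IP filter uses the filter command's -i option. Because pktmon writes PktMon.etl into the current directory, the script changes into its own output folder first.

```powershell
# Added example (not from the article): wrap the three pktmon steps in one script.
# Assumptions: Windows 10 with pktmon.exe on the PATH, elevated PowerShell session.
param(
    [int]$Port = 1088,                       # constructed: TCP port of the app to watch (as in the article)
    [string]$RemoteIp = "",                  # optional: only report packets to/from this address
    [int]$Seconds = 30,                      # how long to capture before stopping
    [string]$OutDir = "$env:TEMP\pktmon-$Port"
)

# pktmon needs administrator rights; fail early rather than half-way through.
$principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell prompt."
}

# pktmon writes PktMon.etl into the current directory, so work from a dedicated folder.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Set-Location $OutDir

# Step 1: filters. Start from a clean slate (filter remove drops all filters),
# then add the port filter from the article, optionally narrowed to one remote address.
pktmon filter remove | Out-Null
if ($RemoteIp) {
    pktmon filter add -p $Port -i $RemoteIp
} else {
    pktmon filter add -p $Port
}
if ($LASTEXITCODE -ne 0) { throw "pktmon filter add failed (exit code $LASTEXITCODE)" }
pktmon filter list

# Step 2: capture. --etw logs packets to PktMon.etl; -p 0 is the packet-size option used in the article.
# Note that -p means "port" for "filter add" but "packet size" for "start".
pktmon start --etw -p 0
if ($LASTEXITCODE -ne 0) { throw "pktmon start failed (exit code $LASTEXITCODE)" }
try {
    Write-Host "Capturing traffic on TCP port $Port for $Seconds seconds..."
    Start-Sleep -Seconds $Seconds
} finally {
    # Always stop; otherwise the driver keeps logging until the machine shuts down.
    pktmon stop
}

# Step 3: convert the ETL log to text so it can be read without Network Monitor.
$etl = Join-Path $OutDir "PktMon.etl"
$txt = Join-Path $OutDir "port-monitor-$Port.txt"
pktmon format $etl -o $txt
if ($LASTEXITCODE -ne 0) { throw "pktmon format failed (exit code $LASTEXITCODE)" }

# Remove the filters again so a later capture does not silently inherit them.
pktmon filter remove | Out-Null

Write-Host "Capture written to $txt; first lines:"
Get-Content $txt -TotalCount 20
```

Run it as `.\Capture-Port.ps1 -Port 1088 -Seconds 60` from an elevated prompt. The try/finally around the sleep is the important design choice: if the script is interrupted, `pktmon stop` still runs, so the capture driver is never left logging indefinitely, and the filter cleanup at the end avoids the common mistake of a later capture reporting nothing because an old port filter is still active.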

That said, Microsoft should start rolling out real-time monitoring support, which was planned in Windows 10 2004 – but I don’t see that option yet.

Related Reading: Free packet sniffing tools for Windows 10.
