Windows 10’s Pktmon sniffer gets real-time monitoring, PCAP support


Windows 10's built-in network packet sniffer Pktmon has been updated with real-time monitoring and PCAPNG capture file format support with today's release of Windows 10 2004.

Since the October 2018 update, Microsoft has quietly included a built-in packet sniffer called Pktmon in Windows 10.

Today, Microsoft released Windows 10 2004, the May 2020 Update, and with it, Pktmon has been upgraded with two essential features: real-time monitoring and support for the PCAPNG file format.

Pktmon gets real-time monitoring

With today's release of Pktmon, you can now perform real-time packet monitoring from the command line.

If you type pktmon start help, you will now see a new -l (--log-mode) flag that lets you specify the log mode used by the sniffer. One of the new modes is real-time, which is described as:

Display events and packets on screen at real time. No log file is created.
Press Ctrl+C to stop monitoring.

https://www.bleepstatic.com/images/news/Microsoft/Windows-10/pktmon/real-time-monitoring-pcap/real-time-flag.jpg
New --log-mode (-l) flag

While the above description states that no log file will be created, this is not true, as in our tests, a PktMon.etl file was also created when using the real-time logging mode.

To test this feature, we used the following commands to create two filters to monitor FTP traffic.

pktmon filter add FTP -p 20
pktmon filter add FTP -p 21
https://www.bleepstatic.com/images/news/Microsoft/Windows-10/pktmon/real-time-monitoring-pcap/added-filters.jpg
Added filters to monitor for FTP traffic

We then started Pktmon with the following command, which enables real-time logging (-l real-time), logs the entire packet rather than a truncated header (-p 0), and captures only on the component id of my Ethernet adapter (-c 9; the ids are listed by pktmon comp list). More information on these commands can be found in our more detailed pktmon article.

pktmon start --etw -p 0 -c 9 -l real-time

As you can see below, once I made an FTP connection, Pktmon began displaying packets in real-time directly to the console.

https://www.bleepstatic.com/images/news/Microsoft/Windows-10/pktmon/real-time-monitoring-pcap/real-time-monitoring.jpg
Real-time monitoring of FTP packets

Unfortunately, beyond showing that traffic is flowing, the real-time output does not reveal what is inside each packet.

This is where the ability to convert to the PCAPNG capture file format becomes useful.

Can now convert ETL logs to PCAPNG

With this release, Pktmon has a new 'pcapng' command that allows you to convert an ETL file into the more widely supported PCAPNG capture file format.

https://www.bleepstatic.com/images/news/Microsoft/Windows-10/pktmon/real-time-monitoring-pcap/pcapng-help.jpg
New pcapng Pktmon command

When you capture packets with Pktmon, they are stored in Microsoft's ETL trace log format. By default, this log file is named PktMon.etl and is written to the current directory.

Unfortunately, many network monitoring applications, including the popular Wireshark, are unable to open ETL logs. Instead, you need to use a Microsoft program like Network Monitor.

To illustrate how to convert an ETL file to a PCAPNG file, we will use the PktMon.etl log created from our previous FTP real-time monitoring example.

To convert a file, the command is pktmon pcapng [logfile.etl] -o [logfile.pcapng].

So, to convert our previous PktMon.etl log to a file called ftp.pcapng, we would use the following command:

pktmon pcapng PktMon.etl -o ftp.pcapng
https://www.bleepstatic.com/images/news/Microsoft/Windows-10/pktmon/real-time-monitoring-pcap/create-pcapng-file.jpg
Converting an ETL file to a PCAPNG file
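The whole procedure above, from adding the port filters through converting the log, as one added PowerShell example. This script is not from the article or from Microsoft; it assumes the Windows 10 2004 pktmon syntax shown above (later builds renamed several of these commands), an elevated prompt, and that your adapter's component id is 9 as in the article's example (check with pktmon comp list and pass a different -ComponentId if not). Because real-time mode holds the console until Ctrl+C, the scripted run captures to the default PktMon.etl for a fixed number of seconds instead, then checks the file exists before converting it.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): capture FTP control and
# data traffic with the Windows 10 2004 pktmon syntax, then convert the ETL log
# to PCAPNG for Wireshark.
# Assumptions not stated on the page: an elevated PowerShell prompt, and that the
# adapter's component id is 9 as in the article (verify with "pktmon comp list").
function Invoke-PktmonFtpCapture {
    param(
        [int]$ComponentId = 9,                    # NIC id from "pktmon comp list"
        [int]$Seconds     = 30,                   # how long to capture
        [string]$OutDir   = (Get-Location).Path   # where PktMon.etl / ftp.pcapng land
    )

    Push-Location $OutDir
    try {
        # Filters persist between captures, so start from a clean list.
        pktmon filter remove | Out-Null

        # FTP control channel (21) and active-mode data channel (20).
        pktmon filter add FTP -p 21 | Out-Null
        pktmon filter add FTP -p 20 | Out-Null
        pktmon filter list

        # -p 0 logs the whole packet instead of a truncated header;
        # -c limits capture to one component. Real-time mode (-l real-time)
        # blocks until Ctrl+C, so a scripted run logs to PktMon.etl instead.
        pktmon start --etw -p 0 -c $ComponentId

        Write-Host "Capturing FTP traffic for $Seconds seconds..."
        Start-Sleep -Seconds $Seconds
        pktmon stop

        # pktmon writes PktMon.etl to the current directory by default.
        $etl = Join-Path $OutDir 'PktMon.etl'
        if (-not (Test-Path $etl)) {
            throw "Expected $etl was not created; did the capture start?"
        }

        # Convert to PCAPNG so Wireshark can open it.
        $pcap = Join-Path $OutDir 'ftp.pcapng'
        pktmon pcapng $etl -o $pcap
        Get-Item $pcap | Select-Object Name, Length, LastWriteTime
    }
    finally {
        # Tear down even if something failed, so no capture or filter is left behind.
        pktmon stop 2>$null | Out-Null
        pktmon filter remove | Out-Null
        Pop-Location
    }
}

Invoke-PktmonFtpCapture -Seconds 30
```

Run it from an elevated PowerShell window, make an FTP connection while it is capturing, and then open ftp.pcapng in Wireshark. If your Ethernet adapter is not component 9, pass the correct id from pktmon comp list; capturing on the wrong component silently produces an empty log.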

Now that we have a PCAPNG log file, we can open it in Wireshark or other network monitoring tools to perform deep packet inspection of our FTP traffic.

https://www.bleepstatic.com/images/news/Microsoft/Windows-10/pktmon/real-time-monitoring-pcap/wireshark.jpg
Opening the PCAPNG file in Wireshark

You may now be asking yourself why you would use Pktmon if Wireshark offers better real-time monitoring.

In my opinion, if you have Wireshark already installed, it makes more sense at this point to use that for packet monitoring.

On the other hand, if you are on a Windows 10 machine and need to start capturing immediately to debug an issue or investigate suspicious activity, the built-in Pktmon command lets you log network traffic without installing anything.

When you have more time, you can then convert the log to a PCAPNG file and view it in a tool like Wireshark.