
A Network Engineer's Tale: Uncovering the Power of Pktmon on Windows
It was a typical morning, and I, a network engineer, found myself staring at a user's PC that was acting up. The network was sluggish, connections were dropping, and I needed to get to the bottom of it, fast. My go-to tool, Wireshark, was nowhere to be found on this machine. Installing it would have meant jumping through hoops: change management approvals, security scans, and probably a coffee-fuelled wait for IT to give the green light. After some quick research I stumbled upon a hidden gem tucked away in Windows: Pktmon.
The Discovery: Pktmon to the Rescue
Picture this: you are deep in the trenches of troubleshooting, and you realize the system you are working on is bare-bones. No third-party tools, no fancy GUI sniffers. But then, like finding a forgotten tool in the back of a shed, I discovered Pktmon, a built-in packet sniffer that shipped with Windows 10 version 1809 and Windows Server 2019. It is not flashy (no sleek interface like Wireshark) but it is powerful, lightweight, and, best of all, already there waiting to be used.
I opened an elevated Command Prompt (Pktmon needs administrator rights, since it loads a kernel driver) and typed pktmon help to get the lay of the land. The help menu was like a treasure map, revealing commands for capturing packets, setting filters, and converting logs for later analysis. I was ready to dive in.
Step 1: Setting the Stage
First things first, I needed to know what network interfaces were available. I typed:
pktmon comp list
This command lists the components Pktmon can capture on, each with an ID. On newer builds that includes filter drivers and other parts of the network stack as well as the network adapters themselves. For example:
Network Adapters:
Id MAC Address Name
-- ----------- ----
9 00-50-56-BD-C1-83 Ethernet Adapter
12 E8-6A-64-44-7B-00 Wi-Fi Adapter
My target was the Ethernet adapter (ID 9). Knowing the interface ID matters if you want to focus the capture on one NIC: without --comp, Pktmon captures at every component, and the same packet is logged once per component it passes through, so you drown in duplicates on top of irrelevant data.
Step 2: Crafting Filters Like a Pro
Pktmon's filtering capabilities are where it shines. I needed to zero in on specific traffic, say HTTP on port 80, so I added a filter:
pktmon filter add -p 80 -t tcp
This tells Pktmon to log TCP traffic with 80 as the source or destination port. Want to capture ICMP pings instead? Easy:
pktmon filter add -t icmp
The criteria in one filter must all match (they are ANDed), a packet is logged if it matches any of the filters, and you can have up to 32 of them. So to restrict the HTTP filter above to one host (say 192.168.1.100), put the IP on the same filter; adding it as a separate filter, as here, logs all traffic to or from that host on any port:
pktmon filter add -i 192.168.1.100
To check your filters, run:
pktmon filter list
If you mess up, clear them all with:
pktmon filter remove
Pro tip: always set filters before starting the capture. They take effect when the capture starts, and they persist until you remove them or reboot, so a stale filter from yesterday will quietly narrow today's capture. Unfiltered captures are like trying to find a needle in a haystack of network traffic.
Step 3: Starting the Capture
With filters in place, it was time to start capturing. I wanted to save the packets to a file for later analysis, so I ran:
pktmon start --etw --pkt-size 0 --file-name C:\Temp\traffic.etl --comp 9
Here's what each part does:
--etw: enables Event Tracing for Windows logging, which writes the packets to an ETL file.
--pkt-size 0: captures whole packets (by default only the first 128 bytes of each packet are kept).
--file-name C:\Temp\traffic.etl: the output file (the default is PktMon.etl in the current directory).
--comp 9: captures on the Ethernet adapter (ID 9) only.
One default worth knowing: the log is circular and capped at 512 MB, so on a long reproduction the oldest packets are overwritten; --file-size raises the cap. The capture started, silently logging packets in the background. To watch packets on the console instead (Windows 10 version 2004 and later), I could have added -l real-time, but I wanted a file for deeper analysis.
Step 4: Stopping and Converting
After reproducing the issue (a quick browser refresh to a problematic website), I stopped the capture:
pktmon stop
This saved the data to C:\Temp\traffic.etl. ETL files aren't exactly user-friendly, but they convert: pktmon etl2txt (pktmon format on older builds) produces a readable text log, and to hand the data to Wireshark I converted it to PCAPNG (on Windows 10 version 2004 the subcommand was pktmon pcapng):
pktmon etl2pcap C:\Temp\traffic.etl --out C:\Temp\traffic.pcapng
Now I had a traffic.pcapng file I could transfer to my workstation, where Wireshark was ready to dissect it with all its graphical glory.
Step 5: Analyzing the Results
On my own machine, I opened traffic.pcapng in Wireshark. Only the traffic I had filtered for was there, so the slow exchange stood out immediately. Pktmon also records packets the stack dropped, together with the reason (such as "MTU Mismatch" or "Filtered VLAN"); those show up in the text log from pktmon etl2txt and are often the first clue to a network problem that a plain capture would not reveal.
Bonus: Real-Time Monitoring
For quick checks, Pktmon's real-time mode is a lifesaver. Try:
pktmon start --etw -l real-time -p 0
This prints packets to the console as they are captured (here -p 0 is the short form of --pkt-size 0), and any filters you have set still apply. Hit Ctrl+C to stop. It is not as pretty as Wireshark, but it gets the job done when you are in a bind.
Why Pktmon Rocks
No Installation Needed: It is built into Windows 10 (version 1809 and later) and Windows Server 2019 and later.
Lightweight: Perfect for servers where installing third-party tools is a no-go.
Flexible Filters: Filter by IP, port, protocol, MAC, and more.
Wireshark Compatibility: Convert to PCAPNG for detailed analysis.
Caveats
No GUI: It is command-line only, so expect to get cozy with CMD or PowerShell.
Basic Analysis: For deep packet inspection, you will still want Wireshark or similar tools.
Admin Privileges: You need elevated access to run Pktmon; it loads a kernel driver, which pktmon unload removes when you are done.
Sensitive Output: A full-size capture (--pkt-size 0) writes every payload to disk, including credentials, cookies and tokens sent over unencrypted protocols. Keep the ETL and PCAPNG files where only administrators can read them, and delete them once the analysis is finished.
Dual Use: Being signed, built in and free of any installation, Pktmon is as handy for an intruder who already holds admin rights as it is for you. An unexpected pktmon.exe capture on a host is worth a look in your endpoint telemetry.
The Victory Lap
Back to my story: with Pktmon, I captured the problematic traffic, converted it to PCAPNG, and analyzed it later on my own machine. The issue? An old DNS server that was taking forever to answer. One detail to get right if you repeat this: DNS is UDP port 53, so that traffic only lands in the log if a filter for it is set alongside the TCP port 80 one; with only the HTTP filter active, name resolution would never appear in the file. Thanks to Pktmon's filters, I isolated the culprit without sifting through gigabytes of data.
It is a nice tool to have on the tool belt. I am leaving this here for reference, and for anyone else who might find it useful.