A packet sniffer is a program that monitors the network activity on a computer down to an individual packet level. This is often used by network administrators for monitoring network traffic and troubleshooting network issues. It works by intercepting the network traffic and capturing the raw data packets as they are sent to and from a given computer.
Most often when we think of packet sniffers we think of tcpdump. On Linux systems tcpdump is installed by default, but on Windows systems you traditionally had to install a third-party program such as WinDump or Wireshark.
What many people don’t know is that Microsoft quietly added a built-in network packet sniffer to the Windows 10 October 2018 Update called pktmon.exe (located at C:\Windows\system32\pktmon.exe). Much like the ‘netsh trace’ command, pktmon.exe can be used to perform full packet inspection.
Help to the rescue
Surprisingly, there’s no documentation on Microsoft’s website about this application (at the time of this writing), but as with most Windows commands, it does come with a handy help menu that you can access by typing ‘pktmon [command] help’.
How to use PktMon
We’re going to look at an example where we’ll use pktmon to monitor HTTP traffic from the local computer. In order to do so we will create a filter to tell pktmon to monitor traffic on port 80.
This is performed in 3 steps:
Create a filter to monitor a port
Start monitoring
Export the log into a readable format
First things first, we need to launch an elevated command prompt, as pktmon requires administrator privileges.
Step 1. Create our filter
The primary command that allows you to control what is monitored is ‘pktmon filter’. It lets us create a filter that decides which packets are reported based on the Ethernet frame, IP header, TCP header, and encapsulation.
For our example we are going to monitor HTTP traffic on port 80 using the ‘pktmon filter add -p [port]’ command. If you want to give the filter a name you can do so by adding a name argument. For our example we’re going to name it ‘HTTP’, but you can name it anything you like.
pktmon filter add HTTP -p 80
We can then run the ‘pktmon filter list’ command to see a list of all filters that have been added.
Step 2. Monitoring
Now that we have created our filter, we want to start monitoring. It is important to note that this is not an automated program running in the background but rather it works on-demand, so you do need to start monitoring manually.
By default, pktmon will capture ALL packets on ALL network interfaces on the local system, log them to a file called PktMon.etl, and record only the first 128 bytes of each packet. If you want to log the entire packet you can use the ‘-p 0’ option to tell pktmon to capture the full packet. In addition you can tell pktmon to capture from a specific network adapter using the ‘-c ID’ argument. To determine the ID of the adapter you want to monitor, use the ‘pktmon comp list’ command. For our example we’re going to monitor the adapter with ID 3 and capture the entire packet.
To start monitoring packets we use the ‘pktmon start --etw’ command.
pktmon start --etw -p 0 -c 3
Pktmon will now quietly run in the background, capturing all packets that match our filter and writing the raw captured data to a log file called PktMon.etl in the folder the command was run from.
You will have to manually stop monitoring using the ‘stop’ argument (‘pktmon stop’).
Step 3. Export the log into a readable format
Now that we have our log file, you can either download the Microsoft Network Monitor application to view the ETL file directly, or you can convert it into a human-readable format using the following command:
pktmon format PktMon.etl -o port-monitor-HTTP.txt
One thing to note: even when converted into text, it still will not show you the full packets; it only shows a summary of the network traffic, as shown below.
When we’re all done capturing traffic we then remove our filter:
pktmon filter remove
Real-time monitoring and pcapng support
In Windows 10 versions 1903 and 1909 you were only able to log to a file. However, with Windows 10 2004, Microsoft has added a couple of new abilities.
First off, they added the ability to monitor packets in real time. You can enable real-time monitoring using the ‘-l real-time’ argument. This causes the captured packets to be displayed directly on the screen while also being saved to the ETL file.
The second thing Microsoft added was the ability to convert the ETL files into the PCAPNG format so they can be viewed in Wireshark.
Once the file has been converted into the PCAPNG format, it can be opened in Wireshark.
pktmon pcapng PktMon.etl -o PktMon.pcapng
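To make the three steps above, plus the pcapng conversion, repeatable, here is an added PowerShell script (not part of the original post) that wraps the same pktmon commands and always stops the capture and removes the filter, even if something goes wrong mid-capture. It assumes an elevated prompt, pktmon.exe on the PATH, Windows 10 2004 or later for the pcapng step, and the port (80) and adapter ID (3) from the example; the filter name and the capture duration are my own choices.

```powershell
# Added example (not from the original post). Wraps the pktmon workflow:
# filter -> start -> stop -> format/pcapng. Assumes pktmon.exe on the PATH
# and Windows 10 2004+ for 'pktmon pcapng'.
param(
    [int]$Port = 80,             # port to filter on (page example: HTTP)
    [int]$ComponentId = 3,       # adapter ID from 'pktmon comp list' (page example: 3)
    [int]$DurationSeconds = 30,  # pktmon is on-demand, so we stop it ourselves (assumed)
    [string]$OutDir = (Get-Location).Path
)

# pktmon requires administrator privileges; fail early if not elevated.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this script from an elevated prompt." }

# PktMon.etl is written to the current directory, so capture from $OutDir.
$etl    = Join-Path $OutDir "PktMon.etl"
$txt    = Join-Path $OutDir "port-monitor-$Port.txt"
$pcapng = Join-Path $OutDir "PktMon.pcapng"
Push-Location $OutDir

try {
    # Step 1: start from an empty filter list, then add the port filter.
    pktmon filter remove | Out-Null
    pktmon filter add "PORT$Port" -p $Port   # filter name is assumed
    pktmon filter list

    # Step 2: whole packets (-p 0) from one adapter (-c ID), logged to ETL.
    pktmon start --etw -p 0 -c $ComponentId
    Start-Sleep -Seconds $DurationSeconds
}
finally {
    # Capture is not automatic; stop it and clear the filter on every exit path.
    pktmon stop
    pktmon filter remove | Out-Null
    Pop-Location
}

# Step 3: text summary for a quick look, pcapng for Wireshark.
pktmon format $etl -o $txt
pktmon pcapng $etl -o $pcapng
Get-Item $etl, $txt, $pcapng | Select-Object Name, Length
```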
This brings up the obvious question, “why wouldn’t you just use Wireshark to capture the network traffic?” Wireshark would be the ideal option if it were already installed. However, there are situations where Wireshark is not installed and perhaps you’re not allowed to install it due to corporate policy.
In cases where you're forced to live off the land, pktmon is a great alternative.