[German]Microsoft ships a tool (Packet Monitor) in Windows 10 that allows administrators to monitor and record network traffic. This has only now become more widely known, possibly because the feature was described a few days ago for insiders.
>I didn’t know about the tool pktmon.exe at all and I only got a bit blunt when I saw the tweet from Bleeping Computer on the weekend.
— BleepingComputer (@BleepinComputer) May 16, 2020
According to Bleeping Computer, Microsoft has integrated the tool since the Windows 10 October 2018 update (version 1809). So I took a look what this is all about. The program pktmon.exe can be found with other help files in the Windows subfolder:
There is also a driver file pktmon.sys that can be registered by the tool in Windows.
(Files of the Windows 10 program pktmon.exe)
Whether the tool is really integrated since the Windows 10 October 2018 Update (Version 1809), I can’t check ad-hoc because of missing installation. But in Windows 10 version 1903 the tool is available in the install.wim.
Packet monitor as console program
The pktmon.exe program is a command line application that can be called by administrators (the package monitor is not found in a command prompt opened with normal user permissions). If you run the pktmon command at an administrative command prompt, it displays the following help information.
(Help text of the command pktmon)
The command reports as ‘Internal packet forwarding and packet loss monitoring reports’ and is used for network diagnostics. The help page lists the possible commands for the program.
Bleeping Computer writes that the tool has not yet been described by Microsoft, they didn’t find anything. But on Wednesday, May 13, 2020 Microsoft published the Techcommunity article Windows Insiders can now test DNS over HTTPS. In this article, the command line utility pktmon.exe was described in detail for testing DOH functionality in Windows Insider build 19628 and later. The following command resets all network traffic filters that were already installed by PacketMon.
pktmon filter remove
The following command adds a network traffic filter for port 53. In the current example, this is the port used for classic DNS (with DNS over HTTPS, no more transmission should take place there).
pktmon filter add -p 53
The list of registered filters can be retrieved at the command prompt with the following command.
pktmon filter list
The following figure shows the output of the commands for registering the filter and the existing filters.
To start real-time logging of the data traffic (at all network adapters of the machine), execute the following command:
pktmon start --etw -m real-time
All network packets from port 53 are output on the command line. You can also use the command:
pktmon start --etw
to save the data records into the file PktMon.etl. This file is created under:
By default, only the first 128 bytes of a packet are saved. The command reserves 512 megabytes of memory for the etl file and overwrites the oldest values if necessary.
Bleeping Computer writes, that you can capture network packets with the arguments -p 0 (capture entire packet) and -c 13 (capture only from adapter with ID 13) specifically from a network adapter. The IDs of the existing network adapters can be listed with the command following command.
pktmon comp list
To stop recording the network packet, type the following command at the command prompt.
The recording from the PktMon.etl file stored under C:\Windows\system32\ can be imported into the Windows Event Viewer and then viewed. Alternatively, the .etl file can be converted to a text file by using the following command.
pktmon format PktMon.etl –o c:\test.txt
This text file can then be loaded and evaluated in a text editor. The following is an excerpt of such a protocol (in compact form).
Bleeping Computer suggests, to install the Microsoft Network Monitor and use it to display the .etl file.
In the Windows 10 May 2020 Update (Version 2004) Microsoft extends the functionality of the Pktmon tool. Pktmon can then display monitored packets in real time and convert ETL files to PCAPNG format. Further details can be found at Bleeping Computer.
At the moment I’m not sure how useful the whole thing really is. If you want to monitor the network traffic, you could use Wireshark. You can download the software for Windows and macOS on this page. And administrators can use the netsh trace command in Windows for the same purpose (see the article at Bleeping Computer and this comment).
Cookies helps to fund this blog: Cookie settings