{"id":14480,"date":"2020-05-19T00:01:00","date_gmt":"2020-05-18T22:01:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=14480"},"modified":"2020-09-15T23:21:47","modified_gmt":"2020-09-15T21:21:47","slug":"windows-10-comes-with-network-sniffer-pktmgr","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/05\/19\/windows-10-comes-with-network-sniffer-pktmgr\/","title":{"rendered":"Windows 10 comes with Network Sniffer pktmgr"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/win102.jpg\" width=\"58\" height=\"58\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/05\/18\/windows-10-network-sniffer-pktmgr-integriert\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Microsoft ships a tool (Packet Monitor) in Windows 10 that allows administrators to monitor and record network traffic. 
This has only now become more widely known, possibly because the feature was described a few days ago for Windows Insiders.<\/p>\n<p><!--more--><\/p>\n<p>I didn't know about the tool <em>pktmon.exe<\/em> at all and only took notice when I saw the tweet from Bleeping Computer at the weekend.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Windows 10 quietly got a built-in network sniffer, how to use &#8211; by <a href=\"https:\/\/twitter.com\/LawrenceAbrams?ref_src=twsrc%5Etfw\">@LawrenceAbrams<\/a><a href=\"https:\/\/t.co\/zHPKG7lXrU\">https:\/\/t.co\/zHPKG7lXrU<\/a><\/p>\n<p>\u2014 BleepingComputer (@BleepinComputer) <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1261661449010765824?ref_src=twsrc%5Etfw\">May 16, 2020<\/a><\/p><\/blockquote>\n<p>According to Bleeping Computer, Microsoft has shipped the tool since the Windows 10 October 2018 Update (version 1809). So I took a look at what this is all about. The program pktmon.exe, together with its auxiliary files, is located in the Windows subfolder:<\/p>\n<p>C:\\Windows\\system32\\<\/p>\n<p>There is also a driver file <em>pktmon.sys<\/em>, which the tool registers in Windows when needed.<\/p>\n<p><img decoding=\"async\" title=\"Windows 10-Programm pktmon.exe\" src=\"https:\/\/i.imgur.com\/9mbbrk8.jpg\" alt=\"Windows 10-Programm pktmon.exe \" \/><br \/>\n(Files of the Windows 10 program pktmon.exe)<\/p>\n<blockquote><p>Whether the tool has really been included since the Windows 10 October 2018 Update (version 1809), I can't check ad hoc, since I don't have such an installation at hand. 
But in Windows 10 version 1903 the tool is present in the install.wim.<\/p><\/blockquote>\n<h2>Packet monitor as console program<\/h2>\n<p>The <em>pktmon.exe<\/em> program is a command line application that has to be run by an administrator (from a command prompt opened with normal user permissions the packet monitor is not usable). If you run the pktmon command without arguments at an administrative command prompt, it displays the following help information.<\/p>\n<p><img decoding=\"async\" title=\"Hilfetext des Befehls pktmon \" src=\"https:\/\/i.imgur.com\/K4mijvt.jpg\" alt=\"Hilfetext des Befehls pktmon \" \/><br \/>\n(Help text of the command pktmon)<\/p>\n<p>The help text describes the command as monitoring internal packet propagation and packet drop reports; it is intended for network diagnostics. The help page lists the available subcommands of the program.<\/p>\n<p>Bleeping Computer writes that the tool had not yet been documented by Microsoft; they didn't find anything. But on Wednesday, May 13, 2020 Microsoft published the Tech Community article <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/networking-blog\/windows-insiders-can-now-test-dns-over-https\/ba-p\/1381282\" target=\"_blank\" rel=\"noopener noreferrer\">Windows Insiders can now test DNS over HTTPS<\/a>. In this article, the command line utility pktmon.exe is used to verify the DoH functionality in Windows Insider build 19628 and later. The following command removes all packet filters that have already been configured in Packet Monitor.<\/p>\n<pre><code>pktmon filter remove<\/code><\/pre>\n<p>The following command adds a packet filter for port 53. 
In this example, this is the port used for classic (unencrypted) DNS; once DNS over HTTPS is in use, no DNS traffic should be seen on that port any more.<\/p>\n<pre><code>pktmon filter add -p 53<\/code><\/pre>\n<p>The list of configured filters can be retrieved at the command prompt with the following command.<\/p>\n<pre><code>pktmon filter list<\/code><\/pre>\n<p>The following figure shows the output of the commands for adding the filter and listing the existing filters.<\/p>\n<p><img decoding=\"async\" title=\"pktmon.exe Befehle\" src=\"https:\/\/i.imgur.com\/9hn6owr.jpg\" alt=\"pktmon.exe Befehle\" \/><\/p>\n<p>To start real-time logging of the traffic (on all network adapters of the machine), execute the following command:<\/p>\n<pre><code>pktmon start --etw -m real-time<\/code><\/pre>\n<p>All packets matching the filter, i.e. traffic on port 53, are printed to the command line as they arrive. Alternatively you can use the command:<\/p>\n<pre><code>pktmon start --etw<\/code><\/pre>\n<p>to write the captured records to the file <em>PktMon.etl<\/em>. This file is created in the current working directory, which for an elevated command prompt is by default:<\/p>\n<p>C:\\Windows\\system32\\<\/p>\n<p>By default, only the first 128 bytes of each packet are saved. The capture file is limited to 512 megabytes; when that size is reached, the oldest records are overwritten (circular logging).<\/p>\n<p>Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/windows-10-quietly-got-a-built-in-network-sniffer-how-to-use\/\" target=\"_blank\" rel=\"noopener noreferrer\">writes<\/a> that you can capture complete packets with the argument -p 0 (packet size 0 means the entire packet is kept) and restrict the capture to a single network adapter with -c 13 (capture only from the component with ID 13). 
The IDs of the existing network adapters (components) can be listed with the following command.<\/p>\n<pre><code>pktmon comp list<\/code><\/pre>\n<p>To stop the packet capture, type the following command at the command prompt.<\/p>\n<pre><code>pktmon stop<\/code><\/pre>\n<p>The capture in the <em>PktMon.etl<\/em> file stored under <em>C:\\Windows\\system32\\<\/em> can be opened in the Windows Event Viewer and viewed there. Alternatively, the .etl file can be converted to a text file with the following command.<\/p>\n<pre><code>pktmon format PktMon.etl -o c:\\test.txt<\/code><\/pre>\n<p>This text file can then be loaded and evaluated in a text editor. The following is an excerpt of such a log (in compact form).<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/CjkJRsv.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" title=\"\" src=\"https:\/\/i.imgur.com\/CjkJRsv.jpg\" alt=\"Netzwerk-Protokolleintr\u00e4ge\" width=\"627\" height=\"358\" \/><\/a><\/p>\n<p>Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/windows-10-quietly-got-a-built-in-network-sniffer-how-to-use\/\" target=\"_blank\" rel=\"noopener noreferrer\">suggests<\/a> installing Microsoft Network Monitor and using it to display the .etl file.<\/p>\n<p><em><a href=\"https:\/\/i.imgur.com\/dkZlg3R.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" title=\"Microsoft Network Monitor \" src=\"https:\/\/i.imgur.com\/dkZlg3R.jpg\" alt=\"Microsoft Network Monitor \" width=\"597\" height=\"386\" \/><\/a><\/em><\/p>\n<p>In the Windows 10 May 2020 Update (version 2004) Microsoft extends the functionality of the pktmon tool. It can then display captured packets in real time and convert ETL files to the PCAPNG format that Wireshark reads. Further details can be found at Bleeping Computer.<\/p>\n<p>At the moment I'm not sure how useful the whole thing really is. 
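<\/p>\n<p>The commands of the procedure above (filter remove, filter add, start, stop, format), chained into one PowerShell script that checks whether a name lookup still produces classic DNS traffic on port 53, which is the check the Tech Community article uses pktmon for. This is an added example written for this article; it is not code from the original post, from Bleeping Computer or from Microsoft. It assumes the flag names of the pktmon build in Windows 10 1903\/1909 (-t transport protocol and -p port for filter add; -p packet size, -c component, -f file name and -s file size in MB for start), an elevated PowerShell session, and that the pcapng subcommand is only present from version 2004 on; the test hostname, the output folder under %TEMP% and the port-53 line match are arbitrary choices.<\/p>\n

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post, Bleeping Computer or Microsoft):
# the pktmon workflow from the article, chained into one script that checks
# whether a name lookup still produces classic DNS traffic on port 53.
# Assumptions: pktmon flag names as printed by 'pktmon start help' and
# 'pktmon filter add help' on Windows 10 1903/1909; the 'pcapng' subcommand
# exists only on version 2004 and later.
param(
    [string]$TestName  = 'www.microsoft.com',   # assumed test hostname
    [int]   $Seconds   = 5,                     # keep capturing this long after the lookup
    [int]   $Component = 0                      # 0 = all adapters; otherwise an ID from 'pktmon comp list'
)

$outDir = Join-Path $env:TEMP 'pktmon-dns53'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$etl = Join-Path $outDir 'dns53.etl'
$txt = Join-Path $outDir 'dns53.txt'

function Invoke-Pktmon {
    # Runs pktmon.exe with the given arguments and throws on a non-zero exit code,
    # so a typo in a flag or a missing elevation stops the script immediately.
    param([string[]]$Arguments)
    $output = & pktmon.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ('pktmon {0} failed: {1}' -f ($Arguments -join ' '), ($output -join ' '))
    }
    $output
}

# 1. Start from a clean filter set, then match classic DNS on UDP and TCP port 53.
#    pktmon filters are OR-ed: a packet is captured if it matches any of them.
Invoke-Pktmon @('filter', 'remove') | Out-Null
Invoke-Pktmon @('filter', 'add', 'dns-udp', '-t', 'UDP', '-p', '53') | Out-Null
Invoke-Pktmon @('filter', 'add', 'dns-tcp', '-t', 'TCP', '-p', '53') | Out-Null
Invoke-Pktmon @('filter', 'list')

# 2. Capture whole packets (-p 0) into a named ETL with a 64 MB circular buffer,
#    optionally restricted to one component (network adapter).
$startArgs = @('start', '--etw', '-p', '0', '-f', $etl, '-s', '64')
if ($Component -gt 0) { $startArgs += @('-c', [string]$Component) }
Invoke-Pktmon $startArgs | Out-Null

try {
    # 3. Trigger a lookup while the capture runs. Clear the client cache first so
    #    the query actually goes out; with DoH active it must not show up on port 53.
    Clear-DnsClientCache
    Resolve-DnsName -Name $TestName -Type A -DnsOnly -ErrorAction SilentlyContinue | Out-Null
    Start-Sleep -Seconds $Seconds
} finally {
    # 4. Always stop the capture, even if the lookup failed.
    Invoke-Pktmon @('stop') | Out-Null
}

# 5. Convert the ETL to text. The filters already restrict the capture to port 53,
#    so every packet line is a classic DNS packet; the match below only skips header
#    lines (assumption about the text layout: the port is printed as a separate number;
#    an address octet 53 would also match). A packet traversing several components
#    produces several lines, so the count is per event, not per packet.
Invoke-Pktmon @('format', $etl, '-o', $txt) | Out-Null
$dnsLines = @(Get-Content $txt | Where-Object { $_ -match '(^|[^0-9])53([^0-9]|$)' })
if ($dnsLines.Count -eq 0) {
    Write-Output 'No port-53 traffic captured: the lookup did not use classic DNS.'
} else {
    Write-Output ('{0} port-53 event lines captured; classic DNS is still in use:' -f $dnsLines.Count)
    $dnsLines | Select-Object -First 5
}

# 6. On Windows 10 2004 and later the ETL can also be converted to PCAPNG for Wireshark.
$pcap = Join-Path $outDir 'dns53.pcapng'
& pktmon.exe pcapng $etl -o $pcap 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0) { Write-Output ('PCAPNG written to {0}' -f $pcap) }
else { Write-Output 'pcapng conversion not available on this build (needs Windows 10 2004 or later).' }
```

<p>Save the script as a .ps1 file and run it from an elevated PowerShell session. Before relying on it, compare the flag names with the output of <code>pktmon start help<\/code> and <code>pktmon filter add help<\/code> on the target build, since Microsoft changed some of them between Windows 10 versions. The exit-code check in Invoke-Pktmon is what turns a silently ignored wrong flag into a visible failure.<\/p>\n<p>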
If you want to monitor the network traffic, you could use <a href=\"https:\/\/de.wikipedia.org\/wiki\/Wireshark\" target=\"_blank\" rel=\"noopener noreferrer\">Wireshark<\/a>. You can download the software for Windows and macOS on <a href=\"https:\/\/www.wireshark.org\/download.html\" target=\"_blank\" rel=\"noopener noreferrer\">this page<\/a>. And administrators can use the netsh trace command in Windows for the same purpose (see the article at <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/windows-10-quietly-got-a-built-in-network-sniffer-how-to-use\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bleeping Computer<\/a> and <a href=\"https:\/\/www.borncity.com\/blog\/2020\/05\/18\/windows-10-network-sniffer-pktmgr-integriert\/#comment-89337\" target=\"_blank\" rel=\"noopener noreferrer\">this comment<\/a>).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft ships a tool (Packet Monitor) in Windows 10 that allows administrators to monitor and record network traffic. 
This has only now become more widely known, possibly because the feature was described a few days ago for insiders.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[1776,76],"class_list":["post-14480","post","type-post","status-publish","format-standard","hentry","category-windows","tag-netzwork","tag-windows-10"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/14480","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=14480"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/14480\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=14480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=14480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=14480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}