Everyone knows about Wireshark, a tool for capturing packets on Windows. Until now this was the only easy way to capture packets on Windows for troubleshooting or analyzing traffic.

Recently Microsoft has added a native packet capture tool that comes built into the OS. This article covers the basic commands you can use to run a packet capture on Windows 10.

The packet capture tool on Windows is called pktmon.exe, and you can run it from the command prompt. Just type pktmon in your command prompt to see the basic usage and available commands.

It comes with built-in help that explains what each command and switch does. To check the details of any command, type

pktmon <command> help

Capture packets in realtime

We will create a simple filter to capture icmp traffic and show it on the screen as the packets are captured by pktmon.

Note: Make sure the Command Prompt is running as administrator to be able to capture packets. If the command prompt is not running as administrator you will get an access denied error when starting a capture.

First, create a filter to tell pktmon what type of packets you want to capture.

We will be capturing all ICMP packets, so set the filter using the command below.

pktmon filter add PingFilter -t ICMP

In the above command PingFilter is the name of the filter and ICMP is the type of packets we want to capture.

To show all the options available for setting up a capture filter, use the command below.

pktmon filter add help

Check that the filter was added successfully using the filter list command.

pktmon filter list

Once the capture filter is set, start the capture using the pktmon start command.

pktmon start --etw --log-mode real-time

In the above command, --etw --log-mode real-time shows the packets matching the filter on screen in real time.

After starting the capture, ping a device on your network or on the internet and pktmon should show the captured packets in the command prompt.

This was a simple packet capture filter. You can also configure a more complex capture filter, for example:

pktmon filter add DNS-PACKETS --data-link IPv4 --ip-address 8.8.8.8 --transport-protocol udp --port 53

This capture filter captures all DNS queries and responses to/from 8.8.8.8.

To remove all capture filters use the command

pktmon filter remove
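The steps above (add a filter, start the capture, stop it, remove the filter) are easy to leave half-done, which is a problem because a forgotten filter silently shapes the next capture and a running pktmon driver keeps logging. The following PowerShell function is an added example, not code from the original post, that wraps the whole sequence so the filter is always removed and the capture always stopped, and writes the capture to an ETL file and converts it to pcapng so it opens in Wireshark. It uses the pktmon commands shown on the page plus `pktmon stop` and `pktmon pcapng` (the pcapng subcommand exists on Windows 10 version 2004 and later). The function name, the output directory and the filter names are constructed for this example.

```powershell
# Added example: timed pktmon capture with guaranteed cleanup. Run from an
# elevated PowerShell prompt (pktmon needs administrator rights).
#Requires -RunAsAdministrator

function Invoke-PktmonCapture {
    param(
        [Parameter(Mandatory)] [string]   $FilterName,
        # Filter arguments exactly as you would pass them to 'pktmon filter add',
        # e.g. '-t','ICMP' or '--transport-protocol','udp','--port','53'.
        [Parameter(Mandatory)] [string[]] $FilterArgs,
        [int]    $Seconds = 30,
        [string] $OutDir  = "$env:TEMP\pktmon"   # constructed default location
    )

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $etl    = Join-Path $OutDir "$FilterName.etl"
    $pcapng = Join-Path $OutDir "$FilterName.pcapng"

    # Start from a clean slate: a leftover filter from an earlier session would
    # otherwise be OR-ed with the new one and widen the capture unnoticed.
    pktmon filter remove | Out-Null
    pktmon filter add $FilterName @FilterArgs | Out-Null
    pktmon filter list

    # Log to an ETL file instead of the screen so the capture can be analysed later.
    pktmon start --etw --file-name $etl | Out-Null
    try {
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Runs even if the script is interrupted with Ctrl+C: stop the driver
        # and remove the filter so nothing keeps capturing in the background.
        pktmon stop | Out-Null
        pktmon filter remove | Out-Null
    }

    # Convert the ETL trace to pcapng so it can be opened directly in Wireshark.
    pktmon pcapng $etl -o $pcapng | Out-Null
    Get-Item $pcapng
}

# Usage: the two filters from the article, 30 s of ICMP and 60 s of DNS to 8.8.8.8.
Invoke-PktmonCapture -FilterName PingFilter -FilterArgs '-t','ICMP' -Seconds 30
Invoke-PktmonCapture -FilterName DnsPackets -Seconds 60 `
    -FilterArgs '--data-link','IPv4','--ip-address','8.8.8.8','--transport-protocol','udp','--port','53'
```

The try/finally is the point of the wrapper: on a shared troubleshooting box, a capture that is never stopped keeps writing packet data to disk, and a filter that is never removed changes what the next person captures without any warning.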

These were the basic commands for doing a simple packet capture using the Windows 10 pktmon tool.

Microsoft released an out-of-band patch to fix the “Meltdown” vulnerability on the 3rd of January 2018. More details of the patch can be found on the official KB4056892 page.

This patch is available only for Windows 10. It installs automatically once the PC connects to the internet.


There have been multiple reports of applications not being compatible with this latest patch. Certain antivirus products cause a blue screen after the Meltdown patch is installed.

There have been reports of some SSL VPN applications not connecting to the server after the patch is applied.

Antivirus vendors are releasing patches to fix the compatibility issues, but it may take a few days for all of them to be available.

I would recommend updating all the important applications installed on the PC before applying this patch to prevent incompatibility issues.

If the patch is already installed and a critical application is causing issues, you can try uninstalling the patch and checking whether the application works without it.


To find your public IP address from the command line (CLI) you can use the commands below for Linux and Windows.

Linux

curl icanhazip.com

curl canihazip.com/s

These two commands make a web request and show the IP address as the response to the request.


dig myip.opendns.com. @resolver1.opendns.com +nocomments +noquestion +noauthority +noadditional +nostats | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"

This command runs a DNS query and shows the resolved IP address. Querying myip.opendns.com. through the resolver1.opendns.com DNS resolver returns the public IP address from which the query originated.

Note the trailing period (.) in myip.opendns.com.; it makes the name absolute so that no DNS suffix is appended to the query.

Windows

nslookup myip.opendns.com. resolver1.opendns.com | find "Address"

This outputs two IP addresses; the second one is your public IP address.
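Both the dig pipeline in the Linux section and the nslookup pipeline above pull the address out of resolver output with a pattern match, and a `[0-9]{1,3}` regex happily accepts strings such as 300.1.1.1. The following PowerShell function is an added example, not code from the original post, that parses the nslookup output described above, picks the last Address line (the first one belongs to the resolver itself) and only returns the value if it round-trips as a well-formed IPv4 address, with a warning if the result is a private or loopback address rather than a public one. The sample nslookup output and the function name are constructed for this example.

```powershell
# Added example: extract and validate the public IPv4 from nslookup output.

function Get-PublicIPv4FromNslookup {
    param([Parameter(Mandatory)] [string[]] $Lines)

    # nslookup prints the resolver's own address first and the answer last,
    # so keep the value from the last "Address:" line.
    $answer = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Address(es)?:\s*(\S+)') { $answer = $Matches[2] }
    }
    if (-not $answer) { throw 'nslookup output contained no Address line' }

    # A 1-3 digit regex alone would accept 300.1.1.1. Parsing with [ipaddress]
    # and comparing the canonical text back to the input rejects out-of-range
    # octets, IPv6 answers and shorthand forms such as "1" (= 0.0.0.1).
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($answer, [ref]$ip) -or
        $ip.AddressFamily -ne 'InterNetwork' -or
        $ip.IPAddressToString -ne $answer) {
        throw "not a valid IPv4 address: $answer"
    }

    # RFC 1918 and loopback ranges cannot be a public address; a hit here usually
    # means the query was answered by a local resolver instead of resolver1.opendns.com.
    if ($answer -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)') {
        Write-Warning "$answer is a private or loopback address, not a public one"
    }
    return $answer
}

# Constructed sample of what 'nslookup myip.opendns.com. resolver1.opendns.com' prints.
$sample = @(
    'Server:  resolver1.opendns.com',
    'Address:  208.67.222.222',
    '',
    'Non-authoritative answer:',
    'Name:    myip.opendns.com',
    'Address:  203.0.113.45'
)
Get-PublicIPv4FromNslookup -Lines $sample

# Live use (needs network access):
# Get-PublicIPv4FromNslookup -Lines (nslookup myip.opendns.com. resolver1.opendns.com 2>$null)
```

With the constructed sample the function returns 203.0.113.45, the second address, which matches the rule stated above; the validation step is what the bare `find "Address"` pipeline does not give you.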