Everyone knows about wireshark, which is a tool to capture packets on Windows OS. Until now this was the only easy way you could do packet capture on Windows for troubleshooting or analyzing traffic.
Recently Microsoft has added a native took to do packet capture on Windows that comes built in to the OS. This article will touch on the basic commands you can use to run packet capture on Windows 10.
The packet capture tool on Windows is called pktmon.exe. You can run the tool from your command prompt. Just type pktmon in your command prompt to see the basic usage commands.
It comes with a builtin help to check what each command and switch does. To check details of any command type
pktmon <command> help
Capture packets in realtime
We will create a simple filter to capture icmp traffic and show it on the screen as the packets are captured by pktmon.
Note: Please make sure the Command Prompt is running as administrator to be able to capture packets. If command prompts is not running as administrator you will get <strong>access denied error</strong> while starting a capture.
First, create a filter to tell pktmon what type of packets you want to capture.
We will be capturing any type of icmp packets so set the filter using below command.
pktmon filter add PingFilter -t ICMP
In the above command PingFilter is the name of the filter and ICMP is the type of the packets we want to capture.
To show all the options available to set up capture filter use the below command
pktmon filter add help
Check if the filter is added successfully using filter list command
pktmon filter list
Once the capture filter is set start capture using pktmon start command
pktmon start –etw –log-mode real-time
In the above command –etw –log-mode real-time is to show the packet commands matching the filter on screen in realtime.
After starting the capture, ping some device in your network or on the internet and pktmon should show the captured packets on the command prompt
This was a simple packet capture filter. You can also configure complex packet capture filter like
pktmon filter add DNS-PACKETS –data-link IPv4 –ip-address 22.214.171.124 –transport-protocol udp –port 53
This capture filter will capture all the dns queries and responses to/from 126.96.36.199
To remove all capture filter use the command
pktmon filter remove
This were the basic commands to do a simple packet capture using windows 10 pktmon tool.