How To Use Pktmon, Windows 10 Native And Inbuilt Packet Capture Tool

Everyone knows about Wireshark, the tool most people use to capture packets on Windows. Until now this was the only easy way to do packet capture on Windows for troubleshooting or analyzing traffic.

Recently Microsoft added a native tool for packet capture that comes built into the OS. This article covers the basic commands you can use to run a packet capture on Windows 10.

The packet capture tool on Windows is called pktmon.exe. You can run it from the command prompt; just type pktmon to see the basic usage commands.

It comes with built-in help that explains what each command and switch does. To see the details of any command, type:

pktmon <command> help

Capture packets in realtime

We will create a simple filter to capture ICMP traffic and show it on screen as pktmon captures the packets.

Note: Make sure the Command Prompt is running as administrator in order to capture packets. If the Command Prompt is not running as administrator, you will get an access denied error when starting a capture.

First, create a filter to tell pktmon what type of packets you want to capture.

We will capture any type of ICMP packet, so set the filter using the command below.

pktmon filter add PingFilter -t ICMP

In the above command, PingFilter is the name of the filter and ICMP is the type of packets we want to capture.

To show all the options available for setting up a capture filter, use the command below:

pktmon filter add help

Check that the filter was added successfully using the filter list command:

pktmon filter list

Once the capture filter is set, start the capture using the pktmon start command:

pktmon start --etw --log-mode real-time

In the above command, --etw --log-mode real-time tells pktmon to show the packets matching the filter on screen in real time.

After starting the capture, ping some device on your network or on the internet and pktmon should show the captured packets in the command prompt.

This was a simple packet capture filter. You can also configure more complex capture filters, like:

pktmon filter add DNS-PACKETS --data-link IPv4 --ip-address 8.8.8.8 --transport-protocol udp --port 53

This capture filter captures all the DNS queries and responses to/from 8.8.8.8.

To remove all capture filters, use the command:

pktmon filter remove
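The filter workflow above (clear old filters, add the ICMP and DNS filters, verify with filter list), wrapped in a PowerShell helper as an added example; this is not code from the original article. It checks the administrator requirement the note above mentions, and the function names are our own.

```powershell
# Added example, not from the article. Filter names, the 8.8.8.8 address and
# the ICMP/DNS definitions match the article; Invoke-Pktmon, Set-PktmonFilters
# and Test-IsAdministrator are helper names chosen here.

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Pktmon {
    param([string[]] $Arguments, [switch] $DryRun)
    if ($DryRun) { Write-Host "pktmon $($Arguments -join ' ')"; return }
    & pktmon.exe @Arguments            # splat the argument array onto pktmon.exe
    if ($LASTEXITCODE -ne 0) {
        throw "pktmon $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

function Set-PktmonFilters {
    param([Parameter(Mandatory)] [hashtable[]] $Filters, [switch] $DryRun)
    # pktmon needs an elevated console; otherwise it reports access denied.
    if (-not $DryRun -and -not (Test-IsAdministrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
    # Start from a clean slate: 'pktmon filter remove' drops every filter.
    Invoke-Pktmon @('filter', 'remove') -DryRun:$DryRun
    foreach ($f in $Filters) {
        # Emit only the options a filter actually sets (long-form flags, two hyphens).
        $cmd = @('filter', 'add', $f.Name)
        if ($f.DataLink)  { $cmd += @('--data-link', $f.DataLink) }
        if ($f.IpAddress) { $cmd += @('--ip-address', $f.IpAddress) }
        if ($f.Transport) { $cmd += @('--transport-protocol', $f.Transport) }
        if ($f.Port)      { $cmd += @('--port', "$($f.Port)") }
        Invoke-Pktmon $cmd -DryRun:$DryRun
    }
    # Confirm what pktmon actually registered before starting a capture.
    Invoke-Pktmon @('filter', 'list') -DryRun:$DryRun
}

$filters = @(
    @{ Name = 'PingFilter';  Transport = 'ICMP' },
    @{ Name = 'DNS-PACKETS'; DataLink = 'IPv4'; IpAddress = '8.8.8.8'; Transport = 'udp'; Port = 53 }
)
# -DryRun prints the commands; drop it in an elevated session to apply them.
Set-PktmonFilters -Filters $filters -DryRun
```

After the filters are in place, start the capture with the pktmon start command shown earlier.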

These were the basic commands for doing a simple packet capture using the Windows 10 pktmon tool.
