Everyone knows Wireshark, the cross-platform packet capture tool that also runs on Windows. Until recently, installing a third-party tool like it was the usual way to capture packets on Windows for troubleshooting or traffic analysis.

Microsoft has since added a native packet capture tool that ships built into the OS: pktmon, available since Windows 10 version 1809 and Windows Server 2019 (the real-time console display used below needs version 2004 or later). This article covers the basic commands for running a packet capture on Windows 10.

The packet capture tool is pktmon.exe and it is run from the Command Prompt. Type pktmon on its own to see the usage summary.

It has built-in help for every command and switch. To see the details of a command, type

pktmon <command> help

Capture packets in real time

We will create a simple filter that captures ICMP traffic and shows it on screen as pktmon captures it.

Note: make sure the Command Prompt is running as administrator. If it is not, pktmon start fails with an access denied error.

First, create a filter that tells pktmon which packets you want to capture.

We want any ICMP packet, so set the filter with the command below.

pktmon filter add PingFilter -t ICMP

In the above command, PingFilter is the name of the filter and ICMP is the transport protocol to match (-t is short for --transport-protocol).

To show all the options available for a capture filter, use

pktmon filter add help

Check that the filter was added with the filter list command

pktmon filter list

Once the capture filter is set, start the capture with pktmon start

pktmon start --etw --log-mode real-time

In the above command, --etw --log-mode real-time makes pktmon print the packets matching the filter to the console in real time; without --log-mode real-time it writes them to a log file instead (PktMon.etl by default) until you run pktmon stop. Press Ctrl+C to end a real-time capture. Note that only the first 128 bytes of each packet are recorded by default; add --pkt-size 0 if you need whole packets.

After starting the capture, ping a device on your network or on the internet, and pktmon should print the matching packets in the Command Prompt window.

This was a simple capture filter. A filter can also combine several match conditions, for example

pktmon filter add DNS-PACKETS --data-link IPv4 --ip-address 8.8.8.8 --transport-protocol udp --port 53

This filter captures DNS queries and responses to or from 8.8.8.8 over UDP port 53 (--ip-address matches either the source or the destination address, so both directions are captured). DNS over TCP would need a second filter with --transport-protocol tcp; when several filters are defined, a packet is captured if it matches any of them.

To remove all capture filters, use the command

pktmon filter remove

These were the basic commands for a simple packet capture with the Windows 10 pktmon tool.
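The whole procedure above, run end to end from an elevated PowerShell prompt, as an added example that is not part of the original article: it captures DNS traffic to and from 8.8.8.8 into a file rather than the console, generates a few queries, stops the capture and converts the log for reading in a text editor or Wireshark. The long flag names (--pkt-size, --file-name) and the pcapng conversion subcommand are assumptions based on the Windows 10 version 2004 build; check them against pktmon start help and the pktmon top-level help on your build, since Microsoft has renamed some of them between releases.

```powershell
# Added example (not from the original article): an end-to-end pktmon session.
# Assumes Windows 10 version 2004 or later and an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

# pktmon needs an elevated prompt; otherwise 'pktmon start' fails with access denied.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

$resolver = '8.8.8.8'
$logFile  = Join-Path $PWD 'dns-capture.etl'

# Start from a clean slate: filters persist until removed, and a leftover
# filter from an earlier session would silently narrow this capture.
pktmon filter remove | Out-Null

# Several filters are ORed, so add one per case you care about.
# --ip-address matches source or destination, so queries and answers both match.
pktmon filter add DNS-UDP --data-link IPv4 --ip-address $resolver --transport-protocol udp --port 53
pktmon filter add DNS-TCP --data-link IPv4 --ip-address $resolver --transport-protocol tcp --port 53
pktmon filter list

# Capture whole packets (--pkt-size 0; the default keeps only the first 128 bytes,
# which truncates most DNS payloads) into an ETL file instead of the console.
# Flag names assumed from the 2004 build; confirm with 'pktmon start help'.
pktmon start --etw --pkt-size 0 --file-name $logFile

try {
    # Generate matching traffic with the built-in DNS client cmdlet.
    foreach ($name in 'asknetsec.com', 'microsoft.com') {
        Resolve-DnsName -Name $name -Type A -Server $resolver -DnsOnly | Out-Null
    }
    Start-Sleep -Seconds 1
}
finally {
    # File-mode captures run until explicitly stopped.
    pktmon stop
}

# Convert the binary ETL log to readable text ...
pktmon format $logFile -o ($logFile -replace '\.etl$', '.txt')
# ... and to pcapng for Wireshark. The subcommand is assumed to be 'pcapng' on
# Windows 10 2004; later builds call it 'etl2pcap'. Adjust for your build.
pktmon pcapng $logFile -o ($logFile -replace '\.etl$', '.pcapng')

# Clean up so the filters do not affect the next session.
pktmon filter remove
```

The try/finally matters in practice: if the traffic-generation step throws, the capture is still stopped, otherwise pktmon keeps logging in the background until someone notices.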

DNS stands for Domain Name System and is one of the most important parts of the internet. Every computer on the internet has a unique IP address, and DNS maps domain names to these IP addresses, because a name is easier to remember and recall than a string of numbers.

When you browse to a website such as http://asknetsec.com, the browser first uses DNS to resolve asknetsec.com to an IP address (45.76.161.5 in this example), then connects to that address and downloads the web page.

DNS works in a client-server model: the client is the computer that needs to resolve a domain name to an IP address, and the server is a computer that holds, or can look up, the domain name to IP address mappings.

A typical DNS transaction consists of two packets: a request from the client to the server and a response from the server back to the client. The request carries a query for the domain name; the response carries the answer, the IP address (or addresses) for that name. Both normally travel over UDP port 53, and the client matches the response to its request by the 16-bit transaction ID that the server copies from the query.

Below are a typical DNS request and response as shown in Wireshark, which exposes the content of the DNS transaction.

DNS Query: [Wireshark screenshot of a DNS query packet]

DNS Response: [Wireshark screenshot of a DNS response packet]

The DNS query contains the domain name being asked about, and the DNS response repeats that question and adds the IP address associated with the name.
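The two packets described above, built and decoded byte by byte, as an added example that is not part of the original article. New-DnsQuery produces the raw bytes of a query for asknetsec.com and Read-DnsResponse decodes a response; the response bytes are constructed by hand here (not a real capture), with an assumed transaction ID of 0x1234, an assumed TTL of 300 seconds, and the A record 45.76.161.5 taken from the article's example.

```powershell
# Added example (not from the original article): the DNS query/response pair in raw bytes.

function Get-U16 { param([byte[]] $Data, [int] $Index)
    return ([int]$Data[$Index] -shl 8) -bor $Data[$Index + 1]
}

function New-DnsQuery {
    param([Parameter(Mandatory)] [string] $Name,
          [uint16] $Id = 0x1234)        # assumed ID; a real client picks this at random
    $b = [System.Collections.Generic.List[byte]]::new()
    # Header: ID, flags 0x0100 (standard query, recursion desired), QDCOUNT=1, AN/NS/ARCOUNT=0
    $b.AddRange([byte[]]@(($Id -shr 8), ($Id -band 0xFF), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0))
    # QNAME: each label prefixed with its length, terminated by a zero byte
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]$bytes.Length)
        $b.AddRange($bytes)
    }
    $b.Add(0)
    $b.AddRange([byte[]]@(0, 1, 0, 1))   # QTYPE=A (1), QCLASS=IN (1)
    return ,$b.ToArray()
}

function Read-DnsName {
    # Reads a possibly compressed name at $Offset; returns the name and the offset after it.
    param([byte[]] $Data, [int] $Offset)
    $labels = @(); $next = -1
    while ($true) {
        $len = $Data[$Offset]
        if ($len -eq 0) { $Offset++; break }
        if (($len -band 0xC0) -eq 0xC0) {
            # Compression pointer (RFC 1035 4.1.4): continue reading at the referenced offset
            $ptr = (($len -band 0x3F) -shl 8) -bor $Data[$Offset + 1]
            if ($next -lt 0) { $next = $Offset + 2 }
            $Offset = $ptr
            continue
        }
        $labels += [Text.Encoding]::ASCII.GetString($Data, $Offset + 1, $len)
        $Offset += 1 + $len
    }
    if ($next -lt 0) { $next = $Offset }
    return ($labels -join '.'), $next
}

function Read-DnsResponse {
    param([byte[]] $Data)
    $flags = Get-U16 $Data 2
    $qdcount = Get-U16 $Data 4; $ancount = Get-U16 $Data 6
    $off = 12; $questions = @(); $answers = @()
    for ($i = 0; $i -lt $qdcount; $i++) {
        $qname, $off = Read-DnsName $Data $off
        $questions += $qname
        $off += 4                            # skip QTYPE and QCLASS
    }
    for ($i = 0; $i -lt $ancount; $i++) {
        $aname, $off = Read-DnsName $Data $off
        $type  = Get-U16 $Data $off
        $ttl   = ((Get-U16 $Data ($off + 4)) -shl 16) -bor (Get-U16 $Data ($off + 6))
        $rdlen = Get-U16 $Data ($off + 8)
        $off  += 10
        $rdata = $Data[$off..($off + $rdlen - 1)]
        $off  += $rdlen
        $value = if ($type -eq 1 -and $rdlen -eq 4) { $rdata -join '.' }
                 else { ($rdata | ForEach-Object { $_.ToString('x2') }) -join '' }
        $answers += [pscustomobject]@{ Name = $aname; Type = $type; TTL = $ttl; Data = $value }
    }
    [pscustomobject]@{
        Id         = Get-U16 $Data 0
        IsResponse = (($flags -band 0x8000) -ne 0)
        Rcode      = ($flags -band 0x000F)
        Questions  = $questions
        Answers    = $answers
    }
}

# 1. The query packet the client sends to the server
$query = New-DnsQuery -Name 'asknetsec.com'

# 2. A constructed response: same ID, flags 0x8180 (response, RD, RA, NOERROR), the question
#    echoed back, and one A record whose name is a pointer (0xC00C) to the question name.
$header   = [byte[]]@(0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0)
$answer   = [byte[]]@(0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 1, 0x2C, 0, 4, 45, 76, 161, 5)
$response = [byte[]]($header + $query[12..($query.Length - 1)] + $answer)

$parsed = Read-DnsResponse $response
# A client must only accept a response whose ID matches its outstanding query.
if (-not $parsed.IsResponse -or $parsed.Id -ne (Get-U16 $query 0)) {
    throw 'Response does not belong to our query (wrong ID or not a response); discard it.'
}
"Query bytes : $(($query | ForEach-Object { $_.ToString('x2') }) -join ' ')"
"Question    : $($parsed.Questions[0])"
"Answer      : $($parsed.Answers[0].Name) -> $($parsed.Answers[0].Data) (TTL $($parsed.Answers[0].TTL)s)"
```

The ID check at the end is the point worth remembering from a security angle: the transaction ID (together with the client's source port) is the only thing that ties a response to a query over UDP, so a resolver that skips the check, or a client whose IDs are predictable, will accept forged answers.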