Yes, both Windows 10 and 11 include a built-in command-line tool for packet capturing named “Packet Monitor” or pktmon. It was introduced in the Windows 10 May 2020 Update (version 2004) and is also present in Windows 11. It’s also included in Windows Server 2019/2022.
Here’s a brief overview of how to use pktmon:
- Start a capture:
To start capturing network traffic, open Command Prompt as an administrator and use the following command:
pktmon start --etw -m real-time
In this command:
– –etw stands for “Event Tracing for Windows” which is a mechanism for tracing and logging high-frequency events.
– -m real-time enables real-time monitoring.
- Stop a capture:
When you’re ready to stop capturing packets, use the following command:
pktmon stop
This will stop the packet capturing process.
- Filter a capture:
You can also filter the packets that pktmon captures. For example, to capture only the packets that involve a specific IP address, use the following command:
pktmon filter add -i <ip_address>
Replace <ip_address> with the IP address you’re interested in.
- Convert a capture to PCAP format:
By default, pktmon saves its captures in an ETL format, which isn’t compatible with common packet analysis tools like Wireshark. Fortunately, pktmon can convert its ETL captures to PCAP format, which is more broadly compatible. Here’s how:
pktmon etl2pcap {etlfile} --out {pcap name}.pcap
In this command, is the ETL file you want to convert and .pcap is the name you want to give to the converted file.
Please note that the pktmon tool provides quite basic packet capture capabilities. For more advanced network traffic analysis, third-party tools like Wireshark might be more suitable.
EXAMPLE PKTMON
In this example I’ll use my blog “cordero.me” and filter it down to HTTPS traffic.
pktmon filter add -i 74.207.230.63 -p 443
Verify filter:
pktmon filter list
Packet Filters:
# Name IP Address Port
- ---- ---------- ----
1 74.207.230.63 443
Start Packet Capture:
This option will actually be in real-time on your screen. You don’t have to do it this way. You could just save it to the local file.
pktmon start --etw -m real-time
Stop the Packet Capture:
pktmon stop
Convert the ETL file to a PCAP so you can view it in Wireshark:
pktmon etl2pcap PktMon.etl --out pktmonetl2pcap.pcap Processing... Packets total: 836 Packet drop count: 1 Packets formatted: 836 Formatted file: pktmonetl2pcap.pcap
PKTMON vs NETSH TRACE
Both pktmon and netsh trace are built-in tools in Windows for network troubleshooting, but they serve slightly different purposes and provide different levels of detail.
netsh trace is a part of netsh (Network Shell) utility which provides a powerful way to configure and monitor Windows networking components. The trace context of netsh provides simple packet capturing functionality, and it can output its captures in ETL format, which can then be converted to PCAP format using Microsoft’s netsh trace command or third-party tools.
On the other hand, pktmon (Packet Monitor) is a newer utility that provides a more user-friendly way to capture and analyze network traffic. It has a simpler command-line interface and can output its captures directly in PCAP format, making it easier to work with common packet analysis tools like Wireshark.
In terms of capabilities, both netsh trace and pktmon provide basic packet capture functionality. However, neither tool offers the same level of detail or flexibility as more specialized packet capture tools like Wireshark. For example, they don’t provide advanced filtering capabilities, and they don’t have graphical interfaces that make it easy to visualize and analyze network traffic.
So, to summarize, pktmon is a more modern and user-friendly tool than netsh trace, but both tools are suitable for basic packet capture tasks. For more advanced network analysis tasks, you might want to use a specialized tool like Wireshark.
EXAMPLE NETSH TRACE
To start the capture:
netsh trace start capture=yes overwrite=no maxSize=500 tracefile=c:\Users\capture1.etl Trace configuration: ------------------------------------------------------------------- Status: Running Trace File: C:\Users\capture1.etl Append: Off Circular: On Max Size: 500 MB Report: Off
To stop the capture:
netsh trace stop Correlating traces ... done Generating data collection ... done The trace file and additional troubleshooting information have been compiled as "c:\Users\capture1.cab". File location = c:\Users\capture1.etl Tracing session was successfully stopped.
The ETL file can be sent to anyone to convert it to a CAP file for Wireshark using Microsoft Message Analyzer. The default maxSize is 250MB but it can be changed just like I changed it above to 500MB. You can obviously change the capture name and location if you want.
There are more specific setting you can change. Below is the help output using the command “show capturefilterhelp” under “netsh trace”:
netsh trace>show capturefilterhelp
Capture Filters:
Capture filters are only supported when capture is explicitly
enabled with capture=yes. Supported capture filters are:
CaptureInterface=
Enables packet capture for the specified interface name or GUID. Use
'netsh trace show interfaces' to list available interfaces.
e.g. CaptureInterface={716A7812-4AEE-4545-9D00-C10EFD223551}
e.g. CaptureInterface=!{716A7812-4AEE-4545-9D00-C10EFD223551}
e.g. CaptureInterface="Local Area Connection"
Ethernet.Address=
Matches the specified filter against both source and destination
MAC addresses.
e.g. Ethernet.Address=00-0D-56-1F-73-64
Ethernet.SourceAddress=
Matches the specified filter against source MAC addresses.
e.g. Ethernet.SourceAddress=00-0D-56-1F-73-64
Ethernet.DestinationAddress=
Matches the specified filter against destination MAC addresses.
e.g. Ethernet.DestinationAddress=00-0D-56-1F-73-64
Ethernet.Type=
Matches the specified filter against the MAC ethertype.
e.g. Ethernet.Type=IPv4
e.g. Ethernet.Type=NOT(0x86DD)
e.g. Ethernet.Type=(IPv4,IPv6)
Wifi.Type=<management|Data>
Matches the specified filter against the Wifi type. Allowed values
are 'Management' and 'Data'. If not specified, the Wifi.Type filter
is not applied.
Note: This capture filter does not support ranges, lists or negation.
e.g. Wifi.Type=Management
Protocol=
Matches the specified filter against the IP protocol.
e.g. Protocol=6
e.g. Protocol=!(TCP,UDP)
e.g. Protocol=(4-10)
IPv4.Address=
Matches the specified filter against both source and destination
IPv4 addresses.
e.g. IPv4.Address=157.59.136.1
e.g. IPv4.Address=!(157.59.136.1)
e.g. IPv4.Address=(157.59.136.1,157.59.136.11)
IPv4.SourceAddress=
Matches the specified filter against source IPv4 addresses.
e.g. IPv4.SourceAddress=157.59.136.1
IPv4.DestinationAddress=
Matches the specified filter against destination IPv4 addresses.
e.g. IPv4.DestinationAddress=157.59.136.1
IPv6.Address=
Matches the specified filter against both source and destination
IPv6 addresses.
e.g. IPv6.Address=fe80::5038:3c4:35de:f4c3\%8
e.g. IPv6.Address=!(fe80::5038:3c4:35de:f4c3\%8)
IPv6.SourceAddress=
Matches the specified filter against source IPv6 addresses.
e.g. IPv6.SourceAddress=fe80::5038:3c4:35de:f4c3\%8
IPv6.DestinationAddress=
Matches the specified filter against destination IPv6 addresses.
e.g. IPv6.DestinationAddress=fe80::5038:3c4:35de:f4c3\%8
CustomMac=<type(offset,value)>
Matches the specified filter against the value at the specified
offset starting with the MAC header.
Note: This capture filter does not support ranges, lists or negation.
e.g. CustomMac=UINT8(0x1,0x23)
e.g. CustomMac=ASCIISTRING(3,test)
e.g. CustomMac=UNICODESTRING(2,test)
CustomIp=<type(offset,value)>
Matches the specified filter against the value at the specified
offset starting with the IP header.
Note: This capture filter does not support ranges, lists or negation.
e.g. CustomIp=UINT16(4,0x3201)
e.g. CustomIp=UINT32(0x2,18932)
CaptureMultiLayer=<yes|no>
Enables multi-layer packet capture.
Note: This capture filter does not support ranges, lists or negation.
PacketTruncateBytes=
Captures only the the specified number of bytes of each packet.
Note: This capture filter does not support ranges, lists or negation.
e.g. PacketTruncateBytes=40
Note:
Multiple filters may be used together. However the same filter may
not be repeated.
e.g. 'netsh trace start capture=yes Ethernet.Type=IPv4
IPv4.Address=157.59.136.1'
Filters need to be explicitly stated when required. If a filter is
not specified, it is treated as "don't-care".
e.g. 'netsh trace start capture=yes IPv4.SourceAddress=157.59.136.1'
This will capture IPv4 packets only from 157.59.136.1, and it
will also capture packets with non-IPv4 Ethernet Types, since
the Ethernet.Type filter is not explicitly specified.
e.g. 'netsh trace start capture=yes IPv4.SourceAddress=157.59.136.1
Ethernet.Type=IPv4'
This will capture IPv4 packets only from 157.59.136.1. Packets
with other Ethernet Types will be discarded since an explicit
filter has been specified.
Capture filters support ranges, lists and negation (unless stated
otherwise).
e.g. Range: 'netsh trace start capture=yes Ethernet.Type=IPv4
Protocol=(4-10)'
This will capture IPv4 packets with protocols between 4 and 10
inclusive.
e.g. List: 'netsh trace start capture=yes Ethernet.Type=(IPv4,IPv6)'
This will capture only IPv4 and IPv6 packets.
e.g. Negation: 'netsh trace start capture=yes Ethernet.Type=!IPv4'
This will capture all non-IPv4 packets.
Negation may be combined with lists in some cases.
e.g. 'netsh trace start capture=yes Ethernet.Type=!(IPv4,IPv6)'
This will capture all non-IPv4 and non-IPv6 packets.
'NOT' can be used instead of '!' to indicate negation. This requires
parentheses to be present around the values to be negated.
e.g. 'netsh trace start capture=yes Ethernet.Type=NOT(IPv4)'
Converting the ETL File
The ETL file can be sent to anyone to convert it to a PCAP file for Wireshark viewing. The default maxSize is 250MB but it can be changed. You can obviously change the capture name and location if you want.
1. Microsoft Message Analyzer
This ETL file is converted using Microsoft Message Analyzer:
1. First open the ETL in MMA
2. Go to File, Save As, All Messages, Export to export it as a CAP
Note:
This tool is retired by Microsoft, but if you have still have it, you can use it.
2. Microsoft Github Script ETL2PCAPNG
There’s now a free tool that will convert these ETL files to PCAPNG files.
https://github.com/microsoft/etl2pcapng/releases