Windows 10 has a secret network packet sniffer -- here's where to find it and how to use it
With Windows 10 having been with us for a number of years, you would think that all of its secrets had been discovered by now. Of course, Microsoft has released numerous updates to the operating system but it's hard to imagine anything included in these going unnoticed, right?
Maybe not. You may not be aware that with Windows 10 October 2018 Update, Microsoft added a network packet sniffer, Packet Monitor or Pktmon. No one seemed to notice... until now.
Over the weekend Lawrence Abrams from BleepingComputer wrote about the Pktmon tool which Microsoft has said nothing about. When Windows 10 October 2018 Update was released, there was no mention of the network packet sniffer, it does not appear to be mentioned on the Microsoft website, and no documentation appears to have been produced.
You can find the utility at C:\Windows\system32\pktmon.exe. If you run it from an elevated Command Prompt (it needs administrator rights to capture traffic) without any arguments, you will see a list of the commands you can use.
You can use the help parameter to learn more about each of the commands; for example:
pktmon comp help
If you want to monitor, for instance, port 80, you can add a filter with the command (the -p switch matches the port whether it appears as the source or the destination, so both directions of the connection are captured):
pktmon filter add -p 80
You can then start monitoring using the command:
pktmon start --etw -m real-time
The -m real-time switch prints each matching packet to the console as it is seen; press Ctrl+C to end the display. You can stop monitoring with the command:
pktmon stop
The captured packets are saved in a binary log file called PktMon.etl in the directory you ran the command from. You can convert this to plain text with the command:
pktmon format PktMon.etl -o packetlog.txt
Alternatively, as Abrams points out, you could download the Microsoft Network Monitor which can read .etl files.
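The steps above, collected into a single scripted capture, as an added example that is not part of the article or of Microsoft's documentation. It assumes Windows 10 October 2018 Update (1809) or later with pktmon.exe on the PATH and an elevated PowerShell session; the function name, parameters and output directory are my own choices. Because real-time mode streams to the console until Ctrl+C is pressed, the script uses the default file-logging mode instead and relies on pktmon stop to end the capture after a fixed number of seconds.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): a scripted version of
# the capture procedure described above. Assumes Windows 10 1809+ and an
# elevated session; Invoke-PktmonCapture and its parameters are hypothetical names.
function Invoke-PktmonCapture {
    param(
        [int]$Port = 80,                                   # port to filter on (source or destination)
        [int]$Seconds = 30,                                # how long to capture before stopping
        [string]$OutDir = (Join-Path $env:TEMP 'pktmon-capture')
    )

    if (-not (Get-Command pktmon.exe -ErrorAction SilentlyContinue)) {
        throw 'pktmon.exe not found; this needs Windows 10 October 2018 Update (1809) or later.'
    }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # pktmon writes PktMon.etl into the current directory, so work from $OutDir.
    Push-Location $OutDir
    try {
        pktmon filter remove | Out-Null      # clear any filters left over from earlier runs
        pktmon filter add -p $Port           # match the port as source or destination
        pktmon filter list                   # show the active filter so you can confirm it

        # Default mode logs to PktMon.etl. "-m real-time" would stream to the console
        # until Ctrl+C, which does not suit an unattended script, so it is omitted.
        pktmon start --etw
        if ($LASTEXITCODE -ne 0) { throw "pktmon start failed (exit code $LASTEXITCODE)" }

        Start-Sleep -Seconds $Seconds
    }
    finally {
        pktmon stop | Out-Null               # stop the capture even if the script is interrupted
        pktmon filter remove | Out-Null      # leave no filter behind for the next user of the tool
    }

    $etl = Join-Path $OutDir 'PktMon.etl'
    $txt = Join-Path $OutDir 'packetlog.txt'
    pktmon format $etl -o $txt               # convert the binary ETL log to plain text
    Pop-Location

    if (-not (Test-Path $txt)) { throw "pktmon format did not produce $txt" }

    # Return where the artefacts are; the .etl can also be opened in Network Monitor.
    [pscustomobject]@{
        EtlFile   = $etl
        TextFile  = $txt
        TextLines = (Get-Content $txt | Measure-Object -Line).Lines
    }
}

# Usage: capture port 80 traffic for 20 seconds, then show where the logs went.
Invoke-PktmonCapture -Port 80 -Seconds 20
```

The try/finally block matters more than it looks: if you abort the script with Ctrl+C between start and stop, pktmon keeps logging in the background and the filter stays registered, so the next person to run the tool captures something other than what they asked for. Running the script from a second elevated window while generating web traffic in the first is the quickest way to see output in packetlog.txt.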