Windows 10 has a secret network packet sniffer -- here's where to find it and how to use it

Networked computers

With Windows 10 having been with us for a number of years, you would think that all of its secrets had been discovered by now. Of course, Microsoft has released numerous updates to the operating system but it's hard to imagine anything included in these going unnoticed, right?

Maybe not. You may not be aware that with Windows 10 October 2018 Update, Microsoft added a network packet sniffer, Packet Monitor or Pktmon. No one seemed to notice... until now.

See also:

Over the weekend Lawrence Abrams from BleepingComputer wrote about the Pktmon tool which Microsoft has said nothing about. When Windows 10 October 2018 Update was released, there was no mention of the network packet sniffer, it does not appear to be mentioned on the Microsoft website, and no documentation appears to have been produced.

You can find the utility at C:\Windows\system32\pktmon.exe, and if you run it from the Command Prompt you will see a list of command you can use.

Packet Monitor

You can use the help parameter to learn more about each of the commands; for example:

pktmon comp help

If you want to monitor, for instance, port 80, you can add a filter with the command:

pktmon filter add -p 80

You can then start monitoring using the command:

pktmon start --etw -m real-time

You can stop monitoring with the command:

pktmon stop

Details of what has been captured are saved in a file called PktMon.etl. You can convert this to plain text with the command:

pktmon format PktMon.etl -o packetlog.txt

Alternatively, as Abrams points out, you could download the Microsoft Network Monitor which can read .etl files.

Image credit: bluebay / Shutterstock

92 Responses to Windows 10 has a secret network packet sniffer -- here's where to find it and how to use it

  1. M Q says:

    If you want to monitor, for instance, port 80, you can add a filter with the command:

    pktmon filter add -p 20

    Doesn't anyone proofread these articles? Or even try out this stuff?

  2. DH says:

    And for us not techies what is a packet sniffer and why would we need to use it?

    • dasdboot says:

      This tool records network packets in and out of your computer in to a log file so you can monitor which processes in your system access what network resources or you can spot an unusual network activity, say identifying malware running on your computer

      • DH says:

        Thank you sir.

      • Kyle Nally says:

        I used another popular packet sniffer called Wireshark to find a botnet operating from Pakistan on my PC once upon a time. It was sending and receiving data on some absurd port number or other to and from overseas IP addresses. Nuked it immediately by blocking the port.

        Wireshark is free, but it's a bit intimidating for new users. If you get it, read the guide and tutorials. It's kind of fun, though, to see just what happens on your network when you, say, open Chrome or something.

    • Peter Griffin says:

      Non techies wouldn't and won't. If you don't know what a packet is then there's additional reading you'll want on how tcp/ip works.

      • DH says:


      • Adrian S says:

        It is very interesting, well if you are into that sort of thing. Your best bet to be honest would be to find you Tube video about it. some of them are excellent and i learnt a fair bit over the years from YouTube.

        But to be honest, most people would not need a packet sniffer, but I do wonder what else is hiding in Windows that we do not know about?

      • Joe Black says:

        But requires 2 or 3 example of what is abnormal activities.

  3. Ted says:

    Oh lovely... Now M$ is burying spy tools deep into the system again. Wonder if N$A issued a grant for this key hole.

    • TechFan says:

      I wish you knew more about this topic before you posted...
      It's just a tool to help admins solve some issues. It's super basic, if you where spying on someone, there are a dozen free open source products that make 'spying' so much easier than the tool this article talks about.

    • Than Droo says:

      The very fact that you use M$ to show how much you "know" about Microsoft really shows how brainwashed you are. "burying spy tools"...oh sweet Jesus! What is your OS of choice? Sorry, to use your twisted and abbreviated vernacular... what is you O$ of choice?

      • Rick Hantz says:

        Not a spy tool. It is started on your computer by you in order to troubleshoot network issues. And it's really basic.

      • BROKEN says:

        You replied to the wrong person

      • Andreas Klein says:

        This is called contempt.
        Ted is right afterall because this is a tool which users should have know about.

    • BROKEN says:

      Sorry man, but you sound extremely stupid right now.

      • lance G says:

        Na, see, what Ted said is called “Satire”. Everyone is Ted, whether they want to admit or not. Satire. It humor is in the fact that, not only do people believe that MS is spying on us for the Govts of the world, but MS is actually spying on us for the Govts of the world whether they know it or not. Laugh, laugh, laugh, laugh. What a lovely tea party.

      • psycros says:

        Microsoft DID spy on us on behalf of the NSA and its a matter of record. Educate yourself FFS, you sound like an idiot.

      • Bengt Nilsen says:

        Thank you psycros, -please educate us with some links to non-conspiriative websites. :)

      • confirmed_kill says:

        Wow how lazy can you get? This is very common knowledge since like 2013.

      • BROKEN says:

        It's hard to know if that is actually satire since most people actually say stuff like that.

        He could have well meant every word.

      • Bengt Nilsen says:

        Yes, some people just want the world to be a bad place, fortunately they are not alone. But some actually have an actual reason, and that is difficult to sniff out with command: pktmon format reason

    • Adrian S says:

      I knew someone would say this, even I know that it needs to be started with a command, that is not to say that maybe some software could not use it without us knowing.

  4. whitefooted says:

    What does it all mean?

    • dasdboot says:

      Used to record network traffic in and out of your computer in a log file

      • whitefooted says:

        Thanks dasdboot. Is this log file sent to someplace without our permission?

      • ウォピアン says:

        No. It's a tool used by system admins to inspect network traffic on their device (or client if it's an organisation etc).

        The log is only created when you run the command, which records all the packets (data) sent/received on the specified ports to that log file stored on the device.

      • whitefooted says:

        Thank you

      • Mark Stewart says:

        I occasionally use the open source packet capture tool WireShark (Name given for the 1%) for networking issues and performance issues. Also discovered 20+ years ago that one of my co-workers spent most his/her work day surfing a photo sharing site.... (Yes he/she was on the same network segment!)

        Learning how to decipher the data as noted by others is a huge task.

      • anchovylover says:

        Why would you give @disqus_6mwBxrorMQ:disqus a down vote for politely asking a legitimate question?

      • Adrian S says:

        Because some people just like giving down votes, It makes me wonder some times it really does. Oh well, it is not important.

    • Peter Michael Cieply says:

      Not much until your PC has malware which has revealed critical info to an unwanted intruder bent on stealing your bank account info to feed his empty wallet and maybe a homeless kiitten he found on the street.But honestly...there's just to much kittens right now in my backyard.

      • whitefooted says:

        Thanks Peter.. I'm just trying to learn things here.

      • ProphetZarquon says:

        Too many kittens.
        "too much" implies parts or pieces of a whole.
        "too much apple", versus "too many apples".

      • The Werewolf says:

        Or.. to be even more pedantic..

        "much/more/less" are used for continuous attributes like volume or flow
        "many/greater/fewer" are used for discrete attributes like kittens
        (and, "too" not "to", which you autocorrected... but I digress :) )

  5. Disparky says:

    I always have coffee when I watch port monitoring.

  6. disqus_1Dk26r2Z1i says:

    I don't want to know what my packet smells like

  7. Jeff Stokes says:

    This is just a new easy button for netsh trace

  8. Jeff Stokes says:

    Microsoft has a converter from etl to pcap. It's in GitHub

    • Kotobuya Prosper says:

      MMA does it too

    • BAoxymoron says:

      If I'm reading the help menu right, then it looks like this has an etl to pcapng converter command option. I'm not really sure why no one seems to be mentioning it because that command option seems way more useful than the format command.

  9. Thomas Lake says:

    What does a packet smell like?

  10. Jeff Dyer says:

    Why enter -p 20 to monitor Port 80? Bizarre.

    • świerzop says:

      Simple. Windows version is 10. Add another 0 because "Windows" is plural. Then it's 100. Minus 20 from "-p 20" equals 80. Any questions?

  11. Steve Holpet says:

    So does that mean Microsoft is monitoring your activity on net? Not that I'm using a VPN to download illegal software or anything....just sayin...

  12. 🇬🇷 Ταξίαρχος says:

    Can it sniff coronavirus infected packets?

  13. Keith P. says:

    I’d just be happy if MS didn’t break my home network with every update and brought home group back.

    • Sullen D says:

      Stop being a complaining neckbeard and switch operating systems if you're unhappy

      • Adrian S says:

        Sometimes that is difficult if the person have software that only work on Windows and is not available on say Linux. Sure a lot of it is available on Mac Os, but the prices of those machines are over the top.
        One day i may have a muck around with setting up a Hackingtosh

  14. Son Luong Nguyen says:

    This is not snipper, anyone reserve the right to any thing going in and out of their properties. Snipper mean to place the network card in promiscuous mode, by which user can scam the traffic coming in and out of any networked devices.

    • Chris Phillips says:

      You, my friend, are just plain incorrect.

      Plenty of different ways to sniff packets at different levels.

      In any scenario though, you will only be able to sniff packets on the same network segment.

  15. John Doe says:

    I loaded up on my wife before going a business trip as an extra security precaution!!

  16. Jim Barrett says:

    More line commands brought to you by Microsoft. So 1980's it's no wonder users flock to Apple.

    • Adrian S says:

      A mate of mine says the WIMP system is for Wimps, that is his little joke :). He uses Linux 99% of the time and only one of the computers has a GUI on and that is for his Wife, he does everything via a command line. There are software where a WIMP system is needed,

      The Game of Thrones Author still use Wordstar on a dos machine.
      My mate still use the command line on his one and only windows based computer as well, by all accounts it is quicker than pointing and clicking, myself I prefer pointing and clicking, I had enough of dos on the Amiga

      • roborodent says:

        Now we know why he hasn't finished the book.

      • Adrian S says:

        LOL, this is what he says about it, this was taken from the Lifehacker site

        I have my writing computer which is a DOS machine not connected to the Internet . . . I use WordStar 4.0 as my word processor. I actually like it. It does everything I want a word processing program to do, and it doesn't do anything else. I don't want any help. I hate some of these modern systems where you type a lower-case letter and it becomes a capital. I don't want a capital; if I wanted a capital, I would have typed a capital. I know how to work the shift key.

        I just about remember wordstar, I was not really a PC user in those days, but I used it to type recipes out when I was at college, I remember the clunk of the power switch and the sound of the hard drive spinning up. something that is missing on modern machines,

  17. Scrooge McDuck says:

    My current firewall software also does that for the last 6 yrs

  18. David Palanuk says:

    Ah, the lynchpin for the off-platform sensorship initiatives. Incredibly invasive. Does anyone by chance know which script or sys file triggers Skype (never used it, ended up uninstalling it after numerous instances of catching it running in background and chowing down some odd 40-60% of available ram! I'd literally tell my wife "there's Skype spying again and instantaneously watch it on task manager plummet to 0% and ram usage and disappear) or, now since I got rid of Skype, the culprit is Cortana...which I purposely change permission and ownership of admin read/write to myself only every time there's an update... still somehow it uses MY ram, MY HARDWARE, that I PAID FOR for ME TO USE. I was able to find the script in the win 10 fall 2019 update that broke, literally broke my Ethernet port on a desktop. That script had a typo in the startup request to fetch network hardware information. That's when I stumbled across the script for auto forced-unwanted updates... which I also stripped Microsoft's permission to read write or access... which has surprisingly been great! But this packet sniffer intrigues me, doesn't surprise me, but you've narrowed my search to embark on my next mission to surgically remove as much bill gates handling of my personal life as possible. Of course I prefer Linux, but my job requires certain needs only executable by chrome browser and windows is/.net framework.

  19. roborodent says:

    Seems like you need to actually read that article because nowhere in the article did it say MS spied on behalf of the NSA.

    All corporations are subject to the laws where they operate. If a court ask you to provide evidence against your neighbour because the police said you may be a witness, do you say you've help the police by spying on your neighbour? Yes. it is pretty dumb.

    It's important to understand how the world works and what motivates people into action. There is no benefit to any corporation to hand over anything unless this is their business model - they get paid for it. The only reason why MS, Google or any other hand over information is because a legal request (e.g., warrant) was made.

    Some of you need to grow up and put down the tin foil.

    • grizzlyadams says:

      No benefit? LOL and WHO got the JEDI contract again? Grow up and learn how the real world works, kid.

      • roborodent says:

        I suppose that federal judge that recently halted the JEDI project was wrong to think that the project was improperly evaluated in favour of MS because of bias from the administration against Amazon. Not to mention the Oracle case about conflict of interest within the way the bid was designed for Amazon by a former Amazon employee. Surely there are no other factors to consider why things happen the way they do. No processes, no checks and balance, no fear of consequences from getting caught doing the wrong thing.

        But I suppose in a child-like simplistic world, MS helps government, MS gets big contract. Why spend more time learning what really goes on?

  20. wisepinecone :3 says:

    What do i do with this information?

  21. Bengt Nilsen says:

    You are not stupid, but I think decency in communication with fellow nerds and other people will make our worries come a long way with privacy. There is a worry that these secret courts give a shit about common people. Mean, - US got 4.5M people working in IT-security, maybe that is why US need their own GDPR, possibly lay the foundation for joint world privacy. And dont let China dictate. Today, it seems that US and China is competing who can be the biggest bully, and spread the most fear and paranoia. Please spread the worry to your Congress-man. And dont take your current liberties for granted. Remember these people are just as filled with fear as me and you. And under the current administration, I worry that fear have given in, aka "space-force".

© 1998-2020 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.