Windows 10 has a secret network packet sniffer -- here's where to find it and how to use it

Networked computers

With Windows 10 having been with us for a number of years, you would think that all of its secrets had been discovered by now. Of course, Microsoft has released numerous updates to the operating system but it's hard to imagine anything included in these going unnoticed, right?

Maybe not. You may not be aware that with Windows 10 October 2018 Update, Microsoft added a network packet sniffer, Packet Monitor or Pktmon. No one seemed to notice... until now.

See also:

Over the weekend Lawrence Abrams from BleepingComputer wrote about the Pktmon tool which Microsoft has said nothing about. When Windows 10 October 2018 Update was released, there was no mention of the network packet sniffer, it does not appear to be mentioned on the Microsoft website, and no documentation appears to have been produced.

You can find the utility at C:\Windows\system32\pktmon.exe, and if you run it from the Command Prompt you will see a list of command you can use.

Packet Monitor

You can use the help parameter to learn more about each of the commands; for example:

pktmon comp help

If you want to monitor, for instance, port 80, you can add a filter with the command:

pktmon filter add -p 80

You can then start monitoring using the command:

pktmon start --etw -m real-time

You can stop monitoring with the command:

pktmon stop

Details of what has been captured are saved in a file called PktMon.etl. You can convert this to plain text with the command:

pktmon format PktMon.etl -o packetlog.txt

Alternatively, as Abrams points out, you could download the Microsoft Network Monitor which can read .etl files.

Image credit: bluebay / Shutterstock

91 Responses to Windows 10 has a secret network packet sniffer -- here's where to find it and how to use it

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.