Microsoft Windows provides a built-in packet sniffer called pktmon. The pktmon tool can display monitored packets in real time and convert its default ETL log files to the PCAPNG format, which Wireshark can read. Pktmon can be used in environments where Wireshark is not allowed.

- Open a CMD prompt as administrator.
- List the available network interfaces:

pktmon comp list

C:\Users\Administrator\Desktop>pktmon comp list
Intel(R) PRO/1000 MT Network Connection
Id: 9
Driver: E1G6032E.sys
MAC Address: 00-50-56-A6-49-1D
ifIndex: 7

- Use the interface Id from the pktmon comp list output to start the packet capture before performing the task that the capture is needed for. By default, the capture is written to a file named PktMon.etl in the current working directory.

pktmon start --etw -c <interface_id>

C:\Users\Administrator\Desktop>pktmon start --etw -c 9
Log file name: C:\Users\Administrator\Desktop\PktMon.etl
Logging mode: Circular
Maximum file size: 512 MB
Active measurement started.

- Perform the task needed (agent scan, patch policy execution, etc.).
- After you have performed the task, stop the packet capture:

pktmon stop

C:\Users\Administrator\Desktop>pktmon stop
Stopped active measurement.
Flushing logs...
Log file: C:\Users\Administrator\Desktop\PktMon.etl (No events lost)

- Convert the ETL file to the Wireshark-supported pcapng format with the following command:

pktmon <format> <source_path> -o <source_output>

C:\Users\Administrator\Desktop>pktmon pcapng PktMon.etl -o pktmon.pcapng
Processing...
Packets total: 112
Packet drop count: 0
Packets formatted: 112
Formatted file: pktmon.pcapng

- Attach the pktmon.pcapng file to the support ticket.
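As an added example (not from the original article), the same procedure driven from one elevated PowerShell session, so the capture always stops even when the task fails. It assumes the pktmon syntax shown above (pktmon start --etw -c <id>, pktmon pcapng <etl> -o <pcapng>) and that the comp list output has the "Id: N" line directly after the adapter name, as it does here; the agent.exe path in the usage line is a hypothetical placeholder.

```powershell
# Added example: wraps list interfaces -> start capture -> run task -> stop -> convert.
# Assumes the pktmon subcommand syntax shown in this article; newer Windows builds
# rename some subcommands, so adjust if your build's 'pktmon help' differs.
function Invoke-PktmonCapture {
    param(
        [Parameter(Mandatory)] [string] $InterfaceName,   # adapter name as printed by 'pktmon comp list'
        [Parameter(Mandatory)] [scriptblock] $Task,       # the work to capture, e.g. an agent scan
        [string] $OutputPcapng = 'pktmon.pcapng'
    )

    # pktmon needs an elevated prompt; fail early instead of after the task has run.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal] $identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated (administrator) session.' }

    # Parse 'pktmon comp list': the 'Id: N' line follows the adapter name line (layout as in this article).
    $lines = @(pktmon comp list)
    $componentId = $null
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i].Trim() -eq $InterfaceName -and $lines[$i + 1] -match '^\s*Id:\s*(\d+)') {
            $componentId = $Matches[1]
            break
        }
    }
    if (-not $componentId) { throw "Interface '$InterfaceName' not found in pktmon comp list output." }

    pktmon start --etw -c $componentId | Out-Null
    try {
        & $Task   # the agent scan, patch policy execution, etc.
    }
    finally {
        # Always stop, even if the task throws, so the driver is not left capturing.
        pktmon stop | Out-Null
    }

    # PktMon.etl is written to the current working directory, as the stop output above shows.
    pktmon pcapng PktMon.etl -o $OutputPcapng | Out-Null
    if (-not (Test-Path $OutputPcapng)) { throw "Conversion to $OutputPcapng failed." }
    Get-Item $OutputPcapng   # returns the file to attach to the ticket
}

# Usage (constructed; agent.exe path is a hypothetical placeholder):
# Invoke-PktmonCapture -InterfaceName 'Intel(R) PRO/1000 MT Network Connection' `
#     -Task { & 'C:\Program Files\Agent\agent.exe' scan }
```

Review the resulting pcapng in Wireshark before attaching it, since it contains every packet seen on that interface during the task, not only the agent's own traffic.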