Generating a Packet Capture on Windows With Packet Sniffer

Microsoft Windows ships a built-in packet sniffer called pktmon. It can display monitored packets in real time and convert its ETL logs into the PCAPNG format, which Wireshark can open. Pktmon is especially useful in environments where installing or running Wireshark is not allowed or practical.

Prerequisites

  1. Verify that pktmon is available:
    pktmon help
  2. If the command prints a help message, pktmon is ready for use.

Steps to Perform a Packet Capture

  1. Open a Command Prompt as Administrator
    • Right-click Command Prompt and select "Run as administrator."
  2. List the Available Network Interfaces
    • Run the following command:
      pktmon comp list
    • Example Output:
      Intel(R) PRO/1000 MT Network Connection
      Id: 9
      Driver: E1G6032E.sys
      MAC Address: 00-50-56-A6-49-1D
      ifIndex: 7
  3. Start Packet Capture
    • Use the Id value shown for the interface in the pktmon comp list output as the interface_id, and start the capture before performing the task that needs to be captured. By default, the log is written to a file named PktMon.etl in the current working directory.
      pktmon start --etw -c <interface_id>
    • Example Command:
      pktmon start --etw -c 9
    • Example Output:
      Log file name:     C:\Users\Administrator\Desktop\PktMon.etl
      Logging mode:      Circular
      Maximum file size: 512 MB
      Active measurement started.

  4. Perform the Task
    • Perform the activity you want to capture (e.g., agent scans, patch execution).
  5. Stop the Packet Capture
    • End the capture with the following command:
      pktmon stop
    • Example Output:
      Stopped active measurement.
      Flushing logs...
      Log file: C:\Users\Administrator\Desktop\PktMon.etl (No events lost)

  6. Convert ETL to PCAPNG
    • To view the captured packets in Wireshark, run the conversion command:
      pktmon pcapng <source_path> -o <destination_path>
    • Example Command:
      pktmon pcapng PktMon.etl -o pktmon.pcapng
    • Example Output:
      Packets total:     112
      Packet drop count: 0
      Packets formatted: 112
      Formatted file:    pktmon.pcapng
  7. Attach the generated pktmon.pcapng file to the support ticket if needed.
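The steps above as one scripted workflow, added here as an example and not part of the original article: it looks up the interface Id from pktmon comp list, runs the capture for a fixed window, converts the ETL log, and checks the conversion summary for dropped packets. It assumes an elevated PowerShell session, pktmon.exe on PATH, comp list output in the format shown above, and the function and parameter names are the example's own.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
function Get-PktmonComponentId {
    param([Parameter(Mandatory)] [string] $InterfaceName)
    # 'pktmon comp list' prints the adapter name, then an 'Id: N' line a few lines below it
    # (format assumed to match the article's example output).
    $pattern = [regex]::Escape($InterfaceName)
    $lines = @(& pktmon comp list)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -notmatch $pattern) { continue }
        $end = [Math]::Min($i + 6, $lines.Count - 1)
        for ($j = $i + 1; $j -le $end; $j++) {
            if ($lines[$j] -match '^\s*Id:\s*(\d+)') { return [int] $Matches[1] }
        }
    }
    throw "No pktmon component matching '$InterfaceName' was found."
}

function Invoke-PktmonCapture {
    param(
        [Parameter(Mandatory)] [string] $InterfaceName,   # substring of the adapter name
        [string] $OutDir = (Get-Location).Path,          # PktMon.etl is written to the working directory
        [int]    $DurationSeconds = 30                   # perform the task to be captured in this window
    )
    $id   = Get-PktmonComponentId -InterfaceName $InterfaceName
    $etl  = Join-Path $OutDir 'PktMon.etl'
    $pcap = Join-Path $OutDir 'pktmon.pcapng'
    Push-Location $OutDir
    try {
        & pktmon start --etw -c $id | Write-Host
        if ($LASTEXITCODE -ne 0) { throw "pktmon start failed with exit code $LASTEXITCODE" }
        Write-Host "Capturing on component $id for $DurationSeconds seconds; perform the task now."
        Start-Sleep -Seconds $DurationSeconds
    }
    finally {
        & pktmon stop | Write-Host      # always stop, even if the capture block throws
        Pop-Location
    }
    $summary = @(& pktmon pcapng $etl -o $pcap)
    $summary | Write-Host
    # The conversion summary reports 'Packet drop count'; a non-zero value means the
    # capture is incomplete and the task should be re-run with a larger log or shorter window.
    $drop = $summary | Select-String -Pattern 'Packet drop count:\s*(\d+)' | Select-Object -First 1
    if ($drop -and [int] $drop.Matches[0].Groups[1].Value -gt 0) {
        Write-Warning "pktmon reported dropped packets; the capture may be incomplete."
    }
    return $pcap
}

# Example usage: Invoke-PktmonCapture -InterfaceName 'Intel(R) PRO/1000' -DurationSeconds 60
```

The returned path is the pktmon.pcapng file to open in Wireshark or attach to the ticket.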

Troubleshooting

  • Error: Command not recognized: Ensure pktmon is included in your Windows version (verify with pktmon help).
  • Permission issues: Run Command Prompt as an administrator; pktmon start requires elevation.