Generating a Packet Capture on Windows With Packet Sniffer
Microsoft Windows provides a built-in packet sniffer called pktmon. This tool allows you to display monitored packets in real-time and convert logs into the PCAPNG format, which is supported by Wireshark. Pktmon is especially useful in environments where Wireshark is not allowed or practical.
Prerequisites
- Verify that pktmon is available by running:
  pktmon help
- If the command prints a help message, pktmon is ready for use.
Steps to Perform a Packet Capture
1. Open a Command Prompt as Administrator
- Right-click on Command Prompt and select "Run as administrator."
2. List the Available Network Interfaces
- Run the following command:
  pktmon comp list
- Example Output:
  Intel(R) PRO/1000 MT Network Connection
      Id: 9
      Driver: E1G6032E.sys
      MAC Address: 00-50-56-A6-49-1D
      ifIndex: 7
3. Start the Packet Capture
- Use the Id value of the interface from the pktmon comp list output as <interface_id>. Start the capture before performing the task that needs to be recorded. By default, the capture is written as an ETL trace named PktMon.etl in the current working directory; it is converted to PCAPNG in a later step.
  pktmon start --etw -c <interface_id>
- Example Command:
  pktmon start --etw -c 9
- Example Output:
  Log file name: C:\Users\Administrator\Desktop\PktMon.etl
  Logging mode: Circular
  Maximum file size: 512 MB
  Active measurement started.
- Note that the log is circular with a 512 MB limit: once the file is full, the oldest packets are overwritten, so keep the capture window as short as the task allows.
4. Perform the Task
- Perform the activity you want to capture (e.g., agent scans, patch execution).
5. Stop the Packet Capture
- End the capture with the following command:
  pktmon stop
- Example Output:
  Stopped active measurement.
  Flushing logs...
  Log file: C:\Users\Administrator\Desktop\PktMon.etl (No events lost)
- If the last line reports lost events instead of "No events lost", the capture is incomplete and should be repeated.
6. Convert ETL to PCAPNG
- To view the captured packets in Wireshark, run the conversion command:
  pktmon pcapng <source_path> -o <destination_path>
- Example Command:
  pktmon pcapng PktMon.etl -o pktmon.pcapng
- Example Output:
  Packets total: 112
  Packet drop count: 0
  Packets formatted: 112
  Formatted file: pktmon.pcapng
- A non-zero "Packet drop count" means some packets were not captured; repeat the capture if the missing packets matter for the investigation.
- Attach the generated pktmon.pcapng file to the support ticket if needed.
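The whole procedure above, from the prerequisite check to the PCAPNG conversion, can be run as one PowerShell script from an elevated prompt. This is an added example and not part of the original article or of the pktmon tool itself: it uses the pktmon command syntax shown in the steps above (confirm the flag names with pktmon help on your build), and the script name, the -ComponentId and -OutDir parameters, and the output checks at the end are assumptions of this example.

```powershell
# Added example (not from the original article or the pktmon tool): runs the
# capture procedure above end to end. Run from an elevated PowerShell prompt:
#   .\Invoke-PktmonCapture.ps1 -ComponentId 9 -OutDir C:\Captures
# The pktmon flag syntax is the one shown in the article; the parameter names,
# the output checks and the script name are assumptions of this example.
param(
    [Parameter(Mandatory = $true)]
    [int]$ComponentId,                       # "Id" value from `pktmon comp list`
    [string]$OutDir = (Get-Location).Path    # where PktMon.etl and pktmon.pcapng are written
)

# pktmon needs an administrator token; fail before starting anything.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Administrator) PowerShell prompt."
}

# Prerequisite check from the article: pktmon must exist on this Windows build.
if (-not (Get-Command pktmon.exe -ErrorAction SilentlyContinue)) {
    throw "pktmon.exe was not found; this Windows build does not include it."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl    = Join-Path $OutDir 'PktMon.etl'
$pcapng = Join-Path $OutDir 'pktmon.pcapng'

# pktmon writes PktMon.etl to the current directory, so move there first.
Push-Location $OutDir
try {
    pktmon start --etw -c $ComponentId
    if ($LASTEXITCODE -ne 0) { throw "pktmon start failed (exit code $LASTEXITCODE)" }

    # Step 4 of the article: the operator performs the task while the capture runs.
    # The log is circular (512 MB by default), so keep this window short.
    Read-Host "Capturing on component $ComponentId. Perform the task, then press Enter to stop"
}
finally {
    # Always stop so the ETL is flushed, even if the script is interrupted with Ctrl+C.
    pktmon stop
    Pop-Location
}

if (-not (Test-Path $etl)) { throw "Expected $etl was not created." }

# Convert for Wireshark. A non-zero "Packet drop count" in this output means the
# capture is incomplete and should be repeated.
pktmon pcapng $etl -o $pcapng
if ($LASTEXITCODE -ne 0) { throw "pktmon pcapng conversion failed (exit code $LASTEXITCODE)" }

# Sanity check: a PCAPNG file starts with the Section Header Block type 0x0A0D0D0A,
# which is the byte sequence 0A 0D 0D 0A regardless of endianness.
$stream = [System.IO.File]::OpenRead($pcapng)
try {
    $magic = New-Object byte[] 4
    $read  = $stream.Read($magic, 0, 4)
}
finally { $stream.Dispose() }
if ($read -ne 4 -or -not (($magic[0] -eq 0x0A) -and ($magic[1] -eq 0x0D) -and ($magic[2] -eq 0x0D) -and ($magic[3] -eq 0x0A))) {
    throw "$pcapng does not start with a PCAPNG Section Header Block."
}

$sizeMB = [math]::Round((Get-Item $pcapng).Length / 1MB, 2)
Write-Host "Capture written to $pcapng ($sizeMB MB). Attach this file to the support ticket."
```

The try/finally around the capture is the part worth keeping even if the rest is adapted: it guarantees pktmon stop runs and the ETL is flushed when the operator aborts with Ctrl+C, which is the usual way a capture is left running and its log keeps filling the circular 512 MB buffer. The header check at the end only confirms the file is a PCAPNG container; the packet and drop counts printed by pktmon pcapng remain the indication of whether the capture itself is complete.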
Troubleshooting
- Error: Command not recognized: Ensure pktmon is included in your Windows version.
- Permission issues: Run Command Prompt as an administrator.