Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
[x] close video | All SANSFIRE Videos

Latest Diaries

Windows 10 Built-in Packet Sniffer - PktMon

Published: 2020-05-31
Last Updated: 2020-05-31 19:59:18 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

Microsoft released with the October 2018 Update a built-in packet sniffer for Windows 10 located in C:\Windows\system32\PktMon.exe. At ISC we like packets and this is one of the multiple ways to capture packets and send us a copy for analysis. Rob previously published another way of capturing packets in Windows here. If Windows 10 was compromised, this application would be a prime target by malicious actors and it need to be monitored, protected or removed in an enterprise.

In order to collect packets you need to launch a Windows 10 command prompt as admin before using PktMon.

The first thing to do is figure out what can be done with PktMon, if you execute PktMon filter add help it list all posible options by MAC address, datalink, VLAN, protocol, IPv4/IPv6 and services:

For example, let’s capture SSL traffic on port 443, the filter will look like this:

PktMon filter add -p 443

To view the port filtered list:
PktMon filter list

To remove the same filter when done will look like this:
PktMon filter remove -p 443

To clear the packet port filtered list (capture all ports):
PktMon filter remove list

To list the interfaces available for packet capture on Windows 10, use PktMon comp list. This list can contains several interfaces (i.e. wireless, VPN, Ethernet, etc)

Starting PktMon with -p 0 to capture the entire packet (default to 128 bytes), start packet capture from Ethernet interface Id: 10 and save the packets to a log file with Event Tracing for Windows (--etw default filename is PktMon1.etl):
pktmon start --etw -p 0 -c 10

Stopping PktMon you get the traffic statistics from the interface and leave a file PktMon1.etl on the drive where PktMon was started:

The file PktMon1.etl can be converted to text:

pktmon format PktMon.etl -o https.txt

14:08:19.937939100 MAC Dest 0x000C2986BE53, MAC Src 0x247703FD6DE8, EtherType IPv4 , VlanId 0, IP Dest, IP Src, Protocol UDP , Port Dest 62594, Port Src 3389, TCPFlags 0, PktGroupId 1125899906842838, PktCount 1, Appearance 1, Direction Tx , Type Ethernet , Component 95, Edge 1, Filter 0

Finally, reset all counter back to 0 and get ready for the next packet capture:

PktMon reset
All counters reset to 0.

Microsoft Network Monitor is dated and no longer actively supported by Microsft but until the next release of PktMon in Windows 10 2004 supporting conversion to pcapng, it can be used to open and read these packet capture files or read them as text has previous demonstratred.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

1 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

YARA v4.0.1
May 30th 2020
2 days ago by DidierStevens (0 comments)

The Impact of Researchers on Our Data
May 29th 2020
2 days ago by Johannes (0 comments)

Flashback on CVE-2019-19781
May 28th 2020
4 days ago by Xme (0 comments)

Frankenstein's phishing using Google Cloud Storage
May 27th 2020
5 days ago by Jan (0 comments)

Seriously, SHA3 where art thou?
May 26th 2020
5 days ago by Jim (0 comments)

View All Diaries →

Latest Discussions

IP Address from Hex
created Apr 15th 2020
1 month ago by Anonymous (0 replies)

Best Laptop for Wireshark 3.2
created Apr 14th 2020
1 month ago by ismicok (0 replies)
created Mar 10th 2020
2 months ago by Bill (9 replies)

DShield analysis
created Mar 1st 2020
3 months ago by Anonymous (0 replies)

Setting up a security champions network.
created Feb 24th 2020
3 months ago by Anonymous (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
11 months ago by Brad (0 comments)

Malspam with password-protected Word docs pushing Dridex
Jun 18th 2019
11 months ago by Brad (0 comments)

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
2 years ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
2 years ago by Johannes (0 comments)

Verifying Running Processes against VirusTotal - Domain-Wide
Jun 28th 2019
11 months ago by Rob VandenBrink (0 comments)