Network troubleshooting and analysis are essential tasks for maintaining a healthy and secure network environment. In the realm of Windows operating systems, the introduction of the built-in packet capture tool “pktmon” has provided administrators and analysts with a convenient way to capture, filter, and analyze network traffic.

In this blog post, we will delve into the world of packet capture using pktmon

• explore its features
• compare it to its predecessor “netsh trace,”
• and provide step-by-step instructions for effective packet capture and analysis.

Introducing pktmon: Your Windows Packet Capture Companion

Packet Monitor, commonly referred to as “pktmon,” is a powerful command-line utility integrated into Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022. Its inception in the Windows 10 May 2020 Update (version 2004) marked a significant advancement in network troubleshooting capabilities. Let’s begin by understanding the basics of pktmon and its core functionalities.

Starting and Stopping a Capture

The --etw flag utilizes Event Tracing for Windows, while the -m real-time flag enables real-time monitoring of network traffic. , simply run:

Filtering Captured Packets

pktmon offers the ability to filter captured packets based on specific criteria. For instance, to capture packets involving a particular IP address, execute the following command:

Replace <ip_address> with the IP address of interest. This feature allows you to focus on specific network interactions, streamlining your analysis.

Converting Captures to PCAP Format

While pktmon natively saves captures in the ETL (Event Trace Log) format, it can be more convenient to work with captures in the universally supported PCAP format, especially when using tools like Wireshark. To convert an ETL capture to PCAP format, employ the following command:

Replace {etlfile} with the ETL file to be converted and {pcap_name} with the desired name for the resulting PCAP file.

A Practical Example: Capturing HTTPS Traffic

To illustrate the application of pktmon, consider the following example of capturing HTTPS traffic involving the IP address 74.207.230.63 and port 443:

1. Add a filter for the desired IP address and port:

2. Verify the applied filter:

3. Start the real-time packet capture:

4. Stop the capture once sufficient data has been collected:

5. Convert the ETL capture to PCAP format for analysis in Wireshark:

pktmon vs. netsh trace: Choosing the Right Tool

While pktmon has undoubtedly brought network packet capture to the forefront, it’s crucial to understand its predecessor, netsh trace, and the differences between the two tools.

pktmon: Modern and User-Friendly

pktmon offers a more user-friendly experience for capturing and analyzing network traffic. Its simplified command-line interface and direct support for PCAP output make it an attractive option for basic packet capture tasks. However, for advanced network analysis, pktmon might fall short, lacking the extensive filtering capabilities and graphical interfaces of specialized tools like Wireshark.

netsh trace: Legacy Packet Capture

netsh trace, a component of the broader netsh utility, provides packet capturing functionality, albeit with less user-friendly commands. While it can output captures in ETL format, which can later be converted to PCAP, its focus lies more on configuration and monitoring of Windows networking components. As such, netsh trace may not offer the same level of simplicity as pktmon but can still serve network administrators well.

Converting ETL Captures for Analysis

After capturing network traffic using pktmon or netsh trace, the captured data can be converted to a more widely recognized format for analysis in tools like Wireshark. There are two notable methods for conversion:

1. Microsoft Message Analyzer (Retired): This tool, now retired, allowed users to open the ETL file and export the captured messages to a PCAP format file for use in Wireshark.
2. Microsoft GitHub Script ETL2PCAPNG: A free tool available on GitHub, “etl2pcapng,” can convert ETL files to the PCAPNG format, enhancing compatibility with popular packet analysis tools. This option provides a more streamlined approach for converting captures.

Packet capture on Windows systems can be done using various tools and methods.One of the most commonly used tools for packet capture on Windows is Wireshark, which is a powerful open-source network protocol analyzer. Here’s a basic guide on how to perform packet capture using Wireshark:

1. Install Wireshark: If you don’t have Wireshark installed, you can download it from the official website: https://www.wireshark.org/
2. Launch Wireshark: After installing Wireshark, launch the application. You might need administrative privileges to capture packets on your network interface.
3. Select Network Interface: In the Wireshark application, you’ll see a list of available network interfaces. Choose the interface through which you want to capture packets (e.g., Ethernet, Wi-Fi).
4. Start Capturing Packets: Once you’ve selected the desired network interface, click the “Start” or “Capture” button to begin capturing packets. Wireshark will start capturing packets on the chosen interface in real-time.
5. Analyze Packets: Wireshark will display a live stream of captured packets. You can apply filters to narrow down the packets you’re interested in analyzing. You can also stop the capture process at any time.
6. Save Capture File: To save the captured packets for later analysis, go to “File” > “Save” or “File” > “Save As” and choose a location on your system to save the capture file. The capture file will have a “.pcap” extension.
7. Analyze Saved Capture: You can reopen the saved capture file in Wireshark for further analysis. This is useful if you want to review captured packets or share the capture with others for troubleshooting.