How to use the Windows 10 sniffer

Since the launch of Windows 10, Redmond has kept working on improving what most users of Microsoft's system consider its best version so far. Before each new version or build, the company usually announces the changes it brings; sometimes, however, it includes features or functions without saying anything about them. This is the case with the Windows 10 sniffer, a utility available in the system since the October 2018 update that few users have discovered and used.

To be clear, this is not a setting that lets us customize some aspect of the desktop; it is a very useful tool for anyone who wants to monitor certain network activity or find the cause of the latency on their connection.

What is the Windows 10 sniffer

It is a function dedicated to monitoring the flow of data packets, which can help us detect certain problems or an increase in the latency of our network, identify the affected applications, and so on.

Since its integration, many users have surely looked for a third-party sniffer to monitor or trace their network traffic without knowing that the system already had one of its own. Packet sniffers are diagnostic tools that let you analyze your network and detect or diagnose network problems.

In this case, the Windows 10 sniffer is a command-line tool christened Packet Monitor. Its executable is located in the Windows System32 folder, which means we can launch it from the command prompt or from Windows PowerShell.

How to use the PktMon.exe sniffer

To use Packet Monitor, the first thing to do is open a command prompt or Windows PowerShell window with administrator permissions. Once at the command line, typing pktmon and pressing Enter shows the command's syntax and the subcommands that can be used.

The correct syntax for PktMon is:

pktmon {filter | comp | reset | start | stop} [OPTIONS | help]

The commands are:

  • filter     Manage packet filters.
  • comp       Manage registered components.
  • reset      Resets the counters to zero.
  • start      Starts packet monitoring.
  • stop       Stops monitoring.
  • format     Converts the log file to text.
  • unload     Unloads the PktMon driver.

If we need more help on a specific command, we can use the following form:

pktmon <command> help. For example: pktmon filter help.

As soon as this instruction is executed, the syntax and the possible commands for pktmon filter (or whichever command was indicated) are shown. These are the syntax and commands available for each case:

pktmon filter {list | add | remove} [OPTIONS | help]

Commands:

  • list: Shows the active packet filters.
  • add: Adds a filter to control which packets are reported.
  • remove: Removes all filters.

pktmon comp {list | counters} [OPTIONS | help]

Commands:

  • list: Lists all active components.
  • counters: Shows the current counters by component.

pktmon reset [-counters]

Resets all component counters to zero.

pktmon start [-c {all | nics | [ids…]}] [-d] [--etw [-p size] [-k keywords]] [-f] [-s] [-r] [-m]

Starts packet monitoring.

  • -c, --components: Selects the components to monitor. It can be all components, just the NICs, or a list of component ids. The default is all.
  • -d, --drop-only: Only reports dropped packets. By default, successful packet propagation is also reported.
  • ETW logging
    • --etw: Starts a logging session for packet capture.
    • -p, --packet-size: Number of bytes to record for each packet. To always log the entire packet, set the value to 0. The default is 128 bytes.
    • -k, --keywords: Hexadecimal bit mask (that is, the sum of the individual keyword flags) that controls which events are logged. By default, all events are logged.
    • -f, --file-name: .etl log file. The default is PktMon.etl.
    • -s, --file-size: Maximum size of the log file in megabytes. The default is 512 MB.
  • Logging mode
    • -r, --circular: New events overwrite the oldest ones when the maximum file size is reached.
    • -m, --multi-file: A new file is created when the maximum file size is reached.

pktmon stop

Stops packet monitoring and displays the results.

pktmon format log.etl [-o log.txt]

Converts the log file to text format.

pktmon unload

Stops the PktMon driver service and unloads PktMon.sys. Equivalent to ‘sc.exe stop PktMon’.
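Putting the commands above together, here is a complete Packet Monitor session as an added example; it is not part of the original article. It is meant to be run from an elevated Windows PowerShell window on Windows 10 (October 2018 update or later): it clears any leftover filters and counters, captures only DNS traffic to a size-capped circular ETL log, stops, converts the log to text and unloads the driver. The filter options -t and -p and the file names used below are assumptions taken from pktmon's own built-in help (pktmon filter help), not from the article.

```powershell
# Added example (not from the original article): a full pktmon session.
# Run from an elevated PowerShell prompt on Windows 10 1809 or later.
# Assumption: 'pktmon filter add -t <transport> -p <port>' comes from
# pktmon's built-in help, not from the article; paths below are constructed.

#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'
$logDir  = Join-Path $env:TEMP 'pktmon-demo'   # constructed working folder
$etlFile = Join-Path $logDir 'dns-capture.etl'
$txtFile = Join-Path $logDir 'dns-capture.txt'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Start from a known state: filters persist between sessions, so remove
# any left over from earlier work and zero the per-component counters.
pktmon filter remove | Out-Null
pktmon reset

# Restrict the capture to DNS (UDP/53) so the log stays small and only
# contains the traffic we want to diagnose. Then confirm the active filter.
pktmon filter add DNS -t UDP -p 53
pktmon filter list

# Capture all components into an ETL log, keeping whole packets (-p 0),
# with a 64 MB cap and circular overwrite (-r) so a forgotten capture
# cannot fill the disk.
pktmon start --etw -p 0 -f "$etlFile" -s 64 -r

# Generate a little traffic to observe (constructed sample lookup),
# then let the capture run for a few seconds.
Resolve-DnsName -Name example.com -Type A -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 5

# Stopping prints per-component counters (drops included); keep a copy of
# them next to the log for later comparison.
pktmon stop | Tee-Object -FilePath (Join-Path $logDir 'counters.txt')

# Convert the binary ETL log to text and show the first captured packets.
pktmon format "$etlFile" -o "$txtFile"
Get-Content -Path $txtFile -TotalCount 20

# Clean up: drop the filter and unload the PktMon driver
# (equivalent to 'sc.exe stop PktMon').
pktmon filter remove | Out-Null
pktmon unload
```

The counters written at stop time are worth keeping: a non-zero drop count for a specific component (a filter driver, a virtual switch, a NIC) is usually the quickest pointer to where latency or packet loss is being introduced, before reading the packet-level text log.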

by Abdullah Sam