TheWindowsClub News

TheWindowsClub Tech News covers the latest Microsoft Windows 10 news, along with other products & services like Office, etc.

PktMon.exe built-in packet sniffer tool for Windows 10 gets real-time monitoring, PCAPNG support

Microsoft has quietly updated its built-in packet sniffer for the Windows 10 operating system. Alongside the Windows 10 2004 rollout, the company has brought certain improvements to its built-in packet sniffer PktMon.exe in the form of real-time monitoring, PCAPNG support, etc.

Network Sniffer Tool pktmon.exe

PktMon.exe gets real-time monitoring

Microsoft originally added PktMon.exe to Windows 10 with the October 2018 update. However, its existence only recently came to limelight. Located in the Systems folder of the operating system, the PktMon.exe network sniffer or network diagnostic and packet monitoring tool can easily be invoked from the Run or Command Prompt or PowerShell.

Windows May 2020 Update delivers two essential PktMon features: real-time monitoring and PCAPNG file format support.

Windows 10 2004 users can perform real-time packet monitoring using the command line. The brand-new real-time monitoring feature can be discovered by typing the following command in the command line:

pktmon start help

It shows a new -l flag allowing users to specify the log mode used by PktMon.exe. One of these new modes is real-time:

Display events and packets on screen at real time. No log file is created.
Press Ctrl+C to stop monitoring.

Contrary to its description, the Windows 10 operating system’s built-in packet sniffing tool creates PktMon.etl log file when using the real-time logging mode. But interestingly enough, it doesn’t provide users with specifics as to what information the packet actually contains.

This is where the second feature (PCAPNG support) comes into play.

PktMon.exe now supports a new ‘pcapng’ command, allowing users to convert an ETL log file into the PCAPNG capture file format. Microsoft stores packets captured using PktMon in its trace log ETL file format, which is unsupported by many popular network monitoring tools including Wireshark.

Converting an ETL file to a PCAPNG file can open it in Wireshark and other network monitoring tools, using the following command:

pktmon pcapng [logfile.etl] -o [logfile.pcapng]

Meanwhile, let’s take a look at some of the best networking monitoring tools for Windows 10.

Updated on Tags:

TanmayPatange@TWCN

Tanmay loves writing about Technology, Internet, Apps, Social Media, and Cybersecurity. He also tracks OTT video content streaming space and likes to spend his weekends watching plays. You can contact him on Twitter @techtsp.