Damjan Cvetko

Developer, System Architect, Hacker.

Ever got in a situation where you have to debug packets and there was no Wireshark on the Windows Server? PktMon!

Most new Windows Server installs have the Packet Monitor. It can record packets in the .etl format. Since I’m not used to the viewer and know my way better around Wireshark, I was pleased to see it also contains a convert command.

To start capturing, first list the interfaces:

pktmon list

This gives a list of interfaces:

Network Adapters:
   Id MAC Address       Name
   -- -----------       ----
...
   13 28-B0-CC-00-03-A0 Microsoft Network Adapter Multiplexor Driver #4

Start the capture, all packets on interface 13:

pktmon start -c --comp 13

See if it is running:

pktmon status

Stop capturing:

pktmon stop

This will produce a file PktMon.etl.

Convert to pcap:

pktmon etl2pcap PktMon.etl

This produces the file PktMon.pcapng.
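The whole sequence above, wrapped into one PowerShell function as an added example (this is not from the original post): it picks the component id out of pktmon list by adapter name, captures for a fixed time, always stops the capture, and converts the .etl to .pcapng for Wireshark. The adapter pattern, output directory and port filter are made-up values, and it assumes an elevated PowerShell on a server that ships pktmon.

```powershell
# Added example, not from the original post. Assumes an elevated prompt on a
# Windows Server with pktmon; adapter pattern, port and paths are illustrative.
function Invoke-PktMonCapture {
    param(
        [string]$AdapterPattern = 'Multiplexor',  # regex against the Name column of "pktmon list"
        [int]$Seconds = 30,                        # how long to capture
        [int]$Port = 0,                            # optional TCP/UDP port filter, 0 = everything
        [string]$OutDir = 'C:\Temp\pktmon'         # where PktMon.etl and the .pcapng end up
    )
    if (-not (Get-Command pktmon -ErrorAction SilentlyContinue)) {
        throw 'pktmon.exe not found; it ships with recent Windows Server builds.'
    }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $etl  = Join-Path $OutDir 'PktMon.etl'
    $pcap = Join-Path $OutDir 'PktMon.pcapng'

    # Parse the "Id  MAC Address  Name" rows of "pktmon list" into objects.
    $adapters = pktmon list | ForEach-Object {
        if ($_ -match '^\s*(\d+)\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(.+?)\s*$') {
            [pscustomobject]@{ Id = [int]$Matches[1]; Mac = $Matches[2]; Name = $Matches[3] }
        }
    }
    $target = $adapters | Where-Object Name -match $AdapterPattern | Select-Object -First 1
    if (-not $target) { throw "No adapter matching '$AdapterPattern' in: $($adapters.Name -join ', ')" }
    Write-Host "Capturing on component $($target.Id) ($($target.Name)) for $Seconds s"

    pktmon filter remove | Out-Null              # start from a clean filter set
    if ($Port -gt 0) { pktmon filter add -p $Port | Out-Null }
    try {
        pktmon start --capture --comp $target.Id --file-name $etl | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "pktmon start failed with exit code $LASTEXITCODE" }
        Start-Sleep -Seconds $Seconds
        pktmon status                            # same check as "pktmon status" above
    }
    finally {
        pktmon stop | Out-Null                   # always stop, even if interrupted with Ctrl+C
        pktmon filter remove | Out-Null
    }
    pktmon etl2pcap $etl --out $pcap | Out-Null  # convert for Wireshark
    if (-not (Test-Path $pcap)) { throw "Conversion failed; $etl was not converted" }
    Get-Item $pcap
}

# Example: 20 s of port 443 traffic on the multiplexor (teamed) adapter
Invoke-PktMonCapture -AdapterPattern 'Multiplexor' -Seconds 20 -Port 443
```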

Read more at https://learn.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon and https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/pktmon-etl2pcap
