Monitor internal packet propagation and packet drop reports. Run all PktMon commands from an Elevated command prompt.
Syntax - List all active components:
PKTMON comp list options
Options:
-i, --show-hidden
Show components that are hidden by default.
--json Output the list in JSON format
Syntax - Display current per-component counters:
PKTMON comp counters options
Options:
-i, --show-hidden
Show components that are hidden by default.
--json Output the list in JSON format
-t,--counter-type
Select which types of counters to show
Supported values are all counters (default), drops only, or flows only.
-z, --show-zeros
Show counters that are zero in both directions.
Syntax - Manage packet filters:
PKTMON filter { list | add | remove } [options | help]
Key:
list Display active packet filters.
add Add a filter to control which packets are reported.
remove Remove all filters.
help Show help text and sub-options for a command.
Syntax - Reset all component counters to zero:
PKTMON reset[-counters]
Syntax - Stop packet monitoring and show results:
PKTMON stop
Syntax - Convert log file to text format:
PKTMON format log.etl [-o log.txt]
Key:
-o, --out Name of the formatted text file.
Syntax - Stop the PktMon driver service and unload PktMon.sys:
PKTMON unload
Effectively equivalent to 'SC.exe stop PktMon'.
Measurement (if active) will immediately stop, and any state will be
deleted (counters, filters, etc.).
Syntax - Start packet monitoring:
PKTMON start [-c { all | nics | [ids...] }] [-d]
[--etw [-p size] [-k keywords]] [-f] [-s] [-r] [-m]
Key:
-c, --components
Select components to monitor. Can be all components, NICs only, or a
list of component ids. Defaults to all.
-d, --drop-only
Only report dropped packets. By default, successful packet propagation
is reported as well.
ETW Logging
--etw
Start a logging session for packet capture.
-p, --packet-size
Number of bytes to log from each packet. To always log the entire
packet, set this to 0. Default is 128 bytes.
-k, --keywords
Hexadecimal bitmask (i.e. sum of the below flags) that controls
which events are logged. By default all events are logged.
Flags:
0x001 - General configuration events.
0x002 - Component related information, including counters.
0x004 - Pre-parsed packets.
0x008 - Packet metadata (NBL OOB).
0x010 - Raw packet payload.
-f, --file-name
.etl log file. Default is PktMon.etl.
-s, --file-size
Maximum log file size in megabytes. Default is 512 MB.
Logging mode
-r, --circular
New events overwrite the oldest ones when the maximum file size is reached.
-m, --multi-file
A new log file is created when the maximum file size is reached.
Log files are sequentially numbered (PktMon1.etl, PktMon2.etl, etc.).
Create a packet filter for the traffic on TCP port 20:
pktmon filter add -p 20
List the current packet filters:
pktmon filter list
Start monitoring to a file called PktMon.etl (n.b. without the -p option this will capture only the first 128 bytes of each packet):
pktmon start --etw
Stop monitoring:
pktmon stop
Convert the PktMon.etl file to a human-readable text format:
pktmon format PktMon.etl -o converted.txt
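The capture procedure above, wrapped as an added PowerShell example (not part of the original page) that records only dropped packets on one port, logs whole packets rather than the 128-byte default, and converts the trace when done. It assumes an elevated PowerShell session; $Port, $OutDir and $DurationSeconds are the script's own parameters, not PktMon options.

```powershell
param(
    [int]$Port = 20,
    [string]$OutDir = "$env:TEMP\pktmon",
    [int]$DurationSeconds = 60
)

# PktMon only works from an elevated prompt; fail before touching any state.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "PktMon must be run from an elevated prompt."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl = Join-Path $OutDir "PktMon.etl"
$txt = Join-Path $OutDir "PktMon.txt"

# Start from a clean state: clear leftover filters and zero every counter.
pktmon filter remove | Out-Null
pktmon reset | Out-Null

# Only packets matching a filter are reported (-p = port, as in the example above).
pktmon filter add -p $Port
pktmon filter list

# -d: report dropped packets only.  --etw -p 0: log the entire packet.
# -f: log file name.  -r: circular log, so the 512 MB default (-s) is never exceeded.
pktmon start -d --etw -p 0 -f $etl -r

Start-Sleep -Seconds $DurationSeconds

# Stop the capture, then review per-component counters before converting the trace.
pktmon stop
pktmon comp counters

pktmon format $etl -o $txt
Write-Host "Formatted log written to $txt"

# Leave no filters behind. The driver stays loaded; 'pktmon unload' removes it.
pktmon filter remove
```

Open the resulting .txt in a text editor, or the .etl in Microsoft Network Monitor, to see which component reported each drop.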
“Sooner or later we all discover that the important moments in life are not the advertised ones, not the birthdays, the graduations, the weddings, not the great goals achieved. The real milestones are less prepossessing. They come to the door of memory unannounced, stray dogs that amble in, sniff around a bit and simply never leave. Our lives are measured by these” ~ Susan B. Anthony
Microsoft Network Monitor - View the .ETL file generated by PktMon.
How to use PktMon - Bleeping Computer.
Equivalent macOS command : tcpdump - Dump traffic on a network.