Packet Monitor (PktMon), built into Windows 10 / Windows Server 2019 version 1809 and later: monitor internal packet propagation and packet drop reports across the Windows networking stack. Run all PktMon commands from an elevated command prompt.
Syntax
      List all active components:

      PKTMON comp list [options]

      Options:
         -i, --show-hidden    Show components that are hidden by default.
         --json               Output the list in JSON format.

      Display current per-component counters:

      PKTMON comp counters [options]

      Options:
         -i, --show-hidden    Show components that are hidden by default.
         --json               Output the counters in JSON format.
         -t, --counter-type   Select which types of counters to show:
                              all counters (default), drops only, or flows only.
         -z, --show-zeros     Show counters that are zero in both directions.

      Manage packet filters:

      PKTMON filter { list | add | remove } [options | help]

      Key:
         list      Display active packet filters.
         add       Add a filter to control which packets are reported.
         remove    Remove all filters.
         help      Show help text and sub-options for a command.

      Reset all component counters to zero:

      PKTMON reset[-counters]

      Stop packet monitoring and show results:

      PKTMON stop

      Convert a log file to text format:

      PKTMON format log.etl [-o log.txt]

      Key:
         -o, --out    Name of the formatted text file.

      Stop the PktMon driver service and unload PktMon.sys:

      PKTMON unload

      Effectively equivalent to 'SC.exe stop PktMon'. Measurement (if active) stops immediately, and all state (counters, filters, etc.) is deleted.

      Start packet monitoring:

      PKTMON start [-c { all | nics | [ids...] }] [-d] [--etw [-p size] [-k keywords]] [-f] [-s] [-r] [-m]

      Key:
         -c, --components     Select components to monitor: all components, NICs only, or a list of component ids. Defaults to all.
         -d, --drop-only      Only report dropped packets. By default, successful packet propagation is reported as well.

      ETW Logging:
         --etw                Start a logging session for packet capture.
         -p, --packet-size    Number of bytes to log from each packet. Default is 128 bytes; set this to 0 to always log the entire packet.
         -k, --keywords       Hexadecimal bitmask (i.e. the sum of the flags below) that controls which events are logged. By default all events are logged.
                              Flags:
                                 0x001 - General configuration events.
                                 0x002 - Component related information, including counters.
                                 0x004 - Pre-parsed packets.
                                 0x008 - Packet metadata (NBL OOB).
                                 0x010 - Raw packet payload.
         -f, --file-name      .etl log file. Default is PktMon.etl.
         -s, --file-size      Maximum log file size in megabytes. Default is 512 MB.

      Logging mode:
         -r, --circular       New events overwrite the oldest ones when the maximum file size is reached.
         -m, --multi-file     A new log file is created when the maximum file size is reached. Log files are sequentially numbered: PktMon1.etl, PktMon2.etl, etc.
Create a packet filter for traffic on port 20 (a port filter on its own matches both TCP and UDP; add -t TCP to restrict it to TCP):
pktmon filter add -p 20
List the current packet filters:
pktmon filter list
Start monitoring to a file called PktMon.etl (n.b. without the -p option this will default to capturing only the first 128 bytes of each packet; use -p 0 to log whole packets. Note that -p means packet size here but port in 'pktmon filter add'):
pktmon start --etw
Stop monitoring:
pktmon stop
Convert the PktMon.etl file to a human-readable text format:
pktmon format PktMon.etl -o converted.txt
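The steps above run as one scoped capture session, as an added example in PowerShell (not code from the original page): it clears leftover filters and counters, limits the capture to one TCP port, logs whole packets to a named file, stops after a fixed window, converts the log to text and tallies the drop reasons it contains. The port (445), the 30-second window, the file paths under C:\Temp and the filter name are arbitrary choices, and the 'DropReason <name>' field the summary searches for is an assumption about the formatted output, not something the page states.

```powershell
# Added example: a scoped PktMon capture session. Assumes an elevated prompt
# and that C:\Temp exists. Port, window, paths and filter name are hypothetical.
param(
    [int]$Port = 445,
    [string]$Transport = 'TCP',
    [int]$Seconds = 30,
    [string]$Etl = 'C:\Temp\pktmon-445.etl',
    [string]$Txt = 'C:\Temp\pktmon-445.txt'
)

# PktMon refuses to run from a non-elevated prompt, so fail early.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Start from a clean state: drop any leftover filters and zero the counters.
pktmon filter remove | Out-Null
pktmon reset         | Out-Null

# In 'filter add', -p is the port; it matches TCP and UDP unless -t narrows it.
pktmon filter add "port$Port" -t $Transport -p $Port
pktmon filter list

# In 'start', -p is the packet size: 0 logs whole packets (default is 128 bytes).
# -f names the log, -s caps it at 256 MB, -r overwrites the oldest events when full.
pktmon start --etw -p 0 -f $Etl -s 256 -r

Start-Sleep -Seconds $Seconds

# Stopping prints the per-component counter summary and finalises the .etl file.
pktmon stop

# Convert to text so drop reports can be searched without Network Monitor.
pktmon format $Etl -o $Txt

# Tally drop reasons. Assumption (not from the page): dropped packets carry a
# 'DropReason <name>' field in the formatted output.
$drops = Select-String -Path $Txt -Pattern 'DropReason\s+(\w+)' |
         ForEach-Object { $_.Matches[0].Groups[1].Value } |
         Group-Object | Sort-Object Count -Descending
if ($drops) { $drops | Format-Table Count, Name -AutoSize }
else        { "No drop reports found in $Txt" }

# Tear down so the filter does not silently scope the next session.
pktmon filter remove | Out-Null
```

Add -d to the 'pktmon start' line to keep only the drop reports, which makes the log far smaller on a busy host; the summary at the end then covers every logged packet. Because the driver keeps filters and counters between sessions, the clean-up at both ends matters: a forgotten filter from a previous run is the usual reason a capture unexpectedly shows nothing.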
“Sooner or later we all discover that the important moments in life are not the advertised ones, not the birthdays, the graduations, the weddings, not the great goals achieved. The real milestones are less prepossessing. They come to the door of memory unannounced, stray dogs that amble in, sniff around a bit and simply never leave. Our lives are measured by these” ~ Susan B. Anthony
Microsoft Network Monitor - View the .ETL file generated by PktMon.
How to use PktMon - Bleeping Computer.
Equivalent macOS command: tcpdump - Dump traffic on a network.