PktMon.exe

Monitor internal packet propagation and packet drop reports. Run all PktMon commands from an Elevated command prompt.

Syntax - List all active components:
      PKTMON comp list options

   Options:
   -i, --show-hidden
   Show components that are hidden by default.

   --json  Output the list in Json format

Syntax - Display current per-component counters:
      PKTMON comp counters options

   Options:
   -i, --show-hidden
   Show components that are hidden by default.

   --json  Output the list in Json format

   -t,--counter-type
   Select which types of counters to show
   Supported values are all counters (default), drops only, or flows only.

   -z, --show-zeros
   Show counters that are zero in both directions.

Syntax - Manage packet filters:
      PKTMON filter { list | add | remove } [options | help]

   Key:
      list    Display active packet filters.
      add     Add a filter to control which packets are reported.
      remove  Removes all filters.
      help    Show help text and sub-options for a command.

Syntax - Reset all component counters to zero:
      PKTMON reset[-counters]

Syntax - Stop packet monitoring and show results:
      PKTMON stop

Syntax - Convert log file to text format:
      PKTMON format log.etl [-o log.txt]
   Key:
   -o, --out     Name of the formatted text file.

Syntax - Stop the PktMon driver service and unload PktMon.sys:
      PKTMON unload
      Effectively equivalent to 'SC.exe stop PktMon'.
      Measurement (if active) will immediately stop, and any state will be
      deleted (counters, filters, etc.).

Syntax - Start packet monitoring:
      PKTMON start [-c { all | nics | [ids...] }] [-d]
         [--etw [-p size] [-k keywords]]  [-f] [-s] [-r] [-m]

   Key:
   -c, --components
      Select components to monitor. Can be all components, NICs only, or a
      list of component ids. Defaults to all.

  -d, --drop-only
      Only report dropped packets. By default, successful packet propagation
      is reported as well.

   ETW Logging
      --etw
         Start a logging session for packet capture.

      -p, --packet-size
         Number of bytes to log from each packet. To always log the entire
         packet, set this to 0. Default is 128 bytes.

      -k, --keywords
         Hexadecimal bitmask (i.e. sum of the below flags) that controls
         which events are logged. By default all events are logged.

         Flags:
         0x001 - General configuration events.
         0x002 - Component related information, including counters.
         0x004 - Pre-parsed packets.
         0x008 - Packet metadata (NBL OOB).
         0x010 - Raw packet payload.

   -f, --file-name
      .etl log file. Default is PktMon.etl.

   -s, --file-size
      Maximum log file size in megabytes. Default is 512 MB.

   Logging mode

      -r, --circular
         New events overwrite the oldest ones when 
         when the maximum file size is reached.

      -m, --multi-file
         A new log file is created when the maximum file size is reached.
         Log files are sequentially numbered. PktMon1.etl, PktMon2.etl, etc.

Examples

Create a packet filter for the traffic on TCP port 20:

pktmon filter add -p 20

List the current packet filters:

pktmon filter list

Start monitoring to a file called PktMon.etl (n.b. without the -p option this will default to capturing only the first 128 bytes of each packet.):

pktmon start --etw

Stop monitoring:

pktmon stop

Convert the PktMon.etl file to a human-readable text format:

pktmon format PktMon.etl -o converted.txt

“Sooner or later we all discover that the important moments in life are not the advertised ones, not the birthdays, the graduations, the weddings, not the great goals achieved. The real milestones are less prepossessing. They come to the door of memory unannounced, stray dogs that amble in, sniff around a bit and simply never leave. Our lives are measured by these” ~ Susan B. Anthony

Related commands

Microsoft Network Monitor - View the .ETL file generated by PktMon.
How to use PktMon - Bleeping Computer.
Equivalent macOS command : tcpdump - Dump traffic on a network.


 
Copyright © 1999-2024 SS64.com
Some rights reserved