Windows 10 got a built-in network sniffer

Windows10 wallpaper

There are a lot of new features (see this post) coming soon in Windows 10. Microsoft has quietly added a built-in network packet sniffer to the Windows 10 October 2018 Update, and it has gone unnoticed since its release.

A packet sniffer, or network sniffer, is a program that monitors the network activity flowing over a computer down to an individual packet level.

This can be used by network administrators to diagnose networking issues, see what types of programs are being used on a network, or even listen in on network conversations sent via clear text.

Built-in packet sniffer comes to Windows 10

With the release of the Windows 10 October 2018 Update, Microsoft quietly added a new network diagnostic and packet monitoring program located in C:\Windows\system32\pktmon.exe.

This program has a description of “Monitor internal packet propagation and packet drop reports”, which indicates it is designed for diagnosing network problems.

Similar to the Windows netsh trace command, it can be used to perform full packet inspection of data being sent over the computer.

Windows 10 network sniffer
Windows 10 network sniffer

This program has no mention on Microsoft’s site that we could find, and we had to learn how to use it by playing with the program.

Thankfully it includes a fairly extensive help system that can be used by typing ‘pktmon [command] help‘.

For example, pktmon filter help, will give you the help screen for the filter command.

Windows 10 network sniffer - filter
Windows 10 network sniffer – filter

To learn how to use Pktmon, I strongly suggest you read through the help documentation and play around with the program. We have also provided an example in the next section to help you get started.

Using Pktmon to monitor network traffic

Unfortunately, diving into the full feature set of Pktmon is outside of the scope of this article, but we wanted to show you a basic example of how you can use the tool.

For our example, we will use Pktmon to monitor FTP traffic from the computer it is run on.

To do this, we first need to launch a Windows 10 elevated command prompt as Pktmon requires administrator privileges.

We then need to create two packet filters that tell Pktmon what traffic to monitor, which in our example will be the traffic on TCP ports 20 and 21.

These filters can be created by using the pktmon filter add -p [port] command for each port we want to monitor.

pktmon filter add -p 20
pktmon filter add -p 21

You can then use the pktmon filter list command to see the packet filters we just created.

Configured packet filters
Configured packet filters

To start monitoring for packets communicating with TCP ports 20 and 21, we need to use the pktmon start --etw command.

Once executed, pktmon will log all packets on ALL network interfaces on the device to a file called PktMon.etl and only record the first 128 bytes of a packet.

To make it log the entire packet and only from a specific ethernet device, you can use the -p 0 (capture entire packet) and -c 13 (capture only from the adapter with ID 13) arguments.

To determine what ID your adapters are, you can run the command pktmon comp list command

When we combine all the arguments, we get a final command of:

pktmon start --etw -p 0 -c 13
Capturing packets
Capturing packets

Pktmon will now quietly run while capturing all packets that match our inputted filters.

To stop capturing packets, enter the pktmon stop command, and a log file called PktMon.etl will have been created in the same folder that contains the raw captured data.

This data in this file is not directly usable, so you need to convert it to a human-readable text format with the following command:

pktmon format PktMon.etl -o ftp.txt
Converted into a text format
Converted into a text format

To benefit from the captured data, I suggest you download and install the Microsoft Network Monitor and use it to view the ETL file.

Using Network Monitor, you can see the full packet that was sent, including any clear-text information.

For example, below you can see a packet containing the clear-text password we entered when logging into this FTP test site.

Network monitor showing clear-text FTP password
Network monitor showing clear-text FTP password

When done using the Pktmon program, you can remove all created filters using the command:

pktmon filter remove

One thought on “Windows 10 got a built-in network sniffer

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.