IBM Support

How to Create a Network Trace Using Windows Built-in Pktmon Tool

How To


Summary

Pktmon is a built-in network diagnostic and packet monitoring tool available in Windows 10 (version 2004 and later) and Windows Server. It allows administrators to capture and analyze network traffic without the need for additional third-party tools. Follow this guide to create a network trace using Pktmon.

Objective

Create Wireshark-compatible network traces with built-in tools on current Windows operating systems.

Environment

Microsoft Windows 10 (version 2004 and later) and Windows Server.

Steps

Step 1: Open Command Prompt with Administrative Privileges

  1. Press Win + S to open the search bar.

  2. Type cmd.

  3. Right-click on Command Prompt and select Run as administrator.


Step 2: Verify Pktmon Installation

Run the following command to verify that Pktmon is available:

pktmon help

This will display the available Pktmon commands if it is properly installed.


Step 3: Start a Pktmon Capture

  1. Enable Pktmon Logging:

    Use the following command to set up logging:

    pktmon start --capture --comp nics --etw

    • --capture enables packet capture.

    • --comp nics captures traffic for all network interfaces.

    • --etw also records Pktmon's Event Tracing for Windows (ETW) events alongside the captured packets.

  2. Specify Filters (Optional):

    To capture only specific traffic, set up filters. For example, to capture traffic to a specific IP address:

    pktmon filter add -i 192.168.1.1

    Replace 192.168.1.1 with the desired IP address.


Pktmon will now monitor and log network traffic based on your configured filters.


Step 4: Stop the Capture

When you have captured sufficient data, stop Pktmon by running:

pktmon stop

This will finalize and save the capture log file.


Step 5: Convert the Log File to PCAP Format

Pktmon saves the log file in its own format. To convert it to the widely used PCAP format for analysis in tools like Wireshark, use the following command:

pktmon etl2pcap PktMon.etl

  • Replace PktMon.etl with the name of your generated log file.

  • The *.pcap output file will be created in the same location.


Step 6: Analyze the PCAP File

  1. Open the generated .pcap file in Wireshark or any other network analysis tool.

  2. Use Wireshark’s filters and features to analyze the network traffic.
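
The steps above combined into one PowerShell function, as an added example that is not part of the IBM article. It assumes an elevated PowerShell session; the function name Invoke-PktmonTrace and the IP filter option -i (--ip) are my choices rather than text from the article, and the filter is added before the capture is started because Pktmon applies its filter list at start time.

```powershell
# Added example (not from the IBM article): the article's Pktmon steps wrapped in one
# PowerShell function. Run it from an elevated PowerShell window in the folder where
# the trace should be written; pktmon stores PktMon.etl in the current directory.
function Invoke-PktmonTrace {
    param(
        # Optional IP address filter; when omitted, all traffic on all NICs is captured.
        [string]$IpAddress,
        # How long to capture before stopping, in seconds.
        [int]$DurationSeconds = 30
    )
    # Step 1: pktmon needs administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this function from an elevated PowerShell session.'
    }
    # Step 2: verify pktmon is available on this Windows build.
    if (-not (Get-Command pktmon.exe -ErrorAction SilentlyContinue)) {
        throw 'pktmon.exe not found; it ships with Windows 10 2004 / Windows Server and later.'
    }
    # Start from an empty filter list so filters left over from earlier runs do not apply.
    pktmon filter remove | Out-Null
    # Optional filter (Step 3.2). Pktmon reads its filter list when the capture starts,
    # so add it before 'pktmon start'. -i/--ip matches source or destination address.
    if ($IpAddress) {
        pktmon filter add -i $IpAddress | Out-Null
    }
    pktmon filter list
    # Step 3.1: capture on all NICs and record ETW events.
    pktmon start --capture --comp nics --etw
    Start-Sleep -Seconds $DurationSeconds
    # Step 4: stop the capture; pktmon writes PktMon.etl.
    pktmon stop
    # Step 5: convert to a Wireshark-readable file next to the .etl.
    pktmon etl2pcap PktMon.etl
    # Return the trace files so the caller can see what was produced.
    Get-ChildItem -Path . -Filter 'PktMon.*'
}

# Capture 60 seconds of traffic to or from 192.168.1.1, then open the .pcap in Wireshark.
Invoke-PktmonTrace -IpAddress 192.168.1.1 -DurationSeconds 60
```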

Additional Information

Common Commands Reference

  • List current filters:

    pktmon filter list

  • Remove all filters:

    pktmon filter remove

  • Check Pktmon status:

    pktmon status

  • Get detailed help for commands:

    pktmon <command> help

Best Practices

  • Run with Administrator Rights: Ensure you run Pktmon commands with administrative privileges for proper functionality.

  • Minimize Traffic During Capture: To simplify analysis, stop unnecessary applications or network services during the capture.

  • Keep Filters Specific: Use filters to focus on relevant traffic and avoid capturing excessive data.


Document Location

Worldwide



Document Information

More support for:
Microsoft Windows

Component:
Windows

Software version:
All Versions

Document number:
7178726

Modified date:
12 December 2024

UID

ibm17178726