pktmon Packet Capture Windows

  • pktmon is a native binary found on Windows 10 systems

  • Can capture packets based on port number

  • Binary found on all systems from the Windows 10 October 2018 update onwards

  • Binary with pcap conversion ability found on all Win 10 2004 (May 2020 update)

  • The packet capture is saved in .etl format; convert it to pcapng with Microsoft's etl2pcapng --> https://github.com/microsoft/etl2pcapng/

Capture Packet Process

  • View the filters saved on the machine first (if any)

pktmon filter list

  • Create your own filters (-t transport protocol, -p port, -i IP address)

pktmon filter add -t TCP -p 8080 -i 10.10.120.1
pktmon filter add -t UDP -p 69

  • Capture packets (-p 0 logs the full packet instead of the default 128-byte truncation; -f names the output file)

pktmon start --etw -p 0 -f output.etl
pktmon stop

  • Convert to pcapng if the system has the required update (Win 10 2004 or later); older builds need etl2pcapng instead

pktmon pcapng input.etl -o output.pcapng
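The whole procedure above wrapped in one PowerShell script, as an added example that is not part of the original notes: it resets stale filters, captures for a fixed window, always stops the trace, and picks the converter based on whether the build supports `pktmon pcapng`. The capture directory, the duration and the etl2pcapng.exe location are assumptions of this example.

```powershell
# Added example (not from the original notes): drives the pktmon workflow end to end.
# Assumptions: pktmon.exe is on PATH (Win10 1809+); etl2pcapng.exe, if needed, is at
# $Etl2PcapngPath (a location chosen for this example, not given in the notes).
param(
    [int]    $Seconds        = 60,
    [string] $OutDir         = "$env:TEMP\pktmon-capture",
    [string] $Etl2PcapngPath = 'C:\Tools\etl2pcapng.exe'
)

$ErrorActionPreference = 'Stop'
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'pktmon needs an elevated prompt'
}
if (-not (Get-Command pktmon.exe -ErrorAction SilentlyContinue)) {
    throw 'pktmon.exe not found; requires the Windows 10 October 2018 update or later'
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl  = Join-Path $OutDir 'capture.etl'
$pcap = Join-Path $OutDir 'capture.pcapng'

# Start from a known filter set: leftover filters would silently change what gets captured.
pktmon filter remove | Out-Null
# Same filters as the notes: TCP/8080 to or from 10.10.120.1, and UDP/69 on any host.
pktmon filter add -t TCP -p 8080 -i 10.10.120.1 | Out-Null
pktmon filter add -t UDP -p 69 | Out-Null
pktmon filter list

# -p 0 logs whole packets (default is 128 bytes), so the pcapng keeps full payloads.
pktmon start --etw -p 0 -f $etl
try {
    Start-Sleep -Seconds $Seconds
} finally {
    # Stop the trace even if the wait is aborted; otherwise the ETW session keeps running.
    pktmon stop
}

# Win10 2004+ lists the pcapng subcommand in 'pktmon help'; older builds need etl2pcapng.
$hasPcapng = (pktmon help | Out-String) -match 'pcapng'
if ($hasPcapng) {
    pktmon pcapng $etl -o $pcap
} elseif (Test-Path $Etl2PcapngPath) {
    & $Etl2PcapngPath $etl $pcap
} else {
    Write-Warning "No converter available; convert $etl with etl2pcapng (https://github.com/microsoft/etl2pcapng/)"
    return
}
Get-Item $pcap | Select-Object FullName, Length
```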
