Even though it is a system that is present on millions of devices, Windows 10 still has secrets. There are tools that few know about and that can be used at key moments to solve problems or abnormal situations.
One of the most recent is a packet sniffer that lets you listen to your computer's network traffic. It is a simple executable, but it reveals a lot about what is happening on the network and where traffic is going to and coming from.
A new secret tool from Microsoft
Not much is known about pktmon yet, but it certainly arrived with the October 2018 update. This Microsoft tool does not appear in any known documentation, but its function is well understood.
Found in the folder C:\Windows\System32, pktmon.exe is used from the command prompt or from PowerShell. It lets you listen to the network and collect information about the packets traveling to and from the machine. It is a tool similar to Wireshark, but without a graphical interface.
Listening to what circulates on the computer network
Run like any other command-line executable, it lets you apply a filter on ports or set up real-time monitoring. The capture can be shown on screen or written to a file, which by default is named PktMon.etl.
pktmon filter add -p 80
The command above defines a filter for port 80, which is applied to the capture when you listen to your computer's network. You can define several filters at the same time and so choose in detail which data is collected.
A simple command to use in Windows 10
To collect the data, simply run the command below and wait. The -m real-time flag displays the data on screen as it arrives. Without it, the information is only written to the default file.
pktmon start --etw -m real-time
You should explore the many flags available, each covering one of the tool's options. You will discover how to list or clear the filters, how to change the output format, or simply how to see the counters for each of the interfaces.
There's a lot more to discover in Windows 10
Of course, you can later convert the captured log to a format that can be opened in a text editor, using the command below. You can also use a well-known Microsoft program, Microsoft Network Monitor, which reads the ETL format without difficulty.
pktmon format PktMon.etl -o packetlog.txt
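The three steps above (filter, capture, convert) as one time-boxed PowerShell function. This is an added example, not code from the article or from Microsoft; it assumes an elevated shell, that pktmon.exe is reachable from C:\Windows\System32, and the port list, duration and output path are assumed values.

```powershell
# Added example (not from the article): a time-boxed pktmon capture wrapped in a
# PowerShell function. Assumes pktmon.exe is on PATH (C:\Windows\System32) and an
# elevated (Administrator) shell; the ports, duration and paths are assumptions.
function Invoke-PktmonCapture {
    param(
        [int[]]$Ports = @(80, 443),            # ports to keep, as in the article's "-p 80"
        [int]$Seconds = 30,                    # how long to listen before stopping
        [string]$EtlPath = "$env:TEMP\PktMon.etl"
    )

    # pktmon needs an elevated shell; fail early with a clear message rather than
    # with a cryptic error from the driver.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "pktmon requires an elevated (Administrator) PowerShell session."
    }

    # Filters persist until removed, so start from a clean slate: a stale filter
    # left by an earlier session would silently narrow this capture.
    pktmon filter remove | Out-Null
    foreach ($p in $Ports) {
        pktmon filter add "port$p" -p $p | Out-Null
    }
    pktmon filter list   # show exactly what will be collected

    # Log to an ETL file (no "-m real-time", so nothing scrolls on screen), wait,
    # then stop. try/finally guarantees the capture is stopped and the filters are
    # cleared even if the wait is interrupted with Ctrl+C.
    try {
        pktmon start --etw -f $EtlPath | Out-Null
        Start-Sleep -Seconds $Seconds
    }
    finally {
        pktmon stop | Out-Null
        pktmon filter remove | Out-Null
    }

    # Convert the ETL log to plain text, the same step the article shows with
    # "pktmon format PktMon.etl -o packetlog.txt".
    $txtPath = [IO.Path]::ChangeExtension($EtlPath, ".txt")
    pktmon format $EtlPath -o $txtPath | Out-Null
    return $txtPath
}

# Usage: capture web traffic for 20 seconds and show the first lines of the text log.
$log = Invoke-PktmonCapture -Ports 80, 443 -Seconds 20
Get-Content $log | Select-Object -First 20
```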
So it is time to set Wireshark aside and switch to the native Windows 10 tool. It has been hidden for some time and Microsoft has not even officially introduced it. Still, it is an excellent option for anyone who wants to listen to their computer's network.