Packet Capture on Windows Without Wireshark

Posted Under: Pktmon, Shell, Tutorials, Windows on Dec 14, 2020
The first things that come to mind for packet capture are Wireshark or tcpdump. In this tutorial we capture packets on a Windows 10 machine without installing any external tool. Microsoft has been shipping the PktMon utility with Windows 10 since 2018, and it has been receiving updates and getting better over time. Pktmon is a Windows command-line packet capture utility, and getting started is fairly easy:
  1. Open Windows Command Line with Administrator privileges.
  2. Specify the desired filter. Only packets matching this filter will be recorded.
  3. Start the capture.
  4. End the capture.
  5. Convert, if desired.

Check whether Pktmon is present on your machine by simply typing pktmon in an elevated command shell.
Pktmon on Windows

Add a capture filter:
pktmon filter add OptionalFilterName -i -p 443
The command above captures only IPv4 traffic on port 443.
pktmon filter list
This lists the active filters.

Pktmon add filter command

Next, start the capture by issuing the following command:
pktmon start --etw -p 0 -f e:\capture.etl -l real-time
  • --etw starts the capture.
  • -p 0 sets the per-packet size limit to 0, i.e. captures whole packets; the default keeps 128 bytes of each packet.
  • -f sets the ETL capture file location.
  • -l sets the logging mode; real-time prints a verbose log on the command line.
Pktmon start capture

When you are done capturing, press Ctrl + C. This stops the capture and writes the file. Pktmon creates files in ETL format, a proprietary Windows format, but it provides a mechanism to convert ETL into PCAPNG format, so the converted file can be opened in Wireshark or uploaded to an online service such as PacketTotal for further analysis.
pktmon pcapng e:\capture.etl -o e:\capture.pcapng

Specify the input ETL file and the output PCAPNG file.
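The five steps above can be scripted so a capture is taken non-interactively for a fixed time window, which is how you would collect evidence from a host during an investigation. The script below is an added example and is not code from the original post or from Microsoft; it reuses the pktmon flags shown on this page (filter add -p, start --etw -p -f, pcapng -o) plus the pktmon stop and pktmon filter remove subcommands, drops -l real-time so the start command returns instead of blocking, and keeps only the port part of the page's filter. The paths, the filter name and the defaults are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: a non-interactive version of the
# five-step pktmon procedure. Captures traffic on one port for a fixed number
# of seconds, then converts the ETL file to PCAPNG for Wireshark.
# Assumptions: pktmon flags as used on the page; 'pktmon stop' and
# 'pktmon filter remove' are subcommands of the same tool. Paths and the
# filter name are placeholders.
param(
    [int]$Port = 443,
    [int]$Seconds = 30,
    [string]$EtlPath = "$env:TEMP\capture.etl",
    [string]$PcapPath = "$env:TEMP\capture.pcapng",
    [string]$FilterName = "ExampleFilter"
)

# Step 1 precondition: the tool must be present on this Windows build.
if (-not (Get-Command pktmon.exe -ErrorAction SilentlyContinue)) {
    throw "pktmon.exe not found; this Windows build does not ship it."
}

try {
    # Step 2: add the filter. Only packets matching it are recorded.
    pktmon filter add $FilterName -p $Port | Out-Null
    pktmon filter list

    # Step 3: start the capture. -p 0 keeps whole packets instead of the
    # 128-byte default. Without -l real-time the command returns immediately.
    pktmon start --etw -p 0 -f $EtlPath | Out-Null
    Write-Host "Capturing port $Port for $Seconds seconds -> $EtlPath"
    Start-Sleep -Seconds $Seconds
}
finally {
    # Step 4: stop the capture and clear the filter even if something failed,
    # so no stale filter or session is left behind on the host.
    pktmon stop | Out-Null
    pktmon filter remove | Out-Null
}

# Step 5: convert to PCAPNG and check that the output really appeared.
pktmon pcapng $EtlPath -o $PcapPath | Out-Null
if (-not (Test-Path $PcapPath)) {
    throw "Conversion failed: $PcapPath was not written."
}
Write-Host "Wrote $PcapPath; open it in Wireshark."
```

Run it from an elevated PowerShell prompt, for example `.\capture.ps1 -Port 53 -Seconds 60` to collect a minute of DNS traffic. The try/finally matters: if the sleep is interrupted, the capture session is still stopped and the filter removed, so the machine is not left capturing indefinitely.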

Pktmon etl to pcap

This converted file can be opened in Wireshark.

Pktmon pcap wireshark