If you are a hacker or a security researcher, you probably use Wireshark or one of the tonnes of third-party network packet sniffer Apps available. Did you know that since 2018, Microsoft has included a service called PKTMON in Windows 10 builds?
What is Packet Monitor or PKTMON
PKTMON is what the name suggests, a built-in Windows 10 network packet sniffer. A network packet sniffer is an App that can intercept and log traffic that passes over a digital network or part of a network. It is used by hackers and network admin to find vulnerabilities in the network or troubleshoot network issues. A packet sniffer App can even listen to network communications sent via clear text. Here are somethings that a packet sniffer can do:
- Analyze network problems
- Detect network intrusion attempts
- Detect network misuse by internal and external users
- Documenting regulatory compliance through logging all perimeter and endpoint traffic
- Gain information for effecting a network intrusion
- Isolate exploited systems
- Monitor WAN bandwidth utilization
- Monitor network usage (including internal and external users and systems)
- Monitor data in transit
- Monitor WAN and endpoint security status
Linux users have tcpdump tool to perform network sniffing and now Windows 10 users have Pktmon.
How to use Pktmon?
You can use PKTMON the same way you use third-party packet sniffers. PKTMON is a executable file in C:\Windows\system32\pktmon.exe. It can be used to perform a full packet inspection of data being sent over your PC/laptop/network.
To run PKTMON, make sure that you are logged in as Administrator. ust go to Start and type in PKTMON and click on pktmon.exe. You can run all the network sniffing commands that you use on any packet sniffer. You can visit the help file to know the commands by typing in
pktmon filter help
PKTMON saves log as .etl files. You can download and install the Microsoft Network Monitor and use it to view the ETL file.
Microsoft has announced that the Windows 10 May 2020 mega-update will have a real-time packet sniffer included. Let’s wait for the update to use real-time network sniffing tools.