PKTMON - CMD

Overview

PKTMON is a packet monitoring tool included in Windows for tracking and diagnosing network traffic. It can capture, list, and filter network packets and is useful for network performance analysis, network troubleshooting, and verifying network deployments.

Syntax

The common command syntax used for PKTMON is:

pktmon [command] [Options]

Where [command] represents the operation you wish to perform, such as starting a packet capture, listing components, or filtering packets. [Options] represent the parameters that modify or extend the behavior of the chosen command.

Options/Flags

Major Commands

  • start – Starts the packet capture.
  • stop – Stops the ongoing packet capture.
  • list – Lists the available counters or filters.
  • filter – Adds or removes a filter.
  • reset – Resets counters to zero.
  • comp – Manages packet monitoring components.
  • convert – Converts a specified etl file to a human-readable format.
  • help – Displays help information.

Commonly Used Options

  • -p or --persistent
    Start the capture with persistent settings, meaning it will continue after a system reboot.
  • -c or --capture
    Specify capture mode (e.g., basic, detailed).
  • -f or --file
    Specifies the file where the capture will be stored.
  • -l or --list
    Lists the current configuration or statistics.

Examples

  1. Starting a Basic Capture

    Start a basic capture saving logs to C:\capture.etl.

    pktmon start --capture basic -f C:\capture.etl

  2. Stopping a Capture

    Stop an ongoing capture:

    pktmon stop

  3. Converting ETL to Text

    Convert the .etl file to a readable .txt format:

    pktmon convert C:\capture.etl -o C:\capture.txt

  4. Using Filters

    Add a filter to capture traffic on port 80:

    pktmon filter add -p 80
pktmon start --capture detailed

Common Issues

  • Permission Errors: Ensure you are running CMD as an administrator to avoid permission issues.
  • File Overwriting: Note that running pktmon again with the same output file path without stopping can overwrite the previous capture data.
  • Filter Complexity: Incorrect filter setup can lead to capturing no data. Verify filter configuration carefully.

Integration

PKTMON can be combined with other tools like findstr for more refined output filtering, or integrated into batch files for scheduled monitoring tasks.

pktmon start --capture detailed -f C:\daily.etl
timeout /t 3600
pktmon stop
pktmon convert C:\daily.etl -o C:\daily.txt
del C:\daily.etl
  • NETSTAT – Displays network connections and statistics.
  • TRACERT – Traces path packets take to a network host.
  • IPCONFIG – Shows or refreshes network adapter settings.

For more information, refer to the Microsoft documentation on PKTMON:
Microsoft Docs – PKTMON