Packet Capture on Windows Without Wireshark

First thing that come to mind for packet capturing in Wireshark or tcpdump. In this tutorial we will be capturing packet on Windows 10 machine without any external tool installed. Microsoft is shipping PktMon utility with Windows 10 since 2018. It is gradually receiving updated and getting better as time moves on. Pktmon is a Windows Command Line Packet Capture utility. Getting started is fairly easy.

1. Open Windows Command Line with Administrator privileges.
2. A user need to specify its desired filter. Only packet matching this filter will be recorded.
3. Start the capture.
4. End the capture.
5. Convert, if desired.

Check if Pktmon is present on your machine by simply typing pktmon on elevated command shell.

pktmon

Add a capture filter.

pktmon filter add OptionalFilterName -i 192.168.1.0/24 -p 443

Above command will capture all IPv4 traffic from network 192.168.1.0/24 and port 443 only.

pktmon filter list

list show the active filters.



Next start the capture by issuing following command

pktmon start --etw -p 0 -f e:\capture.etl -l real-time

• --etw implies start capture.
• -p 0 capture packet of minimum 0 (zero) size (all packets), default is 128 bytes.
• -f ETL capture file location.
• -l Logging mode, real-time verbose log on command line.

When you are done capturing press Ctrl + c. This will stop the capture and file is generated. Pktmon create files in ETL format, a windows propitiatory format. But it provides a mechanism to covert ETL format into PCAPNG format. By which converted file can be open in Wireshark or open online in Packet Total type utilities for further analysis.

pktmon pcapng e:\capture.etl -o e:\capture.pcapng

Specify the input etl file and output pcapng file.



This converted file can be opened in Wireshark.