pktmon - Packet Monitor - "tcpdump" on windows

Reference:
- Pktmon command formatting
- pktmon filter

Quick start

# Define filter
C:\Test> pktmon filter add help
C:\Test> pktmon filter add <filters>

# Start the capture
C:\Test> pktmon start -c

# Check Counter
C:\Test> pktmon counters

# Stop the capture and retrieve logs in txt format for analysis
C:\Test> pktmon stop
C:\Test> pktmon etl2txt <etl file>

Filter and Capture Examples

Capture any ICMP traffic from or to the IP address 10.0.0.10 as well as any traffic on port 53:

pktmon filter add -i 10.0.0.10 -t icmp
pktmon filter add -p 53

Capture all the SYN packets sent or received by the IP address 10.0.0.10:

pktmon filter add -i 10.0.0.10 -t tcp syn

Display/remove active packet filters

pktmon filter list
pktmon filter remove

Capture packets of only the network adapters:

# Components (--comp) can be nics only or a list of components IDs, default to all components
pktmon start -c --comp nics

Capture only the dropped packets that pass through components 4 and 5, and log them:

pktmon start -c --comp 4,5 --type drop

Capture packets and log events from the provider "Microsoft-Windows-TCPIP":

pktmon start --capture --trace -p Microsoft-Windows-TCPIP

PreviousN NextS

Last updated 5 months ago