By Securitynik on 2020-08-11 14:41:08
Recently, while doing some unrelated research, I came across this link from www.bleepingcomputer.com about Windows having a built-in sniffer. I am aware that "netsh trace" can be used to perform packet capturing, but this seems like a better option; I may be wrong. Windows having a built-in sniffer is a good thing, as most of us who work with Linux are accustomed to having "tcpdump" there by default in most cases. What I like about the "pktmon.exe" version on my Windows 10 (2004) is that it supports the pcapng format.
Here is Microsoft's note on pktmon.exe.
"Packet Monitor (PacketMon) is an in-box cross-component network diagnostics tool for Windows. It can be used for packet capture, packet drop detection, packet filtering and counting. The tool is especially helpful in virtualization scenarios like container networking, SDN, etc. It is available in-box via pktmon.exe command, and via Windows Admin Center extensions."
In this post, I will be walking through "pktmon" with as much detail as possible. Most of the resources I found online basically gave a somewhat superficial view of this tool. My intention is to make this your one-stop shop for how to use Packet Monitor.
First up, we need to ensure our terminal is running with elevated privileges. Packet Monitor is backed by a kernel driver (note the "unload" command in the help below), so an administrator prompt is required.
Once in the elevated terminal, let's look at the help
C:\Users\SecurityNik>pktmon help
pktmon { filter | comp | reset | start | stop } [OPTIONS | help]

Monitor internal packet propagation and packet drop reports.

Commands
  filter  Manage packet filters.
  comp    Manage registered components.
  reset   Reset counters to zero.
  start   Start packet monitoring.
  stop    Stop monitoring.
  format  Convert log file to text.
  pcapng  Convert log file to pcapng format.
  unload  Unload PktMon driver.
  help    Show help text for a command.
If you need help for a particular component, you can use for example "pktmon filter help"
C:\Users\SecurityNik>pktmon filter help
pktmon filter { list | add | remove } [OPTIONS | help]

Commands
  list    Display active packet filters.
  add     Add a filter to control which packets are reported.
  remove  Removes all filters.
  help    Show help text for a command.
Before we begin, let's look at the registered components via "pktmon.exe comp help"
C:\Users\SecurityNik>pktmon comp help
pktmon comp { list | counters } [OPTIONS | help]

Commands
  list      List all active components.
  counters  Display current per-component counters.
  help      Show help text for a command.
If we look further at the help via "pktmon comp list help", we see we can show components that are hidden by default as well as request JSON output.
C:\Users\SecurityNik>pktmon comp list help
pktmon [comp] list

List all active components.

  -i, --show-hidden  Show components that are hidden by default.
  --json             Output the list in JSON format.
At this point, we can list all active components via "pktmon comp list". We will use the default (non-JSON) output, adding "--show-hidden" so nothing is omitted.
C:\Users\SecurityNik>pktmon comp list --show-hidden | more

VirtualBox Host-Only Ethernet Adapter
  Id:           13
  Driver:       VBoxNetAdp6.sys
  MAC Address:  0A-00-27-00-00-05
  ifIndex:      5

  Filter Drivers:
    Id  Driver       Name
    --  ------       ----
    38  wfplwfs.sys  WFP Native Filter
    36  pacer.sys    QoS Packet Scheduler
    35  wfplwfs.sys  WFP 802.3 Filter

  Protocols:
    Id  Driver           Name         EtherType
    --  ------           ----         ---------
    96  tcpip.sys        TCPIP6       IPv6
    91  tcpip.sys        TCPIP        ARP, IPv4
    84  mslldp.sys       MSLLDP       LLDP
    83  rspndr.sys       RSPNDR       VLAN, LLTD
    82  vmnetbridge.sys  VMNETBRIDGE  * (All)
    81  ndisuio.sys      NDISUIO      88c7, VLAN, 802.1X
    80  lltdio.sys       LLTDIO       * (All)

  Application Protocols:
    Id   Driver    Name  IP Address
    --   ------    ----  ----------
    107  http.sys  HTTP  fe80::910f:2448:7235:77be
    101  http.sys  HTTP  10.0.0.1

... <TRUNCATED FOR BREVITY> ...
From the output returned above, we see each adapter's component ID, driver and MAC address, the filter drivers and protocol drivers bound to it (each with its own component ID), and the IPv4 and IPv6 addresses in use. Those component IDs are what show up later in the "Component" field of every captured event.
Let's now look at the help for the counters via "pktmon comp counters help"
C:\Users\SecurityNik>pktmon comp counters help
pktmon [comp] counters [-t { all | drop | flow }] [-z] [--json]

Display current per-component counters.

  -t, --counter-type  Select which types of counters to show. Supported values
                      are all counters (default), drops only, or flows only.
  -z, --show-zeros    Show counters that are zero in both directions.
  -i, --show-hidden   Show components that are hidden by default.
  --json              Output the counters in JSON format.
Let's now look at the counters via "pktmon comp counters --counter-type all --show-hidden". No monitoring session has been started yet, so every counter is still zero.

C:\Users\SecurityNik>pktmon comp counters --counter-type all --show-hidden
All counters are zero.
Now that we have a better understanding of the registered components, let's move on to setting up our first filter, to capture traffic for a specific MAC address.
Let's verify if any filters exist via "pktmon filter list"
C:\Users\SecurityNik>pktmon filter list
There are no packet filters.
Time for our first filter. First, let's look at the help for adding a filter via "pktmon filter add help"
C:\Users\SecurityNik>pktmon filter add help
pktmon filter add <name> [-m mac [mac2]] [-v vlan] [-d { IPv4 | IPv6 | number }]
                  [-t { TCP [flags...] | UDP | ICMP | ICMPv6 | number }]
                  [-i ip [ip2]] [-p port [port2]] [-e [port]]

Add a filter to control which packets are reported. For a packet to be reported,
it must match all conditions specified in at least one filter. Up to 8 filters
can be active at once.

NOTE1: When two MACs (-m), IPs (-i), or ports (-p) are specified, the filter
matches packets that contain both. It will not distinguish between source or
destination for this purpose.

  name                  Optional name or description of the filter.

Ethernet frame
  -m, --mac[-address]   Match source or destination MAC address. See NOTE1 above.
  -v, --vlan            Match by VLAN Id (VID) in the 802.1Q header.
  -d, --data-link[-protocol], --ethertype
                        Match by data link (layer 2) protocol. Can be IPv4, IPv6,
                        ARP, or a protocol number.

IP header
  -t, --transport[-protocol], --ip-protocol
                        Match by transport (layer 4) protocol. Can be TCP, UDP,
                        ICMP, ICMPv6, or a protocol number. To further filter TCP
                        packets, an optional list of TCP flags to match can be
                        provided. Supported flags are FIN, SYN, RST, PSH, ACK,
                        URG, ECE, and CWR.
  -i, --ip[-address]    Match source or destination IP address. See NOTE1 above.
                        To match by subnet, use CIDR notation with the prefix length.

TCP/UDP header
  -p, --port            Match source or destination port number. See NOTE1 above.

Encapsulation
  -e, --encap           This filter also applies to encapsulated inner packets,
                        in addition to the outer packet. Supported encapsulation
                        methods are VXLAN, GRE, NVGRE, and IP-in-IP. Custom VXLAN
                        port is optional, and defaults to 4789.

Example 1: Ping filter
  pktmon filter add MyPing -i 10.10.10.10 -t ICMP

Example 2: TCP SYN filter for SMB traffic
  pktmon filter add MySmbSyn -i 10.10.10.10 -t TCP SYN -p 445

Example 3: Subnet filter
  pktmon filter add MySubnet -i 10.10.10.0/24
Next we add a filter for the MAC address "0A-00-27-00-00-05", which we saw above in the registered components: it belongs to the "VirtualBox Host-Only Ethernet Adapter" with IP address 10.0.0.1.
C:\Users\SecurityNik>pktmon filter add VBox-Mac --mac 0A-00-27-00-00-05
Filter added.
Verify the filter exists by listing the filters again.
C:\Users\SecurityNik>pktmon filter list
#  Name      MAC Address
-  ----      -----------
1  VBox-Mac  0A-00-27-00-00-05
Let's now look at the help for starting a capture
C:\Users\SecurityNik>pktmon start help
pktmon start [-c { all | nics | [ids...] }] [-d] [--etw [-p size] [-k keywords]]
             [-f] [-s] [--log-mode {circular | multi-file | real-time | memory}]

Start packet monitoring.

  -c, --components   Select components to monitor. Can be all components,
                     NICs only, or a list of component ids. Defaults to all.
  -d, --drop-only    Only report dropped packets. By default, successful
                     packet propagation is reported as well.

ETW Logging
  --etw              Start a logging session for packet capture.
  -p, --packet-size  Number of bytes to log from each packet. To always log
                     the entire packet, set this to 0. Default is 128 bytes.
  -k, --keywords     Hexadecimal bitmask (i.e. sum of the below flags) that
                     controls which events are logged. Default is 0x012.
                     Flags:
                       0x001 - Internal Packet Monitor errors.
                       0x002 - Information about components, counters and
                               filters. This information is added to the end
                               of the log file.
                       0x004 - Source and destination information for the
                               first packet in NET_BUFFER_LIST group.
                       0x008 - Select packet metadata from
                               NDIS_NET_BUFFER_LIST_INFO enumeration.
                       0x010 - Raw packet, truncated to the size specified in
                               [--packet-size] parameter.
  -f, --file-name    .etl log file. Default is PktMon.etl.
  -s, --file-size    Maximum log file size in megabytes. Default is 512 MB.
  -l, --log-mode     Select logging mode. Default is circular.
                       circular    New events overwrite the oldest ones when
                                   the maximum file size is reached.
                       multi-file  A new log file is created when the maximum
                                   file size is reached. Log files are
                                   sequentially numbered. PktMon1.etl,
                                   PktMon2.etl, etc.
                       real-time   Display events and packets on screen at
                                   real time. No log file is created. Press
                                   Ctrl+C to stop monitoring.
                       memory      Events are written to a circular memory
                                   buffer. Buffer size is specified in
                                   [--file-size] parameter. Buffer contents is
                                   written to a log file during stop operation.
To start things off, we pick "--log-mode real-time". With the filter in place and the capture running, we then run "ping 10.0.0.104" from another prompt. To end the monitoring session, press CTRL+C, after which you should see "Flushing logs...". Notice that the single ARP request below is reported six times (Appearance 1 through 6) with the same PktGroupId and PktNumber: pktmon reports a packet at every component and edge it traverses (here components 85, 36, 38 and 13, which are the filter drivers and adapter we listed earlier), not once per packet on the wire.
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time
Active measurement started.
Processing...

21:31:10.816725700 PktGroupId 1, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 85, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28

21:31:10.816732400 PktGroupId 1, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 36, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28

21:31:10.816734200 PktGroupId 1, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 36, Edge 2, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28

21:31:10.816735900 PktGroupId 1, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 38, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28

21:31:10.816742000 PktGroupId 1, PktNumber 1, Appearance 5, Direction Tx , Type Ethernet , Component 38, Edge 2, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28

21:31:10.816743500 PktGroupId 1, PktNumber 1, Appearance 6, Direction Tx , Type Ethernet , Component 13, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28

Flushing logs...
.... <TRUNCATED FOR BREVITY> ....
Here is what my ping looked like.
C:\Users\SecurityNik>ping 10.0.0.104 -n 1

Pinging 10.0.0.104 with 32 bytes of data:
Request timed out.

Ping statistics for 10.0.0.104:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
If we revisit the help above for "real-time" logging, it states "Display events and packets on screen at real time. No log file is created." However, when I look on my file system, a file with the default filename was created, as seen below (its timestamp, 09:42 PM, is after the 21:31 real-time session above). Maybe I am missing something.
C:\Users\SecurityNik>dir PktMon.etl
 Volume in drive C is OS
 Volume Serial Number is D436-4013

 Directory of C:\Users\SecurityNik

2020-08-07  09:42 PM        50,331,648 PktMon.etl
               1 File(s)     50,331,648 bytes
               0 Dir(s)  34,686,263,296 bytes free
If you are reading this blog and know why a file was created even though I told it to do "real-time" logging, please let me know what I might have missed.
C:\Users\SecurityNik>pktmon filter remove
Removed all filters.

Above we removed the previously configured filter. As the help shows, "filter remove" removes all filters; there does not appear to be an option at present to remove a single specific filter, so a change to one filter means re-adding the whole set.
Let's try another filter, this time focusing on ARP packets. Once again, we add the filter and verify it.
C:\Users\SecurityNik>pktmon filter add ARP-Capture --ethertype arp
Filter added.

C:\Users\SecurityNik>pktmon filter list
#  Name         EtherType
-  ----         ---------
1  ARP-Capture  ARP
Starting the capture in "real-time" mode.
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time
Active measurement started.
Processing...

21:54:33.326462700 PktGroupId 7, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.......

21:54:36.322822700 PktGroupId 8, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28

21:54:36.322828200 PktGroupId 8, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 11, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28

Flushing logs...
Now that we know how to capture ARP packets, let's move up the stack. Once again, delete all defined filters.
C:\Users\SecurityNik>pktmon filters remove
Removed all filters.
Let's continue at the IP layer. Time to add a filter that looks for ICMP (IP protocol 1) packets to or from 9.9.9.9. The filter name is only a label, so despite being called "IP-TCP" below, this filter matches ICMP, as the "Protocol" column of the listing confirms. After setting the filter, we verify its creation.
C:\Users\SecurityNik>pktmon filter add IP-TCP --data-link IPv4 --ip-protocol 1 --ip-address "9.9.9.9"
Filter added.

C:\Users\SecurityNik>pktmon filter list
#  Name    EtherType  Protocol  IP Address
-  ----    ---------  --------  ----------
1  IP-TCP  IPv4       ICMP      9.9.9.9
Once again capturing to the screen, this time setting the packet size option to 1500 bytes. The default is 128 bytes per packet (see "--packet-size" in the start help), so anything beyond that is truncated in the log; 1500 covers a standard Ethernet payload, and 0 would log the entire packet whatever its size. The "OriginalSize" and "LoggedSize" fields in each event tell you whether truncation happened.
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time --packet-size 1500
Active measurement started.
Processing...

22:12:01.498988200 PktGroupId 844424930131972, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 74: 192.168.0.62 > 9.9.9.9: ICMP echo request, id 1, seq 6, length 40

... <TRUNCATED FOR BREVITY> ...

22:12:01.600308300 PktGroupId 281474976710661, PktNumber 1, Appearance 5, Direction Rx , Type Ethernet , Component 76, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 74: 9.9.9.9 > 192.168.0.62: ICMP echo reply, id 1, seq 6, length 40

22:12:01.600310300 PktGroupId 281474976710661, PktNumber 1, Appearance 6, Direction Rx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 74: 9.9.9.9 > 192.168.0.62: ICMP echo reply, id 1, seq 6, length 40

Flushing logs...
Looks good so far. Here is what my ping looked like. Remember, the ping has to be executed after the capture has been started; real-time mode only shows packets that arrive while it is running. After the ping, we once again delete the filter so we can extend it.
C:\Users\SecurityNik>ping -n 1 9.9.9.9

Pinging 9.9.9.9 with 32 bytes of data:
Reply from 9.9.9.9: bytes=32 time=753ms TTL=54

Ping statistics for 9.9.9.9:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 753ms, Maximum = 753ms, Average = 753ms

C:\Users\SecurityNik>pktmon filter remove
Removed all filters.
Modifying and extending the previous filter, we now look for TCP traffic to or from 172.217.2.115 on port 443 where the SYN flag is set. Note below that this also reports the returning packets with both SYN and ACK set: the flag list is a "these flags must be set" condition, not an exact match of the flag byte. I am not aware of a way to restrict the filter to exactly one flag at this time, so expect the SYN/ACK of every handshake alongside the SYN.
C:\Users\SecurityNik>pktmon filter add IP-TCP-SYN-443 --data-link IPv4 --ip-address 172.217.2.115 --transport-protocol tcp SYN --port 443
Filter added.

C:\Users\SecurityNik>pktmon filters list
#  Name            EtherType  Protocol   IP Address     Port
-  ----            ---------  --------   ----------     ----
1  IP-TCP-SYN-443  IPv4       TCP (SYN)  172.217.2.115  443

C:\Users\SecurityNik>pktmon start --etw --log-mode real-time --packet-size 1500
Active measurement started.
Processing...

23:02:26.539704700 PktGroupId 562949953421500, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

23:02:26.539709400 PktGroupId 562949953421500, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

23:02:26.539712200 PktGroupId 562949953421500, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 32, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

23:02:26.539714000 PktGroupId 562949953421500, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

23:02:26.599504500 PktGroupId 1688849860264106, PktNumber 1, Appearance 1, Direction Rx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 66: 172.217.2.115.443 > 192.168.0.62.65066: Flags [S.], seq 546326696, ack 1995496357, win 60720, options [mss 1380,nop,nop,sackOK,nop,wscale 8], length 0

23:02:26.599510100 PktGroupId 1688849860264106, PktNumber 1, Appearance 2, Direction Rx , Type Ethernet , Component 32, ... <TRUNCATED FOR BREVITY>....
Here is what my PSPing looked like.
C:\Users\SecurityNik>psping.exe -t www.securitynik.com:443

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 172.217.2.115:443:
Infinite iterations (warmup 1) ping test:
Connecting to 172.217.2.115:443 (warmup): from 192.168.0.62:65066: 63.67ms

  Sent = 0, Received = 0, Lost = 0 (0% loss),
  Minimum = 0.00ms, Maximum = 0.00ms, Average = 0.00ms
Control-C
^C
Maybe you have learned about a specific session, on a particular pair of IP addresses and ports, that you should be monitoring. Specifically, let's say there is an SSH session between "192.168.0.62:53726" and "192.168.0.4:22", as shown by the "netstat" output below.
C:\Users\SecurityNik>netstat -anop tcp | findstr /i "est" | findstr ":22"
  TCP    192.168.0.62:53726     192.168.0.4:22         ESTABLISHED     23548
A filter such as the following can be used. Because two IP addresses and two ports are given, the filter reports packets that contain both addresses and both ports in either direction (NOTE1 in the help above), so we get both halves of the conversation with a single filter.
C:\Users\SecurityNik>pktmon filter add --ip-address 192.168.0.4 192.168.0.62 --transport-protocol tcp --port 53726 22
Filter added.
Starting the capture and looking at the results, we see.
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time
Active measurement started.
Processing...

10:25:13.196576300 PktGroupId 1688849860264110, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36

10:25:13.196581200 PktGroupId 1688849860264110, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36

10:25:13.196584200 PktGroupId 1688849860264110, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 32, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36

10:25:13.196585800 PktGroupId 1688849860264110, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36

...<TRUNCATED FOR BREVITY>...
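Two things from the filters above are worth internalizing before you capture on a busy host: a "-t TCP SYN" filter reports any packet with SYN set (so SYN/ACK as well), and NOTE1 means that two IPs or two ports are a "packet contains both, direction ignored" condition, not a source/destination pair. The following Python is an added example that models those documented matching rules so you can check what a filter set will and will not report; it is not pktmon's code and not the author's. It covers only the -i, -p and -t options, the "SSH-session" name is made up, and the packets are constructed to mirror the captures on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MAX_FILTERS = 8  # "Up to 8 filters can be active at once" (pktmon filter add help)


@dataclass(frozen=True)
class Filter:
    """A subset of 'pktmon filter add': -i ip [ip2], -p port [port2], -t proto [flags...]."""
    name: str
    ips: Tuple[str, ...] = ()                 # addresses or CIDR prefixes, at most two
    ports: Tuple[int, ...] = ()               # at most two
    proto: Optional[str] = None               # "TCP", "UDP", "ICMP", ...
    tcp_flags: FrozenSet[str] = frozenset()   # flags that must be set (others may be set too)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: FrozenSet[str] = frozenset()


def _ip_matches(addr: str, spec: str) -> bool:
    """Exact address or CIDR membership, as -i allows."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _endpoints_match(values, a, b, same) -> bool:
    """NOTE1 semantics: one value matches source OR destination; two values
    require the packet to contain both, with no regard to direction."""
    if not values:
        return True
    if len(values) == 1:
        return same(a, values[0]) or same(b, values[0])
    v1, v2 = values
    return (same(a, v1) and same(b, v2)) or (same(a, v2) and same(b, v1))


def matches(flt: Filter, pkt: Packet) -> bool:
    """Every condition of one filter must hold for that filter to report the packet."""
    if flt.proto is not None and flt.proto != pkt.proto:
        return False
    if flt.tcp_flags and not flt.tcp_flags <= pkt.flags:   # subset test: SYN also matches SYN/ACK
        return False
    if not _endpoints_match(flt.ips, pkt.src, pkt.dst, _ip_matches):
        return False
    if not _endpoints_match(flt.ports, pkt.sport, pkt.dport, lambda p, v: p == v):
        return False
    return True


def reported_by(filters: List[Filter], pkt: Packet) -> List[str]:
    """Names of the filters that would report this packet (matching any one is enough)."""
    if len(filters) > MAX_FILTERS:
        raise ValueError("pktmon allows at most %d active filters" % MAX_FILTERS)
    return [f.name for f in filters if matches(f, pkt)]


# Filters from this post, modelled with the options each one used.
FILTERS = [
    Filter("IP-TCP-SYN-443", ips=("172.217.2.115",), ports=(443,), proto="TCP",
           tcp_flags=frozenset({"SYN"})),
    Filter("SSH-session", ips=("192.168.0.4", "192.168.0.62"), ports=(53726, 22), proto="TCP"),
    Filter("MySubnet", ips=("10.10.10.0/24",)),   # example 3 from the help text
]

# Constructed packets mirroring the captures above (not taken from a real trace).
SYN = Packet("192.168.0.62", 65066, "172.217.2.115", 443, "TCP", frozenset({"SYN"}))
SYN_ACK = Packet("172.217.2.115", 443, "192.168.0.62", 65066, "TCP", frozenset({"SYN", "ACK"}))
ACK_ONLY = Packet("192.168.0.62", 65066, "172.217.2.115", 443, "TCP", frozenset({"ACK"}))
SSH_TX = Packet("192.168.0.62", 53726, "192.168.0.4", 22, "TCP", frozenset({"PSH", "ACK"}))
SSH_RX = Packet("192.168.0.4", 22, "192.168.0.62", 53726, "TCP", frozenset({"PSH", "ACK"}))
SSH_OTHER = Packet("192.168.0.4", 22, "192.168.0.62", 53727, "TCP", frozenset({"PSH", "ACK"}))
PING = Packet("10.10.10.5", None, "9.9.9.9", None, "ICMP")

if __name__ == "__main__":
    for label, pkt in [("SYN", SYN), ("SYN/ACK", SYN_ACK), ("ACK only", ACK_ONLY),
                       ("SSH tx", SSH_TX), ("SSH rx", SSH_RX), ("SSH other port", SSH_OTHER),
                       ("ping from subnet", PING)]:
        print("%-16s -> %s" % (label, reported_by(FILTERS, pkt) or "not reported"))
```

The SYN/ACK case is the one that surprises people: it is reported by the SYN filter because the flag list is a subset test. The "SSH-session" cases show why a two-address, two-port filter captures both directions but not a neighbouring connection on port 53727.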
At this point, we should have a good idea of how to capture packets at each layer of the TCP/IP model. We first captured at the link layer (a MAC address, then ARP). This was followed by the internet layer (ICMP to 9.9.9.9), then the transport layer (TCP SYNs to port 443), and finally a single established session identified by its address and port pair (53726 to 22), which is how you would isolate one application's traffic, SSH in this case.
Let's now write the capture out to log files, using the default name. The TCP SYN filter for 172.217.2.115:443 from earlier is active again:
C:\Users\SecurityNik>pktmon filter list
#  Name            EtherType  Protocol   IP Address     Port
-  ----            ---------  --------   ----------     ----
1  IP-TCP-SYN-443  IPv4       TCP (SYN)  172.217.2.115  443
Starting the capture in "multi-file" mode with a maximum file size of 1000 MB per file. In this mode a new, sequentially numbered file (PktMon1.etl, PktMon2.etl, ...) is created each time that size is reached, so nothing is overwritten, unlike the default circular mode.
C:\Users\SecurityNik>pktmon start --etw --log-mode multi-file --file-size 1000
Log file name:      C:\Users\SecurityNik\PktMon%d.etl
Logging mode:       Multifile
Maximum file size:  1000 MB
Active measurement started.
Now that the capture has started, let's look at the counters after generating some traffic to "www.securitynik.com" via "psping".
C:\Users\SecurityNik>psping.exe -t www.securitynik.com:443

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 172.217.2.115:443:
Infinite iterations (warmup 1) ping test:
Connecting to 172.217.2.115:443 (warmup): from 192.168.0.62:49688: 38.02ms
Connecting to 172.217.2.115:443: from 192.168.0.62:49689: 39.07ms
Looking at the counters. Now that a session is running they are no longer zero, and the per-component view shows which drivers the matched packets passed through in each direction.
C:\Users\SecurityNik>pktmon counters --show-hidden

Killer(R) Wi-Fi 6 AX1650s 160MHz Wireless Network Adapter (201D2W)
  Id  Name                        Counter  Direction  Packets  Bytes  |  Direction  Packets  Bytes
  --  ----                        -------  ---------  -------  -----  |  ---------  -------  -----
  33  Native WiFi Filter Driver   Upper    Rx         6        396    |  Tx         6        396
  32  VirtualBox NDIS Light-W...  Upper    Rx         6        396    |  Tx         6        396
  31  QoS Packet Scheduler        Upper    Rx         0        0      |  Tx         6        396

  90  TCPIP (NDIS)                Lower    Rx         6        396    |  Tx         6        396
  76  VMNETBRIDGE                 Lower    Rx         6        396    |  Tx         0        0
  75  NDISUIO                     Lower    Rx         6        396    |  Tx         0        0
  74  LLTDIO                      Lower    Rx         6        396    |  Tx         0        0
Let's now stop the capture.
C:\Users\SecurityNik>pktmon stop
Stopped active measurement.
Flushing logs...
Log file: C:\Users\SecurityNik\PktMon1.etl (No events lost)
Now that we have the file, let's convert it to two different formats. First, text. Looking at the help for "format" via "pktmon.exe format help":
C:\Users\SecurityNik>pktmon.exe format help
pktmon format log.etl [-o log.txt] [-b] [-v [level]] [-x] [-e] [-l [port]]

Convert log file to text format.

  -o, --out          Name of the formatted text file.
  -s, --stats-only   Display log file statistical information.

Network packet formatting options
  -b, --brief        Abbreviated packet format.
  -v, --verbose      Verbosity level [1..3].
  -x, --hex          Hexadecimal format.
  -e, --no-ethernet  Don't print ethernet header.
  -l, --vxlan        Custom VXLAN port.
Looking first at the statistics of the previously captured data in the "PktMon1.etl" file:
C:\Users\SecurityNik>pktmon format PktMon1.etl --stats-only --verbose
Processing...

Start time             2020-08-07 23:17:46.996574700
Stop time              2020-08-07 23:22:43.422846700
Events total           788
  Manifest-based events  788
  WPP events             0

Provider               Microsoft-Windows-PktMon
  Keywords               0000000000000012
  Manifest-based events  788
Sending the output to a text file named "securitynik-pktmon.txt":
C:\Users\SecurityNik>pktmon format PktMon1.etl --out securitynik-pktmon.txt --verbose
Processing...
Events formatted: 788
Formatted file: securitynik-pktmon.txt
Peeking into the "securitynik-pktmon.txt" file, we see the same event format as the real-time output, with the verbose IP header fields (tos, ttl, id, flags) added:
C:\Users\SecurityNik>type securitynik-pktmon.txt | more

23:20:28.736260500 PktGroupId 1407374883553375, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

23:20:28.736265200 PktGroupId 1407374883553375, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

... <TRUNCATED FOR BREVITY> ...
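Once the ETL has been formatted as text, the records are easy to post-process, which matters because every packet is logged once per component it crosses. The following Python is an added example, not part of the original post and not a Microsoft tool: it parses the header lines into records, collapses the appearances of each (PktGroupId, PktNumber) pair into a single packet carrying the list of component IDs it traversed, pulls out the IPv4 endpoints, and flags packets whose LoggedSize is smaller than OriginalSize, i.e. packets cut short by the default 128-byte "--packet-size". The sample text is constructed from the two events above plus a made-up SYN/ACK and a truncated data segment; feed it a real "pktmon format" output file instead.

```python
import re
from collections import Counter, OrderedDict

# Header line of every event in 'pktmon format' / real-time output.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) PktGroupId (?P<group>\d+), PktNumber (?P<num>\d+), "
    r"Appearance (?P<app>\d+), Direction (?P<dir>\w+)\s*,\s*Type (?P<type>\w+)\s*,\s*"
    r"Component (?P<comp>\d+), Edge (?P<edge>\d+), Filter (?P<filt>\d+), "
    r"OriginalSize (?P<osize>\d+), LoggedSize (?P<lsize>\d+)"
)
# IPv4 endpoints in the decoded packet text: "src[.port] > dst[.port]:"
FLOW_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:"
)
INT_FIELDS = ("group", "num", "app", "comp", "edge", "filt", "osize", "lsize")


def extract_flow(desc):
    """Return (src, sport, dst, dport) from decoded packet text, or None if it is not IPv4."""
    m = FLOW_RE.search(desc)
    if not m:
        return None
    sport = int(m["sport"]) if m["sport"] else None
    dport = int(m["dport"]) if m["dport"] else None
    return (m["src"], sport, m["dst"], dport)


def parse_pktmon_text(text):
    """One record per appearance: header fields plus the decoded packet text that follows it."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            for k in INT_FIELDS:
                rec[k] = int(rec[k])
            rec["desc"] = []
            records.append(rec)
        elif records and line.strip():
            records[-1]["desc"].append(line.strip())
    for rec in records:
        rec["desc"] = " ".join(rec["desc"])
        rec["flow"] = extract_flow(rec["desc"])
        rec["truncated"] = rec["lsize"] < rec["osize"]   # bytes lost to --packet-size
    return records


def unique_packets(records):
    """Collapse appearances: one entry per (PktGroupId, PktNumber), keeping the component path."""
    packets = OrderedDict()
    for rec in records:
        key = (rec["group"], rec["num"])
        pkt = packets.setdefault(key, {
            "ts": rec["ts"], "dir": rec["dir"], "flow": rec["flow"],
            "truncated": rec["truncated"], "path": [],
        })
        pkt["path"].append(rec["comp"])
    return packets


def flow_counts(packets):
    """Unique packets per IPv4 flow, i.e. the count a wire-level capture would have shown."""
    return Counter(p["flow"] for p in packets.values())


# Constructed sample: the two SYN appearances from the post, a made-up SYN/ACK, and a
# made-up 1514-byte segment logged with the default 128-byte packet size.
SAMPLE = """\
23:20:28.736260500 PktGroupId 1407374883553375, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:20:28.736265200 PktGroupId 1407374883553375, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:20:28.775100000 PktGroupId 1688849860264200, PktNumber 1, Appearance 1, Direction Rx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 52)
172.217.2.115.443 > 192.168.0.62.49684: Flags [S.], seq 546326696, ack 3212292089, win 60720, options [mss 1380,nop,nop,sackOK,nop,wscale 8], length 0
23:20:29.100000000 PktGroupId 1688849860264201, PktNumber 1, Appearance 1, Direction Rx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 1514, LoggedSize 128
F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 54, id 1, offset 0, flags [DF], proto TCP (6), length 1500)
172.217.2.115.443 > 192.168.0.62.49684: Flags [P.], seq 1:1449, ack 1, win 238, length 1448
"""

if __name__ == "__main__":
    packets = unique_packets(parse_pktmon_text(SAMPLE))
    for (group, num), p in packets.items():
        print(p["ts"], p["dir"], p["flow"], "path", p["path"],
              "TRUNCATED" if p["truncated"] else "")
    print(flow_counts(packets))
```

On a real file, a large share of "truncated" packets is the cue to re-run the capture with "--packet-size 0"; the path list tells you at which component a packet was last seen, which is the same information the "comp counters" view gives in aggregate.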
Let's now get the "PktMon1.etl" file to our analysis machine where we have TShark/Wireshark installed. Here we once again do some conversion, this time to pcapng.
As always, looking at the help.
C:\Users\SecurityNik>pktmon pcapng help
pktmon pcapng log.etl [-o log.pcapng]

Convert log file to pcapng format. Dropped packets are not included by default.

  -o, --out           Name of the formatted pcapng file.
  -d, --drop-only     Convert dropped packets only.
  -c, --component-id  Filter packets by a specific component ID.
Let's now convert the file.
C:\Users\SecurityNik>pktmon pcapng PktMon1.etl --out securitynik-pktmon.pcapng
Processing...
Packets total:     60
Packet drop count: 0
Packets formatted: 60
Formatted file: securitynik-pktmon.pcapng
Reading the packets with TShark. Note that frames 2, 3 and 4 are the same SYN as frame 1 (same ports, same Seq=0): the pcapng contains one frame per appearance, just like the ETL, which is why TShark flags them as "[TCP Out-Of-Order]". If you want one frame per packet, convert with "--component-id" set to a single component (for example the adapter's ID from "pktmon comp list"), as the pcapng help above describes.
C:\Users\SecurityNik>"c:\Program Files\Wireshark\tshark.exe" -r securitynik-pktmon.pcapng -n | more
    1   0.000000 192.168.0.62 → 172.217.2.115 TCP 66 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    2   0.000005 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    3   0.000006 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    4   0.000008 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
... <TRUNCATED FOR BREVITY> ...
Looking at the protocol hierarchy in TShark. All 60 frames are TCP, as expected for a filter that only admits TCP SYN traffic to 172.217.2.115:443.

C:\Users\SecurityNik>"c:\Program Files\Wireshark\tshark.exe" -r securitynik-pktmon.pcapng -n -z io,phs -q

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:60 bytes:3960
  ip                                     frames:60 bytes:3960
    tcp                                  frames:60 bytes:3960
===================================================================
Well, that's it for this post. I believe this to be the most comprehensive walkthrough of Microsoft's new packet capture utility on Windows as of the time of writing.
References: