A network sniffer, or packet sniffer, is an application that monitors the network activity of a device at the level of individual packets. For network engineers and security researchers in particular, such a tool is very useful for analyzing what is running on the network, seeing which programs are using it, and even seeing network communications that are sent in clear text.
Windows 10 Network Sniffer Application
Network engineers and security researchers generally use Wireshark, a popular packet sniffer that has been available for a long time. But did you know that Windows 10 itself ships with a similar tool?
Starting with the Windows 10 October 2018 Update (Windows 10 1809), Microsoft quietly added a new network diagnostic tool and packet sniffer called ‘pktmon’. The executable lives at C:\Windows\System32\pktmon.exe.
Its description reads “Internal packet propagation and packet drop report monitors”, which indicates that the tool is designed for diagnosing network problems.
As Bleeping Computer reports, this tool is not documented on the Microsoft site, so to use it users have to explore it, learn it, and keep testing it directly.
How to access it?
To open ‘pktmon’, open Command Prompt or PowerShell and simply enter the command ‘pktmon’ (without quotes); you have access to it straight away.
Helpfully, the tool also provides a help command that lets users learn their way around this network sniffer.
Improved in Windows 10 2004
Windows 10 2004 will be released in the coming weeks, and besides the major, visible features it brings, this hidden packet sniffer has also been updated with real-time monitoring support and pcapng support, that is, the ability to convert ETL files to the pcapng format.
To use ‘pktmon’ in real-time mode, add the argument -l real-time at the end of the command. As an example, here I capture and monitor traffic on the network I am currently using.
I use the command pktmon start -etw -p 0 -c 13 -l real-time, where the -p 0 argument captures the entire packet, the -c 13 argument is the id of the network device (Realtek Ethernet) that I use (you can see it with the command pktmon comp list), and the -l real-time argument displays packets in real time, which works here because I happen to be running Windows 10 2004.
Viewed like this, the output will confuse anyone who is not a real expert in network research. With the pcapng support that arrives in Windows 10 2004, however, we can convert this confusing output so that network communications can be viewed and identified in a better way.
For example, to save the results of the capture above, we can use the command pktmon format PktMon.etl -o namafileftp.txt, but even then the output is still quite difficult and confusing to read, because it is only a summary of the network traffic.
To open it up more clearly, we can use the command pktmon pcapng PktMon.etl -d to convert the ETL file to pcapng.
Once the capture has been converted to pcapng, we can view it much more clearly in Wireshark or Microsoft Network Monitor, which can be downloaded from the following page. Here is an example.
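The whole workflow described above, as an added PowerShell example that is not code from the original article: it runs pktmon with a port filter, captures for a fixed time, and converts the resulting ETL file to both the text summary and pcapng. It assumes Windows 10 2004 or later, an elevated prompt, the subcommands and flags shown in the article (comp list, start -etw -p 0 -c <id>, format -o, pcapng) plus pktmon filter add -p <port> and pktmon stop from the same tool; the component id 13 and the FTP ports are constructed values to replace with your own.

```powershell
# Added example, not from the original article. Assumes Windows 10 2004+, an
# elevated prompt, and the pktmon subcommands listed in the lead-in.
# Component id 13 and ports 20/21 are constructed placeholders: replace them.
param(
    [int]$ComponentId = 13,               # adapter id from 'pktmon comp list'
    [int[]]$Ports = @(20, 21),            # FTP data/control, a cleartext protocol
    [int]$Seconds = 60,                   # how long to capture
    [string]$OutDir = "$env:TEMP\pktmon-capture"
)

# pktmon refuses to start a capture without administrator rights.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "pktmon needs an elevated prompt." }

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
Push-Location $OutDir          # PktMon.etl is written to the current directory
try {
    # Start from a clean state: a filter left over from an earlier session would
    # silently narrow this capture.
    pktmon stop 2>$null | Out-Null
    pktmon filter remove | Out-Null
    foreach ($p in $Ports) { pktmon filter add -p $p | Out-Null }
    pktmon filter list

    # -p 0 keeps whole packets instead of truncated headers. The real-time log
    # mode is deliberately left out here: it streams to the console instead of
    # leaving an ETL file behind for conversion.
    pktmon start -etw -p 0 -c $ComponentId
    Start-Sleep -Seconds $Seconds
    pktmon stop

    # Text summary (hard to read) and pcapng (open in Wireshark), as in the article.
    pktmon format PktMon.etl -o capture.txt
    pktmon pcapng PktMon.etl -o capture.pcapng
    Get-ChildItem capture.txt, capture.pcapng | Select-Object Name, Length
}
finally {
    pktmon filter remove | Out-Null   # never leave the port filter behind
    Pop-Location
}
```

Run it as `.\capture.ps1 -ComponentId <id> -Ports 80,443 -Seconds 30` to capture different ports on the adapter you picked from pktmon comp list.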
The benefits of this hidden network sniffer?
For ordinary users like us it may not be very useful, but for advanced network engineers and security researchers this tool is of course very useful in supporting their work.
Once again, because this hidden network sniffer is still something of a mystery, with no full explanation even on the Microsoft site, both network engineers and security researchers will have to go the extra mile and spend some time studying the tool.