A Network Sniffer or Packet Sniffer is an application that can monitor the network activity running on a device at the level of each packet. For some people, especially network engineers and security researchers, such an application is very useful for analyzing what is running on the network, seeing which types of programs are being used on the network, and even seeing network communications sent in clear text.
Windows 10 Network Sniffer Application
Generally, network engineers and security researchers use Wireshark, a popular Packet Sniffer application that has been available for a long time. But did you know that Windows 10 itself actually has a similar application?
Starting with the Windows 10 October 2018 Update, or Windows 10 1809, Microsoft quietly added a new network diagnostic tool and packet sniffer program called ‘pktmon’; the application is located at C:\Windows\system32\pktmon.exe.
Its description, “Internal packet propagation and packet drop report monitors”, shows that the application is designed to diagnose network problems.
As Bleeping Computer reports, this application is not mentioned on the Microsoft site, so to use it users must explore, learn and keep testing directly in the application.
How to access it?
To open ‘pktmon’, users can use the Command Prompt or PowerShell: simply enter the command ‘pktmon’ without quotes and you can access it immediately.
Quite helpfully, this tool also provides a help command that lets users learn about this network sniffer tool.
Improved in Windows 10 2004
Windows 10 2004 will be released in the coming weeks, and besides bringing major features that can be seen directly, this hidden packet sniffer tool has also been updated with real-time monitoring support and pcapng support, namely the ability to convert ETL files to pcapng format.
To access ‘pktmon’ real-time scanning, users can add the argument -l real-time at the end of the command. For example, here I will retrieve data and monitor the network that I am currently using.
I use the command pktmon start -etw -p 0 -c 13 -l real-time, where the -p 0 argument is used to capture the entire packet, the -c 13 argument is the id of the network device (Realtek Ethernet) that I use (you can see it via the command pktmon comp list), and the -l real-time argument views and displays packets in real-time, because by chance I am also using Windows 10 2004.
When viewed, the results displayed will be confusing to anyone except those who are true experts in network research, but with the PCAPNG support that arrived in Windows 10 2004, we can convert these confusing results so that we can later see and identify network communications in a better way.
For example, to save the results of the scanning process above, we can use the command pktmon format PktMon.etl -o namafileftp.txt, but even so, it is still quite difficult and confusing to read because only a summary of the network traffic is provided.
To see it more clearly, we can use the command pktmon pcapng PktMon.etl -d to convert the ETL file to pcapng.
Then, after the capture has been converted to PCAPng, we can view it more clearly using Wireshark or Microsoft Network Monitor, which can be downloaded from the following page. Here is an example.
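The whole workflow above (list adapters, capture, format, convert) can be run as one script from an elevated PowerShell; this is an added example, not code from the article or from Microsoft. The component id, capture length, port filter and output names are my assumptions, and since flag spellings changed between Windows 10 builds, pktmon help is the authority if a step is rejected.

```powershell
# Added example: automate the pktmon capture -> format -> pcapng workflow
# described in the article. Run from an elevated PowerShell on Windows 10 2004.
# Assumptions: component id 13 (the article's adapter), a 30 s capture and a
# filter on FTP ports 20/21 are placeholders; adjust them for your machine.

param(
    [int]$ComponentId = 13,     # adapter id as shown by 'pktmon comp list'
    [int]$Seconds     = 30      # how long to capture before stopping
)

# 1. Show the registered components so the adapter id can be confirmed
pktmon comp list

# 2. Start from a clean state: remove filters left over from an earlier run
pktmon filter remove

# 3. Keep only clear-text FTP control/data traffic (ports 20 and 21).
#    Narrowing the capture is what makes the trace readable afterwards.
pktmon filter add -p 20 21

# 4. Capture whole packets (-p 0) on the chosen adapter; the trace is
#    written to PktMon.etl in the current directory.
pktmon start --etw -p 0 -c $ComponentId
Start-Sleep -Seconds $Seconds
pktmon stop

# 5. Text summary (hard to read, as the article notes) ...
pktmon format PktMon.etl -o PktMon.txt
# ... and a pcapng file for Wireshark or Microsoft Network Monitor
pktmon pcapng PktMon.etl -o PktMon.pcapng

# 6. Remove the filter so the next capture is not silently narrowed
pktmon filter remove

# 7. Confirm both outputs exist and are non-empty before opening them
Get-Item PktMon.txt, PktMon.pcapng | Select-Object Name, Length
```

Leaving a filter in place is the most common reason a later capture looks empty, which is why the script removes it both before and after the run.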
The benefits of this hidden network sniffer?
For normal users like us it might not be very useful, but for the Advanced Network Engineer and Security Researcher this tool is, of course, very useful in supporting their work.
Once again, because this hidden Network Sniffer is still mysterious and there is not even a full explanation on the Microsoft site, both the Network Engineer and the Security Researcher must go the extra mile and spend a little time studying the tool.