RICKARD NOBEL AB

PKTMON – the native Windows packet capture tool – part 1

Posted on December 29, 2023, updated February 7, 2024, by Rickard Nobel

The most detailed guide to the PKTMON tool on the Internet:

Many administrators are familiar with packet capture tools such as Wireshark. These tools offer excellent capabilities to capture network packets and analyze their content. However, the main disadvantage is that the software is not included in the Windows Server operating system by default. To use Wireshark, the administrator must install the third-party software package on the server. Depending on the change-control policy in the organization, this could be difficult or impossible to accomplish.

Additionally, consultants conducting temporary troubleshooting, for example, often prefer not to require new software to be installed in the customer's production environment.

In Linux / Unix operating systems, the classic TCPDUMP command is often included by default. This utility provides the administrator with an out-of-the-box option to conduct basic network troubleshooting without additional software.

For a long time, a similar ability has been lacking in the Windows operating system. However, in the past few years, Microsoft has silently added a comparable tool to both the client and server operating system platforms. This command line tool is called:

PKTMON

The PKTMON tool is installed by default on Windows Server 2019 and 2022. It is also available on Windows 10 versions later than 1809, as well as on Windows 11.

The tool requires no installation of downloaded software, nor the addition of any new "roles and features."

You can verify the presence of PKTMON on a system by running the following in an elevated Command Prompt or PowerShell window:

pktmon status

If we receive an error message, the tool is not available on the system. If we see the following output, the tool is installed and ready to be used.
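The verification step above, wrapped in a small PowerShell check, as an added example that is not from the original post. The function name Test-Pktmon is this example's own choice; it assumes a Windows host and reports whether the prompt is elevated, whether pktmon.exe resolves, and what "pktmon status" returns.

```powershell
# Added example (not from the original post): check whether PKTMON is present
# and usable on this host, and capture what "pktmon status" reports.
# The function name Test-Pktmon is an assumption of this example.
function Test-Pktmon {
    [CmdletBinding()]
    param()

    # The post runs pktmon from an elevated prompt, so report elevation first
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # pktmon.exe ships in System32 on supported builds; Get-Command resolves it via PATH
    $cmd  = Get-Command pktmon.exe -ErrorAction SilentlyContinue
    $path = if ($cmd) { $cmd.Source } else { $null }

    $result = [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        OSBuild      = [System.Environment]::OSVersion.Version.Build
        IsElevated   = $elevated
        PktmonPath   = $path
        StatusExit   = $null
        StatusOutput = $null
    }

    if (-not $cmd) {
        # Matches the post: an error for "pktmon" means the tool is not on this build
        Write-Warning "pktmon.exe not found: PKTMON is not available on this system."
        return $result
    }
    if (-not $elevated) {
        Write-Warning "Not elevated: re-run 'pktmon status' from an administrator prompt."
        return $result
    }

    # Capture stdout and stderr together; a non-zero exit code means the tool
    # is present but could not report its status
    $output = & $cmd.Source status 2>&1
    $result.StatusExit   = $LASTEXITCODE
    $result.StatusOutput = ($output | Out-String).Trim()
    return $result
}

Test-Pktmon | Format-List
```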

Please note that the command line syntax has changed significantly during the short lifetime of PKTMON. Unfortunately, this means that some of the early blog posts on the Internet are no longer correct. Additionally, even some online documentation from Microsoft is not fully updated and contains syntax that is no longer functional.

In this series of articles, the following information will be presented:

Part 2: Building the capture filters.

Part 3: Using PKTMON in a tcpdump-like mode.

Part 4: Summary of using PKTMON on the command line.

Part 5: Capture packets for offline analysis with Wireshark.

Part 6: View live counters on the command line.

Part 7: View CDP and LLDP on the Windows command line.

Part 8: Analyze packets in text format.

Part 9: Troubleshooting DNS with PKTMON.

Part 10: Troubleshooting TCP with PKTMON.

7 thoughts on “PKTMON – the native Windows packet capture tool – part 1”

  1. David Lui says:
    May 22, 2024 at 10:16

    These are very useful tools and information.

    Thanks Rickard.

  2. Anders Jönsson says:
    September 12, 2024 at 14:35

    Excellent series about pktmon, the best yet 🙂

    1. Rickard Nobel says:
      October 22, 2024 at 11:21

      I am glad to hear that, Anders. Thanks for your comment!

  3. Pingback: Windows Paketmitschnitt - PktMon.exe - Maximilian Krieg
  4. The cat made me do it says:
    January 29, 2025 at 01:08

    This is a great series of articles. Many thanks for taking the time to write them!
    Handy reference & bookmarked for future reference.
    Will share with others

  5. Lukas Liebig says:
    February 20, 2025 at 12:27

    Hi Rickard,

    an excellent series – thank you! I found your blog during some investigations on pktmon, due to its relatively sparsely documented nature. I got a few insights, especially in the last parts. By the way, where is part 8? 😉

    Regards, Lukas

    1. Rickard Nobel says:
      March 31, 2025 at 21:57

      Hi Lukas, and thanks for your comment!

      Additionally, thanks for reminding me of the part 8 – I will make it ready as well. 🙂



©2021 RICKARD NOBEL AB