In the previous parts of this series of articles on the Windows built-in packet sniffer tool, PKTMON, we have examined how to view packets directly on the command line, as well as how to capture to a file that can later be exported to Wireshark.
However, there are occasions where neither of these options is required. We might not be interested in the exact details of the traffic, such as the sender or the destination. Instead, we might just want to quickly verify that a certain type of traffic is arriving at the server.
On a Windows server, the classic Task Manager network view provides a helpful overview of the total network traffic on the machine. However, it cannot break that traffic down by protocol.
With PKTMON, it is possible to instruct the tool not to write any packets to a log file and not to display them live. Instead, we can configure the tool to only maintain packet counters for the traffic we are interested in.
To use the PKTMON counters-only mode, we have four prerequisites:
- Know what traffic we are interested in and the corresponding details, i.e., the TCP or UDP port number for the particular protocol, or the IP address of a certain partner machine, etc. With this knowledge, we must apply the correct filters.
- Locate the component id number for the network interface card.
- Start the capture in the counters-only mode.
- Initiate the display of the counters in live mode.
Step 1:
Assume we are interested in RDP traffic on a particular server. RDP uses port TCP/3389.
Clear the current filters and apply the new one:
pktmon filter remove
pktmon filter add -t TCP -p 3389
Please see this article for the full details of constructing filters for PKTMON.
Step 2:
Locate the component number for the NIC.
Run the following command:
pktmon comp list
Make a note of the number on the left side of the interface. If the server has more than one network interface card, compare the MAC addresses with data from, e.g., ipconfig /all to identify the correct adapter.
Note that the component numbers of the NICs are not persistent across server reboots, so repeat this step after every restart.
Step 3:
To start the capture without any log file or display of the packet details, use the following command:
pktmon start -c -o --comp <Interface-id>
(If the output states that pktmon is already running, first use pktmon stop.)
Nothing visible happens at this point, but the capture has started, just without any storage to file or display of the packet details.
The -o parameter instructs the PKTMON tool to only collect counters.
Step 4:
To initiate the display of the counters in a live mode, run the following command:
pktmon counters --live --refresh-rate 1 -z -t flow
- --live Display the counters live and refresh automatically.
- --refresh-rate The number of seconds between refreshes. The default value is 10.
- -z Display the output even if the counters are still zero.
- -t flow Only display normal incoming and outgoing packet flows (not drops).
The live output is now displayed and automatically refreshed. The counters include only traffic matching the currently applied filters.
Note that the counters display the number of matches since the pktmon start command, not since, for example, the last server reboot.
Quit the display with CTRL+C.
Note that this will not terminate the counter capturing. You can, at any time, return to the live output with the same command:
pktmon counters --live --refresh-rate 1 -z -t flow
When you are satisfied with the counter information, stop PKTMON with the command:
pktmon stop
The counters-only output mode can be very useful when you don’t need to store the data for offline analysis, nor display the packet details directly on the command line. Suppose you have a new system running on a particular port, say TCP/443, and want to visually verify you receive incoming traffic to this service.
Run the following commands:
pktmon filter remove
pktmon filter add -t TCP -p 443
pktmon comp list
pktmon start -c -o --comp <Interface-id>
pktmon counters --live --refresh-rate 1 -z -t flow
As another example, assume a new DNS server has recently been added to the DHCP client scope options and you would like to verify that DNS traffic actually occurs. Use this filter:
pktmon filter add -t UDP -p 53
At times, you might only be interested in seeing the number of new TCP sessions being established to a particular service, not the total number of packets carrying data. If so, you can instruct the filter to only track the session start, with the option TCP SYN.
pktmon filter remove
pktmon filter add -t TCP SYN -p 443
The live counters for RX (receive) will now display the number of new TCP sessions set up since the PKTMON capture start. Because the filter matches any packet with the SYN flag, the TX (transmit) counter will also increase for the server's own SYN-ACK replies, so the RX column is the one to read.
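The four-step procedure and the SYN-only variant above, wrapped as an added PowerShell example (not from the article). It assumes an elevated session, that Get-NetAdapter (the built-in NetAdapter module) can resolve the adapter by name, and that pktmon comp list prints one table row per adapter with the component id first and the MAC address on the same line; older builds that print a multi-line block per component will make the lookup fail with a message instead of guessing an id.

```powershell
# Added example, not part of the original article.
# Assumption: `pktmon comp list` prints one row per adapter, id first, MAC on the same line.

function Get-PktmonComponentId {
    param([Parameter(Mandatory)][string]$AdapterName)
    # Get the MAC from the OS (dashed form, e.g. 00-15-5D-01-02-03), as pktmon prints it.
    $mac = (Get-NetAdapter -Name $AdapterName -ErrorAction Stop).MacAddress
    $pattern = '^\s*(\d+)\s+.*' + [regex]::Escape($mac)   # leading id ... MAC later on the row
    foreach ($line in (pktmon comp list)) {
        if ($line -match $pattern) { return [int]$Matches[1] }
    }
    throw "No pktmon component row found for MAC $mac; run 'pktmon comp list' manually (Step 2)."
}

function Start-PktmonCounters {
    param(
        [Parameter(Mandatory)][string]$AdapterName,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP',
        [Parameter(Mandatory)][int]$Port,
        [switch]$SynOnly   # count new TCP sessions (SYN) instead of every packet
    )
    $id = Get-PktmonComponentId -AdapterName $AdapterName   # Step 2, ids change per reboot

    pktmon stop | Out-Null            # harmless if no capture is running
    pktmon filter remove | Out-Null   # Step 1: start from an empty filter set
    if ($SynOnly) {
        pktmon filter add -t TCP SYN -p $Port | Out-Null
    } else {
        pktmon filter add -t $Protocol -p $Port | Out-Null
    }

    pktmon start -c -o --comp $id | Out-Null   # Step 3: counters only, no log file
    Write-Host "Counting $Protocol/$Port on component $id. Ctrl+C leaves the capture running; 'pktmon stop' ends it."
    pktmon counters --live --refresh-rate 1 -z -t flow   # Step 4: live view
}

# Usage (assumed adapter name 'Ethernet'): verify new TLS sessions reach port 443.
# Start-PktmonCounters -AdapterName 'Ethernet' -Port 443 -SynOnly
```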
To learn how to capture CDP and LLDP discovery frames, please see the next article in the series.