How to Use Pktmon, the Windows Network Monitor

Windows 10 is today the most used operating system on desktop computers. This means that when a new tool or feature appears, many users can benefit. As we know, there are many external programs that allow us to have control over our network, such as analyzing packets. However, in this tutorial we are going to talk about Pktmon , which is a network monitor that has been integrated into the operating system itself for some updates.

Pktmon, the Windows 10 network monitor

As we say, there are many external tools that we can install in Windows 10 to have greater control over our network and the different aspects that surround it. But we can also find some functions that are integrated into the operating system itself and that do not need to be installed.


That is the case with Pktmon. It is a network monitor that we can use in the popular Microsoft operating system. We do not need to install anything additional, since since the update version of Windows 10 October 2018 it is integrated.

What is Pktmon for? We can say that it is a packet monitor that allows us to trace networks, control the network traffic that flows through the devices down to the level of individual packets.

Keep in mind that since it was added to Windows 10 with the October 2018 update until now it has added some new capabilities. Previously it only supported the event tracking log format, which is a Microsoft proprietary logging system. Later it also added support for PCAPNG log files and real-time monitoring.

How to use Pktmon in Windows 10

Using Pktmon in Windows 10 is very simple. To do this, the first thing we have to do is start the Command Prompt. We have to do it with administrator privileges. If we run pktmon help we will get help on the different options of this tool.

Usar Pktmon

There it will show us different subcommands. Also, we can get help from each of those subcommands. For example, you should use pktmon filter help .

We can create a filter to monitor the traffic. For this we can use the command filter and -i or monitor DNS traffic with pktmon filter add -t UDP -p 53. You can see the examples in the image below.

Crear filtro en Pktmon

For example, if we want to monitor all DNS traffic on all network interfaces and show the activity in real time, we must execute the command pktmon start –etw -p 0 -l real-time.

We can specify if we want to monitor all the packages or only a specific one through the different arguments that we can obtain in the help section. Once it begins to monitor all the traffic, we will see that it captures all the DNS packets and shows them in the terminal in real time.

To stop monitoring we have to press the key combination Ctrl + C. Later there will be a PktMon.etl registry file created in the folder where we have executed it. We can create a PCAPNG file through the pktmon pcapng command. For example, to convert the PktMon.etl file we would have to execute the command pktmon pcapng PktMon.etl -o PktMon.pcapng.

We can pass all this information that we obtain to a program like Wireshark and in this way obtain more detailed data on DNS requests.

In short, as we have seen, Pktmon is an interesting tool that we can use in Windows 10. It comes integrated with the operating system itself and we do not need to install anything additional. It is easy to use and provides data that can be very useful to have greater control of our network and monitor packets.

We recommend using the help command for each of the elements it offers and thus obtain more information about its use and the range of possibilities it offers. It is a fairly complete feature, although it does not have a graphical interface like other similar programs that we can install from third-party sources in the Microsoft operating system. However, it is a good complement to use this type of tool.

Join The Discussion

This site uses Akismet to reduce spam. Learn how your comment data is processed.