Recently, while doing some unrelated research, I came across this link from www.bleepingcomputer.com about Windows having a built-in sniffer. I am aware of being able to use "netsh trace" to perform packet capturing, but this seems like a better option. I may be wrong. Windows having a built-in sniffer is a good thing, as most of us who work with Linux are accustomed to having "tcpdump" there by default in most cases. What I like about the "pktmon.exe" version on my Windows 10 (2004) is that it supports the pcapng format.
Here is Microsoft's note on pktmon.exe.
"Packet Monitor (PacketMon) is an in-box cross-component network diagnostics tool for Windows. It can be used for packet capture, packet drop detection, packet filtering and counting. The tool is especially helpful in virtualization scenarios like container networking, SDN, etc. It is available in-box via pktmon.exe command, and via Windows Admin Center extensions."
In this post, I will be walking through "pktmon" with as much detail as possible. Most of the resources I found online basically gave a somewhat superficial view of this tool. My intention is to make this your one-stop shop for how to use Packet Monitor.
First up, we need to ensure our terminal is running with elevated privileges.
Once in the elevated terminal, let's look at the help.
C:\Users\SecurityNik>pktmon help
pktmon { filter | comp | reset | start | stop } [OPTIONS | help]

Monitor internal packet propagation and packet drop reports.

Commands
  filter    Manage packet filters.
  comp      Manage registered components.
  reset     Reset counters to zero.
  start     Start packet monitoring.
  stop      Stop monitoring.
  format    Convert log file to text.
  pcapng    Convert log file to pcapng format.
  unload    Unload PktMon driver.
  help      Show help text for a command.
C:\Users\SecurityNik>pktmon filter help
pktmon filter { list | add | remove } [OPTIONS | help]

Commands
  list      Display active packet filters.
  add       Add a filter to control which packets are reported.
  remove    Removes all filters.
  help      Show help text for a command.
C:\Users\SecurityNik>pktmon comp help
pktmon comp { list | counters } [OPTIONS | help]

Commands
  list      List all active components.
  counters  Display current per-component counters.
  help      Show help text for a command.
C:\Users\SecurityNik>pktmon comp list help
pktmon [comp] list

List all active components.

  -i, --show-hidden   Show components that are hidden by default.
  --json              Output the list in JSON format.
C:\Users\SecurityNik>pktmon comp list --show-hidden | more
VirtualBox Host-Only Ethernet Adapter
  Id:           13
  Driver:       VBoxNetAdp6.sys
  MAC Address:  0A-00-27-00-00-05
  ifIndex:      5

  Filter Drivers:
    Id  Driver       Name
    --  ------       ----
    38  wfplwfs.sys  WFP Native Filter
    36  pacer.sys    QoS Packet Scheduler
    35  wfplwfs.sys  WFP 802.3 Filter

  Protocols:
    Id  Driver           Name         EtherType
    --  ------           ----         ---------
    96  tcpip.sys        TCPIP6       IPv6
    91  tcpip.sys        TCPIP        ARP, IPv4
    84  mslldp.sys       MSLLDP       LLDP
    83  rspndr.sys       RSPNDR       VLAN, LLTD
    82  vmnetbridge.sys  VMNETBRIDGE  * (All)
    81  ndisuio.sys      NDISUIO      88c7, VLAN, 802.1X
    80  lltdio.sys       LLTDIO       * (All)

  Application Protocols:
    Id   Driver    Name  IP Address
    --   ------    ----  ----------
    107  http.sys  HTTP  fe80::910f:2448:7235:77be
    101  http.sys  HTTP  10.0.0.1
... <TRUNCATED FOR BREVITY> ...
C:\Users\SecurityNik>pktmon comp counters help
pktmon [comp] counters [-t { all | drop | flow }] [-z] [--json]

Display current per-component counters.

  -t, --counter-type  Select which types of counters to show. Supported values
                      are all counters (default), drops only, or flows only.
  -z, --show-zeros    Show counters that are zero in both directions.
  -i, --show-hidden   Show components that are hidden by default.
  --json              Output the counters in JSON format.
C:\Users\SecurityNik>pktmon comp counters --counter-type all --show-hidden
All counters are zero.
C:\Users\SecurityNik>pktmon filter list
There are no packet filters.
C:\Users\SecurityNik>pktmon filter add help
pktmon filter add <name> [-m mac [mac2]] [-v vlan] [-d { IPv4 | IPv6 | number }]
                  [-t { TCP [flags...] | UDP | ICMP | ICMPv6 | number }]
                  [-i ip [ip2]] [-p port [port2]] [-e [port]]

Add a filter to control which packets are reported. For a packet to be reported,
it must match all conditions specified in at least one filter. Up to 8 filters
can be active at once.

NOTE1: When two MACs (-m), IPs (-i), or ports (-p) are specified, the filter
       matches packets that contain both. It will not distinguish between source
       or destination for this purpose.

  name                      Optional name or description of the filter.

Ethernet frame
  -m, --mac[-address]       Match source or destination MAC address. See NOTE1 above.
  -v, --vlan                Match by VLAN Id (VID) in the 802.1Q header.
  -d, --data-link[-protocol], --ethertype
                            Match by data link (layer 2) protocol. Can be IPv4, IPv6,
                            ARP, or a protocol number.

IP header
  -t, --transport[-protocol], --ip-protocol
                            Match by transport (layer 4) protocol. Can be TCP, UDP,
                            ICMP, ICMPv6, or a protocol number. To further filter TCP
                            packets, an optional list of TCP flags to match can be
                            provided. Supported flags are FIN, SYN, RST, PSH, ACK,
                            URG, ECE, and CWR.
  -i, --ip[-address]        Match source or destination IP address. See NOTE1 above.
                            To match by subnet, use CIDR notation with the prefix length.

TCP/UDP header
  -p, --port                Match source or destination port number. See NOTE1 above.

Encapsulation
  -e, --encap               This filter also applies to encapsulated inner packets,
                            in addition to the outer packet. Supported encapsulation
                            methods are VXLAN, GRE, NVGRE, and IP-in-IP. Custom VXLAN
                            port is optional, and defaults to 4789.

Example 1: Ping filter
  pktmon filter add MyPing -i 10.10.10.10 -t ICMP
Example 2: TCP SYN filter for SMB traffic
  pktmon filter add MySmbSyn -i 10.10.10.10 -t TCP SYN -p 445
Example 3: Subnet filter
  pktmon filter add MySubnet -i 10.10.10.0/24
C:\Users\SecurityNik>pktmon filter add VBox-Mac --mac 0A-00-27-00-00-05
Filter added.
C:\Users\SecurityNik>pktmon filter list
 #  Name      MAC Address
 -  ----      -----------
 1  VBox-Mac  0A-00-27-00-00-05
C:\Users\SecurityNik>pktmon start help
pktmon start [-c { all | nics | [ids...] }] [-d] [--etw [-p size] [-k keywords]]
             [-f] [-s] [--log-mode {circular | multi-file | real-time | memory}]

Start packet monitoring.

  -c, --components    Select components to monitor. Can be all components, NICs
                      only, or a list of component ids. Defaults to all.
  -d, --drop-only     Only report dropped packets. By default, successful packet
                      propagation is reported as well.

ETW Logging
  --etw               Start a logging session for packet capture.
  -p, --packet-size   Number of bytes to log from each packet. To always log the
                      entire packet, set this to 0. Default is 128 bytes.
  -k, --keywords      Hexadecimal bitmask (i.e. sum of the below flags) that
                      controls which events are logged. Default is 0x012.
                      Flags:
                        0x001 - Internal Packet Monitor errors.
                        0x002 - Information about components, counters and filters.
                                This information is added to the end of the log file.
                        0x004 - Source and destination information for the first
                                packet in NET_BUFFER_LIST group.
                        0x008 - Select packet metadata from NDIS_NET_BUFFER_LIST_INFO
                                enumeration.
                        0x010 - Raw packet, truncated to the size specified in
                                [--packet-size] parameter.
  -f, --file-name     .etl log file. Default is PktMon.etl.
  -s, --file-size     Maximum log file size in megabytes. Default is 512 MB.
  -l, --log-mode      Select logging mode. Default is circular.
                        circular    New events overwrite the oldest ones when the
                                    maximum file size is reached.
                        multi-file  A new log file is created when the maximum file
                                    size is reached. Log files are sequentially
                                    numbered. PktMon1.etl, PktMon2.etl, etc.
                        real-time   Display events and packets on screen at real
                                    time. No log file is created. Press Ctrl+C to
                                    stop monitoring.
                        memory      Events are written to a circular memory buffer.
                                    Buffer size is specified in [--file-size]
                                    parameter. Buffer contents is written to a log
                                    file during stop operation.
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time
Active measurement started.
Processing...

21:31:10.816725700 PktGroupId 1, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 85, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
    0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816732400 PktGroupId 1, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 36, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
    0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816734200 PktGroupId 1, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 36, Edge 2, Filter 1, OriginalSize 42, LoggedSize 42
    0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816735900 PktGroupId 1, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 38, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
    0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816742000 PktGroupId 1, PktNumber 1, Appearance 5, Direction Tx , Type Ethernet , Component 38, Edge 2, Filter 1, OriginalSize 42, LoggedSize 42
    0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816743500 PktGroupId 1, PktNumber 1, Appearance 6, Direction Tx , Type Ethernet , Component 13, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
    0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
Flushing logs...
.... <TRUNCATED FOR BREVITY> ....
C:\Users\SecurityNik>ping 10.0.0.104 -n 1

Pinging 10.0.0.104 with 32 bytes of data:
Request timed out.

Ping statistics for 10.0.0.104:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\Users\SecurityNik>dir PktMon.etl
 Volume in drive C is OS
 Volume Serial Number is D436-4013

 Directory of C:\Users\SecurityNik

2020-08-07  09:42 PM        50,331,648 PktMon.etl
               1 File(s)     50,331,648 bytes
               0 Dir(s)  34,686,263,296 bytes free
C:\Users\SecurityNik>pktmon filter remove
Removed all filters.
C:\Users\SecurityNik>pktmon filter add ARP-Capture --ethertype arp
Filter added.

C:\Users\SecurityNik>pktmon filter list
 #  Name         EtherType
 -  ----         ---------
 1  ARP-Capture  ARP
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time
Active measurement started.
Processing...

21:54:33.326462700 PktGroupId 7, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
    00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.......
21:54:36.322822700 PktGroupId 8, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
    00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28
21:54:36.322828200 PktGroupId 8, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 11, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
    00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28
Flushing logs...
C:\Users\SecurityNik>pktmon filters remove
Removed all filters.
C:\Users\SecurityNik>pktmon filter add IP-TCP --data-link IPv4 --ip-protocol 1 --ip-address "9.9.9.9"
Filter added.

C:\Users\SecurityNik>pktmon filter list
 #  Name    EtherType  Protocol  IP Address
 -  ----    ---------  --------  ----------
 1  IP-TCP  IPv4       ICMP      9.9.9.9
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time --packet-size 1500
Active measurement started.
Processing...

22:12:01.498988200 PktGroupId 844424930131972, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
    40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 74: 192.168.0.62 > 9.9.9.9: ICMP echo request, id 1, seq 6, length 40
... <TRUNCATED FOR BREVITY> ...
22:12:01.600308300 PktGroupId 281474976710661, PktNumber 1, Appearance 5, Direction Rx , Type Ethernet , Component 76, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
    F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 74: 9.9.9.9 > 192.168.0.62: ICMP echo reply, id 1, seq 6, length 40
22:12:01.600310300 PktGroupId 281474976710661, PktNumber 1, Appearance 6, Direction Rx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
    F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 74: 9.9.9.9 > 192.168.0.62: ICMP echo reply, id 1, seq 6, length 40
Flushing logs...
C:\Users\SecurityNik>ping -n 1 9.9.9.9

Pinging 9.9.9.9 with 32 bytes of data:
Reply from 9.9.9.9: bytes=32 time=753ms TTL=54

Ping statistics for 9.9.9.9:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 753ms, Maximum = 753ms, Average = 753ms

C:\Users\SecurityNik>pktmon filter remove
Removed all filters.
C:\Users\SecurityNik>pktmon filter add IP-TCP-SYN-443 --data-link IPv4 --ip-address 172.217.2.115 --transport-protocol tcp SYN --port 443
Filter added.

C:\Users\SecurityNik>pktmon filters list
 #  Name            EtherType  Protocol   IP Address     Port
 -  ----            ---------  --------   ----------     ----
 1  IP-TCP-SYN-443  IPv4       TCP (SYN)  172.217.2.115  443

C:\Users\SecurityNik>pktmon start --etw --log-mode real-time --packet-size 1500
Active measurement started.
Processing...

23:02:26.539704700 PktGroupId 562949953421500, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
    40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539709400 PktGroupId 562949953421500, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
    40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539712200 PktGroupId 562949953421500, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 32, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
    40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539714000 PktGroupId 562949953421500, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
    40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.599504500 PktGroupId 1688849860264106, PktNumber 1, Appearance 1, Direction Rx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
    F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 66: 172.217.2.115.443 > 192.168.0.62.65066: Flags [S.], seq 546326696, ack 1995496357, win 60720, options [mss 1380,nop,nop,sackOK,nop,wscale 8], length 0
23:02:26.599510100 PktGroupId 1688849860264106, PktNumber 1, Appearance 2, Direction Rx , Type Ethernet , Component 32, ... <TRUNCATED FOR BREVITY>....
C:\Users\SecurityNik>psping.exe -t www.securitynik.com:443

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 172.217.2.115:443:
Infinite iterations (warmup 1) ping test:
Connecting to 172.217.2.115:443 (warmup): from 192.168.0.62:65066: 63.67ms

  Sent = 0, Received = 0, Lost = 0 (0% loss),
  Minimum = 0.00ms, Maximum = 0.00ms, Average = 0.00ms
Control-C
^C
C:\Users\SecurityNik>netstat -anop tcp | findstr /i "est" | findstr ":22"
  TCP    192.168.0.62:53726     192.168.0.4:22         ESTABLISHED     23548
C:\Users\SecurityNik>pktmon filter add --ip-address 192.168.0.4 192.168.0.62 --transport-protocol tcp --port 53726 22
Filter added.
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time
Active measurement started.
Processing...

10:25:13.196576300 PktGroupId 1688849860264110, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
    40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
10:25:13.196581200 PktGroupId 1688849860264110, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
    40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
10:25:13.196584200 PktGroupId 1688849860264110, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 32, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
    40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
10:25:13.196585800 PktGroupId 1688849860264110, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
    40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
...<TRUNCATED FOR BREVITY>...
C:\Users\SecurityNik>pktmon filter list
 #  Name            EtherType  Protocol   IP Address     Port
 -  ----            ---------  --------   ----------     ----
 1  IP-TCP-SYN-443  IPv4       TCP (SYN)  172.217.2.115  443
C:\Users\SecurityNik>pktmon start --etw --log-mode multi-file --file-size 1000
Log file name:     C:\Users\SecurityNik\PktMon%d.etl
Logging mode:      Multifile
Maximum file size: 1000 MB
Active measurement started.
C:\Users\SecurityNik>psping.exe -t www.securitynik.com:443

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 172.217.2.115:443:
Infinite iterations (warmup 1) ping test:
Connecting to 172.217.2.115:443 (warmup): from 192.168.0.62:49688: 38.02ms
Connecting to 172.217.2.115:443: from 192.168.0.62:49689: 39.07ms
C:\Users\SecurityNik>pktmon counters --show-hidden
Killer(R) Wi-Fi 6 AX1650s 160MHz Wireless Network Adapter (201D2W)
  Id  Name                        Counter  Direction  Packets  Bytes | Direction  Packets  Bytes
  --  ----                        -------  ---------  -------  ----- | ---------  -------  -----
  33  Native WiFi Filter Driver   Upper    Rx         6        396   | Tx         6        396
  32  VirtualBox NDIS Light-W...  Upper    Rx         6        396   | Tx         6        396
  31  QoS Packet Scheduler        Upper    Rx         0        0     | Tx         6        396
                                                                     |
  90  TCPIP (NDIS)                Lower    Rx         6        396   | Tx         6        396
  76  VMNETBRIDGE                 Lower    Rx         6        396   | Tx         0        0
  75  NDISUIO                     Lower    Rx         6        396   | Tx         0        0
  74  LLTDIO                      Lower    Rx         6        396   | Tx         0        0
C:\Users\SecurityNik>pktmon stop
Stopped active measurement.
Flushing logs...
Log file: C:\Users\SecurityNik\PktMon1.etl (No events lost)
C:\Users\SecurityNik>pktmon.exe format help
pktmon format log.etl [-o log.txt] [-b] [-v [level]] [-x] [-e] [-l [port]

Convert log file to text format.

  -o, --out           Name of the formatted text file.
  -s, --stats-only    Display log file statistical information.

Network packet formatting options
  -b, --brief         Abbreviated packet format.
  -v, --verbose       Verbosity level [1..3].
  -x, --hex           Hexadecimal format.
  -e, --no-ethernet   Don't print ethernet header.
  -l, --vxlan         Custom VXLAN port.
C:\Users\SecurityNik>pktmon format PktMon1.etl --stats-only --verbose
Processing...

Start time               2020-08-07 23:17:46.996574700
Stop time                2020-08-07 23:22:43.422846700
Events total             788
  Manifest-based events  788
  WPP events             0

Provider Microsoft-Windows-PktMon
  Keywords               0000000000000012
  Manifest-based events  788
C:\Users\SecurityNik>pktmon format PktMon1.etl --out securitynik-pktmon.txt --verbose
Processing...
Events formatted: 788
Formatted file: securitynik-pktmon.txt
C:\Users\SecurityNik>type securitynik-pktmon.txt | more
23:20:28.736260500 PktGroupId 1407374883553375, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
    40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:20:28.736265200 PktGroupId 1407374883553375, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
    40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
... <TRUNCATED FOR BREVITY> ...
C:\Users\SecurityNik>pktmon pcapng help
pktmon pcapng log.etl [-o log.pcapng]

Convert log file to pcapng format. Dropped packets are not included by default.

  -o, --out            Name of the formatted pcapng file.
  -d, --drop-only      Convert dropped packets only.
  -c, --component-id   Filter packets by a specific component ID.
C:\Users\SecurityNik>pktmon pcapng PktMon1.etl --out securitynik-pktmon.pcapng
Processing...
Packets total:      60
Packet drop count:  0
Packets formatted:  60
Formatted file: securitynik-pktmon.pcapng
C:\Users\SecurityNik>"c:\Program Files\Wireshark\tshark.exe" -r securitynik-pktmon.pcapng -n | more
    1   0.000000 192.168.0.62 → 172.217.2.115 TCP 66 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    2   0.000005 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    3   0.000006 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    4   0.000008 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
... <TRUNCATED FOR BREVITY> ...
C:\Users\SecurityNik>"c:\Program Files\Wireshark\tshark.exe" -r securitynik-pktmon.pcapng -n -z io,phs -q

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:60 bytes:3960
  ip                                     frames:60 bytes:3960
    tcp                                  frames:60 bytes:3960
===================================================================
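One thing the formatted text and the tshark output above both show is that pktmon logs the same packet once per component it passes through (Appearance 1, 2, 3 ...), which is why tshark flags the repeated SYN as Out-Of-Order and why 60 frames correspond to far fewer real packets. As an added example (not code from the post, and not part of pktmon), here is a small Python parser for the text that "pktmon format" writes; it groups appearances back into packets, rebuilds per-component counters like "pktmon comp counters", and flags packets truncated by the default 128-byte packet size. The sample records are constructed in the layout shown above, reusing the post's own addresses and group ids.

```python
# Added example (not from the post or from pktmon): parse the text that
# "pktmon format" writes and summarise it. Sample records are constructed
# in the layout the post's output shows.
import re
from collections import defaultdict

# Header line of one logged appearance; the decoded packet follows, indented.
HEADER_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) PktGroupId (?P<group>\d+), PktNumber (?P<number>\d+), "
    r"Appearance (?P<appearance>\d+), Direction (?P<direction>Tx|Rx) , Type (?P<type>\w+) , "
    r"Component (?P<component>\d+), Edge (?P<edge>\d+), Filter (?P<filter>\d+), "
    r"OriginalSize (?P<orig>\d+), LoggedSize (?P<logged>\d+)$")

def _hdr(t, group, app, direction, comp, orig, logged=None):
    """Build one constructed header line in pktmon's own layout."""
    return (f"{t} PktGroupId {group}, PktNumber 1, Appearance {app}, Direction {direction} , "
            f"Type Ethernet , Component {comp}, Edge 1, Filter 1, OriginalSize {orig}, "
            f"LoggedSize {orig if logged is None else logged}")

SYN = "\t40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, length 0"
SYNACK = "\tF0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 66: 172.217.2.115.443 > 192.168.0.62.49684: Flags [S.], seq 546326696, ack 3212292089, length 0"
DATA = "\t40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 1514: 192.168.0.62.49684 > 172.217.2.115.443: Flags [P.], length 1460"

# One SYN seen at four components on the way out, its SYN/ACK seen at three on
# the way in, and one full-size segment truncated by the default 128-byte log size.
SAMPLE = "\n".join(
    [_hdr("23:20:28.7362605", 1407374883553375, i + 1, "Tx", c, 66) + "\n" + SYN
     for i, c in enumerate((78, 31, 32, 33))]
    + [_hdr("23:20:28.7962011", 1688849860264106, i + 1, "Rx", c, 66) + "\n" + SYNACK
       for i, c in enumerate((33, 32, 78))]
    + [_hdr("23:20:28.8001234", 1407374883553376, 1, "Tx", 78, 1514, 128) + "\n" + DATA])

def parse_pktmon_text(text):
    """Return one dict per logged appearance: header fields plus decoded summary."""
    events, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].strip())
        i += 1
        if not m:
            continue
        ev = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
        # The summary is the next line unless that line is already another header.
        nxt = lines[i].strip() if i < len(lines) else ""
        ev["summary"] = "" if (not nxt or HEADER_RE.match(nxt)) else nxt
        i += 1 if ev["summary"] else 0
        events.append(ev)
    return events

def unique_packets(events):
    """Group appearances by (PktGroupId, PktNumber): one key per real packet."""
    by_pkt = defaultdict(list)
    for ev in events:
        by_pkt[(ev["group"], ev["number"])].append(ev)
    return dict(by_pkt)

def component_counters(events):
    """Per-component (packets, bytes) per direction, like 'pktmon comp counters'."""
    acc = defaultdict(lambda: {"Tx": [0, 0], "Rx": [0, 0]})
    for ev in events:
        acc[ev["component"]][ev["direction"]][0] += 1
        acc[ev["component"]][ev["direction"]][1] += ev["orig"]
    return {c: {d: tuple(v) for d, v in dirs.items()} for c, dirs in acc.items()}

def first_appearance(events):
    """One record per packet, so every hop through the NDIS stack is not read as a retransmission."""
    return [ev for ev in events if ev["appearance"] == 1]

def truncated(events):
    """Appearances with LoggedSize < OriginalSize: raise --packet-size (0 logs the whole packet)."""
    return [ev for ev in events if ev["logged"] < ev["orig"]]
```

When the pcapng itself must be free of the duplicates, the "--component-id" option of "pktmon pcapng" shown in the help above keeps a single component's view without any post-processing.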