What is the Windows 10 sniffer?

This is a function to control or monitor the propagation of data packets. Consequently, it is possible to detect certain problems in the network. For example, an increase in latency and affected applications. It is very likely that you have looked for third-party apps to monitor the network without knowing that the system includes its own sniffer. The main function of these sniffers is to detect possible network failures.

As far as Windows 10 is concerned it is a command-line based tool called Packet Monitor. Therefore, to use it it is necessary to manage it from PowerShell.

How to use Package Monitor in Windows 10

As mentioned, to use Packet Monitor you need to launch a PowerShell with administrator privileges. With this intention, please press the Win+X combination, and from there select the option.

The correct syntax of PktMon is:

pktmon { filter | comp | reset | start | stop } [OPTIONS | help]

Below, I show you the available commands:

• filter: Manages packet filters
• comp: Manages the registered components.
• reset: Resets the counters to zero
• start: Starts package monitoring
• stop: Stop monitoring.
• format: Converts the log file to text
• unload: Download the PktMon controller

If we need more help on a specific command, then we can use the following command:

Pktmon commando help.

Executing this instruction will display information about the syntax and possible commands to be used. This is the available syntax and command:

pktmon start { list | add | remove } [OPTIONS | help]

Commandos:

• list: Shows the active packet filters.
• add: Adds a filter to control which packets are notified.
• remove: Remove all filters

pktmon comp { list | counters } [OPTIONS | help]

Commands:

• list: Lists all active components.
• counters: Shows the current counters per component

Other useful commands

pktmon reset[-counters]

Resets all component counters to zero.

pktmon start [-c { all | nics | [ids…] }] [-d] [–etw [-p size] [-k keywords]]  [-f] [-s] [-r] [-m]

Start package monitoring.

• c, –components: Select the components to be monitored. This can be all components, only NICs, or a list of component IDs. The default is all.
• -d, –drop-only: Only report discarded packages. Additionally, by default, the correct propagation of packets is also reported.

ETW Registry

• –etw: Logs in for packet capture.
• p, –packet-size: Number of bytes to be recorded from each packet. On the other hand, to always register the entire package, please set the value to 0.
• k, –keywords: Hexadecimal bit mask that controls which events are recorded. That is the sum of the following marks. By default, all events are logged.
• f, –file-name: Log file .etl. In addition, the default value is PktMon.etl.
• -s, –file-size: Maximum log file size in megabytes Additionally, the default value is 512 MB.

Registration mode

• r, –circular: New events overwrite older ones when the maximum file size is reached.
• m, –multi-file: A new file is created when the maximum file size is reached.

pktmon stop

Stops the package monitoring and displays the results.

pktmon format log.etl [-o log.txt]

Converts the log file to text format.

pktmon unload

Stop the PktMon driver service and download PktMon.sys. Equivalent to sc.exe stop PktMon.

Conclusion

Ultimately we have seen what it is and how to use sniffer in Windows 10. In addition, this Windows function is very useful for monitoring the network. Similarly, there is no need to use third-party apps. Before saying goodbye, I invite you to see our post about changing the language in Windows Server. Bye!

The post What is and how to use the Windows 10 sniffer appeared first on Linux Windows and android Tutorials.