33 C

What is and how to use the Windows 10 sniffer

Hi! Microsoft wants Windows 10 to be the best version of their operating systems. In fact, updates incorporate new features that boost performance. However, there are features already included and little-publicized. Sometimes, these features are very useful and interesting for the user. In this case, we will talk about sniffer, an addition present since the October 2018 update, and very little known. Specifically, this is not a setting that modifies any aspect of the desktop. On the contrary, it is a tool to control the activity and latency of the network connection. Well, in this post we will see what is it and how to use the Windows 10 sniffer.

What is the Windows 10 sniffer?

This is a function to control or monitor the propagation of data packets. Consequently, it is possible to detect certain problems in the network. For example, an increase in latency and affected applications. It is very likely that you have looked for third-party apps to monitor the network without knowing that the system includes its own sniffer. The main function of these sniffers is to detect possible network failures.

As far as Windows 10 is concerned it is a command-line based tool called Packet Monitor. Therefore, to use it it is necessary to manage it from PowerShell.

How to use Package Monitor in Windows 10

As mentioned, to use Packet Monitor you need to launch a PowerShell with administrator privileges. With this intention, please press the Win+X combination, and from there select the option.

Launch a PowerShell with administrator privileges.
Launch a PowerShell with administrator privileges.
- Advertisement -

The correct syntax of PktMon is:

pktmon { filter | comp | reset | start | stop } [OPTIONS | help]

Below, I show you the available commands:

  • filter: Manages packet filters
  • comp: Manages the registered components.
  • reset: Resets the counters to zero
  • start: Starts package monitoring
  • stop: Stop monitoring.
  • format: Converts the log file to text
  • unload: Download the PktMon controller

If we need more help on a specific command, then we can use the following command:

Pktmon commando help.
PowerShell running the Pktmon start help command
PowerShell running the Pktmon start help command

Executing this instruction will display information about the syntax and possible commands to be used. This is the available syntax and command:

pktmon start { list | add | remove } [OPTIONS | help]


  • list: Shows the active packet filters.
  • add: Adds a filter to control which packets are notified.
  • remove: Remove all filters
pktmon comp { list | counters } [OPTIONS | help]


  • list: Lists all active components.
  • counters: Shows the current counters per component

Other useful commands

pktmon reset[-counters]

Resets all component counters to zero.

pktmon start [-c { all | nics | [ids…] }] [-d] [–etw [-p size] [-k keywords]]  [-f] [-s] [-r] [-m]

Start package monitoring.

  • c, –components: Select the components to be monitored. This can be all components, only NICs, or a list of component IDs. The default is all.
  • -d, –drop-only: Only report discarded packages. Additionally, by default, the correct propagation of packets is also reported.

ETW Registry

  • –etw: Logs in for packet capture.
  • p, –packet-size: Number of bytes to be recorded from each packet. On the other hand, to always register the entire package, please set the value to 0.
  • k, –keywords: Hexadecimal bit mask that controls which events are recorded. That is the sum of the following marks. By default, all events are logged.
  • f, –file-name: Log file .etl. In addition, the default value is PktMon.etl.
  • -s, –file-size: Maximum log file size in megabytes Additionally, the default value is 512 MB.

Registration mode

  • r, –circular: New events overwrite older ones when the maximum file size is reached.
  • m, –multi-file: A new file is created when the maximum file size is reached.

pktmon stop

Stops the package monitoring and displays the results.

pktmon format log.etl [-o log.txt]

Converts the log file to text format.

pktmon unload

Stop the PktMon driver service and download PktMon.sys. Equivalent to sc.exe stop PktMon.


Ultimately we have seen what it is and how to use sniffer in Windows 10. In addition, this Windows function is very useful for monitoring the network. Similarly, there is no need to use third-party apps. Before saying goodbye, I invite you to see our post about changing the language in Windows Server. Bye!

- Advertisement -
Everything Linux, A.I, IT News, DataOps, Open Source and more delivered right to you.
"The best Linux newsletter on the web"


Please enter your comment!
Please enter your name here

Latest article