Mastering Microsoft's CLI Packet Capture: Pktmon.exe for IT Pros

Captions
Vanderpool, and this channel is dedicated to IT students, IT professionals, and anyone who enjoys learning technical subjects.

We are going to look at Microsoft's command-line packet capture tool. It is known as Packet Monitor. Now, I'm going to refer to it as Packet Monitor throughout this presentation, but I want you to understand I'm always talking about the file name pktmon.exe. So from this point on I'm going to call it Packet Monitor, but understand I'm referring to pktmon.exe. Let's get started.

Now, Packet Monitor is an in-the-box, cross-component network diagnostic tool. It ships with Windows 10 and Windows 11; it's also in Server 2019 and Server 2022. Packet Monitor can be used for packet capture, packet drop detection, packet filtering, and packet counting. If you'll notice, the diagram on the right-hand side shows you a little bit of the complexity that is in today's Microsoft network environment. If you're running virtual switches, virtual adapters, and virtual machines with containers in them, and on top of that you're running Microsoft software-defined networking components like load balancers, the network stack in Windows becomes very complex. Packet Monitor does an excellent job of making all of this complex network stack visible and easier to troubleshoot.

On the right-hand side is a diagram of my video editor. I have two physical network cards, I have two virtual switches that are connected up to each of the physical network cards, then I have virtual NICs to the parent OS, and then I have a number of virtual machines that are then connected via a virtual NIC to each of the virtual switches. This gets complex, and Packet Monitor is going to give us visibility into all of this and allow us to troubleshoot effectively. Now, a majority of your network stack is in kernel mode. Packet Monitor gives you visibility into the kernel mode; it allows you to see your network stack at OSI layers 2, 3, and 4.

Now, Packet Monitor runs in either PowerShell or CMD. You're also able to integrate it into Windows Admin Center; it's limited, but it is useful. Now, Packet Monitor is going to leverage a lot of Windows' built-in diagnostic systems, for example performance counters. It's going to use performance counters to give you information about the network stack. So if you've ever dug into Performance Monitor and just looked at the counters available to Performance Monitor, it's mind-blowing. Well, Packet Monitor is actually going to use many of those same counters. Packet Monitor is also going to leverage the ETW architecture, the Event Tracing for Windows architecture. If you're a developer, you're very comfortable using traces to debug or look at the performance of a software module. Packet Monitor will allow developers to take advantage of what is known as performance traces.

So, Mr. Vanderpool, how does Wireshark compare with Packet Monitor? Well, Wireshark is multi-platform and runs on a variety of operating systems. It's a very comprehensive capture and analysis tool; it does come in GUI and command line. It's probably the most well-developed tool in the industry. Over here on the right-hand side, Packet Monitor is Microsoft-centric. It's limited, but it's a useful packet capture tool and troubleshooting tool. It runs command line in Windows and does have a little bit of GUI if you're using it with the Windows Admin Center. Its strength is visibility into virtualization, container networking, and Microsoft SDN components. It is included in Windows since the October 2018 update.

Now, to start a capture is relatively simple. If you've used packet capture tools in the past, you'll find Packet Monitor relatively straightforward. The documentation for this tool is very limited, and you end up with more questions than answers; I spent a lot of time on Microsoft's website. When you start a capture you simply type in packet monitor start -c and you're ready to start capturing data. Now, you're going to get a default file name, you're going to get a default directory: it's going to dump that file into the root of your user profile. It's going to use circular logging; in other words, when the memory log file fills up, it's going to overwrite the oldest data with new. The maximum and default size is going to be 512 megabytes. To stop a capture is simply packet monitor and the word stop, and it basically takes what it has in the circular log and writes it to the default file name. The last command that you don't want to forget is packet monitor unload. That removes it from memory; if you don't, you're going to leave it running on your server until it reboots again.

On the slide you can see a cheat sheet of the many options and features that you can use in conjunction with packet monitor start -c. You can download our video notes, found in the video description, and in there we'll have all kinds of additional information concerning each one of these options and features. Now, Packet Monitor allows you to do a number of scenarios: you can capture and log your results, you can capture and log and display information, or you can capture and display with no logging.

So here I'm in PowerShell and I've got packet monitor start -c, and I'm going to go ahead and start the capture. When I do that, it shows me all the defaults. It shows me I'm using circular logging, it shows me that it's going to put this file in my user profile root directory, it's going to use a maximum file size of 512 megabytes, and it gives me information about what's collected: all packets, because I didn't put any filtering in. The data that it's going to collect is packet counters and packet capture; it's going to capture everything because I didn't specify any filters. Now, if I go to the command prompt and I type in packet monitor stop and hit Enter, it's now flushing what's in memory, writing it to the hard drive as a file, and notice it's indicated that no events were lost. If I go to the root of my user profile, I will see the file pktmon.etl, and it's a 422-kilobyte file. Now, when I'm done with Packet Monitor, I want to then unload it, and that's going to remove it out of memory and essentially terminates the process.

Now, continuing on with our same topic of packet monitor start -c, there are additional options, and we're going to go through those quickly. -f gives you the ability to change the file name. -s allows you to change the size of the log file. -m gives you the ability to change the log mode. Let's take a look: you can do circular, which is the default; you can also log with multi-file, so when the log file fills it just creates a new file and then a new file; you can also do real-time, but if you choose real-time you do not create a log file.

Packet Monitor also allows developers to take advantage of event traces. Now, if you're not familiar with event traces and event logging, I just finished this video, Windows Event and Logging for the IT Pro, and I really went into the Event Tracing for Windows architecture, talking a little bit about event tracing and a lot about event logs. So if you're not familiar, you want to go back and take a look at that. So with -t you can do event traces; you'll want to add -p, or the provider name, and that can be a provider name or a GUID, and then keywords and level. If you want to pull up a list of event trace provider names in GUI, you can just type in PowerShell logman query providers and it'll pull it right up.

In your capture, packet monitor start -c, you can also add -o, meaning we're going to capture only counters. And we'll look at counters; it allows us to see our entire stack and the traffic going through it, but if you choose the counters there's no logging. Also you can do --comp, or components, and you can select any element in your network stack and look at that only, or two or three components and look at them only. You do have the option --type, which allows you to look at traffic, what we call flow, in and out. You can also look at just dropped packets in the network stack, or the default is all: you see both flow and dropped packets. Now, packet size is very important. If you want a packet capture more like Wireshark, then you want to add --pkt-size and put a zero after that. It will then capture the entire packet just like Wireshark does. If you don't, Packet Monitor by default only captures 128 bytes; it drops the rest.

Now, when we display or capture counters, we'll have the listing of our network stack on the left, in the center you'll see your receive traffic, and on the right you'll see your transmit traffic. Now pay attention to the order: notice the network card is at the top, then our filters are in the center, and then our protocols at the bottom, kind of flipped upside down from what we would think a counter would display. Counters are very important because they provide a high-level view of networking traffic throughout the network stack without the need to analyze a log; it's just right there. Remember, Packet Monitor is taking full advantage of performance counters and using those to display this network traffic.

So let's start a basic packet capture: start -c, and we're going to leave it default, and I'm going to hit Enter. I can see the default settings for this particular capture. I can also look at any time at the status of my capture, so I can go packet monitor status and I can pull up the status of what is going on with this capture. But notice I don't see anything; nothing is displayed. If I would like to see my network stack and what's going on while it's capturing (I know when I stop this capture it's going to log it to a file and then I can analyze it), but if I'd like to see it right now, I can simply go packet monitor counters and then hit Enter, and it pulls up the state in time of my counters and traffic right now. It's not live, it's not real time, but at that time that I hit Enter it displays what my values were. Now I can go up arrow and do it again and it's going to show me the next state in time, or I could also do packet monitor counters and then --live, and it will now display a live view of what is taking place while I'm capturing. This is extremely handy and probably the best way to look at your traffic while you're capturing data. Now, any time you have a live view, all you have to do is Ctrl+C and it will stop.

What if I would like to look at just specifically my VPN traffic? I can turn on my VPN, see what is going on, turn off my VPN, and make sure that it's responding the way that I think it should. In order to pick a specific element out of my network stack and monitor that only, I need the component ID of that driver or that filter or that component in the network stack. So we're going to use packet monitor and I do the word list. Now this is going to give me all my network cards, but I want more; I want the entire stack. So I'm going to do the same thing, packet monitor list -a. This is going to give me a detailed list of everything in my network stack: Bluetooth, here's my wireless, and you can see all my filters, and all the way up here is my TAP-Windows Adapter V9. Now, if you don't understand your network stack, in my video notes I have extensive notes on understanding your network stack, but that ID 11 is my VPN.

Now I want to start a capture and look only at my VPN in my network stack, so I did packet monitor start -c --comp and then I used the component number for my VPN filter. I'm going to hit Enter, and notice down here you can see I'm going to be looking at my VPN filter. Now what do I see? Nothing. So I'm going to use packet counters --live to view what's going on. Now notice nothing is there; nothing is going on, because you can see here my VPN is not turned on. So I'm watching live what's going through my VPN. Well, there's nothing going through it because it's not on. Let me come over here and turn on my VPN and let's see what happens. There we go, and I can actually watch my traffic in and out of my VPN filter, and I can hit pause and you can see it stopped. So I can actually watch any element of my network stack with Packet Monitor. Pretty cool.

Now let's take a look at Packet Monitor's filter capability that you can set up prior to starting a capture. Let's take a look at this cheat sheet, because it really will help you understand how to use filtering. packet monitor filter add, and in here we do -p 53, and what that means is, since we only put in a port number, port 53, it's going to filter any TCP or UDP; any time it sees port 53 it's going to capture that data. Down below I've got the same thing, a different filter: -t and we're going to add TCP, so we're going to exclusively look at TCP traffic only, and -p port 22. So here we've tightened up our filter; we're only going to look at that traffic. Now the one below says -p port 123 and again a comma, 123, so here we're going to look at packet traffic with a source port of 123 and a destination port of 123.

We have the option of packet monitor filter add -i, so here we're looking at an IP address. I've got a 172.32.1.1; here we're going to look at packets to and from that IP address. That's the only IP address you put in. Notice the one before, packet monitor filter add -i: I've got two IP addresses with a comma in between, so I'm going to look at packets between these two IP addresses. Below is a filter that adds MAC addresses, -m, and I've put in a MAC address, and so we're going to filter out and capture only that MAC. If I want to capture VLAN traffic, I can just -v and put the VLAN ID and I will capture that VLAN traffic. If I'm in a data center and I want to look at more encapsulated-type traffic, I use -e and I can look at VXLAN, GRE, or NVGRE. And at any time, if I want to look at my filter list that I've created, just packet monitor filter list and it will show you everything you have in your list; and if you want to remove your filters, packet monitor filter remove. Now you can have up to 32 filters when you're capturing traffic.

Now, once you've saved your packet capture to a file on the hard drive, it saves it as an ETL file, which is a trace file. Most of you don't have tools that can open and view trace files; Event Viewer will, but it's not very helpful. It's better to convert those file formats to either a text file or, better yet, a .pcap extension, which is useful in Wireshark, and you can analyze your capture in Wireshark. Now, Packet Monitor has a number of conversion tools. If you look at the slide: packet monitor etl2txt, and then you point it to the file that you have on your hard drive, -o, and you can turn it into any name that you want to, and it will convert that ETL file to a text file. Or you can do packet monitor etl2pcap, point it to the file that you have on your hard drive, -o, and then rename it to whatever you want in terms of .pcap, and then you can open it up in Wireshark. Now here's an example of that ETL file converted into a text file.

So how do we look at this text file and understand it? First of all, Packet Monitor takes quick snapshots, such that you will see repetitive text information about the same packet. So how do you know when a packet starts and another packet begins? You begin to look at the packet group ID. Notice this group of text is indicating packet group ID 1, 1, 1. As I go down this group of text information, these are all snapshots of the same packet. When I get down in the text file and it changed to packet group ID number 2, now we're taking snapshots of the second packet. Up here in the green it shows appearance 1, appearance 2, appearance 3; these appearance values act as counters for each sequence snapshot of the same packet. In your text you will also see the word "drop". When the word "drop" appears before any lines, it tells you that a packet got dropped. Each dropped packet also provides you a drop reason, why that packet was dropped. Notice in this particular text file we went from packet group ID 1, and then down here we start packet group ID 2, so now we're beginning snapshots of the second packet.

Now, Packet Monitor can view and analyze all the stuff you would expect a packet capture tool to do. You can analyze PXE traffic, DHCP traffic, SMB, DNS, HTTPS; all of that can be analyzed with Packet Monitor as well as Wireshark and other tools. Where Packet Monitor really shines is when you look at your network stack. Now, what Packet Monitor can do and Wireshark can't do, especially when you get into Hyper-V environments, is drill into your network stack and help identify issues. Notice in this diagram we see TCP at the top, filters, virtual network adapters, our vSwitch, which is our Hyper-V switch, and you see little green dots there; those are connections between those layers, and any one of those areas can fail for whatever reason. You can analyze this stack and see where your problem is. For example, here in the graphic you can see I've got a vSwitch, a Hyper-V switch, and in that vSwitch is a virtual filter platform, and in that connection I've got a drop going on, and I need to understand why it's dropping packets in that filter platform. Wireshark is not going to help you here; Packet Monitor will. You can drill right in and see what is the problem.

Just to give you an example, this is my video editor. Down here I'm showing you my virtual switches. I have two virtual switches, and we'll ignore my default virtual switch. I have a virtual switch that's connected to a one-gigabit physical NIC in my AMD video editor; then I have a 2.5 virtual switch that's connected to my 2.5 physical network card. Up here you can actually see there's my 2.5 real physical NIC; over here is my one-gigabit Intel real network card. And then you have a virtual network card here, 2.5, and a virtual network card here, and that represents the one gigabit, and then in them you have filter drivers and protocols. And if you turn this into a server that's got 30 containers, each of them in their own individual VM, each having their own virtual switch, or let's say you have five physical network cards in that server, this can get really complex. And if you don't have some mechanism to rip through all this mess and find out what your problem is, you're going to be in real hurt. So Packet Monitor gives you that visibility, especially into the complex world of Microsoft's networking.

So with Packet Monitor, notice here at the top I've got packet monitor list -a, and that tells me: show me everything, all the protocol stack that you have. And then it allows me to go through, and I can see I'm at vSwitch, the one gigabit, the vSwitch that's connected to my one-gigabit physical adapter, and then I can see all my filter drivers, I can see the protocols, and each of them has the component ID right here in this column. So if I want to look at any one component, if I want to look at the vSwitch, all I do is look at the component, use the component ID of 143, and I can look at that component by itself. Now keep in mind those component IDs change every time you reboot. So every time you reboot your server or reboot your PC and you're looking at component IDs, they change on reboot. Now, after finishing this video on Packet Monitor, I will then do a quick video on the network stack, so if you want a quick review and you just selected a refresher on your network stack, I'll produce that after I finish this one. But you can see as I scroll down, you can see all the components that are involved here. Here again is a vSwitch; this is part of my 2.5-gigabit physical, and you can see all the components in that vSwitch. Then here's the virtual 2.5; up here is the physical 2.5. It gets complex, and if you've got a problem in here, this is one way to help you troubleshoot those problems.

If you're watching this at this point in the video, you are a hardcore technology person. Ninety percent of the people who are on YouTube who watch a video that I create are gone in three minutes, so the fact that you're watching me right now tells me you're pretty hardcore, and you're the very reason we do all the work. All the video editing, all the preparation is because of you. You're the person we're after: you want to learn, you want to understand, and you're willing to watch 25 minutes, 30 minutes of just geek stuff, and we really, really appreciate you. One way that you can help us tremendously is to support us by liking a video and subscribing. It's simple, two clicks, and it doesn't cost you anything, and it really, really helps us. If you can join, that's great; it really does help us. It's two dollars and something a month; that's a cup of coffee a month. We really, really appreciate it, but it's more important if you can like and subscribe; it's the best way of supporting this channel.

Now, recently Microsoft began to integrate Packet Monitor into the Windows Admin Center. So you want to come over to Settings in your Windows Admin Center and come down to Extensions. I have already installed it, so mine is under the installed extensions; just scroll down here till you get to Packet Monitoring. If you haven't installed it, then yours would be under Available Extensions; you want to go ahead and add that extension into your Windows Admin Center. So I'm going to come and launch this particular PC, virtual machine; give it just a minute and you'll see under Extensions where you can see Packet Monitoring. So here under Extensions you can see Packet Monitoring, and here you can start a new capture. The first thing it asks is, do you want to add filters? So you could say no, go ahead and start the capture, or you can add filters, and you can see it's pretty straightforward: IP addresses, up to two; ports, up to two; MAC, up to two different MAC addresses; then transport protocols, and they're just radio buttons; EtherTypes, and again radio buttons; VLAN IDs; and encapsulation, so if you want to look at GRE or something like that, you can. Now this is just one filter; you can come down here and add another, up to 32 filters, and then once you have the filters you want, you can go ahead and hit Start, and you can see it's successfully started to capture.

Now, three weeks ago this worked perfectly; just before recording, this would not work at all. So it's starting to capture. I'm going to go ahead and stop the capture, and it says it stopped the capture. It's asking me for user credentials on this PC, so I'm going to insert those in. I've entered in the credentials, and every time I've tried to do this it failed; it said it couldn't parse the file. It should display your captured packets here. So here it shows me it successfully stopped the capture. Now this, voilà, it showed up, and so here you can see the results of your capture. Notice I put no filtering, so it captured everything, and you can scroll down, and in a very short period of time it captured all those events. Now this is in preview right now, so any time you're working with a preview version of any extension, you can kind of expect some problems, and in my case I went ahead and added my domain name, username, and that seemed to work.

So if I would like to capture QUIC traffic, which is port 443, or HTTPS, and UDP, not TCP, which is becoming very, very popular in browsers, I can go ahead and start a new capture, add a filter, and this time I'm going to look at UDP and I'm going to look at port number 443, and I'll capture any QUIC traffic. So I'm going to start, and you can see it started the capture, and it shows me the rolling dots, which indicates that it's capturing these packets. And then I can go ahead and launch the browser. It is my browser; hold on, let me go here, and we'll go to, let's go to CNN. And so we went to a website, and I don't know if CNN uses QUIC for their HTTPS traffic, but we'll find out. We'll go ahead and stop it; it successfully stopped the capture, and now it should load the traffic. Now this is remote, so I'm having to go across the network, execute the packet capture, and then bring the data across the network back to this PC. I don't see my display; it says no packet data to show. I don't know whether that was my problem or it just didn't work right. This is in preview mode, so we'll take it at that.

Now here I've logged on to my Azure portal. In Azure they've also put in Packet Monitor, so under Network Watcher, if you slide down here to Packet Capture, you have the same functionality. Here I can add various restrictions so that I'm not charged for a lot of packet network traffic, and then down here I've got all my filtering. It's a little bit different in look and feel, but you know, it's the same thing: you're filtering out ports, IP addresses, MAC addresses, etc. Now, both Azure and Windows Admin Center have a limited ability to use or to implement this packet capture; it's much more powerful in the command line. So just be aware of it: you still can do some with it, but it doesn't give you all the functionality and features, either in Azure, as far as I can determine, or in Windows Admin Center.
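As an added example (not from the video or its notes), the following PowerShell script chains the pktmon steps walked through in the captions: a port-53 filter, a full-packet capture with --pkt-size 0 and a named log file, stop and unload, conversion with etl2pcap and etl2txt, and a tally of the DropReason values found in the text output. The output directory, the filter name DNS, and the regex used to pull DropReason out of etl2txt lines are assumptions, not documented pktmon behaviour.

```powershell
# Added example: scripted pktmon capture of DNS traffic with drop-reason summary.
# Assumptions: elevated PowerShell on Windows 10 2004+/Server 2022; $OutDir, the
# filter name "DNS" and the DropReason regex are this example's own choices.
param(
    [int]$Seconds = 30,
    [string]$OutDir = "$env:USERPROFILE\pktmon-demo"
)

# pktmon loads a kernel driver, so it refuses to run from a non-elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "pktmon needs an elevated PowerShell prompt."
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl  = Join-Path $OutDir "dns.etl"
$pcap = Join-Path $OutDir "dns.pcapng"
$txt  = Join-Path $OutDir "dns.txt"

# Start clean: filters from an earlier session stay loaded until removed.
pktmon stop 2>$null | Out-Null
pktmon filter remove | Out-Null

# A bare port with no -t matches both TCP and UDP on port 53, as in the video.
pktmon filter add DNS -p 53
pktmon filter list

# --pkt-size 0 keeps whole frames (the default truncates to 128 bytes);
# -f names the log instead of the default PktMon.etl in the profile root.
pktmon start --capture --pkt-size 0 -f $etl
Start-Sleep -Seconds $Seconds
pktmon counters      # one snapshot of Rx/Tx counts per stack component
pktmon stop
pktmon unload        # otherwise the driver stays resident until reboot

# ETL is a trace format; convert for Wireshark and for plain-text review.
pktmon etl2pcap $etl -o $pcap
pktmon etl2txt  $etl -o $txt

# Tally drop reasons. Assumed line shape: 'Drop: ... DropReason <Reason> ...'.
$drops = Select-String -Path $txt -Pattern 'Drop.*DropReason\s+(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Group-Object | Sort-Object Count -Descending

if ($drops) {
    "Dropped packets by reason (from $txt):"
    $drops | Format-Table Name, Count -AutoSize
} else {
    "No dropped packets recorded in $txt"
}
"Wireshark-ready capture: $pcap"
```

Run it once with the VPN or service under test off and once with it on, and compare the two drop tallies; that is the same on/off comparison the video does by eye with pktmon counters --live.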
Info
Channel: TechsavvyProductions
Views: 7,954
Id: E6LVisVKM5Y
Length: 31min 17sec (1877 seconds)
Published: Mon Feb 13 2023