Collect Packet Captures on Windows Client and Server OS

Available Languages

Download Options

  • PDF     (69.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (128.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (102.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 25, 2024
Document ID:221945

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to collect packet captures on the Windows platform using the Windows pktmon utility in a highly secured customer environment. For example, banking, defense, navy, and more.

    Problem

    Highly secured government environment viz banks, defense, navy, and more, restrict installing 3rd party tools. Especially, the packet capture tool Wireshark in order to troubleshoot voice, video, and data packets. Change management approvals undergo time consumption and unnecessary delays in resolving an issue. Utility by default available with Windows can help to avoid the delay.

    Solution

    By default, the tool name PKTMON is a by-default packet snippet utility bundled with Microsoft Windows client and server operating systems. PKTMON is available on Windows Server 2022, Windows Server 2019, Windows 10, Azure Stack HCI, Azure Stack Hub, and Azure. Setting up is very easy and less time-consuming. The utility is run using the Windows command prompt (cmd) utility with administrator privileges.

    Executable directory: C:\Windows\System32\PktMon.exe

    Here it is assumed to trace the packet capture between System-1 (PG-A) and System-2 (Logger-A).

    You must first identify the interface ID or Network Interface Controller or Card (NIC) ID on the system/virtual machine.

    pktmon list  - This command lists the interfaces on the system/virtual machine.

    Output:

    Network Adapters: 
    Id MAC Address Name 
    -- ----------- ---- 
    9 00-50-56-BD-C1-83 vmxnet3 Ethernet Adapter #2 
    10 00-50-56-BD-82-7B vmxnet3 Ethernet Adapter
    note-icon

    Note: For help, use the suffix help at the end of the command. That is,  pktmon list  help.

    Table 1. Interface tables.

    Once the interface ID is identified, the packet capture starts. The command enables the packet captures and packet counters.

    Method 1. pktmon start --capture

    This command starts capturing the packets at the default Windows logged-in user path.

    Output:

    Logger Parameters: 
    Logger name: PktMon 
    Logging mode: Circular 
    Log file: C:\Users\Administrator\PktMon.etl 
    Max file size: 512 MB 
    Memory used: 64 MB

    Collected Data: 
    Packet counters, packet capture

    Capture Type:  
          All packets

    Monitored Components: 
          All

    Packet Filters: 
          None

    Table 2. Packet capture start indication.

    Method 2. pktmon start --capture --file-name C:\Cisco\Campaigninactive\pga.etl

    This command starts capturing the packets at the custom-defined path.

    Output:

    Logger Parameters: 
    Logger name: PktMon 
    Logging mode: Circular 
    Log file: C:\Cisco\Campaigninactive\pga.etl 
    Max file size: 512 MB 
    Memory used: 64 MB

    Collected Data: 
    Packet counters, packet capture

    Capture Type: 
    All packets

    Monitored Components: 
    All

    Packet Filters: 
    None
    note-icon

    Note: By default, it captures all interfaces and all packet types.

    Table 3. Packet capture with path address in order to store the capture file.

    In the middle of capture, the packet capture status can also be validated.

    pktmon status- This command displays the ongoing active pktmon executed packet capture.

    Output:

    Collected Data:
    Packet counters, packet capture

    Capture Type:
    All packets

    Monitored Components:
    All

    Packet Filters:
    None

    Logger Parameters:
    Logger name: PktMon
    Logging mode: Circular
    Log file: C:\Cisco\Campaigninactive\pga_1.etl
    Max file size: 512 MB
    Memory used: 64 MB
    Events lost: 0

    Event Providers:

    ID                                              Level   Keywords
    --                                               --------  ---------------
    Microsoft-Windows-PktMon     4          0x12

    C:\Users\Administrator>

    Table 4. Validate the status of packet capture.

    Once the issue is reproduced, stop the packet capture with the pktmon stop command.

    Output:

    Flushing logs... 
    Merging metadata...

    Log file: C:\Cisco\Campaigninactive\pga.etl (No events lost)

    Table 5. Stop the packet capture.

    By default, pktmon stores in the default .etl format and there is a way to convert it into pcapng in order to review using Wireshark.

    Method 1. pktmon etl2pcap PktMon.etl --out C:\Cisco\Campaigninactive\pga.pcapng 

    This command converts the default saved in the PktMon.etl file at the default directory to the pcapng format.

    Output:

    C:\Users\Administrator>pktmon etl2pcap PktMon.etl --out C:\Cisco\Campaigninactive\pga_2.pcapng 
    Processing...

    Packets total: 606  
    Packet drop count: 0 
    Packets formatted: 606  
    Formatted file: C:\Cisco\Campaigninactive\pga_2.pcapng

    C:\Users\Administrator>

    Table 6.

    Method 1. To convert packet capture from native extension .etl to Wireshark readable format .pcapng.

    Method 2. pktmonetl2pcapC:\Cisco\Campaigninactive\pga_1.etl --out C:\Cisco\Campaigninactive\pga.pcapng

    Output:

    C:\Users\Administrator>pktmon etl2pcap C:\Cisco\Campaigninactive\pga_1.etl --out C:\Cisco\Campaigninactive\pga_1.pcapng
    Processing...

    Packets total: 8964
    Packet drop count: 0
    Packets formatted: 8964
    Formatted file: C:\Cisco\Campaigninactive\pga_1.pcapng

    C:\Users\Administrator>

    Method 2. to Convert Packet Capture from Native Extension .etl to Wireshark Readable Format .pcapng

    Image 1.

    Method 2. to convert packet capture from native extension .etl to Wireshark readable format .pcapng.

    These basic commands help collect the files and are useful in troubleshooting for TAC.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    26-Apr-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Ritesh Desai
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products