All posts tagged network

Windows Server DHCP and Option 108

While enterprise adoption of IPv6 has been slow, it is still moving forward. For example, the U.S. federal government has mandated [M-21-07 – PDF] the transition to IPv6 to modernize its networks and enhance security, scalability, and interoperability. During the migration to IPv6, most systems will be configured with both IPv4 and IPv6, a configuration referred to as dual stack. Ultimately, the goal is the elimination of IPv4 entirely and the use of IPv6 exclusively. However, IPv6-only presents some unique challenges.

Access to IPv4

Although an organization can successfully migrate to IPv6-only networks internally, they do not control networks outside its boundaries. In some cases, a host on an IPv6-only network may need to communicate with an IPv4 resource. Administrators must deploy an IPv6 transition technology to support this scenario.

464XLAT

464XLAT, defined in RFC 6877, is a network architecture that facilitates the transition from IPv4 to IPv6 by enabling IPv4 traffic to operate over an IPv6-only network. It combines two translation mechanisms: a client-side translator (CLAT) on the user device, which converts IPv4 packets to IPv6, and a provider-side translator (PLAT) at the network edge, which converts the IPv6 packets back to IPv4 to communicate with IPv4-only internet services. This dual-translation approach allows devices in an IPv6-only environment to access both IPv6 and IPv4 resources without requiring a full IPv4 stack, making it an efficient solution for networks transitioning to IPv6 while maintaining compatibility with legacy IPv4 systems. To support 464XLAT, Windows provides specific functionality for CLAT, though with some limitations.

CLAT for Windows

Windows currently provides CLAT support only for cellular network interfaces. CLAT is not available for Wi-Fi or Ethernet interfaces today. However, Microsoft has publicly announced plans to extend CLAT support in Windows for these non-cellular network interfaces soon.

IPv6 Mostly

IPv6 Mostly, defined in RFC 8925, refers to a network configuration where IPv6 is the primary protocol for communication, but IPv4 is still supported for specific use cases. Devices in these networks prefer IPv6 for most operations, leveraging its larger address space and modern features, while maintaining limited IPv4 compatibility. IPv6 Mostly networks ease the transition from IPv4 to IPv6, balancing modern protocol adoption with support for older applications. They optimize resource usage and prepare networks for a future where IPv6 dominates, with tools like 464XLAT providing seamless IPv4 access when necessary.

DHCP Option 108

DHCP Option 108 is a specific configuration in DHCP that enables IPv6-only networks to signal clients to disable IPv4. When a client receives this option, it deactivates its IPv4 stack, relying solely on IPv6 for communication. Turning off IPv4 when it isn’t needed helps streamline network operations in IPv6-focused environments.

Option 108 and Windows Server DHCP

Commercial DHCP appliances like Infoblox and many open source DHCP platforms natively support DHCP option 108. However, no supported version of Windows Server, including the latest release (Windows Server 2025), supports DHCP option 108 natively. To enable DHCP option 108 on Windows DHCP servers, administrators can create a custom predefined option.

Custom Predefined Option

To create a custom predefined option for DHCP option 108 on a Windows DHCP server, open the DHCP management console (dhcpmgmt.msc) and perform the following steps.

  1. Right-click IPv4 and choose Set Predefined Options.
  2. Click Add.
  3. Enter IPv6 Only Preferred in the Name field.
  4. Select Long from the Data type drop-down list.
  5. Enter 108 in the Code field.
  6. Click Ok.

Assigning DHCP Option 108

Once complete, perform the following steps to assign DHCP option 108 to a DHCP scope.

  1. Select an IPv4 DHCP scope.
  2. Right-click Scope Options and choose Configure Options.
  3. Select 108 IPv6 Only Preferred from the Available Options list.
  4. Enter a value in seconds, in hexadecimal format. This value represents the duration for which a client should prefer IPv6-only mode. For example, 86,400 seconds (1 day) is 0x15180.
  5. Click Ok.

PowerShell

Custom predefined options can also be configured using PowerShell.

Custom Predefined Option

To create a custom predefined option for DHCP option 108, open an elevated PowerShell command on a Windows DHCP server and run the following command.

Add-DhcpServerv4OptionDefinition -Name ‘IPv6 Only Preferred’ -OptionId 108 -Type DWORD -PassThru

Assigning DHCP Option 108

To assign the custom predefined DHCP option 108 to a DHCP scope, run the following PowerShell command.

Set-DhcpServerv4OptionValue -ScopeId 172.16.5.0 -OptionId 108 -Value 0x15180 -PassThru

DHCP Offer

Once configured, if the client indicates support for DHCP option 108 in its DHCP Request, the DHCP server will include it in the DHCP Offer, as shown here.

Learn More

If you are interested in learning more about IPv6 Mostly and DHCP option 108, be sure to listen to the following episodes of the IPv6 Buzz Podcast.

Summary

As organizations continue their transition toward IPv6, DHCP option 108 provides administrators with a simple and effective way to reduce reliance on legacy IPv4 by signaling clients to prefer IPv6-only operation if they can support it. While Windows Server does not natively support this option, creating a custom predefined setting ensures administrators can take advantage of this important feature.

Additional Information

M-21-07 – Completing the Transition to IPv6 for U.S. Federal Government Agencies [PDF]

Microsoft Plans to Extend CLAT Support in Windows 11

RFC 6877 – 464XLAT: Combination of Stateful and Stateless Translation

RFC 8925 – IPv6-Only Preferred Option for DHCPv4

IPv6 Buzz Podcast on PacketPushers.Net

3 Comments
by Richard M. Hicks on August 25, 2025  •  Permalink
Posted in 464XLAT, administration, CLAT, Deployment, DHCP, Dynamic Host Configuration Protocol, Enterprise, Infrastructure, IPv6, IPv6 Transition, Microsoft, Operational Support, PowerShell, systems management, transition technology, WinCLAT, Windows 11, Windows CLAT, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 25, 2025

https://directaccess.richardhicks.com/2025/08/25/windows-server-dhcp-and-option-108/

Always On VPN Troubleshooting with Windows Packet Monitor PktMon.exe

When troubleshooting Always On VPN, taking a network packet capture or network trace is sometimes required to identify the root cause of a problem. After all, Packets Don’t Lie™. There are numerous ways to capture packets. Many administrators will install Wireshark for this purpose. However, Windows has a native packet capture tool called PktMon.exe that offers many advantages over Wireshark.

Wireshark

Many Always On VPN administrators will be familiar with Wireshark. Wireshark is a popular open-source network protocol analyzer that enables the capture and analysis of network traffic for troubleshooting. A packet capture driver must first be installed to capture network traffic with Wireshark. Typically, administrators will install Npcap, which is part of the default installation of Wireshark. Installing a capture driver poses a potential problem, as the administrator must install software on the target device before capturing traffic. Installing software may not always be feasible or possible. Fortunately, there’s an alternative.

PktMon.exe

The Windows Packet Monitor (PktMon.exe) is a built-in command-line tool first introduced in Windows 10 1809 and Windows Server 2019. It is designed to capture network traffic on Windows servers and client systems. This native lightweight tool is ideal for collecting network traces for offline analysis.

Capture All Interfaces

The most common scenario for PktMon.exe is to capture data for offline analysis. Use the following command to capture all network traffic on all active network interfaces.

PktMon.exe start –capture –file c:\capture.etl –pkt-size 0 –comp nics –flags 0x10

The command breaks down as follows:

–capture – captures network traffic

–file – the path of the file to save the data to

–pkt-size 0 – captures the full packet (not truncated)

–comp nics – captures traffic on all active network interfaces

–flags 0x10 – captures the raw packet

After reproducing the issue, you can stop the trace by running the following command.

PktMon.exe stop

Capture Specific Interface

Administrators may wish to capture traffic on a specific network interface instead of all active network interfaces. In this example, I have a multi-homed VPN server and want to capture traffic on only the DMZ interface. To do this, use PktMon.exe to enumerate all interfaces using the following command.

PktMon.exe list

Note: The output of PktMon.exe filter list does not include information that easily maps to existing network interfaces. I suggest also running the Get-NetAdapter PowerShell command to view detailed information about network interfaces. You can use this information to select the correct Network ID for PktMon.exe filtering.

Next, change the value of –comp nics in the command referenced above to –comp <Network ID>. Here’s an example.

PktMon.exe start –capture –file c:\capture.etl –pkt-size 0 –comp 62 –flags 0x10

Filtering

It’s also possible to use PktMon.exe to capture network traffic selectively. Filtering allows you to narrow the capture to relevant traffic, making analysis easier and faster. Add a filter, then start a trace to restrict data capture to traffic that matches the defined filters. You can add one or more filters to apply to the capture. Here are a few examples.

Protocols and Ports

Let’s say you are troubleshooting a device tunnel connection and want to see only IKEv2 traffic. The following filter will restrict the network capture to only the IKEv2-related protocols and ports.

PktMon.exe filter add IKEv2 -t UDP -p 500
PktMon.exe filter add IKEv2 -t UDP -p 4500

IP Address

The following filter will capture data that includes the specified IP address in the source or destination address field.

PktMon.exe filter add VPN1 -i 172.21.12.50

You can also specify IP address subnets using their CIDR notation.

PktMon.exe filter add Subnet1 -i 172.16.0.0/16

View and Clear Filters

You can view configured filters using the following command.

PktMon.exe filter list

You can remove configured filters using the following command. Use with caution, as this removes ALL filters!

PktMon.exe filter remove

Reference

You’ll find a complete list of PktMon.exe filters here.

Analysis

PktMon.exe outputs captured data in ETL format. Administrators can convert captured data to the standard PCAP format by running the following command.

PktMon.exe etl2pcap <path of trace file>

This command converts the file from ETL to PCAPNG format. Administrators can then open the capture in Wireshark for further detailed analysis.

Display Only

PktMon.exe can be configured to display network traffic in the console for quick troubleshooting. Console traffic display can be helpful for those scenarios where a quick check to validate traffic is reaching a particular destination is required. Here’s an example.

PktMon.exe start –capture –pkt-size 0 –comp nics –flags 0x10 -m real-time

Note: In the example above, I applied a traffic filter to limit the capture to only SSTP traffic (TCP 443).

Limitations

One crucial limitation of PktMon.exe is that it doesn’t support persistent network captures that survive a reboot. Persistent captures can be helpful when troubleshooting a device tunnel connection or slow logons. In this scenario, you must use netsh.exe.

netsh.exe trace start capture=yes tracefile=c:\tracefile.etl persistent=yes

<reboot>

netsh.exe trace stop

Although PktMon.exe supports the ‘etl2pcap’ switch, it does NOT work for converting .etl files generated with netsh.exe. To convert captures created with netsh.exe, use the open-source etl2pcapng tool.

Learn More

PktMon.exe has many different uses. This post barely scratches the surface of what PktMon.exe can do. PktMon.exe comes with robust help, accessible by adding the ‘help’ switch to commands. Here are some examples.

PktMon.exe start help
PktMon.exe filter add help

Be sure to view the online help to explore various options for capturing and logging to meet your specific needs.

Summary

PktMon.exe is a native command-line utility in Windows that provides a lightweight solution for capturing network traffic, making it particularly useful for Always On VPN troubleshooting. Key functionalities include full-packet captures, selective filtering by protocol, port, or IP address, and conversion of ETL files to PCAPNG format for analysis in tools like Wireshark. Real-time traffic displays are also supported for quick diagnostics. While effective for many scenarios, PktMon.exe lacks support for persistent captures across reboots, for which netsh.exe is recommended. The techniques outlined above offer administrators a practical, software-free approach to deep packet inspection for troubleshooting Always On VPN issues.

Have you used PktMon.exe for network troubleshooting? Feel free to share tips and tricks in the comments section below!

Additional Information

Getting Started with Windows Packet Monitor (PktMon.exe)

PktMon.exe Filter Reference

Open-source Etl2pcap for netsh.exe captures

Leave a comment
by Richard M. Hicks on March 31, 2025  •  Permalink
Posted in Always On VPN, AOVPN, device tunnel, Enterprise, enterprise mobility, IKEv2, Infrastructure, Microsoft, Mobility, nmap, Open Source, Operational Support, PowerShell, Remote Access, troubleshooting, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 31, 2025

https://directaccess.richardhicks.com/2025/03/31/always-on-vpn-troubleshooting-with-windows-packet-monitor-pktmon-exe/

Always On VPN Training at TechMentor Redmond 2019

TechMentor Redmond 2019I’m pleased to announce that I’ll be delivering two technical training sessions at this year’s TechMentor Redmond event. This event takes place on the Microsoft campus in Redmond, WA August 5-9, 2019. I’ll be presenting two sessions on Thursday, August 8. They are:

TH16 – Wireshark Essentials: Your First Day with Wireshark

During this session you will learn essential techniques for optimizing packet analysis using Wireshark. Topics will include filter and display tips, workspace oganization, using shortcuts for common tools, and configuring Wireshark profiles. I’ll also touch upon some advanced techniques such as graphing and geography database integration.

TH20 – Always On VPN: The Good, the Bad, and the Ugly!

During this session you will gain a full understanding of Always On VPN including and how it compares with its predecessor, DirectAccess. I’ll share detailed information about this new technology, and how it best fits in to your organizations mobility strategy. Always On VPN has some important advantages over DirectAccess, and some challenging drawbacks. I’ll explain everything good, bad, and even the ugly.

TechMentor Redmond 2019

 

Don’t miss out on this fantastic event. Register now to take advantage of early bird savings, which end June 7. Hope to see you there!

Leave a comment
by Richard M. Hicks on April 3, 2019  •  Permalink
Posted in Always On VPN, AOVPN, DirectAccess, education, enterprise mobility, learning, Mobility, Remote Access
Tagged , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 3, 2019

https://directaccess.richardhicks.com/2019/04/03/always-on-vpn-training-at-techmentor-redmond-2019/

« Older Posts