When troubleshooting Always On VPN, taking a network packet capture or network trace is sometimes required to identify the root cause of a problem. After all, Packets Don’t Lie™. There are numerous ways to capture packets. Many administrators will install Wireshark for this purpose. However, Windows has a native packet capture tool called PktMon.exe that offers many advantages over Wireshark.
Wireshark
Many Always On VPN administrators will be familiar with Wireshark. Wireshark is a popular open-source network protocol analyzer that enables the capture and analysis of network traffic for troubleshooting. A packet capture driver must first be installed to capture network traffic with Wireshark. Typically, administrators will install Npcap, which is part of the default installation of Wireshark. Installing a capture driver poses a potential problem, as the administrator must install software on the target device before capturing traffic. Installing software may not always be feasible or possible. Fortunately, there’s an alternative.
PktMon.exe
The Windows Packet Monitor (PktMon.exe) is a built-in command-line tool first introduced in Windows 10 1809 and Windows Server 2019. It is designed to capture network traffic on Windows servers and client systems. This native lightweight tool is ideal for collecting network traces for offline analysis.
Capture All Interfaces
The most common scenario for PktMon.exe is to capture data for offline analysis. Use the following command to capture all network traffic on all active network interfaces.
PktMon.exe start –capture –file c:\capture.etl –pkt-size 0 –comp nics –flags 0x10
The command breaks down as follows:
–capture – captures network traffic
–file – the path of the file to save the data to
–pkt-size 0 – captures the full packet (not truncated)
–comp nics – captures traffic on all active network interfaces
–flags 0x10 – captures the raw packet
After reproducing the issue, you can stop the trace by running the following command.
PktMon.exe stop
Capture Specific Interface
Administrators may wish to capture traffic on a specific network interface instead of all active network interfaces. In this example, I have a multi-homed VPN server and want to capture traffic on only the DMZ interface. To do this, use PktMon.exe to enumerate all interfaces using the following command.
PktMon.exe list
Note: The output of PktMon.exe filter list does not include information that easily maps to existing network interfaces. I suggest also running the Get-NetAdapter PowerShell command to view detailed information about network interfaces. You can use this information to select the correct Network ID for PktMon.exe filtering.
Next, change the value of –comp nics in the command referenced above to –comp <Network ID>. Here’s an example.
PktMon.exe start –capture –file c:\capture.etl –pkt-size 0 –comp 62 –flags 0x10
Filtering
It’s also possible to use PktMon.exe to capture network traffic selectively. Filtering allows you to narrow the capture to relevant traffic, making analysis easier and faster. Add a filter, then start a trace to restrict data capture to traffic that matches the defined filters. You can add one or more filters to apply to the capture. Here are a few examples.
Protocols and Ports
Let’s say you are troubleshooting a device tunnel connection and want to see only IKEv2 traffic. The following filter will restrict the network capture to only the IKEv2-related protocols and ports.
PktMon.exe filter add IKEv2 -t UDP -p 500
PktMon.exe filter add IKEv2 -t UDP -p 4500
IP Address
The following filter will capture data that includes the specified IP address in the source or destination address field.
PktMon.exe filter add VPN1 -i 172.21.12.50
You can also specify IP address subnets using their CIDR notation.
PktMon.exe filter add Subnet1 -i 172.16.0.0/16
View and Clear Filters
You can view configured filters using the following command.
PktMon.exe filter list
You can remove configured filters using the following command. Use with caution, as this removes ALL filters!
PktMon.exe filter remove
Reference
You’ll find a complete list of PktMon.exe filters here.
Analysis
PktMon.exe outputs captured data in ETL format. Administrators can convert captured data to the standard PCAP format by running the following command.
PktMon.exe etl2pcap <path of trace file>
This command converts the file from ETL to PCAPNG format. Administrators can then open the capture in Wireshark for further detailed analysis.
Display Only
PktMon.exe can be configured to display network traffic in the console for quick troubleshooting. Console traffic display can be helpful for those scenarios where a quick check to validate traffic is reaching a particular destination is required. Here’s an example.
PktMon.exe start –capture –pkt-size 0 –comp nics –flags 0x10 -m real-time
Note: In the example above, I applied a traffic filter to limit the capture to only SSTP traffic (TCP 443).
Limitations
One crucial limitation of PktMon.exe is that it doesn’t support persistent network captures that survive a reboot. Persistent captures can be helpful when troubleshooting a device tunnel connection or slow logons. In this scenario, you must use netsh.exe.
netsh.exe trace start capture=yes tracefile=c:\tracefile.etl persistent=yes
<reboot>
netsh.exe trace stop
Although PktMon.exe supports the ‘etl2pcap’ switch, it does NOT work for converting .etl files generated with netsh.exe. To convert captures created with netsh.exe, use the open-source etl2pcapng tool.
Learn More
PktMon.exe has many different uses. This post barely scratches the surface of what PktMon.exe can do. PktMon.exe comes with robust help, accessible by adding the ‘help’ switch to commands. Here are some examples.
PktMon.exe start help
PktMon.exe filter add help
Be sure to view the online help to explore various options for capturing and logging to meet your specific needs.
Summary
PktMon.exe is a native command-line utility in Windows that provides a lightweight solution for capturing network traffic, making it particularly useful for Always On VPN troubleshooting. Key functionalities include full-packet captures, selective filtering by protocol, port, or IP address, and conversion of ETL files to PCAPNG format for analysis in tools like Wireshark. Real-time traffic displays are also supported for quick diagnostics. While effective for many scenarios, PktMon.exe lacks support for persistent captures across reboots, for which netsh.exe is recommended. The techniques outlined above offer administrators a practical, software-free approach to deep packet inspection for troubleshooting Always On VPN issues.
Have you used PktMon.exe for network troubleshooting? Feel free to share tips and tricks in the comments section below!
