Packet Monitor will not distinguish between source or destination when it comes to MAC address, IP address, or port filters. Packet Monitor supports filtering by MAC addresses, IP addresses, ports, EtherType, transport protocol, and VLAN ID. C:\Test> pktmon filter add -i 10.0.0.10 -t icmp Up to 32 filters are supported at once.įor example, the following set of filters will capture any ICMP traffic from or to the IP address 10.0.0.10 as well as any traffic on port 53. For a packet to be reported, it must match all conditions specified in at least one filter.
Capturing all the networking traffic can make the output too noisy to analyze. It's highly recommended to apply filters before starting any packet capture, because troubleshooting connectivity to a particular destination is easier when you focus on a single stream of packets. See Analyze Packet Monitor output for instructions on analyzing txt output. Stop the capture and retrieve the logs in txt format for analysis. Query counters to confirm the presence of expected traffic, and to get a high-level view of how the traffic flowed in the machine. Start the capture and enable packet logging. Identify the type of packets needed for the capture, such as specific IP addresses, ports, or protocols associated with the packet.Ĭheck the syntax to apply capture filters, and apply the filters for the packets identified in the previous step. Use the following steps to get started in generic scenarios: For a complete list of commands, see pktmon syntax.
You can use this topic to learn how to understand pktmon syntax, command formatting, and output.
Packet Monitor is available in-box via pktmon.exe command on Windows 10 and Windows Server 2019 (Version 1809 and later). The tool is especially helpful in virtualization scenarios, like container networking and SDN, because it provides visibility within the networking stack. It can be used for packet capture, packet drop detection, packet filtering and counting. Packet Monitor (Pktmon) is an in-box, cross-component network diagnostics tool for Windows. Helps when tracking down slow application performance and packet loss.Applies to: Windows Server 2022, Windows Server 2019, Windows 10, Azure Stack Hub, Azure, Azure Stack HCI, versions 21H2 and 20H2
tcp.flags = 0x012 - Displays all TCP SYN/ACK packets - shows the connections that had a positive response.tcp.port=4000 - Sets a filter for any TCP packet with 4000 as a source or dest port.250 - sets a filter to display all tcp packets that have a delta time of greater than 250mSec in the context of their stream
I created this list from the Wiki, to be a Ctrl + F personal reference to common display filters Operators You can debug filters using the dftest command Cheat Sheet This goes far beyond just filtering based on IP, port and protocol. Wirechark has some comprehensive packet filtering capabilities, and display filters let you utilize these multi-pass packet processing capabilities.