Microsoft

Network connectivity issues are often hard to diagnose. There are multiple machines involved in a single data transfer; at least two endpoints and a complex network infrastructure in the middle. Lately, with the introduction of network virtualization, more of the infrastructure capabilities like routing and switching are being integrated into the endpoints. The additional complexity in the endpoints often leads to connectivity issues that are hard to diagnose. This new infrastructure requires a more comprehensive network diagnostics approach.


Packet Monitor


Packet Monitor (PacketMon) is an in-box, cross-component network diagnostics tool for Windows. It can be used for packet capture, packet drop detection, packet filtering and counting. The tool is especially helpful in virtualization scenarios such as container networking and SDN. It is available in-box via the pktmon.exe command and via Windows Admin Center extensions.


Overview


Any machine that communicates over the network has at least one network adapter. All the components between this adapter and an application form a networking stack. The networking stack is a set of networking components that process and move networking traffic. In traditional scenarios, the networking stack is small, and all the packet routing and switching happens in external devices.

Figure: Networking stack in traditional scenarios

However, with the advent of network virtualization, the size of the networking stack has multiplied. This extended networking stack now includes components, like the Virtual Switch, that handle packet processing and switching. Such a flexible environment allows for much better resource utilization and security isolation, but it also leaves more room for configuration mistakes that are hard to diagnose. Accordingly, visibility within the networking stack is needed to pinpoint these mistakes, and PacketMon provides that visibility.

Figure: PacketMon's cross-component packet capture

PacketMon intercepts packets at multiple locations throughout the networking stack, exposing the packet route. If a packet was dropped by a supported component in the networking stack, PacketMon will report that packet drop. This allows users to differentiate between a component that is the intended destination for a packet and a component that is interfering with a packet. Additionally, PacketMon will report drop reasons, for example MTU Mismatch or Filtered VLAN. These drop reasons provide the root cause of the issue without the need to exhaust all the possibilities. PacketMon also provides packet counters for each intercept point to allow a high-level packet flow examination without the need for time-consuming log analysis.

Figure: PacketMon's packet drop and drop reason reporting

Functionality:


PacketMon was first released in Windows 10 and Windows Server 2019 version 1809 (October 2018 Update). Since then, its functionality has been evolving through Windows releases. Below are some of the main capabilities and limitations of PacketMon in Windows 10 and Windows Server 2019 version 2004 (May 2020 Update).


Capabilities:
  • Packet capture at multiple locations of the networking stack
  • Packet drop detection, including drop reason reporting
  • Runtime packet filtering with encapsulation support
  • Flexible packet counters
  • Real-time on-screen packet monitoring
  • High volume in-memory logging
  • Microsoft Network Monitor (NetMon) and Wireshark (pcapng) compatibility
Limitations:
  • Supports Ethernet media type only
  • No Firewall integration
  • Drop reporting is only available for supported components
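As an added example (not part of the original post), the following PowerShell session walks the capture workflow the capability list describes: filter at runtime, capture across the stack, read the per-component counters, then convert the ETL log to text and pcapng for Wireshark. It assumes the pktmon.exe command spellings of the version 2004 release (filter add, start --etw, counters, stop, format, pcapng); later builds renamed some verbs and flags, so `pktmon help` on the target build is the authority.

```powershell
# Added example, not from the original post: one PacketMon session on
# Windows 10 / Windows Server 2019 version 2004. Run in an elevated PowerShell.
# Verb and flag spellings are the 2004-era pktmon.exe syntax (an assumption;
# later builds renamed some of them), so confirm with `pktmon help` first.

# pktmon writes PktMon.etl to the current directory, so work from TEMP.
Push-Location $env:TEMP
$Etl    = 'PktMon.etl'
$Txt    = 'PktMon.txt'
$Pcapng = 'PktMon.pcapng'

# 1. Start clean: remove stale filters and zero the per-component counters.
pktmon filter remove
pktmon reset

# 2. Filter at runtime so the in-memory log holds only the traffic under
#    investigation: DNS (port 53) and ICMP. Filters also match encapsulated traffic.
pktmon filter add DnsFilter  -p 53
pktmon filter add IcmpFilter -t ICMP
pktmon filter list

# 3. Capture to an ETL log at every intercept point in the networking stack.
pktmon start --etw

# Reproduce the connectivity problem here; a fixed wait stands in for that step.
Start-Sleep -Seconds 30

# 4. Before stopping, read the counters: a packet count that disappears between
#    two adjacent components, or a non-zero drop count, localizes the loss.
pktmon counters

pktmon stop

# 5. Convert the log: text (carries the drop reasons, e.g. MTU Mismatch,
#    Filtered VLAN) for quick triage, pcapng for Wireshark.
pktmon format $Etl -o $Txt
pktmon pcapng $Etl -o $Pcapng

# Surface only the drop records from the text report.
Select-String -Path $Txt -Pattern 'Drop' | Select-Object -First 20

# 6. Remove the filters so later captures start unfiltered.
pktmon filter remove
Pop-Location
```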


Summary


Packet Monitor is an in-box network diagnostics tool. It fills a gap in diagnosing virtual environments by providing visibility within the networking stack as it captures packets throughout the networking stack and reports packet drops. In subsequent posts, we will explore how to get started with PacketMon, and how to use it to diagnose specific scenarios.

2 Comments
Occasional Visitor

Could you please implement an extcap interface for Packet Monitor so it could be accessed directly from Wireshark?

Occasional Contributor

I have read another post on this utility which stated that you could use the Microsoft Network Monitor app to view the ETL file. Then the download page for Network Monitor refers me to the replacement app, Microsoft Message Analyzer, which in turn says it has been discontinued. Will Microsoft release any updated version of these diagnostic tools to make it easier to read the packet data, or will that be the domain of third-party software houses?