Microsoft Tech Community
Introducing Packet Monitor
Published May 22 2020 06:00 AM
Microsoft

Network connectivity issues are often hard to diagnose. There are multiple machines involved in a single data transfer; at least two endpoints and a complex network infrastructure in the middle. Lately, with the introduction of network virtualization, more of the infrastructure capabilities like routing and switching are being integrated into the endpoints. The additional complexity in the endpoints often leads to connectivity issues that are hard to diagnose. This new infrastructure requires a more comprehensive network diagnostics approach.

 

Packet Monitor

 

Packet Monitor (PacketMon) is an in-box, cross-component network diagnostics tool for Windows. It can be used for packet capture, packet drop detection, packet filtering and counting. The tool is especially helpful in virtualization scenarios like container networking and SDN. It is available in-box via the pktmon.exe command and via Windows Admin Center extensions.

 

Overview

 

Any machine that communicates over the network has at least one network adapter. All the components between this adapter and an application form a networking stack. The networking stack is a set of networking components that process and move networking traffic. In traditional scenarios, the networking stack is small, and all the packet routing and switching happens in external devices.

 

[Figure: Networking stack in traditional scenarios]

However, with the advent of network virtualization, the size of the networking stack has multiplied. This extended networking stack now includes components, like the Virtual Switch, that handle packet processing and switching. Such a flexible environment allows for much better resource utilization and security isolation, but it also leaves more room for configuration mistakes that are hard to diagnose. Accordingly, visibility within the networking stack is needed to pinpoint these mistakes, and PacketMon provides that visibility.

 

[Figure: PacketMon's cross-component packet capture]

PacketMon intercepts packets at multiple locations throughout the networking stack, exposing the packet's route. If a packet is dropped by a supported component in the networking stack, PacketMon reports that drop. This allows users to differentiate between a component that is the intended destination for a packet and a component that is interfering with it. Additionally, PacketMon reports drop reasons, for example MTU Mismatch or Filtered VLAN. These drop reasons point at the root cause of the issue without the need to exhaust all the possibilities. PacketMon also provides packet counters for each intercept point, allowing a high-level examination of the packet flow without time-consuming log analysis.

 

[Figure: PacketMon's packet drop and drop reason reporting]

 

Functionality:

 

PacketMon was first released in Windows 10 and Windows Server 2019, version 1809 (October 2018 Update). Since then, its functionality has been evolving with each Windows release. Below are the main capabilities and limitations of PacketMon in Windows 10 and Windows Server, version 2004 (May 2020 Update).

 

Capabilities:
  • Packet capture at multiple locations of the networking stack 
  • Packet drop detection, including drop reason reporting
  • Runtime packet filtering with encapsulation support 
  • Flexible packet counters
  • Real-time on-screen packet monitoring 
  • High volume in-memory logging
  • Microsoft Network Monitor (NetMon) and Wireshark (pcapng) compatibility
Limitations:
  • Supports Ethernet media type only
  • No Firewall integration
  • Drop reporting is only available for supported components
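As an added example (not code from the original post or from the PacketMon team), the following elevated PowerShell session walks through the drop-hunting workflow the post describes: scope the capture with filters, record drops at every intercept point, read the per-component drop counters, then pull the drop reasons out of the log and convert it for Wireshark. It assumes the newer pktmon verbs that appear later in the comment thread (start --capture, counters, etl2txt, etl2pcap); on the version 2004 build this post describes, the start verb was --etw and the converters were pktmon format and pktmon pcapng. The DNS/ICMP repro traffic and the output paths are constructed for illustration.

```powershell
# Added example, not from the original post. Assumes the newer pktmon syntax
# (start --capture, counters, etl2txt, etl2pcap); on version 2004 the start verb
# was --etw and the converters were "pktmon format" / "pktmon pcapng".
# pktmon needs an elevated prompt.

$Etl = Join-Path $env:TEMP 'pktmon-drops.etl'          # constructed output path

# 1. Scope the capture before starting it. Fields inside one filter entry are ANDed,
#    separate entries are ORed: keep DNS over UDP/53 and all ICMP, nothing else.
pktmon filter remove                                   # clear any leftover filters
pktmon filter add DNS  -t UDP -p 53
pktmon filter add ICMP -t ICMP
pktmon filter list

# 2. Capture only dropped packets (--type drop) at every intercept point (--comp all),
#    with full packet bodies (--pkt-size 0 means "do not truncate"), into a circular
#    256 MB file so a long-running repro cannot fill the disk.
pktmon start --capture --type drop --pkt-size 0 --comp all `
    --file-name $Etl --file-size 256 --log-mode circular

# 3. Reproduce the problem. Constructed traffic: one DNS query and four pings.
Resolve-DnsName -Name example.com -Server 1.1.1.1 -ErrorAction SilentlyContinue | Out-Null
ping.exe 1.1.1.1 -n 4 | Out-Null

# 4. Stop, then read the counters first. A non-zero drop counter names the component
#    that discarded the packet, which is the cheapest way to tell a component that is
#    the packet's destination from one that is interfering with it.
pktmon stop
pktmon counters --type drop                            # omit --type to see flow counters too

# 5. Only then open the log: the text rendering carries the drop reason for each
#    dropped packet (for example MTU Mismatch or Filtered VLAN), and the pcapng
#    conversion lets Wireshark show the packet contents.
$Txt    = [IO.Path]::ChangeExtension($Etl, '.txt')
$Pcapng = [IO.Path]::ChangeExtension($Etl, '.pcapng')
pktmon etl2txt  $Etl -o $Txt
pktmon etl2pcap $Etl -o $Pcapng
Select-String -Path $Txt -Pattern 'Drop' | Select-Object -First 20

# 6. Tear down. Filters persist until removed, so a forgotten entry silently
#    narrows the next capture; reset also zeroes the counters.
pktmon filter remove
pktmon reset
```

Because drop reporting exists only for supported components (see the limitation above), a missing drop counter does not prove the packet left the host. Re-running the same filtered capture with --type all shows the last intercept point at which the packet was seen, which narrows the search to the component just after it.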

 

Summary

 

Packet Monitor is an in-box network diagnostics tool. It fills a gap in diagnosing virtual environments by providing visibility within the networking stack: it captures packets throughout the networking stack and reports packet drops. In subsequent posts, we will explore how to get started with PacketMon and how to use it to diagnose specific scenarios. For documentation about PacketMon, see the Packet Monitor documentation on Microsoft Docs.

23 Comments
Copper Contributor

Could you please implement extcap interface for Packet Monitor so it could be accessed directly from Wireshark?

Iron Contributor

I have read another post on this utility which stated that you could use the Microsoft Network Monitor app to view the ETL file.  Then the download page for Network Monitor refers me to the replacement app, Microsoft Message Analyzer which in turn says it has been discontinued.  Will Microsoft release any updated version of these diagnostic tools to make it easier to read the packet data or will that be the domain of third party software houses?

Copper Contributor

There is a utility etl2pcapng on Microsoft's github page that converts ETL to a format Wireshark can read.

 

I've used it on modestly sized files and it works well, much faster than previous methods via PowerShell.

 

Hope that helps!

 

 

Copper Contributor

Will it be possible to install pktmon on Windows 10 LTSC 2019 installations?

Microsoft

@tomaszmon Wireshark actually wouldn't be the best UI for PacketMon since Wireshark doesn't support a lot of the metadata that PacketMon exposes.

Microsoft

@Half_Penny We are working on extending the functionality of Windows Performance Analyzer (WPA) to parse and analyze packets, just as it parses other generic events today. This will actually be our recommended UI for parsing the output of PacketMon as it will be designed to take advantage of PacketMon's most valuable and unique functionality. The first version of this project should be out and announced soon, as we are continuing to add improvements for the next versions.

 

That being said, Microsoft Network Monitor can also be used to analyze the output from PacketMon today. The tool is still used even though it is deprecated, unlike Microsoft Message Analyzer, which was completely retired.

Microsoft

Thanks @stu_nz. I would actually recommend using the converter built into PacketMon through the pktmon PCAPNG command. It has the same instrumentation as etl2pcapng, but with added customizations for pktmon output to make it more efficient and accurate for packet data.

Microsoft

@DanBowker pktmon is built into Windows Server 2019 builds, so you never need to go install it; it's already there. Go to the command line or PowerShell and type pktmon; it will be there.

Bronze Contributor

It is a command-line utility; it would be nice to implement GUI tools too.

Microsoft

@Reza_Ameri-Archived You can operate and analyze the tool today in Windows Admin Center. You can also analyze the output of PacketMon today in Microsoft Network Monitor. Soon you will be able to analyze the output in Windows Performance Analyzer (WPA), and we are looking more into operating the tool through a GUI as well.

Copper Contributor

Thanks for your reply @george-guirguis. The Windows 10 LTSC 2019 installations that I am interested in are not Windows Server installations, but I just checked and pktmon is on there.

Bronze Contributor

Thank you @george-guirguis for the clarification. I would like to suggest writing a blog or article about these features for the benefit of the community.

Using these features is easy, but it would be nice to have some documentation or an article about it.

Microsoft

@Reza_Ameri-Archived Expect blog posts about this soon! We are also adding documentation on MS Docs for the tool.

Bronze Contributor

Thank you @george-guirguis

Looking forward to those blogs.

Brass Contributor

Thanks for this blog post. It has good info and might be more valuable to me than some of the others because sadly, I'm massively busy and spread far too thin to focus as much or as directly on some subjects/fields I once specialized in, such as this one. I'm "rusty," so I find info like this quite helpful. Cheers!

Copper Contributor

Is there an install package for Windows 10? I don't see it on my PAW.

Microsoft

@Bennett Benson Packet Monitor is available in-box via the pktmon.exe command on Windows 10 and Windows Server 2019 (version 1809 and later). If you're on one of these builds, you should be able to go to an elevated CMD or PowerShell and just type pktmon to verify that you have it. If you're on an older build, I recommend that you update it; the tool cannot be shipped out of box.

Copper Contributor

@george-guirguis We are finding that LTSC 2019 has pktmon version 10.0.17763.292. That seems to be an older version that doesn't have the command-line options that I have on my Windows 10, pktmon 10.0.19041.906. Windows Update doesn't seem to update the version on LTSC. Do you know if we can just copy over the latest pktmon-related files to LTSC? Thanks.

Microsoft

@KevinPiazza pktmon doesn't really support versioning yet; when you try to call its version, it will simply reflect the Windows version. These two builds should have the latest version of pktmon if you updated them since April, so it's definitely unexpected to have an older version of pktmon on these builds regardless of the Windows updates. I would double-check on installing the optional packages of Windows Update, but let me know if it still doesn't update for some reason. There is no way to copy pktmon or ship it out of box, unfortunately; it's an in-box tool that can come either with Windows or through Windows Update.

Copper Contributor

Hello @george-guirguis -- We retried running Windows Update on LTSC 2019 and this time pktmon was updated. Not sure why it didn't a couple of weeks ago. Anyway, thanks for the help. We are hoping this tool will help us remotely debug network issues with our kiosks in the field. A good network trace gets down to the issues faster than other methods. It's the blood test of the network world. :)

Thanks again!

Microsoft

@KevinPiazza Glad that this worked out for you at the end! Let me know if you have any feedback or requests about the tool as you use it.

Copper Contributor

Is the WPA integration already there? I have found that pktmon traces only in one user-mode session with an ETW buffer size of 16 KB. If I add other WPA profiles and try to merge the resulting ETL, xperf/WPR complains that the ETW buffer sizes are incompatible. Can I somehow set the ETW buffer size of pktmon at recording time to make it work with other profiles? The current workaround is to stop the ETW session and restart it, which works, but it is kind of a dirty workaround.

Iron Contributor

What am I missing here? Why don't I see 1.1.1.1 traffic in the etl file?

 

pktmon start --capture --pkt-size 0 -f C:\tmp\capture.etl
ping 1.1.1.1
pktmon stop
Version history
Last update: Dec 24 2020 11:44 AM