Introducing Packet Monitor

Network connectivity issues are often hard to diagnose. There are multiple machines involved in a single data transfer: at least two endpoints and a complex network infrastructure in the middle. Lately, with the introduction of network virtualization, more of the infrastructure capabilities like routing and switching are being integrated into the endpoints. The additional complexity in the endpoints often leads to connectivity issues that are hard to diagnose. This new infrastructure requires a more comprehensive network diagnostics approach.

Packet Monitor

Packet Monitor (PacketMon) is an in-box, cross-component network diagnostics tool for Windows. It can be used for packet capture, packet drop detection, packet filtering and counting. The tool is especially helpful in scenarios like container networking and SDN. It is available in-box via the pktmon.exe command and via Windows extensions.

Overview

Any machine that communicates over the network has at least one network adapter. All the components between this adapter and an application form a networking stack. The networking stack is a set of networking components that process and move networking traffic. In traditional scenarios, the networking stack is small, and all the packet routing and switching happens in external devices.

Figure: Networking stack in traditional scenarios

However, with the advent of network virtualization, the size of the networking stack has multiplied. This extended networking stack now includes components, like the Virtual Switch, that handle packet processing and switching. Such a flexible environment allows for much better resource utilization and security isolation, but it also leaves more room for configuration mistakes that are hard to diagnose. Accordingly, visibility within the networking stack is needed to pinpoint these mistakes, and PacketMon provides that visibility.

Figure: PacketMon's cross-component packet capture

PacketMon intercepts packets at multiple locations throughout the networking stack, exposing the packet route. If a packet was dropped by a supported component in the networking stack, PacketMon will report that packet drop. This allows users to differentiate between a component that is the intended destination for a packet and a component that is interfering with a packet. Additionally, PacketMon will report drop reasons, for example MTU Mismatch or Filtered VLAN. These drop reasons provide the root cause of the issue without the need to exhaust all the possibilities. PacketMon also provides packet counters for each intercept point to allow a high-level packet flow examination without the need for time-consuming log analysis.

Figure: PacketMon's packet drop and drop reason reporting

Functionality:

Packetmon was first released in Windows 10 and Windows version 1809 (October 2018 update). Since then, its functionality has been evolving through Windows releases. Below are some of the main capabilities and limitations of PacketMon in Windows 10 and Windows version 2004 (May 2020 Update).

Capabilities:
  • Packet capture at multiple locations of the networking stack
  • Packet drop detection, including drop reason reporting
  • Runtime packet filtering with encapsulation support
  • Flexible packet counters
  • Real-time on-screen packet monitoring
  • High volume in-memory logging
  • Microsoft Network Monitor (NetMon) and Wireshark (pcapng) compatibility

Limitations:
  • Supports Ethernet media type only
  • No Firewall integration
  • Drop reporting is only available for supported components
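The capabilities above describe a workflow (filter, capture across components, inspect drops and counters, export to pcapng) without showing it end to end. The following PowerShell script is an added example, not code from the original post or from the PacketMon team. It assumes an elevated prompt on Windows 10 version 2004 or later, and that pktmon writes its default PktMon.etl into the current directory; the option spelling is taken from the 2004-era pktmon built-in help as I remember it and has changed between releases, so check `pktmon help` and `pktmon filter add help` on your build before using it. The port filtered on (445) and the 20-second capture window are constructed values.

```powershell
#Requires -RunAsAdministrator
# Added example: a scripted PacketMon session for diagnosing one flow.
# Not part of the original post; verify option names with `pktmon help`.

param(
    [int] $Port    = 445,   # constructed: the TCP/UDP port of the flow under investigation
    [int] $Seconds = 20     # constructed: how long to capture
)

# Work in a scratch directory so pktmon's default PktMon.etl lands somewhere known.
$WorkDir = Join-Path $env:TEMP 'pktmon-session'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Set-Location $WorkDir

# Start clean: remove any filters left behind by an earlier session.
pktmon filter remove | Out-Null

# Runtime filter on the port. PacketMon matches filters in both directions and
# inside supported encapsulations, so traffic wrapped in VXLAN/GRE is also caught.
pktmon filter add PortFilter -p $Port
pktmon filter list

# Capture whole packets (-p 0 here is the packet size, 0 = no truncation) from
# every intercept point, logging to ETL rather than to the screen.
pktmon start --etw -p 0
Write-Host "Capturing port $Port for $Seconds seconds ..."
Start-Sleep -Seconds $Seconds

# Stopping the capture prints the per-component counters; a non-zero drop
# count on one component is the first hint of where the flow is being blocked.
pktmon stop

# Human-readable log: each event names the component and direction, and a
# dropped packet carries its drop reason (e.g. MTU Mismatch, Filtered VLAN).
pktmon format PktMon.etl -o PktMon.txt
Write-Host "--- first drop events in the log (assumes 'Drop' appears in drop lines) ---"
Select-String -Path PktMon.txt -Pattern 'Drop' | Select-Object -First 20

# Export to pcapng for Wireshark. The packet bytes carry over; drop reasons and
# component metadata are ETL-only, so keep PktMon.etl alongside the pcapng.
pktmon pcapng PktMon.etl -o PktMon.pcapng
Write-Host "Wireshark-readable capture: $(Join-Path $WorkDir 'PktMon.pcapng')"

# Leave the machine as we found it.
pktmon filter remove | Out-Null
```

Reading the output in this order (counters, then drop lines in the text log, then the pcapng) follows the post's own diagnostic model: the counters tell you which component lost packets, the drop reason tells you why, and the pcapng is only needed when the packet contents themselves matter.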

Summary

Packet Monitor is an in-box network diagnostics tool. It fills a gap in diagnosing virtual environments by providing visibility within the networking stack: it captures packets throughout the networking stack and reports packet drops. In subsequent posts, we will explore how to get started with PacketMon and use it to diagnose specific scenarios. For documentation about PacketMon, please go here.

Could you please implement extcap interface for Packet Monitor so it could be accessed directly from Wireshark?

I have read another post on this utility which stated that you could use the Microsoft Network Monitor app to view the ETL file. Then the download page for Network Monitor refers me to the replacement app, Microsoft Message Analyzer, which in turn says it has been discontinued. Will Microsoft release any updated version of these diagnostic tools to make it easier to read the packet data, or will that be the domain of third party software houses?

There is a utility etl2pcapng on Microsoft's github page that converts ETL to a format Wireshark can read.

I've used it on modestly sized files and it works well, much faster than previous methods via PowerShell.

Hope that helps!

Will it be possible to install pktmon on Windows 10 LTSC 2019 installations?

@tomaszmon WireShark actually wouldn't be the best UI for PacketMon since WireShark doesn't support a lot of the metadata that PacketMon exposes.

@Half_Penny We are working on extending the functionality of Windows Performance Analyzer (WPA) to parse and analyze packets, just as it parses other generic events today. This will actually be our recommended UI for parsing the output of PacketMon as it will be designed to take advantage of PacketMon's most valuable and unique functionality. The first version of this project should be out and announced soon, as we are continuing to add improvements for the next versions.

That being said, Microsoft Network Monitor can also be used to analyze the output from PacketMon today. The tool is still used even though it is deprecated, unlike Microsoft Message Analyzer, which was completely retired.

Thanks @kewalaka. I would actually recommend using the converter built into PacketMon through the pktmon PCAPNG command. It has the same instrumentation as etl2pcapng, but with added customizations for pktmon output to make it more efficient and accurate for packet data.

@DanBowker pktmon is built into Windows builds, so you never need to go install it; it's already there. Go to the command line or PowerShell and type pktmon; it will be there.

It is a command line utility; it would be nice to implement GUI tools too.

@Reza_Ameri-Archived You can operate and analyze the tool today in Windows Admin Center. You can also analyze the output of PacketMon today in Microsoft Network Monitor. Soon you will be able to analyze the output in Windows Performance Analyzer (WPA), and we are looking more into operating the tool through a GUI as well.

Thanks for your reply @george-guirguis. The Windows 10 LTSC 2019 installations that I am interested in are not Windows Server installations, but I just checked and pktmon is on there.

Thank you @george-guirguis for the clarification. I would like to suggest writing a blog or article about these features for the benefit of the community.

Using these features is easy, but it would be nice to have some document or article about it.

@Reza_Ameri-Archived Expect blog posts about this soon! We are also adding documentation on MS Docs for the tool.

Thank you @george-guirguis

Looking forward to those blogs.

Thanks for this blog post. It has good info and might be more valuable to me than some of the others because sadly, I'm massively busy and spread far too thin to focus as much or as directly on some subjects/fields I once specialized in, such as this one. I'm “rusty,” so I find info like this quite helpful. Cheers!

Is there an install package for Windows 10? I don't see it on my PAW.


This article was originally published by Microsoft's Networking Blog. You can find the original article here.