PKTMON filter not applied

Question

PKTMON filter not applied

Florent QUILICHINI 0

Hello,

I'm trying to use PKTMON to troubleshoot DHCP problems.

After tracking the packets from the source through the network devices, I'm trying to control their reception and response from the DHCP server. A Windows 2022 server.

I wanted to use PKTMON on the same principle as the tcpdump used previously.

However, I can't figure out how filtering works.

I have the same problem on my Windows 11 workstation for a simple ICMP test.

Here's an example:

To view ICMP packets on my workstation, I proceed as follows:

1/ I list the interfaces and find the ID of the component carrying my IP address.

2/ I create a filter on the ICMP protocol

3/ I start real-time capture on the component I've identified. I'm expecting to see only ICMP packets (which I would have generated as a test), but I'm seeing all kinds of packets: TCP, UDP, ...

Can anyone explain the behavior and how to make my filter work?

(Please check the screenshot with commands used?) screenshot Pktmon filter error

2 answers

Your answer

Answer 1

Hello Florent,

Your understanding of how filtering should work is probably correct - there is certainly something odd about the output.

In addition to the mismatch between the filter set and the packets captured, the oddities include:

Apparence values (should be 0)
Filtre values (should be 1, given the "pktmon filter list" output)
The second and third capture reports seem to be two appearances (195 and 196) of the same packet (identical PktGroupId and PktNumber values), which is not itself unusual, but with different OriginalSize values (which is unexpected).

This is not normal behaviour - I can't reproduce it. Is there anything unusual (e.g. installed network drivers (perhaps Wireshark npmon or similar)) about the system that you can tell us? Can you reproduce the problem on other systems?

Gary

Answer 2

Florent QUILICHINI 0

Hello Gary,

Thanks for your feedback and research. It's a strange situation indeed.

I've reproduced exactly the same situation on a second computer and a Windows 2022 server in my company, and the filters are not taken into account.

However, if I try the same thing on my personal computer, no problem, the filter works fine.

I wonder if deploying EDR on all the machines in my organization isn't the problem.

I'll continue my tests and get back to you if I have any news, and am of course interested if anyone manages to get to the bottom of this.

Best Regards,

Florent

Gary Nebbett 6,216 Reputation points

2025-06-23T13:07:10.76+00:00

Hello Florent,

My initial suggestion would be to perform a short unfiltered capture with a command like:

pktmon start --capture --comp all --flags 0x3F --file-name why.etl

Analysis of the capture data might give some indication of why the Appearance values are so high; this may seem unrelated to your core question, but understanding why one odd behaviour is occurring might give ideas/insight into why other odd things are happening.

Gary
Florent QUILICHINI 0 Reputation points

2025-06-23T15:07:21.36+00:00

I did it, but I am not sure to understand it.

I'll let you explain if there's anything to understand
Gary Nebbett 6,216 Reputation points

2025-06-23T19:41:42.8566667+00:00

Hello Florent,

The structured .etl file is better suited than the .txt file for filtering/searching etc.

Is there any correlation between the presence of the "Zscaler LightWeight Filter" driver, the "Npcap Packet Driver" and the odd behaviour?

Gary
Florent QUILICHINI 0 Reputation points

2025-06-24T09:40:15.07+00:00

Hello Gary,

I'd prefer to use a text format to have control over the data and partially anonymize it.

I finally understood! It's not Zscaler but EDR. I disabled both one after the other and when the EDR is inactive, the filtering works fine. As soon as I reactivate it, the abnormal behavior reappears.

So there's no ideal solution to my problem with PktMon (EDR is mandatory on these machines). Except to filter the display via PowerShell Select-String commands. Or use another network capture solution, Wireshark or netsh trace.

Thank you for your time and suggestions.

Florent
Gary Nebbett 6,216 Reputation points

2025-06-24T10:34:51.1366667+00:00

Hello Florent,

It is not useful for me, but it might be worthwhile naming the particular EDR product causing the problem (in case others experience this issue).

The product appears to be damaging kernel-mode data; there may be risk in not using an EDR product but there are different risks when using one...

Gary
Florent QUILICHINI 0 Reputation points

2025-06-24T12:19:16.29+00:00

Hello Gary,

I can't share this information for the same reason I didn't share the etl file.

This EDR is one of the leading solutions identified by Gartner, and is therefore massively deployed.

Best Regards,

Florent

Share via

PKTMON filter not applied

2 answers

Your answer