pktmon start
Starts packet capture and event collection.
Syntax
pktmon start [--capture [--counters-only] [--comp <selector>] [--type <type>] [--pkt-size <bytes>] [--flags <mask>]]
[--trace --provider <name> [--keywords <k>] [--level <n>] ...]
[--file-name <name>] [--file-size <size>] [--log-mode <mode>]
Packet capture parameters
Use -c or --capture to enable packet capture and packet counters, along with the following optional parameters.
Parameter | Description |
---|---|
-o, --counters-only | Collect packet counters only. No packet logging. |
--comp <selector> | Select components to capture packets on. Can be all components (all), NICs only (nics), or a list of component IDs. Defaults to all. |
--type <type> | Select which packets to capture. Can be all, flow, or drop. Default is all. |
--pkt-size <bytes> | Number of bytes to log from each packet. To always log the entire packet, set this to 0. Default is 128 bytes. |
--flags <mask> | Hexadecimal bitmask that controls which information is logged during packet capture. Default is 0x012. See Packet capture flags, below. |
Packet capture flags
The following flags apply to the --flags parameter (see above).
Flag | Description |
---|---|
0x001 | Internal Packet Monitor errors. |
0x002 | Information about components, counters, and filters. This information is added to the end of the log file. |
0x004 | Source and destination information for the first packet in NET_BUFFER_LIST group. |
0x008 | Select packet metadata from NDIS_NET_BUFFER_LIST_INFO enumeration. |
0x010 | Raw packet, truncated to the size specified in the --pkt-size parameter. |
Event collection parameters
Use -t or --trace to enable event collection, along with the following optional parameters.
Parameter | Description |
---|---|
-p, --provider <name> | Event provider name or GUID. For multiple providers, use this parameter more than once. |
-k, --keywords <k> | Hexadecimal bitmask that controls which events are logged for the corresponding provider. Default is 0xFFFFFFFF. |
-l, --level <n> | Logging level for the corresponding provider. Default is 4 (info level). |
Logging parameters
Use the following parameters for logging:
Parameter | Description |
---|---|
-f, --file-name <name> | Log file name. Default is PktMon.etl. |
-s, --file-size <size> | Maximum log file size in megabytes. Default is 512 MB. |
-m, --log-mode <mode> | Sets the logging mode (see below). Default is circular. |
Logging modes
The following modes apply to the -m or --log-mode parameter (see above).
Mode | Description |
---|---|
circular | New events overwrite the oldest ones when the log is full. |
multi-file | A new log file is created each time the log is full. Log files are sequentially numbered: PktMon1.etl, PktMon2.etl, etc. No limit on the number of captured events. |
real-time | Display events and packets on screen in real time. No log file is created. Press Ctrl+C to stop monitoring. |
memory | Like circular, but the entire log is stored in memory. It is written to a file when pktmon is stopped. The memory buffer size is specified by the --file-size parameter. |
Examples
Example 1: Packet capture
C:\Test> pktmon start --capture
Example 2: Packet counters only
C:\Test> pktmon start --capture --counters-only
Example 3: Event logging
C:\Test> pktmon start --trace -p Microsoft-Windows-TCPIP -p Microsoft-Windows-NDIS
Example 4: Packet capture with event logging
C:\Test> pktmon start --capture --trace -p Microsoft-Windows-TCPIP -k 0xFF -l 4
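The following PowerShell script is an added example, not part of the pktmon reference, that combines the capture, trace and logging parameters documented above into one timed capture of dropped packets. It builds the --flags mask from the named flags in the Packet capture flags table, starts a NIC-only drop capture with full packet bodies and TCP/IP events in multi-file mode, stops it after a fixed interval, and converts the resulting .etl files for analysis. The function names, the log file path and the interval are this example's own choices; it assumes pktmon.exe is on the PATH, that the script runs from an elevated prompt, and that the installed build supports the pktmon stop and pktmon etl2pcap commands (neither is described on this page).

```powershell
# Added example (not from the pktmon reference page). Requires an elevated prompt
# and assumes pktmon.exe is on the PATH.

# Named packet-capture flags from the Packet capture flags table; --flags is a
# bitwise OR of these values (the documented default 0x012 = RawPacket + Components).
$PktmonFlags = @{
    Errors     = 0x001   # internal Packet Monitor errors
    Components = 0x002   # component, counter and filter info appended to the log
    NblSource  = 0x004   # src/dst info for the first packet in a NET_BUFFER_LIST group
    NblInfo    = 0x008   # metadata from NDIS_NET_BUFFER_LIST_INFO
    RawPacket  = 0x010   # raw packet bytes, truncated to --pkt-size
}

function Get-PktmonFlagMask {
    # Returns the hexadecimal mask string pktmon expects, e.g. 0x013.
    param([string[]]$Names)
    $mask = 0
    foreach ($n in $Names) {
        if (-not $PktmonFlags.ContainsKey($n)) { throw "Unknown pktmon flag '$n'" }
        $mask = $mask -bor $PktmonFlags[$n]
    }
    return ('0x{0:X3}' -f $mask)
}

function Start-DropCapture {
    # Hypothetical helper: captures dropped packets on NICs for $Seconds, then
    # stops and converts the log. Defaults below are this example's choices.
    param(
        [string]$LogFile = "$env:TEMP\drops.etl",
        [int]$MaxMb      = 256,
        [int]$Seconds    = 60
    )

    # Add the Errors flag to the default so Packet Monitor's own problems are
    # visible in the log when a capture comes back unexpectedly empty.
    $flags = Get-PktmonFlagMask Errors, Components, RawPacket

    # --comp nics / --type drop: only packets dropped at NIC components.
    # --pkt-size 0: keep the whole packet rather than the first 128 bytes.
    # --trace -p Microsoft-Windows-TCPIP -l 4: TCP/IP events at info level, so
    #   drop reasons can be correlated with the packets.
    # --log-mode multi-file: circular would overwrite the earliest events of a
    #   long capture; multi-file keeps everything, bounded only by disk space.
    & pktmon start --capture --comp nics --type drop --pkt-size 0 --flags $flags `
        --trace -p Microsoft-Windows-TCPIP -l 4 `
        --file-name $LogFile --file-size $MaxMb --log-mode multi-file
    if ($LASTEXITCODE -ne 0) { throw "pktmon start failed with exit code $LASTEXITCODE" }

    try {
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Always stop, even if the script is interrupted, so the driver does not
        # keep filling the disk after the session ends.
        & pktmon stop
    }

    # Assumption: pktmon etl2pcap <file> -o <out> is available on this build.
    # multi-file mode numbers the files (drops1.etl, drops2.etl, ...), so convert each.
    $dir  = Split-Path -Parent $LogFile
    $stem = [System.IO.Path]::GetFileNameWithoutExtension($LogFile)
    $etls = Get-ChildItem -Path $dir -Filter "$stem*.etl"
    foreach ($etl in $etls) {
        $out = [System.IO.Path]::ChangeExtension($etl.FullName, '.pcapng')
        & pktmon etl2pcap $etl.FullName -o $out
        if ($LASTEXITCODE -ne 0) { Write-Warning "Conversion failed for $($etl.FullName)" }
    }
    return $etls
}

# Usage: a one-minute drop capture, then inspect the returned .etl files
# (and their .pcapng conversions) in the temp directory.
# Start-DropCapture -Seconds 60
```

The mask helper matters because --flags is easy to get wrong by hand: dropping 0x002 from the default, for instance, removes the component and filter summary that makes the log self-describing. Stopping inside a finally block is deliberate, since an abandoned multi-file capture has no upper bound other than free disk space.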