I'm trying to use pktmon on a Windows Server 2019 Core (10.0.17763) instance, and it doesn't seem like the filters I add are actually applied. Am I missing something?
I ran these commands:
> pktmon filter add -t TCP -p 9273
Filter added.
> pktmon start --capture --comp nics --pkt-size 0 -f .\pktmon_testing.etl
Logger Parameters:
Logger name: PktMon
Logging mode: Circular
Log file: C:\Users\me\Documents\pktmon_testing.etl
Max file size: 512 MB
Memory used: 256 MB
Collected Data:
Packet counters, packet capture
Capture Type:
All packets
Monitored Components:
Network adapters
Packet Filters:
# Name Protocol Port
- ---- -------- ----
1 <empty> TCP 9273
> pktmon stop
Flushing logs...
Log file: C:\Users\me\Documents\pktmon_testing.etl (No events lost)
> pktmon etl2txt .\pktmon_testing.etl -o pktmon_testing.txt
Processing...
Events formatted: 1008
Formatted file: pktmon_testing.txt
Sample output of the txt file (somewhat obfuscated):
[05]0000.0000::2022-11-09 15:58:16.608010000 [Microsoft-Windows-PktMon] PktGroupId 15481123719086081, PktNumber 1, Appearance 53, Direction Rx , Type Ethernet , Component 1, Edge 1, Filter 4, OriginalSize 225, LoggedSize 225
00-50-56-B9-B5-6C > 00-50-56-B9-A8-09, ethertype IPv4 (0x0800), length 225: aaa.aaa.aaa.aaa.8301 > bbb.bbb.bbb.bbb.8301: UDP, length 183
I added a filter for TCP packets on port 9273, so why does the output contain a UDP packet on port 8301? I assume I'm just missing some step, but I feel like I've followed the examples and documentation very closely.
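One way to answer "were my filters applied?" with numbers rather than by eyeballing the text dump is to parse the etl2txt output and check every logged packet against the filter you meant to apply. The script below is an added example, not part of the question above or of pktmon itself. It parses the two-line record format shown in the post (the `[Microsoft-Windows-PktMon]` header line followed by a tcpdump-style summary line), then reports how many packets match a `-t <proto> -p <port>` filter, lists the ones that do not, and tallies the `Filter` field from each header. Assumptions: the sample records are constructed (RFC 5737 addresses, made-up timestamps) to mirror the post's format; TCP segments are assumed to be printed tcpdump-style as `Flags [S]` rather than with a literal `TCP` label; and `-p` is treated as matching either the source or the destination port.

```python
"""Audit a pktmon etl2txt text dump against the filter you intended to apply.
Added example for the question above; not pktmon's own tooling."""
import re
from collections import Counter
from dataclasses import dataclass

# Header line emitted by `pktmon etl2txt`, format taken from the post above:
# [05]0000.0000::2022-11-09 15:58:16.608010000 [Microsoft-Windows-PktMon] PktGroupId ..., PktNumber 1, ...
HEADER_RE = re.compile(
    r"^\[[0-9A-Fa-f]+\]\d+\.\d+::(?P<ts>\d{4}-\d{2}-\d{2} \S+) "
    r"\[Microsoft-Windows-PktMon\] (?P<fields>.*)$"
)
# tcpdump-style L3/L4 summary after the Ethernet header on the following line:
# ..., ethertype IPv4 (0x0800), length 225: 192.0.2.10.8301 > 192.0.2.20.8301: UDP, length 183
L3_RE = re.compile(
    r"length \d+: (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


@dataclass
class Packet:
    ts: str
    fields: dict          # PktGroupId, PktNumber, Direction, Filter, ... from the header
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: str = "OTHER"  # OTHER also covers non-IP frames that have no L3 summary
    summary: str = ""


def _parse_fields(text):
    """'PktNumber 1, Direction Rx , Filter 4' -> {'PktNumber': '1', 'Direction': 'Rx', 'Filter': '4'}"""
    out = {}
    for item in text.split(","):
        parts = item.strip().split(None, 1)
        if len(parts) == 2:
            out[parts[0]] = parts[1].strip()
    return out


def _guess_proto(rest):
    # Assumption: TCP segments are printed tcpdump-style ("Flags [S], seq ..."),
    # while other protocols are named explicitly ("UDP, length 183", "ICMP ...").
    if rest.startswith("Flags ["):
        return "TCP"
    return rest.split(",")[0].split()[0].upper() if rest.strip() else "OTHER"


def parse_pktmon_txt(text):
    """Turn the etl2txt dump into a list of Packet records."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Packet(ts=m.group("ts"), fields=_parse_fields(m.group("fields")))
            packets.append(current)
            continue
        if current is None:
            continue
        m = L3_RE.search(line)
        if m:
            current.src, current.dst = m.group("src"), m.group("dst")
            current.sport, current.dport = int(m.group("sport")), int(m.group("dport"))
            current.proto = _guess_proto(m.group("rest"))
            current.summary = line.strip()
    return packets


def audit(packets, proto, port):
    """Check every logged packet against a `-t <proto> -p <port>` filter.
    -p is treated as matching either the source or the destination port (assumption)."""
    wanted = proto.upper()
    matched, violations = [], []
    for p in packets:
        if p.proto == wanted and port in (p.sport, p.dport):
            matched.append(p)
        else:
            violations.append(p)
    return {
        "total": len(packets),
        "matched": len(matched),
        "violations": [(p.fields.get("PktNumber"), p.proto, p.sport, p.dport) for p in violations],
        "filter_ids": dict(Counter(p.fields.get("Filter", "?") for p in packets)),
    }


# Constructed sample in the post's format (documentation addresses, made-up timestamps).
SAMPLE = """\
[05]0000.0000::2022-11-09 15:58:16.608010000 [Microsoft-Windows-PktMon] PktGroupId 15481123719086081, PktNumber 1, Appearance 53, Direction Rx , Type Ethernet , Component 1, Edge 1, Filter 4, OriginalSize 225, LoggedSize 225
00-50-56-B9-B5-6C > 00-50-56-B9-A8-09, ethertype IPv4 (0x0800), length 225: 192.0.2.10.8301 > 192.0.2.20.8301: UDP, length 183
[05]0000.0000::2022-11-09 15:58:16.612000000 [Microsoft-Windows-PktMon] PktGroupId 15481123719086082, PktNumber 2, Appearance 53, Direction Tx , Type Ethernet , Component 1, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
00-50-56-B9-A8-09 > 00-50-56-B9-B5-6C, ethertype IPv4 (0x0800), length 74: 192.0.2.20.51234 > 192.0.2.10.9273: Flags [S], seq 1, win 64240, length 0
[05]0000.0000::2022-11-09 15:58:16.620000000 [Microsoft-Windows-PktMon] PktGroupId 15481123719086083, PktNumber 3, Appearance 53, Direction Rx , Type Ethernet , Component 1, Edge 1, Filter 4, OriginalSize 60, LoggedSize 60
00-50-56-B9-B5-6C > 00-50-56-B9-A8-09, ethertype IPv4 (0x0800), length 60: 192.0.2.10.443 > 192.0.2.20.51235: Flags [S.], seq 0, ack 2, win 65535, length 0
"""

if __name__ == "__main__":
    # Real use: python audit.py < pktmon_testing.txt ; here the constructed SAMPLE is used.
    report = audit(parse_pktmon_txt(SAMPLE), "TCP", 9273)
    print(f"{report['matched']}/{report['total']} packets match TCP/9273")
    for pkt_no, proto, sport, dport in report["violations"]:
        print(f"  PktNumber {pkt_no}: {proto} {sport} -> {dport} should not have been captured")
    print("Filter field values seen:", report["filter_ids"])
```

On a capture where the filter really took effect, `violations` should be empty (apart from any non-IP frames you did not expect). If most packets show up as violations, the filter was not applied to the capture you are reading, and the `Filter` tally gives you a per-record view of what pktmon thought matched, which is worth comparing against the filter list printed by `pktmon start`.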