Windows 10 packet monitor tool "pktmon" will allow real-time monitoring
Since the October 2018 Update, Windows 10 has shipped with a "Packet Monitor" tool called pktmon.exe.
With the upcoming release of the Windows 10 May 2020 Update, Microsoft will update the pktmon tool to allow real-time visualization of monitored packets.
How to use pktmon.exe
Below are some basic examples of pktmon [1] usage.
First, start a Windows 10 elevated command prompt as pktmon.exe requires administrator privileges.
Capture the traffic
In order to monitor, for example, HTTP traffic you need to create a packet filter to monitor traffic on TCP port 80, using this command:
pktmon filter add -p 80
Then, identify the network adapter number with this command:
pktmon comp list
Finally, start the monitoring with:
pktmon start --etw -p 0 -c [Adapter ID]
in order to log all traffic matching the rules to a file called PktMon.etl.
To stop capturing packets, enter:
pktmon stop
and the log file PktMon.etl will have been created in the current folder.
Read the data
The captured data in the log file is not directly usable, so you need to convert the log to a text format with the following command:
pktmon format PktMon.etl -o ftp.txt
However, even converted into text, the log shows only a summary of the network traffic: you need to install Microsoft Network Monitor [2] and use it to view the full packets in the ETL file, including any clear-text information.
Finally, you can remove the created filter using the command:
pktmon filter remove
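The whole procedure above as one bounded capture, written as an added PowerShell example (not code from the original article). The parameter names, the 30-second default duration, the capture.txt output name and the reliance on pktmon returning a non-zero exit code on failure are assumptions; the pktmon commands themselves are the ones shown above.

```powershell
# Added example: filter -> start -> wait -> stop -> format -> remove filter,
# with cleanup guaranteed even if a step fails or the run is interrupted.
param(
    [Parameter(Mandatory)] [string] $AdapterId,  # ID read from 'pktmon comp list'
    [int]    $Port    = 80,                      # port used in the article's HTTP example
    [int]    $Seconds = 30,                      # assumed capture duration
    [string] $TextOut = 'capture.txt'            # assumed name for the text summary
)

# pktmon.exe requires administrator privileges, so fail early if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'pktmon.exe requires an elevated session.'
}

$started = $false
try {
    pktmon filter add -p $Port
    if ($LASTEXITCODE -ne 0) { throw 'pktmon filter add failed.' }  # assumed exit-code behaviour

    pktmon start --etw -p 0 -c $AdapterId
    if ($LASTEXITCODE -ne 0) { throw 'pktmon start failed.' }
    $started = $true

    # Capture for a fixed window so monitoring cannot be left running by accident.
    Start-Sleep -Seconds $Seconds
}
finally {
    if ($started) {
        pktmon stop                              # writes PktMon.etl to the current folder
        pktmon format PktMon.etl -o $TextOut     # text summary; full packets stay in the ETL
    }
    pktmon filter remove                         # leave no filter behind
}
```

Read the adapter ID from pktmon comp list first, then run the script from an elevated PowerShell prompt in the folder where PktMon.etl should be written.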
Real-time monitoring
With the upcoming release of the Windows 10 May 2020 Update [2], Microsoft has updated pktmon.exe to display monitored packets in real time: with this version, you can enable real-time monitoring using the -l real-time argument:
pktmon start --etw -p 0 -c 13 -l real-time
This causes the captured packets to be displayed directly on the screen while also saving them to the ETL file.