
I'm looking for a way to detect ICMP requests (e.g. ping) on a Windows 10 system. Unfortunately it does not work with netstat, since ICMP doesn't depend on a port, hence all other lightweight tools like TCPView won't work either.

Is there a native command to monitor for ICMP on a Windows 10 system? Alternatively I would go for a third-party tool if there is no other solution, preferably something simpler / more lightweight than Wireshark. Any hints/solutions are appreciated!

2 Answers


Unfortunately it does not work with netstat, since ICMP doesn't depend on a port

No; it's because the ICMP handler does not use a regular socket, but is built into the IP stack. But if you had a program that uses "raw sockets" to generate e.g. UDP or TCP packets (e.g. I think nmap qualifies) you wouldn't see them in netstat either.

Also, it wouldn't work anyway because ICMP is a datagram-based protocol, where a single "unconnected" socket can receive packets from all possible sources – even if it was UDP (which does show up in netstat), you'd typically see only a single "Foreign Address: *:*" socket even if the server was responding to 50 different clients.

Is there a native command to monitor for ICMP on a Windows 10 system?

Windows 10 has pktmon since a 2018 release.

# Live view in the console (ETW real-time mode).
# -t selects the transport protocol (the answer originally used -p, which is pktmon's port filter; see the comments below).
pktmon filter add -t ICMP
pktmon start --etw -m real-time

# Or capture to PktMon.etl in the current directory, then convert the trace to text.
pktmon filter add -t ICMP
pktmon start -c
...
pktmon stop
pktmon etl2txt .\PktMon.etl

The traces are done at various OS layers, so the same packet will show up as going through multiple Windows components (unlike Npcap, which only gets them at one place).

Pktmon's ETL capture files can also be converted to .pcapng for use in Wireshark.

Alternatively I would go for a third party tool if there is no other solution, preferably something simpler / more light weight then Wireshark

Wireshark comes with two command-line tools: tshark which captures packets to a terminal (very much like tcpdump, only with Wireshark's dissecting capabilities) and dumpcap which outputs the raw pcapng file (like tcpdump with the -w option).

(Other tools may also directly use the same Npcap driver that gets installed alongside Wireshark, e.g. quite possibly there's a tcpdump port for it; though you'd need to pay attention to Npcap's licensing which has a special exception for Wireshark. Some of those tools may also need Npcap to be installed in "WinPcap-compatible" mode.)

  • pktmon sounds promising, I'll give it a try. Normally I'm using Wireshark to do it, but since Npcap usually requires installations (or at least I couldn't get it to work with the portable version), I'm looking for a simpler solution. Thanks!
    – Albin
    Commented Dec 3, 2021 at 14:47
  • Not sure if I understand correctly, with raw sockets the application can create its own TCP/UDP header, and with a regular socket this is left to the socket itself?! So in conclusion netstat only monitors the "regular sockets" created by the OS, is that correct?
    – Albin
    Commented Dec 3, 2021 at 14:55
  • Yes, entries in netstat are just "regular sockets".
    – grawity
    Commented Dec 4, 2021 at 15:42
  • I think the command line parameter is not correct in your example, shouldn't it be -t instead of -p? Or the whole command: pktmon filter add -t ICMP
    – Albin
    Commented Dec 4, 2021 at 16:21
  • Probably should be -t, yes.
    – grawity
    Commented Dec 4, 2021 at 16:28
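The pktmon workflow from the answer above, wrapped in a script so a capture can be run for a fixed time and the echo requests summarised by source. This is an added example, not code from the answer; it assumes an elevated PowerShell prompt on a Windows 10 build that has `pktmon etl2txt` and `pktmon pcapng`, the parameter names `$Seconds`/`$OutDir` are my own, and the tcpdump-style text format matched by the pattern is assumed.

```powershell
# Added example: time-boxed ICMP capture with pktmon and a per-source summary.
# Assumes an elevated PowerShell session; $Seconds and $OutDir are hypothetical names.
param(
    [int]$Seconds = 30,
    [string]$OutDir = "$env:TEMP\icmp-capture"
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
Set-Location $OutDir

# Start from an empty filter list so filters left over from an earlier session do not apply.
pktmon filter remove | Out-Null
# -t filters on the transport protocol; -p would filter on a port, which ICMP does not have.
pktmon filter add ICMP_ONLY -t ICMP | Out-Null
pktmon filter list

# Capture to PktMon.etl in the current directory for the requested number of seconds.
pktmon start -c
Start-Sleep -Seconds $Seconds
pktmon stop

# Convert the ETL trace: text for a quick look, pcapng for Wireshark or tshark.
pktmon etl2txt PktMon.etl
pktmon pcapng PktMon.etl -o PktMon.pcapng

# Count echo requests per source address. The text lines are assumed to use
# tcpdump-style formatting such as
#   ... 192.0.2.10 > 192.0.2.1: ICMP echo request, id 1, seq 7, length 40
# (constructed sample; adjust the pattern if your build prints it differently).
$sources = Select-String -Path PktMon.txt -Pattern 'ICMP echo request' |
    ForEach-Object {
        if ($_.Line -match '(\d{1,3}(?:\.\d{1,3}){3}) > ') { $Matches[1] }
    }

$sources | Group-Object | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

As the answer notes, pktmon logs the same packet at several OS layers, so the counts are trace points, not distinct packets; the pcapng file is the better input when exact packet counts matter.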

A free tool that can detect ICMP probes is Wireshark.

Once you choose the network adapter and start capturing, you may set the Display filter to ICMP.

Here is an example for detecting ping localhost:

[screenshot omitted]

  • Thanks, but as I stated in my question, I'm already using Wireshark.
    – Albin
    Commented Dec 3, 2021 at 14:35
  • @Albin your question doesn't mention that you are using Wireshark, it does mention that you would like to use something more lightweight.
    – Shawn
    Commented Mar 21, 2022 at 21:16
