PS C:\WINDOWS\system32> pktmon start help
pktmon start [--capture [--counters-only] [--comp <selector>] [--type <type>]
                        [--pkt-size <bytes>] [--flags <mask>]]
             [--trace --provider <name> [--keywords <k>] [--level <n>] ...]
             [--file-name <name>] [--file-size <size>] [--log-mode <mode>]
    Start packet capture and event collection.

Packet Capture
    -c, --capture
        Enable packet capture and packet counters.

        -o, --counters-only
            Collect packet counters only. No packet logging.

        --comp { all | nics | id1 id2 ... }
            Select components to capture packets on. Can be ALL components,
            NICs only, or a list of component Ids. Default is ALL.

        --type { all | flow | drop }
            Select which packets to capture. Default is ALL.

        --pkt-size <bytes>
            Number of bytes to log from each packet. To always log the entire
            packet set this to 0. Default is 128 bytes.

        --flags <mask>
            Hexadecimal bitmask that controls information logged during packet
            capture. Default is 0x012.

            0x001 - Internal Packet Monitor errors.
            0x002 - Information about components, counters and filters.
            0x004 - NET_BUFFER_LIST group source and destination information.
            0x008 - Select packet metadata from NDIS_NET_BUFFER_LIST_INFO.
            0x010 - Raw packet, truncated to the size from --pkt-size.

Event Providers
    -t, --trace
        Enable event collection.

        -p, --provider <name>
            Event provider name or GUID. For multiple providers, use this
            parameter more than once.

        -k, --keywords <k>
            Hexadecimal bitmask that controls which events are logged
            for the corresponding provider. Default is 0xFFFFFFFF.

        -l, --level <n>
            Logging level for the corresponding provider.
            Default is 4 (info level).

Logging Parameters
    -f, --file-name <name>
        Log file name. Default is PktMon.etl.

    -s, --file-size <size>
        Maximum log file size in megabytes. Default is 512 MB.

    -m, --log-mode { circular | multi-file | memory | real-time }
        Logging mode. Default is circular.

        circular    New events overwrite the oldest ones when the log is full.

        multi-file  No limit on number of captured events, but a new log file
                    is created each time the log is full.

        memory      Like circular, but the entire log is stored in memory.
                    It is written to a file when pktmon is stopped.

        real-time   Display events and packets on screen at real time. No log
                    file is created. Press Ctrl+C to stop monitoring.

Example 1: Packet capture
    pktmon start --capture

Example 2: Packet counters only
    pktmon start --capture --counters-only

Example 3: Event logging
    pktmon start --trace -p Microsoft-Windows-TCPIP -p Microsoft-Windows-NDIS

Example 4: Packet capture with event logging
    pktmon start --capture --trace -p Microsoft-Windows-TCPIP -k 0xFF -l 4