Welcome to In Depth Defense. In Depth Defense LLC is a privately owned Information Security Consulting company owned and operated by Mark Baggett. In Depth Defense specializes in Penetration Testing and Incident Response. At this time In Depth Defense is not accepting any new client work, but we are happy to speak to you and point you to other resources in the community.

Mark Baggett has been active in Information Security for 18+ years. I've served in a variety of roles from software developer to CISO. You can find archives of older blog entries below and read my newer posts on http://www.pauldotcom.com, http://isc.sans.edu and http://pen-testing.sans.org

Wednesday, July 11, 2007

Windows TCPDUMP without installing WINPCAP!!!!!!!!

IMHO, This is a long time coming for Windows. I love this thing. You probably already know about it, but I haven't read much about it anywhere and Its been very useful to me. Its a version of tcpdump for windows that doesn't require I install the Winpcap drivers. I use it along with PSEXEC to start remote sniffing probes on Windows workstations. I'm sure its NOT forensically sound to do this in on a box that may contain evidence because of the swap file, but for information gathering something like this is very useful.

So with this..

Something like this

\mytools\psexec.exe \\remotecomputer -c \mytools\tcpdump.exe -i 1 -s0 -w \\remotefileserver\share\capturename.cap

Lets me turn every node on my network into a remote Snort probe, or just capture anamolies!


Anonymous said...

Cool I like that

Anonymous said...

Hi Mark,
Just discover your blog today while listening at pauldotcom insider on "Practical Client_Side Exploitation".
I reach this article allowing to capture without installing winpcap.
It's great but the link is dead and mostly it seems that the library provided by microolap is now mandatory registered.
I'm asking myself if you know other methods to do remote capture sniffing easily using psexec, without instaslling winpcap.. Allowing to use another library e.g or another method !

Thanks in advance !!
Nice to follow your blog (great material), hope see you some day at course or con !

Mark Baggett said...

You can still download tcpdump although their license has changed since this original post. The older version was "free for personal use". You can now download a TRIAL VERSION here:


Alternatively you can capture packets for free on your internal network using metasploits's psexec "exploit" and meterpreter as your payload.


netresec said...

The simplest way to sniff packets on Windows without ANY drivers is to use a raw socket sniffer.

The best raw socket sniffer around is probably the command line tool RawCap: