IMHO, this is a long time coming for Windows. I love this thing. You probably already know about it, but I haven't read much about it anywhere, and it's been very useful to me. It's a version of tcpdump for Windows that doesn't require me to install the WinPcap drivers. I use it along with PsExec to start remote sniffing probes on Windows workstations. I'm sure it's NOT forensically sound to do this on a box that may contain evidence, because of the swap file, but for information gathering something like this is very useful.

So with this:

http://www.microolap.com/downloads/tcpdump/tcpdump.zip

something like this:

\mytools\psexec.exe \\remotecomputer -c \mytools\tcpdump.exe -i 1 -s0 -w \\remotefileserver\share\capturename.cap

lets me turn every node on my network into a remote Snort probe, or just capture anomalies!
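As an added example that is not part of the original post, here is a PowerShell loop that fans the same PsExec + tcpdump command out to a list of workstations, names each capture after its host, and filters out the SMB stream that carries the capture file back to the share so the probe does not record its own writes. The host list, tool paths, share name and the 192.0.2.10 file server address are placeholders; PsExec's -d (don't wait) and -c (copy the executable) switches and tcpdump's BPF filter syntax are standard.

```powershell
# Added example, not the original post's code. Deploy the post's remote sniffer
# to several Windows hosts at once. All names and paths below are placeholders.
$PsExec       = 'C:\mytools\psexec.exe'
$TcpDump      = 'C:\mytools\tcpdump.exe'
$CaptureShare = '\\remotefileserver\share'
$FileServerIp = '192.0.2.10'                     # placeholder (documentation range)
$Hosts        = @('ws01', 'ws02', 'ws03')        # constructed host list
$Interface    = 1                                # as in the post; verify per host

# Without this filter the probe captures the SMB traffic that writes its own
# .cap file to the share, so the capture feeds on itself and grows unbounded.
$Filter = "not (host $FileServerIp and tcp port 445)"

# Note: PsExec runs the remote process as SYSTEM unless -u/-p are given, so the
# write to the UNC share happens under the workstation's computer account. The
# share ACL must allow those computer accounts to write, or supply credentials.
foreach ($h in $Hosts) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out   = "$CaptureShare\$h-$stamp.cap"       # one file per host and run

    Write-Host "Starting capture on $h -> $out"
    # -d: return immediately instead of blocking on tcpdump
    # -c: copy tcpdump.exe to the remote host before running it
    # -s0: full packets, -w: write raw pcap to the share
    & $PsExec "\\$h" -d -c $TcpDump -i $Interface -s0 -w $out $Filter
}
```

Stop a probe later with PsExec and the remote host's task-kill tooling, then read the .cap files from the share with Snort, Wireshark or tcpdump -r.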
This is a collection of articles, tools, conference talks, interviews, etc. by Mark Baggett.