tcpdump for windows

i didn’t know about this cool tool before, so when i wanted to capture network traffic on a compromised machine i was often reduced to

  1. creating a temporary account with admin privs
  2. disabling the firewall
  3. fixing the registry to allow rdp
  4. rdp-ing in
  5. using a sniffing tool that required full installation of the winpcap drivers

hardly stealthy!

i normally used wireshark in the beginning. there’s a wireshark portable, but that actually works by installing/uninstalling winpcap every time it’s used…

then there’s the command-line utility windump, but that also requires winpcap to be installed, and not only do i not want to have to install something, but i couldn’t find a command-line-only installer for winpcap anyway.

tcpdump for windows has the necessary drivers precompiled into it, so you just transfer the exe and run it, then exfiltrate the cap back to kali and view it using your local wireshark (or whatever tool).

# example usage

  tcpdump -D                           # list interfaces; use the number shown with -i
  tcpdump -i 1 -w dump.pcap "not arp"  # capture interface 1 to a file, skipping arp noise
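once dump.pcap is back on the analysis box it is worth sanity-checking it before opening it in wireshark: a transfer that got cut short shows up as a truncated record, and a capture written with "not arp" should contain no 0x0806 frames. this parser is an added example, not code from the original post or from tcpdump for windows; the capture it reads is constructed inline so it runs offline.

```python
import struct

# classic pcap magic values as read little-endian (microsecond and nanosecond variants);
# the value tells us which byte order the file was written in
MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806

def parse_pcap(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record in a classic pcap blob."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    end = MAGICS[magic]
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        # a record longer than snaplen or running past EOF means a damaged/partial transfer
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def ethertype_counts(data: bytes) -> dict:
    """Count frames per EtherType; after a 'not arp' capture 0x0806 should be absent."""
    counts = {}
    for _ts, frame in parse_pcap(data):
        if len(frame) >= 14:  # dst MAC (6) + src MAC (6) + EtherType (2)
            et = struct.unpack("!H", frame[12:14])[0]
            counts[et] = counts.get(et, 0) + 1
    return counts

def build_pcap(frames) -> bytes:
    """Constructed sample only: wrap raw Ethernet frames in a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def sample_frame(ethertype: int) -> bytes:
    """Constructed 60-byte Ethernet frame with zeroed MACs and payload."""
    return bytes(12) + struct.pack("!H", ethertype) + bytes(46)

# constructed capture: two IPv4 frames plus one ARP frame, as an unfiltered capture would show
SAMPLE_PCAP = build_pcap([sample_frame(ETHERTYPE_IPV4), sample_frame(ETHERTYPE_IPV4), sample_frame(ETHERTYPE_ARP)])

if __name__ == "__main__":
    print({hex(k): v for k, v in ethertype_counts(SAMPLE_PCAP).items()})
```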
