Sniffing the target in question using Wireshark with WinPcap installed, or using port mirroring, is a bit of a headache that can very well be avoided. In larger companies we have regional analysts who help us get this done, but it takes some time.
When an incident is identified, notifying the regional analyst and getting the pcaps sent to us takes at least 12 hours, which is nonsense. It is also difficult for small companies where machines are spread around and you have to do everything yourself. RawCap is a nice little tool that we can run remotely using PsExec; it doesn't need any external libraries like WinPcap, and the best part is that it is 17 KB.
E:\Security\Software\Sysinternals>rawcap 192.168.1.2 sniff.pcap
Sniffing IP : 192.168.1.2
File : sniff.pcap
Packets : 211^C