I can’t believe we haven’t discussed NetworkMiner here before … it’s one of those must-have Windows-based (it also runs under Wine) tools for packet junkies who need to carve up PCAPs quickly. We’ve used it a lot at the Packet Parties held periodically at NoVA Labs to pull out the data we needed while working PCAP-focused CTF challenges. From within NetworkMiner just open a PCAP and you instantly get access to the pertinent data: hosts and IPs, extracted files, TCP sessions, DNS traffic, credentials, keyword hits and much more, as illustrated below.
In August the developer behind NetworkMiner quietly released version 1.5 of the free/open source and professional versions of the tool but has just recently provided the details of its new functionality. Here is a quick rundown of the updates for both the free and professional versions.
NetworkMiner (free edition)
New features in the free and open source version of NetworkMiner:
- Parser for PPPoE (RFC 2516)
- Keywords can be loaded from text file (useful in investigations where you have lots of strings to search for)
- Support for LLMNR DNS (RFC 4795) queries over UDP 5355
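As an added example (this is not code from the NetworkMiner project or from the Netresec post), the script below parses the two wire formats the new free-edition parsers cover: a PPPoE session frame (RFC 2516) and an LLMNR query on UDP 5355 (RFC 4795, which reuses the DNS message layout), and dispatches between them the way a PCAP carver would on the Ethernet type and UDP port. The two sample frames, their MAC and IP addresses and the queried name are constructed inline; DNS compression pointers are deliberately not followed.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_DISCOVERY = 0x8863   # RFC 2516 discovery stage
ETHERTYPE_PPPOE_SESSION = 0x8864     # RFC 2516 session stage
PPP_PROTO_IPV4 = 0x0021
IPPROTO_UDP = 17
LLMNR_PORT = 5355                    # RFC 4795
LLMNR_GROUP = bytes([224, 0, 0, 252])  # RFC 4795 IPv4 multicast group


def parse_pppoe(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying PPPoE (RFC 2516, section 4)."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION):
        raise ValueError(f"not PPPoE: ethertype 0x{ethertype:04x}")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:              # VER and TYPE are both fixed at 1
        raise ValueError(f"unsupported PPPoE VER/TYPE byte 0x{ver_type:02x}")
    payload = frame[20:20 + length]
    if len(payload) != length:        # LENGTH claims more than was captured
        raise ValueError("PPPoE LENGTH exceeds captured payload")
    info = {"stage": "session" if ethertype == ETHERTYPE_PPPOE_SESSION else "discovery",
            "code": code, "session_id": session_id,
            "src_mac": src.hex(":"), "dst_mac": dst.hex(":"),
            "ppp_protocol": None, "ppp_payload": b""}
    # Session-stage data frames (CODE 0x00) start with the 2-byte PPP protocol field.
    if info["stage"] == "session" and code == 0x00:
        if length < 2:
            raise ValueError("PPPoE session frame too short for PPP protocol")
        info["ppp_protocol"] = struct.unpack("!H", payload[:2])[0]
        info["ppp_payload"] = payload[2:]
    return info


def _read_name(data: bytes, offset: int):
    """Read an uncompressed DNS-style name; returns (name, offset after it)."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        n = data[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0 or offset + n > len(data):   # pointers are not handled here
            raise ValueError("compression pointer or truncated label")
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


def parse_llmnr_query(udp_payload: bytes) -> dict:
    """Parse an LLMNR query (RFC 4795, section 2.1.1); header layout is DNS's."""
    if len(udp_payload) < 12:
        raise ValueError("LLMNR header truncated")
    tid, flags, qdcount, *_ = struct.unpack("!6H", udp_payload[:12])
    if flags >> 15 != 0 or (flags >> 11) & 0xF != 0:   # QR must be 0, OPCODE 0
        raise ValueError("not a standard LLMNR query")
    if qdcount != 1:                  # RFC 4795: QDCOUNT MUST be one in queries
        raise ValueError("LLMNR queries carry exactly one question")
    name, off = _read_name(udp_payload, 12)
    if off + 4 > len(udp_payload):
        raise ValueError("question truncated")
    qtype, qclass = struct.unpack("!HH", udp_payload[off:off + 4])
    return {"id": tid, "conflict": bool(flags & 0x0400),   # C bit
            "tentative": bool(flags & 0x0100),             # T bit
            "name": name, "qtype": qtype, "qclass": qclass}


def classify_frame(frame: bytes):
    """Dispatch one Ethernet frame: ('pppoe', info), ('llmnr', info) or ('other', None)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION):
        return "pppoe", parse_pppoe(frame)
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
        udp = frame[14 + ihl:]
        if frame[14 + 9] == IPPROTO_UDP and len(udp) >= 8:
            _sport, dport, ulen = struct.unpack("!HHH", udp[:6])
            if dport == LLMNR_PORT:
                return "llmnr", parse_llmnr_query(udp[8:ulen])
    return "other", None


def _eth(dst: str, src: str, ethertype: int) -> bytes:
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype)


# Constructed sample 1: PPPoE session frame (session 0x1234) carrying the first
# four bytes of an IPv4 packet as its PPP payload.
PPPOE_FRAME = (_eth("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_PPPOE_SESSION)
               + struct.pack("!BBHH", 0x11, 0x00, 0x1234, 2 + 4)
               + struct.pack("!H", PPP_PROTO_IPV4) + b"\x45\x00\x00\x14")


def build_llmnr_frame(name: str, tid: int = 0xBEEF) -> bytes:
    """Constructed sample 2: LLMNR A query for `name` sent to 224.0.0.252:5355."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    payload = struct.pack("!6H", tid, 0x0000, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 49152, LLMNR_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1, IPPROTO_UDP, 0,
                     bytes([192, 168, 1, 10]), LLMNR_GROUP) + udp   # checksum left 0
    return _eth("01:00:5e:00:00:fc", "66:77:88:99:aa:bb", ETHERTYPE_IPV4) + ip


LLMNR_FRAME = build_llmnr_frame("fileserver")

if __name__ == "__main__":
    for frame in (PPPOE_FRAME, LLMNR_FRAME):
        print(classify_frame(frame))
```

Running it prints the decoded PPPoE session (stage, session ID, PPP protocol 0x0021) followed by the LLMNR question for "fileserver". The LENGTH check in `parse_pppoe` and the QDCOUNT check in `parse_llmnr_query` are the kind of sanity checks a carver needs so that a malformed or truncated frame raises an error instead of yielding garbage that ends up in a report.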
The professional version of NetworkMiner additionally contains the following new features:
- NetworkMinerCLI generates a Keywords CSV file when one or several keywords are detected
- NetworkMinerCLI can read a custom keyword list and cleartext dictionary from file using command line arguments
- Parsing of PcapNG (aka pcap-ng) files
- Extraction of metadata from PcapNG files (including stored name resolution blocks)
- Alexa top 1M check for DNS responses
Looking for additional tools for performing network forensics? The latest versions of BackTrack and Kali Linux include an open source web-based tool called Xplico, and of course you could always grab the freeware version of NetWitness Investigator.
Source: “New features in NetworkMiner 1.5” – Netresec Blog
Do you use any other tools in performing network forensics? Let us know in the comments below. Today’s post pic is from Netresec.com. See ya!