NIP Tip: Carve PCAPs with Ease Using NetworkMiner

I can’t believe we haven’t discussed NetworkMiner here before … it’s one of those must-have Windows (and Wine) based tools for packet junkies to quickly carve up PCAPs. We’ve used it a lot at the Packet Parties held periodically at NoVA Labs to quickly extract the data we needed when participating in PCAP-focused CTF challenges. From within NetworkMiner just open up a PCAP and instantly get access to pertinent data, including IPs, files, TCP sessions, DNS traffic, and much more as illustrated below.

[Screenshot: NetworkMiner Professional 1.5 showing the DNS tab for a loaded PcapNG capture]

In August the developer behind NetworkMiner quietly released version 1.5 of the free/open source and professional versions of the tool but has just recently provided the details of its new functionality. Here is a quick rundown of the updates for both the free and professional versions.

NetworkMiner (free edition)

New features in the free and open source version of NetworkMiner:

  • Parser for PPPoE (RFC 2615)
  • Keywords can be loaded from text file (useful in investigations where you have lots of strings to search for)
  • Support for LLMNR DNS (RFC 4795) queries over UDP 5355

NetworkMiner Professional

The professional version of NetworkMiner additionally contains the following new features:

  • NetworkMinerCLI generates a Keywords CSV file when one or several keywords are detected
  • NetworkMinerCLI can read a custom keyword list and cleartext dictionary from file using command line arguments
  • Parsing of PcapNG (aka pcap-ng) files
  • Extraction of metadata from PcapNG files (including stored name resolution blocks)
  • Alexa top 1M check for DNS responses
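The LLMNR item in the free-edition list and the PcapNG items above are concrete enough to show in code. The script below is an added example written for this post, not code from NetworkMiner or Netresec: it assembles a small PcapNG capture from constructed bytes, then walks the block chain to pull the stored IPv4/IPv6 name-resolution records out of the Name Resolution Block and to decode an LLMNR query on UDP 5355 from an Enhanced Packet Block, rejecting a truncated or corrupt file instead of guessing. The addresses 192.168.1.10 and 192.168.1.20, the hostnames, the MAC addresses and the capture itself are sample values chosen for the example.

```python
import socket
import struct

# pcapng block types and name-resolution record codes (pcapng specification)
SHB, IDB, NRB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000004, 0x00000006
NRES_END, NRES_IP4, NRES_IP6 = 0, 1, 2
LLMNR_PORT = 5355  # LLMNR runs over UDP 5355 (RFC 4795)


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 4)


def _block(btype: int, body: bytes) -> bytes:
    # pcapng framing: type, total length, 4-byte-padded body, total length again
    body = _pad4(body)
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))


def _checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over an even-length buffer (the 20-byte IPv4 header)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_llmnr_query_frame(hostname: str) -> bytes:
    # Constructed Ethernet/IPv4/UDP frame: one-question LLMNR query from the sample
    # host 192.168.1.20 to the LLMNR multicast group 224.0.0.252
    qname = b"".join(bytes([len(l)]) + l.encode() for l in hostname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 1, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 49152, LLMNR_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 1, 17, 0,
                     socket.inet_aton("192.168.1.20"), socket.inet_aton("224.0.0.252"))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return bytes.fromhex("01005e0000fc" "001122334455" "0800") + ip + udp


def build_sample_pcapng() -> bytes:
    # Constructed capture: SHB, one Ethernet interface, an NRB mapping the sample
    # address 192.168.1.10 to fileserver.local, and one EPB holding the LLMNR query
    opt_end = struct.pack("<HH", 0, 0)
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + opt_end)
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535) + opt_end)
    rec = socket.inet_aton("192.168.1.10") + b"fileserver.local\x00"
    nrb = _block(NRB, struct.pack("<HH", NRES_IP4, len(rec)) + _pad4(rec)
                 + struct.pack("<HH", NRES_END, 0) + opt_end)
    frame = build_llmnr_query_frame("FILESERVER")
    epb = _block(EPB, struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame)) + _pad4(frame) + opt_end)
    return shb + idb + nrb + epb


def _dns_name(data: bytes, off: int):
    # Uncompressed DNS-style name; compression pointers (0xC0) are not handled here
    labels = []
    while off < len(data) and data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), off + 1


def _llmnr_from_frame(frame: bytes):
    # Return the LLMNR message inside an Ethernet/IPv4/UDP frame, or None
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None  # not IPv4 over Ethernet, or not UDP
    udp = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    payload = frame[udp + 8:]
    if LLMNR_PORT not in (sport, dport) or len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    name = _dns_name(payload, 12)[0] if qdcount else ""
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "id": txid, "name": name, "is_response": bool(flags & 0x8000)}


def _parse_nrb(body: bytes, end: str) -> list:
    # (ip, name) pairs from the records of a Name Resolution Block
    records, off = [], 0
    while off + 4 <= len(body):
        rtype, rlen = struct.unpack(end + "HH", body[off:off + 4])
        off += 4
        if rtype == NRES_END:
            break
        value, off = body[off:off + rlen], off + rlen + (-rlen % 4)
        alen = {NRES_IP4: 4, NRES_IP6: 16}.get(rtype)
        if alen is None or len(value) < alen:
            continue  # unknown or short record: skip it rather than guess
        ip = socket.inet_ntop(socket.AF_INET if alen == 4 else socket.AF_INET6, value[:alen])
        records += [(ip, n.decode("utf-8", "replace")) for n in value[alen:].split(b"\x00") if n]
    return records


def parse_pcapng(data: bytes) -> dict:
    # Walk the block chain, validate framing, and collect interfaces, NRB records and LLMNR
    result, end, off = {"interfaces": 0, "name_resolution": [], "llmnr": []}, "<", 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB: byte-order magic sets endianness
            magic = data[off + 8:off + 12]
            if magic not in (b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d"):
                raise ValueError("bad byte-order magic at offset %d" % off)
            end = "<" if magic == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack(end + "II", data[off:off + 8])
        if (total < 12 or total % 4 or off + total > len(data)
                or struct.unpack(end + "I", data[off + total - 4:off + total])[0] != total):
            raise ValueError("corrupt or truncated block at offset %d" % off)
        body = data[off + 8:off + total - 4]
        if btype == IDB:
            result["interfaces"] += 1
        elif btype == NRB:
            result["name_resolution"] += _parse_nrb(body, end)
        elif btype == EPB:
            caplen = struct.unpack(end + "I", body[12:16])[0]
            query = _llmnr_from_frame(body[20:20 + caplen])
            if query:
                result["llmnr"].append(query)
        off += total
    return result


if __name__ == "__main__":
    print(parse_pcapng(build_sample_pcapng()))
```

Running the script prints the parsed interface count, the (ip, name) pairs stored in the capture's Name Resolution Block and the LLMNR query it found. The same parse_pcapng() runs unchanged over a real file read with open(path, "rb").read(), with the limits the comments state: it recognises only the four block types it needs, decodes IPv4 over Ethernet only, and does not follow DNS compression pointers.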

Looking for additional tools for performing network forensics? The latest versions of BackTrack and Kali Linux include an open source web-based tool called Xplico, and of course you could always grab the freeware version of NetWitness Investigator.

Source: “New features in NetworkMiner 1.5” – Netresec Blog

#####

Do you use any other tools in performing network forensics? Let us know in the comments below. Today’s post pic is from Netresec.com. See ya!
