The keyword search functionality in NetworkMiner v0.82 (and later) allows you to enter your own set of words to search for in packets sniffed on the wire or previously captured to a PCAP file.
The keyword search function can be used for any of the following tasks:
- To locate the frame, which you know contains a specific keyword or byte-pattern, from a .PCAP file
- See if your password is sent unencrypted across the network when you are logging into a remote service over the network
- Pretending you are some Signals Intelligence Agency (SIGINT) who is looking for keywords (spook words) such as “bomb”, “drugs”, “terrorist”, “nuclear” or “Al-Qaida” (i.e. using NetworkMiner as if it was an Echelon or Big Brother system that screens traffic).
- To search for specific application level commands (such as “OPTIONS”)
- To search for virus signatures transferred over the network (for example the EICAR Standard Anti-Virus Test File signature: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
- To look for specific Intrusion Detection System (IDS) attack signatures sent over the network.
- To see how often your e-mail address is sent unencrypted from your computer to other servers on the internet (Gmail’s chat function does this very extensively for example)
- Look for sings of users running the "Off-the-Record Messaging Protocol" (OTR) by searching for the keyword ?OTR or both keywords 0x2009202009090909 and 0x2009200920092020
When NetworkMiner matches a keyword in a frame/packet it displays the frame number, timestamp, detected keyword, context (data surrounding the keyword) as well as source and destination hosts and ports (in case of TCP/UDP). The keyword search functionality works regardless of which protocol is being used to send the data (even ICMP or layer 2 protocols can be sniffed). This means that keywords can be detected also in proprietary protocols. The keyword search can be applied to live traffic sniffed from a network as well when doing off-line analysis of a PCAP file.
Follow these steps in order to use NetworkMiners keyword search functionality:
- Start NetworkMiner
- Select the "Keywords" tab
- Enter a keyword in the textbox (either as a simple string or in hex format like 0x0AD9)
- Press the "Add" button
- Repeat step 3 and 4 to add more keywords
- Open a PCAP file (File > Open) or start sniffing traffic (select network adapter and press "Start")
- See how the table is filled with keyword matches