NetworkMiner
The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data about the traffic itself. The main view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames). NetworkMiner also comes in very handy when analyzing malware traffic, such as C&C (command-and-control) traffic from a botnet, since uploaded and downloaded files are extracted to disk.
Features
NetworkMiner performs OS fingerprinting based on TCP SYN and SYN+ACK packets by using the OS fingerprinting databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform OS fingerprinting based on DHCP packets (which usually are broadcast packets) by making use of the Satori (by Eric Kollmann) OS fingerprinting database from FingerBank. NetworkMiner also uses the MAC-vendor list from Nmap (by Fyodor).
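To make the host-centric view and the SYN-based fingerprinting inputs concrete, here is an added example (not NetworkMiner's own code) that walks a classic libpcap file and builds a per-host index: MAC address, the TTL and window size of the host's TCP SYN (the kind of attributes p0f-style databases key on) and the ports it answered with SYN+ACK. The pcap bytes are constructed inline; TTL 128 and 64 are the common Windows and Linux defaults.

```python
# Added example, not NetworkMiner's own code: a host-centric index built from a
# classic little-endian libpcap file (Ethernet/IPv4/TCP only).
import struct
from collections import defaultdict

def parse_pcap(data):
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap (magic a1b2c3d4)")
    off = 24  # global header is 24 bytes, each record header 16 bytes
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def index_hosts(data):
    hosts = defaultdict(lambda: {"mac": None, "syn_ttl": None, "syn_win": None, "open_ports": set()})
    for frame in parse_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only Ethernet/IPv4 frames are handled here
        ihl = (frame[14] & 0x0F) * 4
        ttl, proto = frame[22], frame[23]
        h = hosts[".".join(map(str, frame[26:30]))]          # keyed by source IP
        h["mac"] = ":".join(f"{b:02x}" for b in frame[6:12])  # source MAC
        if proto != 6 or len(frame) < 14 + ihl + 20:
            continue
        sport, _, _, _, off_flags, win = struct.unpack_from("!HHIIHH", frame, 14 + ihl)
        flags = off_flags & 0x1FF
        if flags == 0x002:    # pure SYN: the client's fingerprintable first packet
            h["syn_ttl"], h["syn_win"] = ttl, win
        elif flags == 0x012:  # SYN+ACK: this host accepted a connection on sport
            h["open_ports"].add(sport)
    return {ip: dict(v, open_ports=sorted(v["open_ports"])) for ip, v in hosts.items()}

def _frame(src_mac, dst_mac, src_ip, dst_ip, ttl, sport, dport, flags, win):
    # Constructed Ethernet/IPv4/TCP frame; checksums are left zero (not checked above).
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(map(int, a.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([  # constructed sample: client SYN (TTL 128) and server SYN+ACK (TTL 64)
    _frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.80", 128, 49152, 80, 0x002, 8192),
    _frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", "10.0.0.80", "10.0.0.5", 64, 80, 49152, 0x012, 29200),
])
```

Running `index_hosts(SAMPLE_PCAP)` yields one entry per host rather than per packet: the client with its SYN TTL and window, the server with port 80 listed as open.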
NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This is a neat function that can be used to extract and save media files (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB.
User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. Please be considerate when displaying the contents of this tab to the public.
Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to enter arbitrary strings or byte patterns to be searched for with the keyword search functionality.
Version 0.84 (and newer) of NetworkMiner supports sniffing and parsing of WLAN (IEEE 802.11) traffic. NetworkMiner does, however, currently only support WiFi sniffing with AirPcap adapters.
Download
You can download NetworkMiner packet analyzer here.
Troubleshooting and Bug Reports
Are you experiencing errors or crashes when running NetworkMiner? A common problem is not having .NET Framework 2.0 installed. Please feel free to submit any bugs or instability issues you might experience to the NetworkMiner bug tracker. Requests for new features or new protocols you'd like to see implemented in NetworkMiner can be submitted to the NetworkMiner feature request tracker.
Articles and Papers
2011
- "Capture and analyse your network traffic with the free NetworkMiner". SoftwareCrew, May 12 2011
- "NetworkMiner 1.0". DownloadCrew, May 12 2011
2010
- Erik Hjelmvik, "Network neutrality and protocol discrimination". CIO.com, November 22 2010 alt. link (cio.com.au)
- Nate Anderson, "Encrypted and obfuscated? Your P2P protocol can still be IDed". Ars Technica, August 25 2010
- Erik Hjelmvik & Wolfgang John, "Breaking and Improving Protocol Obfuscation". July 2010 alt. link (Chalmers) alt. link (.SE)
2009
- Brandon Gregg, "4 Cheap Options to Monitor Networks for Evidence". CSO Online Magazine, November 23 2009
- Dimitrios Slamaris, "NetworkMiner: Netzwerk Forensik Tool". IT-blogger, November 7 2009
- Claus Valca, "Network Capture Tools and Utilities". Grand Stream Dreams blog, August 23rd 2009
- Jim Clausing, "Tools for extracting files from pcaps". SANS Internet Storm Center, August 13 2009
- Jens Zerbst, Erik Hjelmvik & Iiro Rinta-Jouppi, "Zoning Principles in Electricity Distribution and Energy Production Environments". CIRED 20th International Conference on Electricity Distribution, Prague, June 2009
- Erik Hjelmvik, "Nothing but Network Forensics". DFRWS 2009 Forensics Challenge, June 7th 2009
- Erik Hjelmvik & Wolfgang John, "Statistical Protocol IDentification with SPID: Preliminary Results". SNCNW'09: 6th Swedish National Computer Networking Workshop, Uppsala, Sweden. May 4, 2009. alt. link BibTeX
- John Sawyer, "Making The Most Of Open-Source Forensics Tools". Dark Reading - Evil Bits blog, April 10 2009
- PenTestIT, "NetworkMiner: A packet analyzer", February 24 2009
2008
- C.S. Lee, "Drunken Monkey: Running Network Miner with Wine". When {Puffy} Meets ^RedDevil^ blog, December 1st 2008
- Erik Hjelmvik, "Passive network security analysis with NetworkMiner". (IN)SECURE Magazine Issue 18 (October 2008). Issuu online magazine version; republished HTML version on Forensic Focus
- John Sawyer, "Network Forensics". Dark Reading - Evil Bits blog, September 22 2008
- Leonel Munguia, "NetworkMiner - Analizador de trafico de red". Soporte de Redes blog, September 4th 2008
- Richard Bejtlich, "NetworkMiner". TaoSecurity blog, September 1st 2008
- Russ McRee, "NetworkMiner: Network Forensic Analysis Tool". The ISSA Journal August 2008
Presentations
- Erik Hjelmvik, "SPID och identifiering av obfuskerade protokoll", SNUS seminar "Paketanalys och informationsutvinning ur stora mängder nätverkstrafik", September 29, 2010
- Erik Hjelmvik, "Forensisk Analys av Nätverkstrafik", SNUS seminar "Paketanalys och informationsutvinning ur stora mängder nätverkstrafik", September 29, 2010
- Erik Hjelmvik, "Network Forensics Workshop with NetworkMiner", Europol High Tech Crime Experts Meeting 2009 (December 4, 2009)
- Erik Hjelmvik, "Security Posture of our Critical Infrastructure". SEC-T, September 10 2009 alt. link
- Erik Hjelmvik, "Forensisk analys av nätverkstrafik med NetworkMiner", May 7, 2009
- Erik Hjelmvik and Wolfgang John, "Statistical Protocol IDentification with SPID: Preliminary Results". Presentation at SNCNW 2009
- Erik Hjelmvik, "NetworkMiner", Sec-Heads gathering 2008 (November 2008)
- Adrian Crenshaw, "Intro To Sniffers", Louisville Infosec 2008 conference (October 2008)
Videos and Screencasts
- Anton Schieffer, "Network Miner Tutorial" (February 2011)
- Adrian Crenshaw (Irongeek), "NetworkMiner for Network Forensics", Irongeek.com "Hacking Illustrated Videos" (December 2008)
- Peter Giannoulis, "How to gather host-level data with Network Miner", SearchSecurity.com "Network Security Tactics" (December 2008)
- Mubix, "Network Tap Analyzers, Streaming Music with Netcat and Wii Homebrew on System Menu 4.0", Hak5 - Episode 514 (May 2009) alt. link