1. Summary
  2. Files
  3. Support
  4. Report Spam
  5. Create account
  6. Log in


From networkminer

(Difference between revisions)
Jump to: navigation, search
(Articles and Papers)
(Articles and Papers)
Line 23: Line 23:
=Articles and Papers=
=Articles and Papers=
* [http://spid.sourceforge.net/hjelmvik_breaking.pdf Erik Hjelmvik & Wolfgang John, "Breaking and Improving Protocol Obfuscation", July 2010] [http://publications.lib.chalmers.se/cpl/record/index.xsql?pubid=123751 alt. link]
* [http://spid.sourceforge.net/hjelmvik_breaking.pdf Erik Hjelmvik & Wolfgang John, "Breaking and Improving Protocol Obfuscation", July 2010] [http://publications.lib.chalmers.se/cpl/record/index.xsql?pubid=123751 alt. link (Chalmers)] [http://www.iis.se/docs/hjelmvik_breaking.pdf alt. link (.SE)]

Revision as of 16:37, 17 August 2010

NetworkMiner screenshot
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble/rebuild transmitted files, directory structures and certificates from PCAP files.

The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames). NetworkMiner also comes in very handy when analyzing malware traffic, such as C&C (command-and-control) traffic from a BotNet, since uploaded and downloaded files are extracted to disk.



NetworkMiner performs OS fingerprinting based on TCP SYN and SYN+ACK packet by using OS fingerprinting databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform OS fingerprinting based on DHCP packets (which usually are broadcast packets) by making use of the Satori (by Eric Kollmann) OS fingerprinting database from FingerBank. NetworkMiner also uses the MAC-vendor list from Nmap (by Fyodor).

NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This is a neat function that can be used to extract and save media files (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB.

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. Please be considerate when displaying the contents of this tab to the public.

Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.

Version 0.84 (and newer) of NetworkMiner support sniffing and parsing of WLAN (IEEE 802.11) traffic. NetworkMiner does however currently only support WiFi sniffing with AirPcap adapters.


You can download NetworkMiner packet analyzer here.

NetworkMiner logo
NetworkMiner Logo

Articles and Papers




Videos and Screencasts

Personal tools