networkminer extracting messages

2012-05-12
2013-04-29
  • Ok so I'm pretty new to NetworkMiner. Basically, I have a cap file, and I want to analyse the contents of this file. So far with Wireshark, I've managed to download a whole lot of images/CSS files for a site that someone has been on, but I know there is more inside, such as messages 2 people have been sending to each other. With the keyword search in NetworkMiner, I have been able to pull up short sections of some of the messages, but I have not been able to see the full messages. I also know attachments have been sent.

    I have the source host IP address and the destination host IP address, and I also have the username of the person who has been sending the information out (as it's one of the users of a computer)…

    It shows the person has been on myspace.com and aussiemail.com.au, so this might be where they are sending the messages from, but they could be using something else, I'm not sure.

    Is there any way, either by using NetworkMiner or any similar tool, that I can view all the messages that these 2 people have been sending to each other?

    I would really appreciate it.

     
  • Erik Hjelmvik
    2012-05-12

    The full content of the message should be retrievable if you can find it with the keyword search.

    If the keyword matched a session to or from TCP port 80 then you'll most likely be able to find the full message in the parameters tab of NetworkMiner.

    Another alternative is to run the pcap through the tool tcpflow and look inside the generated file that matches the IP addresses and port numbers shown in NetworkMiner's keyword tab.

     
  • Thanks a lot for the reply. I went to the Parameters tab, but only half the message is visible :-s In the message, it also mentions something about an attachment, so the person sending the messages has also attached a file with confidential information. So how would I be able to view the full contents of the message, as well as be able to open and view the files that have been attached with the message?

    Unfortunately I cannot use tcpflow, as it's only compatible with Unix, and I'm working on a Windows machine.

     
  • Erik Hjelmvik
    2012-05-13

    If you're on Windows, then I suggest that you run SplitCap. It is a command line tool that can extract the payload.

    You can run this command to extract the payload from the TCP session:
    SplitCap -r your_cap_file.pcap -s flow -y L7 -ip 1.2.3.4 -o "C:\case1\extracted_message_out"

    Just make sure you replace "your_cap_file.pcap", "1.2.3.4" and "C:\…" with the correct settings for you. You can also add "-port 1234" if you have the TCP port of the client.

    All the contents of the message (plus additional data) will then be written to a file in the directory you've specified. So you might have to search through the generated data.

    Good luck!
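For readers who want to see what SplitCap's `-s flow -y L7` extraction (or tcpflow) actually does under the hood, here is an added example that is not code from this thread, from NetworkMiner or from SplitCap. It is a standard-library-only Python script that parses a classic libpcap file, groups TCP segments into unidirectional flows, reassembles each flow's application-layer payload by sequence number (dropping retransmissions and overlaps), optionally filters by IP and port the way `-ip` and `-port` do, and then searches the reassembled data for a keyword, which is why a keyword match in NetworkMiner only shows a fragment but the reassembled flow holds the whole message. The capture it parses is constructed inline: a webmail-style HTTP POST split across two segments captured out of order plus one retransmission, with made-up addresses (192.168.1.10, 203.0.113.5), ports and form fields. Sequence-number wrap-around and pcapng input are deliberately not handled.

```python
import os
import struct
from collections import defaultdict

# ---- Minimal pcap / Ethernet / IPv4 / TCP parsing (stdlib only) ----

def iter_frames(pcap):
    """Yield captured frames from a classic (non-pcapng) libpcap file held in memory."""
    magic = struct.unpack('<I', pcap[:4])[0]
    endian = '<' if magic == 0xa1b2c3d4 else '>'          # byte order of the record headers
    linktype = struct.unpack(endian + 'I', pcap[20:24])[0]
    if linktype != 1:
        raise ValueError('only Ethernet (linktype 1) captures are handled here')
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + 'IIII', pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b'\x08\x00':                         # EtherType 0x0800 = IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0f) * 4
    total_len = struct.unpack('!H', ip[2:4])[0]
    if ip[9] != 6:                                          # IP protocol 6 = TCP
        return None
    src = '.'.join(map(str, ip[12:16]))
    dst = '.'.join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack('!HHI', tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, tcp[data_off:]

def extract_flows(pcap, ip=None, port=None):
    """Reassemble the L7 payload of every unidirectional TCP flow (like SplitCap -s flow -y L7).
    Segments are ordered by sequence number; retransmissions and overlaps are dropped.
    32-bit sequence wrap-around is not handled in this simplified version."""
    segments = defaultdict(dict)                            # flow key -> {seq: payload}
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        key, seq, payload = seg
        if not payload:                                     # pure ACKs carry no L7 data
            continue
        if ip is not None and ip not in (key[0], key[2]):
            continue
        if port is not None and port not in (key[1], key[3]):
            continue
        segments[key].setdefault(seq, payload)              # first copy wins on retransmission
    flows = {}
    for key, by_seq in segments.items():
        data, next_seq = b'', None
        for seq in sorted(by_seq):
            payload = by_seq[seq]
            if next_seq is not None and seq < next_seq:     # partial overlap with earlier data
                payload = payload[next_seq - seq:]
            data += payload
            next_seq = max(next_seq or 0, seq + len(by_seq[seq]))
        flows[key] = data
    return flows

def write_flows(flows, outdir):
    """Write each flow to <outdir>/<src>_<sport>-<dst>_<dport>.bin (hypothetical naming); return paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for (src, sport, dst, dport), data in flows.items():
        path = os.path.join(outdir, f'{src}_{sport}-{dst}_{dport}.bin')
        with open(path, 'wb') as fh:
            fh.write(data)
        paths.append(path)
    return paths

def search_flows(flows, keyword):
    """Flows whose reassembled payload contains keyword; the whole flow is the 'full message'."""
    return {key: data for key, data in flows.items() if keyword in data}

# ---- Constructed sample capture (not from the thread): a webmail POST split across two
# segments captured out of order, one retransmission, and the server's reply. ----
def _frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.')))) + tcp
    return b'\x00' * 12 + b'\x08\x00' + ip                  # zeroed MACs, EtherType IPv4

def build_sample_pcap():
    body = b'to=bob&subject=report&body=The+full+message+text+is+here&attachment=report.pdf'
    head = (b'POST /mail/send HTTP/1.1\r\nHost: webmail.example\r\n'
            b'Content-Type: application/x-www-form-urlencoded\r\n'
            b'Content-Length: %d\r\n\r\n' % len(body))
    client, server = ('192.168.1.10', 49152), ('203.0.113.5', 80)
    frames = [
        _frame(*client, *server, 1000 + len(head), body),   # second segment captured first
        _frame(*client, *server, 1000, head),
        _frame(*client, *server, 1000, head),               # retransmission of the first segment
        _frame(*server, *client, 5000, b'HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok'),
    ]
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # global header, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1336800000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == '__main__':
    flows = extract_flows(build_sample_pcap(), ip='192.168.1.10', port=80)
    for key, data in search_flows(flows, b'attachment').items():
        print(key, data.decode('latin-1'))
```

To use it on a real file, replace `build_sample_pcap()` with the bytes read from your capture and pass the client IP (and port, if known) to `extract_flows`; `write_flows` then drops one file per flow into a directory, which is the same thing you would grep through after running SplitCap. Note that this reassembles raw TCP payload only: an HTTP body that is gzip- or chunk-encoded still needs decoding, and an attachment uploaded as multipart form data has to be cut out of the flow by its boundary string.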