
SMB/CIFS file carving

ntkja
2011-02-28
2014-12-27
  • ntkja
    2011-02-28

    Hello, there,

    It appears that NM1.0 skips a fair amount of SMB files. For some SMB shares - almost all of them.

  • RichRumble
    2011-06-07

    I've found the same issue in my testing of the free version. I suspect that it's looking at port 139 rather than 445? It only seems to catch files transferred via workgroups, not domains; that's why I suspect this is so.
    -rich

  • Erik Hjelmvik
    2011-06-08

    The next release (1.1) of NetworkMiner will contain fixes for the SMB parser that most likely will solve the problems you are encountering. However, please let me know if you are encountering the same problems with NetworkMiner 1.1.

  • mori
    2014-12-01

    I have problems detecting SMB file transfers larger than 1 megabyte in size in NetworkMiner 1.6.1. I sent some sample pcap files to your email, Erik (info@netresec).
    Would you please check it and answer me.

    • Erik Hjelmvik
      2014-12-27

      Thanks Mori, you're capturing network traffic with NetworkMiner's live capture feature. This is not a 100% reliable method for sniffing. The few packets missed while doing live captures with NetworkMiner are what prevent you from reassembling large files sent over the network.

      Please sniff with something like dumpcap for better reliability, and then load the generated PCAP files with NetworkMiner. More information on how to best sniff network traffic is available here:

      http://netresec.com/?b=1135E10
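As an added illustration of the point made in the reply above (this is example code, not code from the thread or from NetworkMiner): a minimal TCP stream reassembler run over a constructed 4 KiB "file" shows how a single segment dropped during live capture leaves a hole, so the carved file can never match the original even though every remaining packet is present. The segment layout and file contents are constructed for the example.

```python
"""Why a few dropped packets break SMB file carving (constructed example).

A file transferred over SMB arrives as TCP segments (seq, payload). A lossy
live capture that misses one segment leaves a hole in the stream; a carver
that tracks sequence gaps can report this instead of emitting a corrupt file.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes  # SMB data carried in this segment


def reassemble(segments, expected_len):
    """Return (data, gaps): stream bytes in order plus missing byte ranges.

    Retransmitted or overlapping bytes are tolerated; holes are zero-filled
    so later offsets stay aligned, and each hole is reported in `gaps`.
    """
    data, gaps, next_seq = bytearray(), [], 0
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= next_seq:
            continue                      # pure retransmission, nothing new
        if seg.seq > next_seq:
            gaps.append((next_seq, seg.seq))               # hole before seg
            data.extend(b"\x00" * (seg.seq - next_seq))
        data.extend(seg.payload[max(0, next_seq - seg.seq):])  # skip overlap
        next_seq = end
    if next_seq < expected_len:
        gaps.append((next_seq, expected_len))               # truncated tail
    return bytes(data), gaps


def carve_ok(segments, expected_len):
    """True only if the stream is complete: no holes and full announced size."""
    data, gaps = reassemble(segments, expected_len)
    return not gaps and len(data) == expected_len


# Constructed sample: a 4 KiB file sent in 1 KiB segments.
FILE = bytes(range(256)) * 16
SEGMENTS = [Segment(i, FILE[i:i + 1024]) for i in range(0, len(FILE), 1024)]
# The same transfer as a lossy live capture recorded it: third segment missed.
LOSSY = [s for s in SEGMENTS if s.seq != 2048]

if __name__ == "__main__":
    for name, segs in (("complete pcap", SEGMENTS), ("lossy capture", LOSSY)):
        data, gaps = reassemble(segs, len(FILE))
        print(f"{name}: {len(data)} bytes, gaps={gaps}, intact={data == FILE}")
```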