It appears that NM1.0 skips a fair amount of SMB files. For some SMB shares - almost all of them.
I've found the same issue in my testing of the free version. I suspect that it's looking at port 139 rather than 445? It only seems to catch files transferred via workgroups, not domains, that's why I suspect this is so.
The next release (1.1) of NetworkMiner will contain fixes for the SMB parser that most likely will solve the problems you are encountering. However, please let me know if you are encountering the same problems with NetworkMiner 1.1.
I have problems detecting SMB file transfers larger than 1 megabyte in size in NetworkMiner 1.6.1. I sent some sample pcap files to your email, Erik (info@netresec).
Would you please check it and answer me.
Thanks Mori, you're capturing network traffic with NetworkMiner's live capture feature. This is not a 100% reliable method for sniffing. The few packets missed while doing live captures with NetworkMiner are what is preventing you from reassembling large files sent over the network.
Please sniff with something like dumpcap for better reliability, and then load the generated PCAP files with NetworkMiner. More information on how to best sniff network traffic is available here:
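A quick completeness check a practitioner can run on a PCAP before loading it into NetworkMiner (an added example, not NetworkMiner's or Netresec's code): it walks each TCP stream and reports sequence-number holes, which is what a packet dropped by a live sniffer looks like in the file. The sample frames (a hypothetical client 10.0.0.1 talking to 10.0.0.2 on port 445) are constructed inline; pcapng, IPv6 and 32-bit sequence wraparound are not handled.

```python
import struct

def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap byte string."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_fields(frame):
    """Return (src, dst, sport, dport, seq, payload_len) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip = frame[14:14 + total_len]
    tcp = ip[ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return ip[12:16], ip[16:20], sport, dport, seq, len(tcp) - (tcp[12] >> 4) * 4

def find_tcp_gaps(frames):
    """Return (flow, missing_seq, missing_bytes) for every hole in a TCP stream's sequence space.
    A hole means bytes the sender sent never reached the capture, e.g. dropped by the live sniffer."""
    expected, gaps = {}, []
    for frame in frames:
        t = tcp_fields(frame)
        if t is None or t[5] == 0:  # not TCP, or no payload (SYN/ACK/FIN)
            continue
        flow, seq, plen = t[:4], t[4], t[5]
        nxt = expected.get(flow)
        if nxt is not None and seq > nxt:
            gaps.append((flow, nxt, seq - nxt))
        if nxt is None or seq + plen > nxt:
            expected[flow] = seq + plen
    return gaps

# Constructed sample traffic (hypothetical client 10.0.0.1 -> server 10.0.0.2:445).
def make_frame(seq, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    tcp = struct.pack("!HHIIBBHHH", 49152, 445, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip

def make_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    segs = [make_frame(1000, b"A" * 100), make_frame(1100, b"B" * 100), make_frame(1500, b"C" * 100)]
    print(find_tcp_gaps(iter_pcap_frames(make_pcap(segs))))  # 300 bytes missing starting at seq 1200
```

A stream with no reported gaps that NetworkMiner still fails to reassemble points at the parser rather than the capture; a stream with gaps will never reassemble whatever tool reads it.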