SMB/CIFS file carving

  • ntkja

    ntkja - 2011-02-28

    Hello, there,

    It appears that NM1.0 skips a fair amount of SMB files. For some SMB shares - almost all of them.

  • RichRumble

    RichRumble - 2011-06-07

    I've found the same issue in my testing of the free version. I suspect that it's looking at port 139 rather than 445? It only seems to catch files transferred via workgroups, not domains, that's why I suspect this is so.

  • Erik Hjelmvik

    Erik Hjelmvik - 2011-06-08

    The next release (1.1) of NetworkMiner will contain fixes for the SMB parser that most likely will solve the problems you are encountering. However, please let me know if you are encountering the same problems with NetworkMiner 1.1

  • mori

    mori - 2014-12-01

    i have problems in detecting smb file transfers larger than 1 megabytes in size in networkminer 1.6.1. i sent some sample pcap files to your email erik (info@netresec)
    whould you please check it and answer me.

    • Erik Hjelmvik

      Erik Hjelmvik - 2014-12-27

      Thanks Mori, you're capturing network traffic with NetworkMiner's live capture feature. This is not a 100% reliable method for sniffing. The few packets missed while doing live captures with NetworkMiner is what is preventing you from reassembling large files sent over the network.

      Please sniff with something like dumpcap for better reliability, and then load the generated PCAP files with NetworkMiner. More information on how to best sniff network traffic is available here:


Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.

No, thanks