Network Miner - Forensic Analysis Tool

Found this forensic analysis tool used to sniff...and more importantly reconstruct known file types that are sent across FTP, TFTP, HTTP and SMB. After it reconstructs the files, it then sorts them by type. I was pretty happy to find this.

NETRESEC NetworkMiner - The Network Forensics Analysis Tool

Find more posts tagged with

Comments

veritas_libertas

Nice. Network Forensics interests me a lot.

the_hutch

I am currently sniffing my wireless network with wireshark and dumping the pcap file. As soon as the first **** finishes, I'm going to use this post as a test. I am hoping, that I will be able to use the Network Miner software to parse out both my username and password for this site (if you haven't noticed, techexams does not use https for login)...and also my entire post, in clear text. Fingers crossed

. I'll let you know how it works shortly. I set the **** size to 200MB, so it shouldn't take long

AlexNguyen

If you're looking for an enterprise-grade ($$$) solution, check out RSA NetWitness: NetWitness Corporation | Know Everything. Answer Anything.

I've seen a demo of it last year. It can even replay a video file or your video chat session.

JDMurray

Network forensics analysis tools typically operate on network traffic--both live and pcapped--like a conventional digital forensics tool would operate on a hard drive or hard drive image file. They are very useful for finding out what data is traveling between a source and destination and when. The bigger tools can correlate information taken from multiple network taps to follow a flow through a network. It looks like each instance of NetworkMiner works on on a single tap at an endpoint and not on a span port at a switch, so this is a smaller tool. I don't see any information on the CPU load NetworkMiner causes with high data throughput interfaces you would find on a busy server. If it generates too much of a load I wouldn't want to use it on proxy server. For a server moving a lot of traffic, I would want to run NetworkMiner on something with its own CPU, like a Rasberry Pi.

the_hutch

JDMurray wrote: »

I would want to run NetworkMiner on something with its own CPU, like a Rasberry Pi.

I think right now its only supported on Windows :-/

JDMurray

the_hutch wrote: »

I think right now its only supported on Windows :-/

Virtualization to the rescue!

Raspberry Pi delivers cheap Windows for SMBs

the_hutch

Have you been able to virtualize a windows OS on one of the raspberry pi devices? I would have thought the hardware would not be sufficient.

Nevermind. Just saw the reference you cited.

AlexNguyen

JDMurray wrote: »

Virtualization to the rescue!
Raspberry Pi delivers cheap Windows for SMBs

That link shows Linux Citrix Receiver installed on Raspberry Pi. It's like using VNC on a Linux box to connect to a remote Windows desktop, Windows is not running locally. You still need to install the NetworkMiner software on a Windows box. You can't install it on Raspberry Pi.

JDMurray

NetworkMiner (written in C# .NET) apparently runs under Linux using Mono: No more Wine - NetworkMiner in Linux with Mono - NETRESEC Blog

I'll try it it under BT5R2 and let you know.

RTmarc

There is a free version of NetWitness you can use. You are limited on the size of the PCap you can analyze though.

JDMurray

The instructions in the previously referenced blog article are to install Mono 2.0 and NetworkMiner 1.2 in Ubuntu Linux (10 or 11). From the information in the article, I assume NetworkMiner fully works in that configuration.

The latest NetworkMiner 1.3 with the default install of Mono (v2.4.4) under BT5R4 (aka Ubuntu 10.04) in VMware Player 4 causes NetworkMiner to throw a "The requested feature is not implemented." error when selecting a network adapter to capture from. It may be that NetworkMiner 1.3 is calling a method in a .NET API not implemented in Mono 2.4.4. I installed Mono 2.10.8.1 under BT5R2 (using the badgerports.org repository) got the same error message.

I then installed Ubuntu 12 Desktop in VMware Player 4 (if you have not played with Ubuntu in a while, you have got to check out 12) with Mono 2.10.8.1, libmono-winforms2.0-cil, all Ubuntu updates, and NetworkMiner 1.3 still threw the same error when selecting the capture interface.

Just for grins, I installed NetworkMiner 1.2 under Ubuntu 12 and got the same error again.

I sure would like to know if it's possible to fix this error in NetworkMiner. I'll have to dig into the C# source code to check if NetworkMiner is calling a .NET method that is unimplemented in Mono. If so, this is a useless endeavor.

doobies

REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

ouch.. but as you said... VMware to the rescue. Its currently my favorite lazy day tool. ONly thing is it drops exploits directly on the box which can be risky.

but honestly if i don't wanna comb through get requests... i pop it open and grab the files and upload for scanning. its a great tool. would be nice if it worked better on ubuntu.... *sighs*