Difference between pages "Tools:File Analysis" and "Tools:Network Forensics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Added eMule Reader.)
 
 
Line 1: Line 1:
== Image Analysis ==
+
=Network Forensics Packages and Appliances=
; [[SurfRecon LE rapid image analysis tool]] by SurfRecon, Inc.
+
; [[E-Detective]]
: http://www.surfrecon.com
+
: http://www.edecision4u.com/
 +
: http://www.digi-forensics.com/home.html
  
== Software Forensics ==
+
; [[Burst]]
; [[CodeSuite]] by Software Analysis & Forensic Engineering
+
: http://www.burstmedia.com/release/advertisers/geo_faq.htm
: CodeSuite comprises BitMatch, CodeCross, CodeDiff, CodeMatch, and SourceDetective for comparing and analyzing source code and object code to find copyright infringement and trade secret theft. It can be used for free on small sets of code.
+
: Expensive [[IP geolocation]] service.
: CodeSuite also includes FileCount and FileIsolate for counting file attributes and quickly copying or deleting entire file trees. Both are free utilities.
+
: http://www.safe-corp.biz
+
  
== Open Source Tools ==
+
; [[chkrootkit]]
 +
: http://www.chkrootkit.org
  
; [[file]]
+
; [[cryptcat]]
: The file command determines the file type of a given file, depending on its contents and not on e.g. its extension or filename. In order to do that, it uses a magic configuration file that identifies filetypes.
+
: http://farm9.org/Cryptcat/
  
; [[ldd]]
+
; [[Enterasys Dragon]]
: List dynamic dependencies of executable files.
+
: http://www.enterasys.com/products/advanced-security-apps/index.aspx
 +
: Instrusion Detection System, includes session reconstruction.
  
; [[truss]]
 
: Solaris tool used to trace the system/library calls (not user calls) and signals made/received by a new or existing process. It sends the output to stderr.
 
: http://docs.sun.com/app/docs/doc/819-2239/truss-1?l=en&a=view&q=truss
 
  
; [[PDF Miner]]
+
; [[ipfix]]/[[netflow v5/9]]
: "...suite of programs that aims to help analyzing text data from PDF documents. It includes a PDF parser, a PDF renderer (though only rendering text is supported for now), and a couple of nice tools to extract texts. Unlike other PDF-related tools, it allows to obtain the exact location of texts in a page, as well as other layout information such as font size or font name, which could be useful for analyzing the document. It also infers text running within a page by using clustering technique."
+
: http://www.mantaro.com/products/MNIS/collector.htm
: http://www.unixuser.org/~euske/python/pdfminer/index.html
+
: MNIS Collector is an IPFIX collector which also supports legacy Netflow. It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX.
  
; [[ltrace]]
 
: Library call tracer.
 
: http://linux.die.net/man/1/ltrace
 
  
; [[strace]]
+
; [[Mantaro Network Intelligence Solutions (MNIS)]]
: System Call Tracer.
+
: http://www.mantaro.com/products/MNIS/index.htm
: http://sourceforge.net/projects/strace/
+
: MNIS  is a comprehensive and scalable network intelligence platform for network forensics and various other applications.  It is built on high speed Deep Packet Inspection and metadata alerting.  It can be used to understand network events before and after an event. It scales from LAN environments to 20 Gbps service provider networks.
 +
: http://www.mantaro.com/products/MNIS/network_intelligence_applications.htm#network_forensics
  
; [[xtrace]]
 
: eXtended trace utility, similar to strace, ptrace, truss, but with extended functionality and unique features, such as dumping function calls (dynamically or statically linked), dumping call stack and more.
 
: http://sourceforge.net/projects/xtrace/
 
  
; [[ktrace]]
+
; [[MaxMind]]
: Enables kernel process tracing on OpenBSD.
+
: http://www.maxmind.com
: http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
+
: [[IP geolocation]] services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.
  
; [[Valgrind]]
+
; [[netcat]]
: Executes a program under emulation, performing analysis according to one of the many plug-in modules as desired. You can write your own plug-in module as desired.
+
: http://netcat.sourceforge.net/
: http://valgrind.org/
+
  
; [[DTrace]]
 
: Comprehensive dynamic tracing framework for Solaris (also ported to MacOS X - XRays and FreeBSD). DTrace provides a powerful infrastructure to permit investigation of the behavior of the operating system and user programs.
 
: http://www.sun.com/bigadmin/content/dtrace/
 
  
; [[strings]]
+
; [[netflow]]/[[flowtools]]
: Strings will print the strings of printable characters in files. It allows choosing different charactersets (ASCII, UNICODE). It is a quick way to browse through files/partitions/... in order to look for words, filenames, keywords etc.
+
: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
 +
: http://www.splintered.net/sw/flow-tools/
 +
: http://silktools.sourceforge.net/
 +
: http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (VMWare)
  
; The [[Open Computer Forensics Architecture]]
+
; NetDetector
: http://ocfa.sourceforge.net/
+
: http://www.niksun.com/product.php?id=4
 +
: NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics and forensics. It complements existing network security tools, such as firewalls, intrusion detection/prevention systems and switches/routers, to help provide comprehensive defense of hosted intellectual property, mission-critical network services and infrastructure
  
; [[Rifiuti]] (not GPL)
 
: Examines the INFO2 file in the Recycle Bin.
 
: http://www.foundstone.com/us/resources/proddesc/rifiuti.htm
 
  
; [[Pasco]] (not GPL)
+
; NetIntercept
: Parses ''index.dat'' files.
+
: http://www.sandstorm.net/products/netintercept
: http://www.foundstone.com/us/resources/proddesc/pasco.htm
+
: NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
  
; [[Galleta]] (not GPL)
+
; NetVCR
: Parses cookie files.
+
: http://www.niksun.com/product.php?id=3
: http://www.foundstone.com/us/resources/proddesc/galleta.htm
+
: NetVCR delivers comprehensive real-time network, service and application performance management. It is an integrated, single-point solution that decisively replaces multiple network performance monitoring and troubleshooting systems. NetVCR’s scalable architecture easily adapts to data centers, core networks, remote branches or central offices for LAN and WAN requirements
  
; dumpster_dive.pl
+
;NIKSUN Full Function Appliance
: MS Windows Recycle Bin INFO2 parser
+
: http://www.niksun.com/product.php?id=11
: http://jafat.sourceforge.net/files.html
+
: NIKSUN’s Full-Function Appliance combines the value of both NetDetector and NetVCR for complete network performance and security surveillance. This plug-and-play appliance offers customers a complete range of network security and performance monitoring solutions that identify, capture and analyze the root-cause of any security or network incident the first time! The unique enterprise-wide network visibility provided by this product is extremely attractive to large enterprises requiring an integrated and proactive solution to combat the constant barrage of security and network incidents such as worms, viruses, Trojan-horse attacks, Denial of Service (DoS) attacks, outages, overload and service slowdown, etc.
  
; cookie_cruncher.pl
+
; NetOmni
: MS IE cookie file parser
+
: http://www.niksun.com/product.php?id=1
: http://jafat.sourceforge.net/files.html
+
: NetOmni provides global visibility across the network so IT professionals can manage multiple products and vendors from one central location. NetOmni streamlines the network management process in a manner conducive to a “best-practices” model that ensures Service Level Agreements (SLA), Quality of Services (QoS) and maximum revenue opportunities.
  
; [[yim2text]]
+
; NISUN Puma Portable
: Extracts the 'encrypted' info in Yahoo Instant Messenger log files.
+
: http://www.niksun.com/product.php?id=15
: http://www.1vs0.com/tools.html
+
: NIKSUN's Puma, a portable network monitoring appliance, allows customers to leverage the state-of-the-art network performance, security and compliance monitoring technology as a robust luggable appliance that can be conveniently used in the field. Deployed in a few short steps, Puma offers with exceptional functionality of NIKSUN's renowned performance and security monitoring technology within minutes to field personnel. Puma, is now capable of monitoring networks at 10G speeds. The incorporation of real-time 10G monitoring to the Puma feature-set enhances the already excellent value that Puma provides to customers, making it the go-to portable monitoring and forensics tool for network professionals
  
; [[Hachoir]]
 
: Determines the file type using file header/footer (hachoir-metadata --type), able to list strings in Unicode (hachoir-grep), etc. Support more than 60 file formats.
 
  
; [[Cygwin]]
+
; [[ipfix]]/[[netflow v5/9]]
: http://www.cygwin.com/
+
: http://www.mantaro.com/products/MNIS/collector.htm
: Linux like environment for Windows.
+
: MNIS Collector is an IPFIX collector which also supports legacy Netflow.  It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX.
  
; [[UnxUtils]]
+
[[NetSleuth]]
: http://unxutils.sourceforge.net/
+
: http://www.netgrab.co.uk/
: Common unix utilities compiled for a Windows environment.
+
NetSleuth is a free network analysis tool released under the GPL. NetSleuth can be used to analyse and fingerprint hosts from pcap files, designed for post event incident response and network forensics. It also supports a live sniffing mode, silently identifying and fingerprinting devices without needing to send any traffic onto a network.
  
; [[GnuWin32]]
 
: http://gnuwin32.sourceforge.net/
 
: Common GNU utilities compiled for a Windows Environment.
 
  
; [[SUA]]
+
; [[NetworkMiner]]
: http://www.microsoft.com/windowsserver2003/R2/unixcomponents/webinstall.mspx
+
: http://sourceforge.net/projects/networkminer/
: Microsoft Subsystem for UNIX-based Applications.
+
: http://www.netresec.com/?page=NetworkMiner
 +
: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames). NetworkMiner has, since the first release in 2007, become popular tool among incident responce teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.
 +
: NetworkMiner is available both as a [http://sourceforge.net/projects/networkminer/ free open source tool] and as a [http://www.netresec.com/?page=NetworkMiner commercial network forensics tool].
  
== File Sharing Analysis Tools ==
+
; [[rkhunter]]
;[http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-utilities/emule-reader eMule Reader]
+
: http://rkhunter.sourceforge.net/
:eMule Reader is a suite of command-line executables for parsing and printing configuration and log files associated with the eMule P2P client.  eMule Reader is available free of charge.
+
; [[P2PMarshal|P2P Marshal]]
+
: Tools to discover and analyze peer-to-peer files for Windows.
+
  
== [[NDA]] and [[scoped distribution]] tools ==
+
; [[ngrep]]
 +
: http://ngrep.sourceforge.net/
 +
 
 +
; [[nslookup]]
 +
: http://en.wikipedia.org/wiki/Nslookup
 +
: Name Server Lookup command line tool used to find IP address from domain name.
 +
 
 +
; [[Sguil]]
 +
: http://sguil.sourceforge.net/
 +
 
 +
; [[Snort]]
 +
: http://www.snort.org/
 +
 
 +
; [[ssldump]]
 +
: http://ssldump.sourceforge.net/
 +
 
 +
; [[tcpdump]]
 +
: http://www.tcpdump.org
 +
 
 +
; [[tcpxtract]]
 +
: http://tcpxtract.sourceforge.net/
 +
 
 +
; [[tcpflow]]
 +
: http://www.circlemud.org/~jelson/software/tcpflow/
 +
 
 +
; [[truewitness]]
 +
: http://www.nature-soft.com/forensic.html
 +
: Linux/open-source. Based in India.
 +
 
 +
; [[OmniPeek]] by [[WildPackets]]
 +
: http://www.wildpackets.com/solutions/network_forensics
 +
: http://www.wildpackets.com/products/network_analysis/omnipeek_network_analyzer/forensics_search
 +
: OmniPeek is a network forensics tool used to capture, store, and analyze historical network traffic.
 +
 
 +
; [[Whois]]
 +
: http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.
 +
: http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
 +
 
 +
; [[IP Regional Registries]]
 +
: http://www.arin.net/community/rirs.html
 +
: http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
 +
: http://www.afrinic.net/ African Network Information Center (AfriNIC)
 +
: http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
 +
: http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
 +
: http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
 +
 
 +
; [[Wireshark]] / Ethereal
 +
: http://www.wireshark.org/
 +
: Open Source protocol analyzer previously known as ethereal.
 +
 
 +
; [[Kismet]]
 +
: http://www.kismetwireless.net/
 +
: Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
 +
 
 +
; [[Xplico]]
 +
: http://www.xplico.org/
 +
: Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: [http://www.xplico.org/status HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]
 +
 
 +
=Command-line tools=
 +
 
 +
[[arp]] - view the contents of your ARP cache
 +
 
 +
[[ifconfig]] - view your mac and IP address
 +
 
 +
[[ping]] - send packets to probe remote machines
 +
 
 +
[[SplitCap]] http://splitcap.sourceforge.net/ - SplitCap is a free open source pcap file splitter.
 +
 
 +
[[tcpdump]] - capture packets
 +
 
 +
[[snoop]] - captures packets from the network and displays their contents ([[Solaris]])
 +
 
 +
[[nemesis]] - create arbitrary packets
 +
 
 +
[[tcpreplay]] - replay captured packets
 +
 
 +
[[traceroute]] - view a network path
 +
 
 +
[[gnetcast]] - GNU rewrite of netcat
 +
 
 +
[[packit]] - packet generator
 +
 
 +
[[nmap]] - utility for network exploration and security auditing
 +
 
 +
[[Xplico]] Open Source Network Forensic Analysis Tool (NFAT)
 +
 
 +
==ARP and Ethernet MAC Tools==
 +
 
 +
[[arping]] - transmit ARP traffic
 +
 
 +
[[arpdig]] - probe LAN for MAC addresses
 +
 
 +
[[arpwatch]] - watch ARP changes
 +
 
 +
[[arp-sk]] - perform denial of service attacks
 +
 
 +
[[macof]] - CAM table attacks
 +
 
 +
[[ettercap]] - performs various low-level Ethernet network attacks
 +
 
 +
==CISCO Discovery Protocol Tools==
 +
[[cdpd]] - transmit and receive CDP announcements; provides forgery capabilities
 +
 
 +
==ICMP Layer Tests and Attacks==
 +
[[icmp-reset]]
 +
 
 +
[[icmp-quench]]
 +
 
 +
[[icmp-mtu]]
 +
 
 +
[[ish]] - ICMP shell (like SSH, but uses ICMP)
 +
 
 +
[[isnprober]]
 +
 
 +
==IP Layer Tests==
 +
[[iperf]] - IP multicast test
 +
 
 +
[[fragtest]] - IP fragment reassembly test
 +
 
 +
==UDP Layer Tests==
 +
 
 +
[[udpcast]] - includes UDP-receiver and UDP-sender
 +
 
 +
==TCP Layer==
 +
 
 +
[[lft]] http://pwhois.org/lft - TCP tracing
 +
 
 +
[[etrace]] http://www.bindshell.net/tools/etrace
 +
 
 +
[[firewalk]] http://www.packetfactory.net

Revision as of 05:33, 3 February 2012

Network Forensics Packages and Appliances

E-Detective
http://www.edecision4u.com/
http://www.digi-forensics.com/home.html
Burst
http://www.burstmedia.com/release/advertisers/geo_faq.htm
Expensive IP geolocation service.
chkrootkit
http://www.chkrootkit.org
cryptcat
http://farm9.org/Cryptcat/
Enterasys Dragon
http://www.enterasys.com/products/advanced-security-apps/index.aspx
Instrusion Detection System, includes session reconstruction.


ipfix/netflow v5/9
http://www.mantaro.com/products/MNIS/collector.htm
MNIS Collector is an IPFIX collector which also supports legacy Netflow. It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX.


Mantaro Network Intelligence Solutions (MNIS)
http://www.mantaro.com/products/MNIS/index.htm
MNIS is a comprehensive and scalable network intelligence platform for network forensics and various other applications. It is built on high speed Deep Packet Inspection and metadata alerting. It can be used to understand network events before and after an event. It scales from LAN environments to 20 Gbps service provider networks.
http://www.mantaro.com/products/MNIS/network_intelligence_applications.htm#network_forensics


MaxMind
http://www.maxmind.com
IP geolocation services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.
netcat
http://netcat.sourceforge.net/


netflow/flowtools
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
http://www.splintered.net/sw/flow-tools/
http://silktools.sourceforge.net/
http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (VMWare)
NetDetector
http://www.niksun.com/product.php?id=4
NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics and forensics. It complements existing network security tools, such as firewalls, intrusion detection/prevention systems and switches/routers, to help provide comprehensive defense of hosted intellectual property, mission-critical network services and infrastructure


NetIntercept
http://www.sandstorm.net/products/netintercept
NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
NetVCR
http://www.niksun.com/product.php?id=3
NetVCR delivers comprehensive real-time network, service and application performance management. It is an integrated, single-point solution that decisively replaces multiple network performance monitoring and troubleshooting systems. NetVCR’s scalable architecture easily adapts to data centers, core networks, remote branches or central offices for LAN and WAN requirements
NIKSUN Full Function Appliance
http://www.niksun.com/product.php?id=11
NIKSUN’s Full-Function Appliance combines the value of both NetDetector and NetVCR for complete network performance and security surveillance. This plug-and-play appliance offers customers a complete range of network security and performance monitoring solutions that identify, capture and analyze the root-cause of any security or network incident the first time! The unique enterprise-wide network visibility provided by this product is extremely attractive to large enterprises requiring an integrated and proactive solution to combat the constant barrage of security and network incidents such as worms, viruses, Trojan-horse attacks, Denial of Service (DoS) attacks, outages, overload and service slowdown, etc.
NetOmni
http://www.niksun.com/product.php?id=1
NetOmni provides global visibility across the network so IT professionals can manage multiple products and vendors from one central location. NetOmni streamlines the network management process in a manner conducive to a “best-practices” model that ensures Service Level Agreements (SLA), Quality of Services (QoS) and maximum revenue opportunities.
NISUN Puma Portable
http://www.niksun.com/product.php?id=15
NIKSUN's Puma, a portable network monitoring appliance, allows customers to leverage the state-of-the-art network performance, security and compliance monitoring technology as a robust luggable appliance that can be conveniently used in the field. Deployed in a few short steps, Puma offers with exceptional functionality of NIKSUN's renowned performance and security monitoring technology within minutes to field personnel. Puma, is now capable of monitoring networks at 10G speeds. The incorporation of real-time 10G monitoring to the Puma feature-set enhances the already excellent value that Puma provides to customers, making it the go-to portable monitoring and forensics tool for network professionals


ipfix/netflow v5/9
http://www.mantaro.com/products/MNIS/collector.htm
MNIS Collector is an IPFIX collector which also supports legacy Netflow. It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX.

NetSleuth

http://www.netgrab.co.uk/

NetSleuth is a free network analysis tool released under the GPL. NetSleuth can be used to analyse and fingerprint hosts from pcap files, designed for post event incident response and network forensics. It also supports a live sniffing mode, silently identifying and fingerprinting devices without needing to send any traffic onto a network.


NetworkMiner
http://sourceforge.net/projects/networkminer/
http://www.netresec.com/?page=NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames). NetworkMiner has, since the first release in 2007, become popular tool among incident responce teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.
NetworkMiner is available both as a free open source tool and as a commercial network forensics tool.
rkhunter
http://rkhunter.sourceforge.net/
ngrep
http://ngrep.sourceforge.net/
nslookup
http://en.wikipedia.org/wiki/Nslookup
Name Server Lookup command line tool used to find IP address from domain name.
Sguil
http://sguil.sourceforge.net/
Snort
http://www.snort.org/
ssldump
http://ssldump.sourceforge.net/
tcpdump
http://www.tcpdump.org
tcpxtract
http://tcpxtract.sourceforge.net/
tcpflow
http://www.circlemud.org/~jelson/software/tcpflow/
truewitness
http://www.nature-soft.com/forensic.html
Linux/open-source. Based in India.
OmniPeek by WildPackets
http://www.wildpackets.com/solutions/network_forensics
http://www.wildpackets.com/products/network_analysis/omnipeek_network_analyzer/forensics_search
OmniPeek is a network forensics tool used to capture, store, and analyze historical network traffic.
Whois
http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.
http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
IP Regional Registries
http://www.arin.net/community/rirs.html
http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
http://www.afrinic.net/ African Network Information Center (AfriNIC)
http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
Wireshark / Ethereal
http://www.wireshark.org/
Open Source protocol analyzer previously known as ethereal.
Kismet
http://www.kismetwireless.net/
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
Xplico
http://www.xplico.org/
Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...

Command-line tools

arp - view the contents of your ARP cache

ifconfig - view your mac and IP address

ping - send packets to probe remote machines

SplitCap http://splitcap.sourceforge.net/ - SplitCap is a free open source pcap file splitter.

tcpdump - capture packets

snoop - captures packets from the network and displays their contents (Solaris)

nemesis - create arbitrary packets

tcpreplay - replay captured packets

traceroute - view a network path

gnetcast - GNU rewrite of netcat

packit - packet generator

nmap - utility for network exploration and security auditing

Xplico Open Source Network Forensic Analysis Tool (NFAT)

ARP and Ethernet MAC Tools

arping - transmit ARP traffic

arpdig - probe LAN for MAC addresses

arpwatch - watch ARP changes

arp-sk - perform denial of service attacks

macof - CAM table attacks

ettercap - performs various low-level Ethernet network attacks

CISCO Discovery Protocol Tools

cdpd - transmit and receive CDP announcements; provides forgery capabilities

ICMP Layer Tests and Attacks

icmp-reset

icmp-quench

icmp-mtu

ish - ICMP shell (like SSH, but uses ICMP)

isnprober

IP Layer Tests

iperf - IP multicast test

fragtest - IP fragment reassembly test

UDP Layer Tests

udpcast - includes UDP-receiver and UDP-sender

TCP Layer

lft http://pwhois.org/lft - TCP tracing

etrace http://www.bindshell.net/tools/etrace

firewalk http://www.packetfactory.net