Network Forensics Packages and Appliances
- Expensive IP geolocation service.
- Enterasys Dragon
- Instrusion Detection System, includes session reconstruction.
- IP geolocation services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.
- http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (VMWare)
- NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics and forensics. It complements existing network security tools, such as firewalls, intrusion detection/prevention systems and switches/routers, to help provide comprehensive defense of hosted intellectual property, mission-critical network services and infrastructure
- NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
- NetVCR delivers comprehensive real-time network, service and application performance management. It is an integrated, single-point solution that decisively replaces multiple network performance monitoring and troubleshooting systems. NetVCR’s scalable architecture easily adapts to data centers, core networks, remote branches or central offices for LAN and WAN requirements
- NIKSUN Full Function Appliance
- NIKSUN’s Full-Function Appliance combines the value of both NetDetector and NetVCR for complete network performance and security surveillance. This plug-and-play appliance offers customers a complete range of network security and performance monitoring solutions that identify, capture and analyze the root-cause of any security or network incident the first time! The unique enterprise-wide network visibility provided by this product is extremely attractive to large enterprises requiring an integrated and proactive solution to combat the constant barrage of security and network incidents such as worms, viruses, Trojan-horse attacks, Denial of Service (DoS) attacks, outages, overload and service slowdown, etc.
- NetOmni provides global visibility across the network so IT professionals can manage multiple products and vendors from one central location. NetOmni streamlines the network management process in a manner conducive to a “best-practices” model that ensures Service Level Agreements (SLA), Quality of Services (QoS) and maximum revenue opportunities.
- NISUN Puma Portable
- NIKSUN's Puma, a portable network monitoring appliance, allows customers to leverage the state-of-the-art network performance, security and compliance monitoring technology as a robust luggable appliance that can be conveniently used in the field. Deployed in a few short steps, Puma offers with exceptional functionality of NIKSUN's renowned performance and security monitoring technology within minutes to field personnel. Puma, is now capable of monitoring networks at 10G speeds. The incorporation of real-time 10G monitoring to the Puma feature-set enhances the already excellent value that Puma provides to customers, making it the go-to portable monitoring and forensics tool for network professionals
- NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames). NetworkMiner has, since the first release in 2007, become popular tool among incident responce teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.
- NetworkMiner is available both as a free open source tool and as a commercial network forensics tool.
- Name Server Lookup command line tool used to find IP address from domain name.
- OmniPeek by WildPackets
- OmniPeek is a network forensics tool used to capture, store, and analyze historical network traffic.
- http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.
- http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
- IP Regional Registries
- http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
- http://www.afrinic.net/ African Network Information Center (AfriNIC)
- http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
- http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
- http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
- Wireshark / Ethereal
- Open Source protocol analyzer previously known as ethereal.
- Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
- Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...
arp - view the contents of your ARP cache
ifconfig - view your mac and IP address
ping - send packets to probe remote machines
tcpdump - capture packets
nemesis - create arbitrary packets
tcpreplay - replay captured packets
traceroute - view a network path
gnetcast - GNU rewrite of netcat
packit - packet generator
nmap - utility for network exploration and security auditing
Xplico Open Source Network Forensic Analysis Tool (NFAT)
ARP and Ethernet MAC Tools
arping - transmit ARP traffic
arpdig - probe LAN for MAC addresses
arpwatch - watch ARP changes
arp-sk - perform denial of service attacks
macof - CAM table attacks
ettercap - performs various low-level Ethernet network attacks
CISCO Discovery Protocol Tools
cdpd - transmit and receive CDP announcements; provides forgery capabilities
ICMP Layer Tests and Attacks
ish - ICMP shell (like SSH, but uses ICMP)
IP Layer Tests
iperf - IP multicast test
fragtest - IP fragment reassembly test
UDP Layer Tests
udpcast - includes UDP-receiver and UDP-sender