NetworkMiner - Revision history

Erikh at 12:28, 5 February 2011

2011-02-05T12:28:28Z

Erik at 19:59, 10 August 2009

2009-08-10T19:59:23Z

Erik at 19:57, 10 August 2009

2009-08-10T19:57:23Z

Erik at 07:41, 19 November 2008

2008-11-19T07:41:50Z

.FUF at 19:19, 24 September 2008

2008-09-24T19:19:58Z

.FUF: Infobox & category

2008-08-28T13:17:41Z

Infobox & category

.FUF at 12:13, 17 July 2008

2008-07-17T12:13:18Z

Erik: New page: [http://networkminer.wiki.sourceforge.net/NetworkMiner NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet ca...

2008-05-18T19:58:06Z

New page: [http://networkminer.wiki.sourceforge.net/NetworkMiner NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet ca...

New page

[http://networkminer.wiki.sourceforge.net/NetworkMiner NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).

NetworkMiner performs OS fingerprinting based on TCP SYN and SYN+ACK packet by using OS fingerprinting databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform OS fingerprinting based on DHCP packets (which usually are broadcast packets) by making use of the Satori (by Eric Kollmann) OS fingerprinting database from FingerBank. NetworkMiner also uses the MAC-vendor list from Nmap (by Fyodor).

NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This is a neat function that can be used to extract and [http://networkminer.wiki.sourceforge.net/save+media+files save media files] (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB.

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. Please be considerate when displaying the contents of this tab to the public.

Another very useful feature is that the user can [http://networkminer.wiki.sourceforge.net/Keyword+Search search sniffed or stored data for keywords]. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.

Version 0.84 (and newer) of NetworkMiner support [http://networkminer.wiki.sourceforge.net/WiFi+Sniffing sniffing and parsing of WLAN (IEEE 802.11) traffic]. NetworkMiner does however currently only support WiFi sniffing with AirPcap adapters.

A feature which is planned to be included in future versions of NetworkMiner is to use statistical methods to do protocol identification (protocol fingerprinting) of a TCP session or UDP data. This means that instead of looking at the port number to guess which protocol is used on top of the TCP/UDP packet NetworkMiner will identify the correct protocol based on the TCP/UDP packet content. This way NetworkMiner will be able to identify protocols even if the service is run on a non-standard port. Richard Bejtlich calls this type of functionality [http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html "Port Independent Protocol Identification" (PIPI)].

@@ Line 8: / Line 8: @@
 }}
-[http://networkminer.sourceforge.net/ NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=NetworkMiner NetworkMiner] can be used as a passive network [[sniffer]]/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
+[http://www.netresec.com/?page=NetworkMiner NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=NetworkMiner NetworkMiner] can be used as a passive network [[sniffer]]/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
 The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).
@@ Line 22: / Line 22: @@
 Version 0.84 (and newer) of NetworkMiner support [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=WiFi_Sniffing sniffing and parsing of WLAN (IEEE 802.11) traffic]. NetworkMiner does however currently only support WiFi sniffing with AirPcap adapters.
-A feature which is planned to be included in future versions of NetworkMiner is to use [http://sourceforge.net/apps/mediawiki/spid/index.php?title=Main_Page statistical methods to do protocol identification] (protocol fingerprinting) of a TCP session or UDP data. This means that instead of looking at the port number to guess which protocol is used on top of the TCP/UDP packet NetworkMiner will identify the correct protocol based on the TCP/UDP packet content. This way NetworkMiner will be able to identify protocols even if the service is run on a non-standard port. Richard Bejtlich calls this type of functionality [http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html "Port Independent Protocol Identification" (PIPI)].
+There is also a commercial version available of NetworkMiner from [http://www.netresec.com/ Netresec]. The commercial version is called [http://www.netresec.com/?page=NetworkMiner NetworkMiner Professional] and has additional features such as:
 [[Category:Network Forensics]]

@@ Line 14: / Line 14: @@
 NetworkMiner performs [[OS fingerprinting]] based on TCP SYN and SYN+ACK packet by using [[OS fingerprinting]] databases from p0f (by Michal Zalewski) and Ettercap (by Alberto Ornaghi and Marco Valleri). NetworkMiner can also perform [[OS fingerprinting]] based on DHCP packets (which usually are broadcast packets) by making use of the Satori (by Eric Kollmann) [[OS fingerprinting]] database from FingerBank. NetworkMiner also uses the MAC-vendor list from Nmap (by Fyodor).
-NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This is a neat function that can be used to extract and [http://networkminer.wiki.sourceforge.net/save+media+files save media files] (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB.
+NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This is a neat function that can be used to extract and [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Save_media_files save media files] (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB.
 User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. Please be considerate when displaying the contents of this tab to the public.

@@ Line 5: / Line 5: @@
    genre = Network forensics |
    license = {{GPL}} |
-   website = [http://networkminer.wiki.sourceforge.net/NetworkMiner networkminer.wiki.sourceforge.net/NetworkMiner] |
+   website = [http://networkminer.sourceforge.net/ networkminer.sourceforge.net] |
 }}
-[http://networkminer.sourceforge.net/ NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. [http://networkminer.wiki.sourceforge.net/NetworkMiner NetworkMiner] can be used as a passive network [[sniffer]]/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
+[http://networkminer.sourceforge.net/ NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=NetworkMiner NetworkMiner] can be used as a passive network [[sniffer]]/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
 The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).
@@ Line 18: / Line 18: @@
 User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. Please be considerate when displaying the contents of this tab to the public.
-Another very useful feature is that the user can [http://networkminer.wiki.sourceforge.net/Keyword+Search search sniffed or stored data for keywords]. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.
+Another very useful feature is that the user can [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=Keyword_Search search sniffed or stored data for keywords]. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.
-Version 0.84 (and newer) of NetworkMiner support [http://networkminer.wiki.sourceforge.net/WiFi+Sniffing sniffing and parsing of WLAN (IEEE 802.11) traffic]. NetworkMiner does however currently only support WiFi sniffing with AirPcap adapters.
+Version 0.84 (and newer) of NetworkMiner support [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=WiFi_Sniffing sniffing and parsing of WLAN (IEEE 802.11) traffic]. NetworkMiner does however currently only support WiFi sniffing with AirPcap adapters.
-A feature which is planned to be included in future versions of NetworkMiner is to use [http://spid.wiki.sourceforge.net/ statistical methods to do protocol identification] (protocol fingerprinting) of a TCP session or UDP data. This means that instead of looking at the port number to guess which protocol is used on top of the TCP/UDP packet NetworkMiner will identify the correct protocol based on the TCP/UDP packet content. This way NetworkMiner will be able to identify protocols even if the service is run on a non-standard port. Richard Bejtlich calls this type of functionality [http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html "Port Independent Protocol Identification" (PIPI)].
+A feature which is planned to be included in future versions of NetworkMiner is to use [http://sourceforge.net/apps/mediawiki/spid/index.php?title=Main_Page statistical methods to do protocol identification] (protocol fingerprinting) of a TCP session or UDP data. This means that instead of looking at the port number to guess which protocol is used on top of the TCP/UDP packet NetworkMiner will identify the correct protocol based on the TCP/UDP packet content. This way NetworkMiner will be able to identify protocols even if the service is run on a non-standard port. Richard Bejtlich calls this type of functionality [http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html "Port Independent Protocol Identification" (PIPI)].
 [[Category:Network Forensics]]

@@ Line 8: / Line 8: @@
 }}
-[http://networkminer.wiki.sourceforge.net/NetworkMiner NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network [[sniffer]]/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
+[http://networkminer.sourceforge.net/ NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. [http://networkminer.wiki.sourceforge.net/NetworkMiner NetworkMiner] can be used as a passive network [[sniffer]]/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
 The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).
@@ Line 22: / Line 22: @@
 Version 0.84 (and newer) of NetworkMiner support [http://networkminer.wiki.sourceforge.net/WiFi+Sniffing sniffing and parsing of WLAN (IEEE 802.11) traffic]. NetworkMiner does however currently only support WiFi sniffing with AirPcap adapters.
-A feature which is planned to be included in future versions of NetworkMiner is to use statistical methods to do protocol identification (protocol fingerprinting) of a TCP session or UDP data. This means that instead of looking at the port number to guess which protocol is used on top of the TCP/UDP packet NetworkMiner will identify the correct protocol based on the TCP/UDP packet content. This way NetworkMiner will be able to identify protocols even if the service is run on a non-standard port. Richard Bejtlich calls this type of functionality [http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html "Port Independent Protocol Identification" (PIPI)].
+A feature which is planned to be included in future versions of NetworkMiner is to use [http://spid.wiki.sourceforge.net/ statistical methods to do protocol identification] (protocol fingerprinting) of a TCP session or UDP data. This means that instead of looking at the port number to guess which protocol is used on top of the TCP/UDP packet NetworkMiner will identify the correct protocol based on the TCP/UDP packet content. This way NetworkMiner will be able to identify protocols even if the service is run on a non-standard port. Richard Bejtlich calls this type of functionality [http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html "Port Independent Protocol Identification" (PIPI)].
 [[Category:Network Forensics]]

← Older revision		Revision as of 13:17, 28 August 2008
Line 1:		Line 1:
		+	{{Infobox_Software \|
		+	name = NetworkMiner \|
		+	maintainer = Erik Hjelmvik \|
		+	os = {{Windows}} \|
		+	genre = Network forensics \|
		+	license = {{GPL}} \|
		+	website = [http://networkminer.wiki.sourceforge.net/NetworkMiner networkminer.wiki.sourceforge.net/NetworkMiner] \|
		+	}}
		+
	[http://networkminer.wiki.sourceforge.net/NetworkMiner NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.		[http://networkminer.wiki.sourceforge.net/NetworkMiner NetworkMiner] is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

Line 14:		Line 23:

	A feature which is planned to be included in future versions of NetworkMiner is to use statistical methods to do protocol identification (protocol fingerprinting) of a TCP session or UDP data. This means that instead of looking at the port number to guess which protocol is used on top of the TCP/UDP packet NetworkMiner will identify the correct protocol based on the TCP/UDP packet content. This way NetworkMiner will be able to identify protocols even if the service is run on a non-standard port. Richard Bejtlich calls this type of functionality [http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html "Port Independent Protocol Identification" (PIPI)].		A feature which is planned to be included in future versions of NetworkMiner is to use statistical methods to do protocol identification (protocol fingerprinting) of a TCP session or UDP data. This means that instead of looking at the port number to guess which protocol is used on top of the TCP/UDP packet NetworkMiner will identify the correct protocol based on the TCP/UDP packet content. This way NetworkMiner will be able to identify protocols even if the service is run on a non-standard port. Richard Bejtlich calls this type of functionality [http://taosecurity.blogspot.com/2006/09/port-independent-protocol.html "Port Independent Protocol Identification" (PIPI)].
		+
		+	[[Category:Network Forensics]]