Difference between revisions of "Network forensics"

From ForensicsWiki
Jump to: navigation, search
(General)
(General)
Line 23: Line 23:
 
! Supported Protocols
 
! Supported Protocols
 
! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->
 
! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->
 +
|
 +
|
 
|-
 
|-
 
| [[Argus]]
 
| [[Argus]]
Line 42: Line 44:
 
| [[DataEcho]]
 
| [[DataEcho]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| GUI
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| Windows
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
+
| www, http
 
|
 
|
 
|
 
|
Line 50: Line 52:
 
| [[Junkie]]
 
| [[Junkie]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| GUI
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| unknown
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
+
| unknown
 
|
 
|
 
|
 
|
Line 58: Line 60:
 
| [[kisMAC]]
 
| [[kisMAC]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| GUI
 
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
 
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
 
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
 
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
Line 67: Line 69:
 
| [[Open Source]]
 
| [[Open Source]]
 
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
 
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| Mac OS X
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
+
| unknown
 
|
 
|
 
|-
 
|-
 
| [[n2disk]]
 
| [[n2disk]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Command Line, GUI
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| Ubuntu, CentOS
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
+
| unknown
 +
|
 
|
 
|
 
|-
 
|-
 
| [[net-sniff-ng]]
 
| [[net-sniff-ng]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| unknown
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| unknown
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
+
| unknown
 +
|
 +
|
 
|-
 
|-
 
| [[netfse]]
 
| [[netfse]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| GUI
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| unknown
|  
+
| TCP/IP, UDP
 
+
|
 +
|
 
|-
 
|-
 
| [[netsleuth]]
 
| [[netsleuth]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Command Line, GUI
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| Windows, [[Backtrack]]
|  
+
| Apple MDNS / Bonjour, SMB / CIFS / NetBios, DHCP (using the www.fingerbank.org resource), SSDP (as used in Microsoft Zero Config)
 
+
|
 +
|
 
|-
 
|-
 
| [[NetworkMiner]]
 
| [[NetworkMiner]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Windows GUI, Commandline
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| Linux / Mac OS X / FreeBSD, Windows
 +
| http, smb, ftp, tfpt, ssl , tls, tor
 
|  
 
|  
 
+
|
 
|-
 
|-
 
| [[ntop]]
 
| [[ntop]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Command Line, GUI
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| Unix (including Linux, *BSD, Solaris, and MacOSX), linux, windows
 +
|
 +
|
 
|  
 
|  
 
 
|-
 
|-
 
| [[OSSEC]]
 
| [[OSSEC]]

Revision as of 22:18, 17 March 2013

Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.

There are both open source and proprietary network forensics systems available.

General

System License User Interface Supported Platform Supported Protocols Refs
Argus Open Source Command Line, GUI via ArgusEye Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
Chaosreader Open Source Command Line, GUI Solaris, RedHat, Windows FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs
DataEcho Open Source GUI Windows www, http
Junkie Open Source GUI unknown unknown
kisMAC Open Source GUI Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
kismet Open Source Command Line /GUI via ArgusEye Mac OS X unknown
n2disk Open Source Command Line, GUI Ubuntu, CentOS unknown
net-sniff-ng Open Source unknown unknown unknown
netfse Open Source GUI unknown TCP/IP, UDP
netsleuth Open Source Command Line, GUI Windows, Backtrack Apple MDNS / Bonjour, SMB / CIFS / NetBios, DHCP (using the www.fingerbank.org resource), SSDP (as used in Microsoft Zero Config)
NetworkMiner Open Source Windows GUI, Commandline Linux / Mac OS X / FreeBSD, Windows http, smb, ftp, tfpt, ssl , tls, tor
ntop Open Source Command Line, GUI Unix (including Linux, *BSD, Solaris, and MacOSX), linux, windows
OSSEC Open Source Command Line /GUI via ArgusEye Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
Snort Open Source Command Line /GUI via ArgusEye Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
Wireshark Open Source Command Line /GUI via ArgusEye Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
xplico Open Source Command Line /GUI via ArgusEye Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt


System License User Interface Supported Platform Supported Protocols Refs

Open Source Network Forensics

Commercial Network Forensics

Deep-Analysis Systems

Flow-Based Systems

Hybrid Systems

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

Tips and Tricks

  • The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

See also