Network Forensics Packages and Appliances
- Expensive IP geolocation service.
- Enterasys Dragon
- Intrusion Detection System; includes session reconstruction.
- IP geolocation services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.
- NetDetector is a full-featured appliance for network security surveillance, signature-based and anomaly detection, analytics and forensics. It complements existing network security tools such as firewalls, intrusion detection/prevention systems and switches/routers to help provide comprehensive defense of hosted intellectual property, mission-critical network services and infrastructure.
- http://www.vmware.com/vmtn/appliances/directory/293 NetFlow appliance (VMware virtual appliance)
- NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
- NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool or to parse PCAP files for off-line analysis.
- Name Server Lookup (nslookup): command line tool used to find the IP address for a domain name.
- OmniPeek by WildPackets
- OmniPeek is a network forensics tool used to capture, store, and analyze historical network traffic.
- http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for an internet domain.
- http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
- IP Regional Registries
- http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
- http://www.afrinic.net/ African Network Information Center (AfriNIC)
- http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
- http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
- http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
- Wireshark / Ethereal
- Open Source protocol analyzer, previously known as Ethereal.
- Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
- Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...
arp - view the contents of your ARP cache
ifconfig - view your MAC and IP address
ping - send packets to probe remote machines
tcpdump - capture packets
nemesis - create arbitrary packets
tcpreplay - replay captured packets
traceroute - view a network path
gnetcast - GNU rewrite of netcat
packit - packet generator
nmap - utility for network exploration and security auditing
Xplico Open Source Network Forensic Analysis Tool (NFAT)
ARP and Ethernet MAC Tools
arping - transmit ARP traffic
arpdig - probe LAN for MAC addresses
arpwatch - watch ARP changes
arp-sk - craft and send arbitrary ARP packets (ARP cache poisoning, denial of service)
macof - flood a switch with frames from random source MAC addresses to overflow its CAM table (part of dsniff)
ettercap - performs various low-level Ethernet network attacks
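The tools above either manipulate ARP (arp-sk, ettercap) or watch it (arpwatch). What arpwatch actually looks for is simple enough to show in a few dozen lines. The following is an added example, not code from arpwatch or from any tool on this page: it parses raw Ethernet/ARP frames with the standard library only, keeps an IP to MAC table, and raises a "flip flop" alert when a known IP is suddenly claimed by a different MAC (the trace ARP cache poisoning leaves) and a "cam table flood" alert when many never-seen source MACs appear within one second (the trace a macof run leaves). The addresses, timestamps and the threshold of 50 new MACs per second are constructed for illustration.

```python
"""arpwatch-style ARP monitor (added example, not one of the tools listed above).

Alerts raised:
  * "flip flop": an IP previously owned by one MAC is claimed by another (ARP poisoning);
  * "cam table flood": many never-seen source MACs within one second (macof-style flood).
Sample traffic and thresholds are constructed for illustration."""
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def eth_frame(src_mac, dst_mac, ethertype, payload):
    """Build a raw Ethernet II frame (used to construct the sample traffic)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def arp_frame(src_mac, dst_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet/IPv4 ARP frame (RFC 826 layout, 42 bytes)."""
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth_frame(src_mac, dst_mac, ETH_P_ARP, arp)


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        return None
    return op, mac_str(frame[22:28]), ip_str(frame[28:32])


def analyze(frames, flood_threshold=50):
    """frames: iterable of (timestamp_seconds, raw_ethernet_frame). Returns (ip->mac table, alerts)."""
    table, alerts, seen_macs = {}, [], set()
    new_macs_per_second = defaultdict(set)
    for ts, frame in frames:
        if len(frame) < 14:
            continue
        src_mac = mac_str(frame[6:12])
        if src_mac not in seen_macs:          # first appearance of a source MAC, bucketed per second
            seen_macs.add(src_mac)
            new_macs_per_second[int(ts)].add(src_mac)
        parsed = parse_arp(frame)
        if parsed is None:
            continue                          # not ARP (the flood frames below are plain IP)
        op, sender_mac, sender_ip = parsed
        if sender_mac != src_mac:             # ARP payload disagrees with the frame's own source
            alerts.append(("sender mac mismatch", sender_ip, src_mac, sender_mac))
        if op not in (ARP_REQUEST, ARP_REPLY):
            continue
        known = table.get(sender_ip)
        if known is None:
            table[sender_ip] = sender_mac
        elif known != sender_mac:
            alerts.append(("flip flop", sender_ip, known, sender_mac))
            table[sender_ip] = sender_mac     # follow the latest claim, as a victim's cache would
    for second, macs in sorted(new_macs_per_second.items()):
        if len(macs) >= flood_threshold:
            alerts.append(("cam table flood", second, len(macs)))
    return table, alerts


def sample_traffic():
    """Constructed sample: a normal request/reply, a poisoned reply, then a MAC flood."""
    gw, host, attacker = "00:11:22:33:44:01", "00:11:22:33:44:0a", "de:ad:be:ef:00:01"
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    frames = [
        (0.0, arp_frame(host, bcast, ARP_REQUEST, host, "192.168.1.10", zero, "192.168.1.1")),
        (0.1, arp_frame(gw, host, ARP_REPLY, gw, "192.168.1.1", host, "192.168.1.10")),
        # unsolicited reply from the attacker claiming the gateway's address
        (5.0, arp_frame(attacker, host, ARP_REPLY, attacker, "192.168.1.1", host, "192.168.1.10")),
    ]
    for i in range(60):   # 60 IP frames from 60 distinct source MACs inside one second
        frames.append((10.0 + i / 100, eth_frame(f"02:00:00:00:00:{i:02x}", bcast, ETH_P_IP, bytes(20))))
    return frames


if __name__ == "__main__":
    table, alerts = analyze(sample_traffic())
    for alert in alerts:
        print(alert)
```

On a real capture, feed `analyze()` the frames from a libpcap reader in arrival order; the per-second bucketing is deliberately crude, and the flood threshold has to be tuned to the segment (a DHCP storm after a power outage also produces many new MACs).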
Cisco Discovery Protocol (CDP) Tools
cdpd - transmit and receive CDP announcements; provides forgery capabilities
ICMP Layer Tests and Attacks
ish - ICMP shell; a remote command shell tunnelled over ICMP rather than TCP
IP Layer Tests
iperf - TCP/UDP bandwidth measurement tool, including IP multicast tests
fragtest - tests a host's IP fragment reassembly behaviour (part of the fragroute package)
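fragtest matters to forensics because hosts do not agree on which data wins when IP fragments overlap, so a sensor that reassembles differently from the destination host sees a different payload than the host did. The following added example (not code from fragroute, fragtest or any tool on this page) is a small IPv4 reassembler with a selectable overlap policy: "first" keeps the data that arrived earlier, "last" lets later data overwrite. It records every overlap it sees and shows that one constructed stream of three fragments yields two different payloads under the two policies. Addresses, identification values and payloads are constructed sample data.

```python
"""IPv4 fragment reassembler with a selectable overlap policy (added example; not part of
fragroute/fragtest or any tool listed above). Sample packets are constructed data."""
import struct


def ipv4_packet(ident, offset_units, more_fragments, payload, src="10.0.0.1", dst="10.0.0.2", proto=17):
    """Construct an IPv4 fragment: 20-byte header, no options, header checksum left zero."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return hdr + payload


def parse_ipv4(pkt):
    """Return the fields needed for reassembly, or None for a malformed or non-IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    return {
        "key": (pkt[12:16], pkt[16:20], ident, pkt[9]),   # src, dst, identification, protocol
        "offset": (flags_frag & 0x1FFF) * 8,               # fragment offset is in 8-byte units
        "mf": bool(flags_frag & 0x2000),                   # More Fragments flag
        "payload": pkt[ihl:total_len],
    }


class Reassembler:
    def __init__(self, policy="first"):
        assert policy in ("first", "last")
        self.policy = policy
        self.pending = {}      # key -> {"frags": [(offset, data), ...], "total": int or None}
        self.overlaps = []     # (key, offset, end, reason) for every completed datagram

    def feed(self, pkt):
        """Feed one packet; return the reassembled payload when a datagram completes, else None."""
        p = parse_ipv4(pkt)
        if p is None:
            return None
        if p["offset"] == 0 and not p["mf"]:
            return p["payload"]                      # not fragmented at all
        state = self.pending.setdefault(p["key"], {"frags": [], "total": None})
        state["frags"].append((p["offset"], p["payload"]))
        if not p["mf"]:
            state["total"] = p["offset"] + len(p["payload"])
        if state["total"] is None:
            return None                              # last fragment not yet seen
        return self._assemble(p["key"], state)

    def _assemble(self, key, state):
        total = state["total"]
        buf, covered, overlaps = bytearray(total), bytearray(total), []
        for off, data in state["frags"]:             # arrival order decides what "first"/"last" mean
            end = off + len(data)
            if end > total:
                overlaps.append((key, off, end, "extends past the last fragment"))
                data, end = data[:max(0, total - off)], min(end, total)
            if any(covered[off:end]):
                overlaps.append((key, off, end, "overlaps data already received"))
            for i in range(off, end):
                if self.policy == "last" or not covered[i]:
                    buf[i] = data[i - off]
                covered[i] = 1
        if not all(covered):
            return None                              # a hole remains; wait for more fragments
        del self.pending[key]
        self.overlaps.extend(overlaps)
        return bytes(buf)


def sample_fragments():
    """Constructed 16-byte datagram sent as three fragments; the third overlaps the second."""
    return [
        ipv4_packet(0x1234, 0, True, b"ABCDEFGH"),    # bytes 0-7, More Fragments set
        ipv4_packet(0x1234, 1, True, b"ijklmnop"),    # bytes 8-15, More Fragments set
        ipv4_packet(0x1234, 1, False, b"IJKLMNOP"),   # bytes 8-15 again, last fragment
    ]


def reassemble(frags, policy):
    """Run a fresh reassembler over frags in order; return (payload or None, overlaps seen)."""
    r, result = Reassembler(policy), None
    for f in frags:
        out = r.feed(f)
        if out is not None:
            result = out
    return result, r.overlaps


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(sample_fragments(), policy)[0])
```

Real operating systems use policies more involved than these two (they can depend on whether the overlapping fragment starts before, at, or after the existing data), which is exactly what fragtest probes on a live target; for a forensic tool the useful part is the `overlaps` list, since legitimate senders never produce overlapping fragments.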
UDP Layer Tests
udpcast - includes UDP-receiver and UDP-sender