NM User Guide
rev. D
NetworkMiner Professional
The NetworkMiner USB flash drive
NetworkMiner Professional is delivered on a customized USB flash drive. NetworkMiner
Professional is a portable application, which means that it doesn't require any installation
and can be run directly from the USB flash drive. Our recommendation is, however, that you
copy the NetworkMinerProfessional directory to your local hard drive and run it from there
for improved performance. It is up to you to decide if you will copy NetworkMiner to your
computer's desktop, put it in your Program Files directory or place it in the root of your
favorite HDD partition.
Hosts Tab
The hosts tab contains a list of all IP addresses seen in the analyzed traffic. Each host in the list is
displayed as an icon specifying the fingerprinted operating system (OS), followed by the IP address and
any host name that could be identified for the machine.
Host icon meanings:
- OS is FreeBSD
- OS is Linux
- OS is Mac
- OS is NetBSD
- OS is Solaris
- OS is Unix
- OS is Windows
- Unknown OS
- IP is multicast (RFC 3171)
- IP is broadcast (RFC 919)
- IP is reserved by IANA
Each host node can be expanded in order to reveal properties about the host, such as the
geographical location of the IP address and detected open ports.
Right-clicking a host brings up a context menu that enables host coloring. The host coloring
feature can be used to associate a color with a certain host (or IP address). Rows containing a
color coded host in other tabs in NetworkMiner are automatically colored according to the
user's color selection. The color coding can be a very useful and time saving feature that
makes it easier to, for example, follow the actions of a particular user or identify files retrieved
from a particular server.
Files Tab
The files tab contains a list of all files that have been reassembled and extracted by
NetworkMiner. Protocols from which files are extracted include common file transfer
protocols like HTTP, SMB, FTP and TFTP, but certificates are also extracted from SSL and TLS
encrypted traffic (including the TOR protocol). An extracted file can be opened by
right-clicking a row in the files tab, but we always recommend selecting Open Folder in the
context menu unless you are sure the extracted file does not contain malicious code. The list
of files can be sorted based on the contents of a particular column simply by clicking the
column's header.
Images Tab
The images tab shows thumbnail pictures of all images that have been extracted to a file by
NetworkMiner. Right-click an image to open it in an external viewer.
Messages Tab
All messages extracted from e-mails [1], IRC chats, IM chats and social media (Facebook,
Twitter etc.) are accessible from the messages tab. The leftmost pane contains a list of all
extracted messages. Contents and details of a particular message can be displayed by
selecting a message in the left pane.
Credentials Tab
The credentials tab contains user credentials, such as usernames and passwords, as well as
other details that might be useful in order to identify a particular user on the network. HTTP
Cookies are also displayed in the credentials tab.
Parameters Tab
The parameters tab displays all sorts of information extracted from network traffic where
there is a notion of a name-and-value combination. NetworkMiner extracts parameters such
as HTTP query string names and values, HTTP POST variables, HTTP cookie parameters and
FTP commands.
Keywords Tab
Any keywords that are of relevance for a particular case can be searched for by adding them
to the keywords tab. Every keyword match is displayed together with the frame number
and the source and destination of the packet. The keywords are case sensitive, so make sure to
enter them in both upper- and lowercase if needed. Arbitrary byte sequences can also be
searched for by entering them in hex format, e.g. 0x010203.
Remember that already loaded network traffic is not re-inspected when a new keyword is
added, so make sure to hit the Reload Case Files button after you have updated the
keyword list in order to re-crawl the traffic.
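To illustrate the matching rules described above, here is an added example (written for this guide, not NetworkMiner's own code) that scans constructed Ethernet/IPv4/TCP frames for a keyword list, treating 0x-prefixed entries as raw byte sequences and everything else as case-sensitive text, and reports each hit with its frame number, source and destination. It assumes untagged Ethernet framing and searches the whole frame, not only the payload.

```python
import struct

def build_frame(src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst/src MAC placeholders, EtherType IPv4
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

# Constructed capture: three frames, not taken from any real case.
FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", b"POST /login HTTP/1.1\r\n\r\nuser=bob&password=hunter2"),
    build_frame("10.0.0.9", "10.0.0.5", b"Password: incorrect"),
    build_frame("10.0.0.5", "10.0.0.7", b"\x01\x02\x03\x04binary"),
]

def parse_keyword(entry: str) -> bytes:
    """An entry written as 0x... is an arbitrary byte sequence; any other entry is matched as text."""
    if entry.lower().startswith("0x"):
        return bytes.fromhex(entry[2:])
    return entry.encode("utf-8")

def search_keywords(frames, keywords):
    """Re-crawl every frame for every keyword (the equivalent of Reload Case Files).

    Matching is case sensitive: 'password' and 'Password' are different keywords.
    Returns (keyword, frame_number, src_ip, dst_ip) tuples, frame numbers starting at 1.
    """
    needles = {kw: parse_keyword(kw) for kw in keywords}
    hits = []
    for number, frame in enumerate(frames, start=1):
        ip = frame[14:]                                   # skip the 14-byte Ethernet header
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        for kw, needle in needles.items():
            if needle in frame:
                hits.append((kw, number, src, dst))
    return hits

if __name__ == "__main__":
    for kw, number, src, dst in search_keywords(FRAMES, ["password", "Password", "0x010203"]):
        print(f"{kw!r} matched in frame {number}: {src} -> {dst}")
```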
Acknowledgments
NetworkMiner Professional includes databases for operating system fingerprinting created by Michal
Zalewski and Eric Kollmann. Michal has developed the LGPL licensed software p0f [2], from where the
TCP based fingerprinting databases p0f.fp and p0fa.fp originate. Eric has created databases for OS
fingerprinting through TCP handshakes as well as DHCP requests as part of his Satori [3] program. Eric is
also continuously keeping his databases up to date with new OS fingerprints. NetworkMiner also
includes a Geo IP database from GeoLite data created by MaxMind [4].
[1] NetworkMiner can extract e-mails from numerous webmail solutions as well as from traditional SMTP traffic.