NetworkMiner
| Capability | Description |
| --- | --- |
| Traffic sniffing | It can intercept traffic, sniff it, and collect and log packets that pass through the network. |
| Parsing PCAP files | It can parse pcap files and show the content of the packets in detail. |
| Protocol analysis | It can identify the protocols used in the parsed pcap file. |
| OS fingerprinting | It can identify the OS in use by reading the pcap file. This feature relies heavily on Satori and p0f. |
| File extraction | It can extract images, HTML files and emails from the parsed pcap file. |
| Credential grabbing | It can extract credentials from the parsed pcap file. |
| Cleartext keyword parsing | It can extract cleartext keywords and strings from the parsed pcap file. |
Operating Modes
There are two main operating modes:
- Sniffer Mode: Although NetworkMiner has a sniffing feature, it is not intended to be used as a sniffer. The sniffing feature is available only on Windows, while the rest of the features are available on both Windows and Linux. In our experience the sniffing feature is not as reliable as the other features, so we suggest not using this tool as a primary sniffer. Even the official description presents it as a “Network Forensics Analysis Tool” that can also be used as a sniffer. In other words, it is a Network Forensic Analysis Tool that happens to have a sniffer feature, not a dedicated sniffer like Wireshark or tcpdump.
- Packet Parsing/Processing: NetworkMiner can parse traffic captures to give a quick overview of, and information about, the investigated capture. This operating mode is mainly suggested for grabbing the “low hanging fruit” before diving into a deeper investigation.
Differences Between Wireshark and NetworkMiner
| Feature | NetworkMiner | Wireshark |
| --- | --- | --- |
| Purpose | Quick overview, traffic mapping, and data extraction | In-depth analysis |
| GUI | ✅ | ✅ |
| Sniffing | ✅ (Windows only) | ✅ |
| Handling PCAPs | ✅ | ✅ |
| OS Fingerprinting | ✅ | ❌ |
| Parameter/Keyword Discovery | ✅ | Manual |
| Credential Discovery | ✅ | ✅ |
| File Extraction | ✅ | ✅ |
| Filtering Options | Limited | ✅ |
| Packet Decoding | Limited | ✅ |
| Protocol Analysis | Identification only | ✅ |
| Payload Analysis | ❌ | ✅ |
| Statistical Analysis | ❌ | ✅ |
| Cross-Platform Support | ✅ | ✅ |
| Host Categorisation | ✅ | ❌ |
| Ease of Management | ✅ | ✅ |
Case Panel
The case panel shows the list of the investigated pcap files. You can reload/refresh, view metadata details and remove loaded files from this panel.
Hosts
The “hosts” menu shows the hosts identified in the pcap file. This section provides information on:
- IP address
- MAC address
- OS type
- Open ports
- Sent/Received packets
- Incoming/Outgoing sessions
- Host details
OS fingerprinting uses the Satori GitHub repo and p0f, and the MAC address database uses the mac-ages GitHub repo.
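To show what the Hosts view (and the Sessions view described next) is actually built from, here is an added example that is not NetworkMiner's code: a Python reader for classic pcap files, standard library only, that decodes Ethernet/IPv4/TCP headers and derives per-host MAC addresses, open ports, sent/received packet counts and TTL values, plus one session per client SYN. The capture it reads is constructed in memory, with invented IPs, MACs and ports, and the reader deliberately handles only little-endian classic pcap with the Ethernet link type (no pcapng, IPv6 or UDP).

```python
"""Added example (not NetworkMiner's code): rebuild the Hosts and Sessions views
from a classic pcap using only the Python standard library. Handles little-endian
pcap, Ethernet link type, IPv4/TCP; everything else is skipped. The capture is
constructed in memory so the script runs offline."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, native (little-endian) byte order, microsecond stamps
LINKTYPE_ETHERNET = 1
SYN, ACK, PSH = 0x02, 0x10, 0x08


def make_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame for the constructed capture (checksums left at zero:
    a host/session mapper never verifies them)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                       ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ipv4 + tcp


def build_pcap(frames):
    """24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def iter_records(pcap):
    """Yield (frame_number, frame_bytes); numbering starts at 1 as in NetworkMiner/Wireshark."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian classic pcap with Ethernet frames (pcapng not handled)")
    off, n = 24, 0
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off, n = off + 16, n + 1
        yield n, pcap[off:off + incl_len]
        off += incl_len


def decode(f):
    """L2-L4 fields of an IPv4/TCP frame, or None for anything else."""
    if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:
        return None
    t = 14 + (f[14] & 0x0F) * 4                      # TCP header starts after Ethernet + IPv4 (IHL)
    if len(f) < t + 20:
        return None
    sport, dport = struct.unpack_from("!HH", f, t)
    return dict(src_mac=f[6:12].hex(":"), src_ip=".".join(map(str, f[26:30])),
                dst_ip=".".join(map(str, f[30:34])), ttl=f[22], sport=sport, dport=dport,
                flags=f[t + 13], payload=f[t + (f[t + 12] >> 4) * 4:])


def mine(pcap):
    """Hosts: per IP, the MACs it sent from, ports it answered on (SYN/ACK), packet counts and
    TTLs seen (TTL is one input p0f/Satori-style OS fingerprinting keys on).
    Sessions: one entry per client SYN, keyed by the 4-tuple, recorded at its first frame."""
    hosts = defaultdict(lambda: dict(mac=set(), open_ports=set(), sent=0, received=0, ttl=set()))
    sessions = {}
    for frame_no, f in iter_records(pcap):
        p = decode(f)
        if p is None:
            continue
        src, dst = hosts[p["src_ip"]], hosts[p["dst_ip"]]
        src["mac"].add(p["src_mac"])
        src["ttl"].add(p["ttl"])
        src["sent"] += 1
        dst["received"] += 1
        if p["flags"] & SYN and not p["flags"] & ACK:          # plain SYN: the source is the client
            key = (p["src_ip"], p["sport"], p["dst_ip"], p["dport"])
            sessions.setdefault(key, dict(frame=frame_no, client=p["src_ip"], server=p["dst_ip"],
                                          sport=p["sport"], dport=p["dport"], protocol="TCP"))
        elif p["flags"] & SYN and p["flags"] & ACK:             # SYN/ACK: that server port is open
            src["open_ports"].add(p["sport"])
    return hosts, list(sessions.values())


# Constructed capture: a complete HTTP handshake plus request, and the start of an SSH session.
C_IP, C_MAC, S_IP, S_MAC = "10.0.0.5", "aa:bb:cc:00:00:05", "10.0.0.20", "aa:bb:cc:00:00:20"
SAMPLE_PCAP = build_pcap([
    make_frame(C_MAC, S_MAC, C_IP, S_IP, 51000, 80, SYN),
    make_frame(S_MAC, C_MAC, S_IP, C_IP, 80, 51000, SYN | ACK),
    make_frame(C_MAC, S_MAC, C_IP, S_IP, 51000, 80, ACK),
    make_frame(C_MAC, S_MAC, C_IP, S_IP, 51000, 80, PSH | ACK,
               b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    make_frame(C_MAC, S_MAC, C_IP, S_IP, 51001, 22, SYN),
    make_frame(S_MAC, C_MAC, S_IP, C_IP, 22, 51001, SYN | ACK),
])

if __name__ == "__main__":
    hosts, sessions = mine(SAMPLE_PCAP)
    for ip, h in sorted(hosts.items()):
        print(f"{ip:<12} mac={sorted(h['mac'])} open={sorted(h['open_ports'])} "
              f"sent={h['sent']} recv={h['received']} ttl={sorted(h['ttl'])}")
    for s in sessions:
        print(s)
```

Open ports here come only from SYN/ACK responses, so a port that is probed but never answers within the capture is not listed; the MAC recorded for a host is the source MAC of frames it sent, which behind a router is the gateway's MAC rather than the host's own.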
Sessions
The session menu shows the sessions detected in the pcap file. This section provides information on:
- Frame number
- Client and server address
- Source and destination port
- Protocol
- Start time
You can search for keywords inside frames with the help of the filtering bar. It is possible to filter specific columns of the session menu as well. This menu accepts four types of input:
- “ExactPhrase”
- “AllWords”
- “AnyWord”
- “RegEx”
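The four input types differ in how the query is matched against a row. As an added example (not NetworkMiner's code), the following re-implements the four modes over rows shaped like the Sessions table, so the difference between “AllWords” and “AnyWord”, or between a literal phrase and a regular expression, can be checked on constructed data. Case-insensitive matching, and matching against every column joined together when no column is selected, are this example's assumptions about the filter's behaviour.

```python
"""Added example (not NetworkMiner's code): the four match modes of NetworkMiner's
filter bar (ExactPhrase, AllWords, AnyWord, RegEx) over Sessions-style rows.
Case-insensitive matching and 'all columns when none is chosen' are assumptions."""
import re

SESSIONS = [  # constructed rows: frame, client, server, ports, protocol, start time
    dict(frame=1,  client="10.0.0.5", server="10.0.0.20",     sport=51000, dport=80,  protocol="TCP", start="09:00:01"),
    dict(frame=12, client="10.0.0.5", server="10.0.0.21",     sport=51002, dport=22,  protocol="TCP", start="09:00:15"),
    dict(frame=30, client="10.0.0.7", server="93.184.216.34", sport=51010, dport=443, protocol="TCP", start="09:01:03"),
    dict(frame=45, client="10.0.0.7", server="10.0.0.53",     sport=51020, dport=53,  protocol="UDP", start="09:01:40"),
]


def row_text(row, column=None):
    """The text a filter is matched against: one chosen column, or every column joined."""
    return str(row[column]) if column else " ".join(str(v) for v in row.values())


def matches(text, query, mode):
    if mode == "ExactPhrase":                 # the whole query as one literal substring
        return query.lower() in text.lower()
    if mode == "RegEx":                       # the query is a regular expression
        return re.search(query, text, re.IGNORECASE) is not None
    words = query.lower().split()
    if mode == "AllWords":                    # every whitespace-separated word must appear
        return all(w in text.lower() for w in words)
    if mode == "AnyWord":                     # at least one of the words must appear
        return any(w in text.lower() for w in words)
    raise ValueError(f"unknown filter mode {mode!r}")


def filter_sessions(rows, query, mode="ExactPhrase", column=None):
    """Frame numbers of the rows the filter keeps, in table order."""
    return [r["frame"] for r in rows if matches(row_text(r, column), query, mode)]


if __name__ == "__main__":
    print(filter_sessions(SESSIONS, "10.0.0.2"))                                   # servers 10.0.0.20 and .21
    print(filter_sessions(SESSIONS, "10.0.0.7 udp", "AllWords"))                   # only the DNS session
    print(filter_sessions(SESSIONS, "443 22", "AnyWord"))                          # SSH or HTTPS
    print(filter_sessions(SESSIONS, r"^10\.0\.0\.\d+$", "RegEx", column="server"))  # internal servers only
```

Note that “ExactPhrase” is a substring match, so “10.0.0.2” also matches 10.0.0.20 and 10.0.0.21; when that is not what you want, anchor a “RegEx” query or restrict it to a single column.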
DNS
The DNS menu shows DNS queries with details. This section provides information on:
- Frame number
- Timestamp
- Client and server
- Source and destination port
- IP TTL
- DNS time
- Transaction ID and type
- DNS query and answer
- Alexa Top 1M
Credentials
The credentials menu shows extracted credentials and password hashes from the investigated pcaps. Hashes are cracked rather than decrypted: you can feed them to Hashcat (GitHub) or John the Ripper (GitHub). NetworkMiner can extract credentials including:
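As an added example of what credential grabbing from a capture involves (this is not NetworkMiner's own extractor, and the page does not list which protocols the tool supports, so the two forms below are this example's choice), the following pulls HTTP Basic and FTP USER/PASS credentials out of reassembled client-to-server streams and returns rows shaped like the Credentials tab. The streams, hosts and credentials are constructed for the example.

```python
"""Added example (not NetworkMiner's extractor): recover cleartext credentials from
client->server streams for two common forms, HTTP Basic authentication and FTP
USER/PASS. Streams, addresses and credentials below are constructed."""
import base64
import binascii
import re

BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.MULTILINE | re.IGNORECASE)


def http_basic_credentials(stream):
    """Authorization: Basic <base64(user:password)>. Undecodable or colon-less values are skipped."""
    creds = []
    for m in BASIC_RE.finditer(stream):
        try:
            user, sep, password = base64.b64decode(m.group(1), validate=True).decode("latin-1").partition(":")
        except binascii.Error:
            continue
        if sep:                                   # no colon means it was not user:password
            creds.append(("HTTP Basic", user, password))
    return creds


def ftp_credentials(stream):
    """Pair each USER with the PASS that follows it; a USER never followed by PASS yields nothing."""
    creds, user = [], None
    for line in stream.split(b"\r\n"):
        cmd, _, arg = line.partition(b" ")
        if cmd.upper() == b"USER":
            user = arg.decode("latin-1")
        elif cmd.upper() == b"PASS" and user is not None:
            creds.append(("FTP", user, arg.decode("latin-1")))
            user = None
    return creds


def extract_credentials(streams):
    """streams: (client, server, server_port, client->server bytes). Dispatch on the server port
    and return Credentials-tab-style rows: (client, server, protocol, username, password)."""
    rows = []
    for client, server, port, data in streams:
        found = http_basic_credentials(data) if port in (80, 8080) else ftp_credentials(data) if port == 21 else []
        rows += [(client, server, proto, user, pw) for proto, user, pw in found]
    return rows


STREAMS = [  # constructed client->server payloads
    ("10.0.0.5", "10.0.0.20", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic YWxpY2U6V2ludGVyMjAyNCE=\r\n\r\n"),
    ("10.0.0.5", "10.0.0.20", 80,
     b"GET /api HTTP/1.1\r\nAuthorization: Bearer not-basic-so-ignored\r\n\r\n"),
    ("10.0.0.7", "10.0.0.30", 21,
     b"USER bob\r\nPASS s3cret\r\nPWD\r\nUSER carol\r\nQUIT\r\n"),
]

if __name__ == "__main__":
    for row in extract_credentials(STREAMS):
        print(row)
```

Dispatching on the server port is a simplification; a production extractor identifies the protocol from the payload so that HTTP on a non-standard port is still covered.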
Files
The file menu shows extracted files from the investigated pcaps. This section provides information on:
- Frame number
- Filename
- Extension
- Size
- Source and destination address
- Source and destination port
- Protocol
- Timestamp
- Reconstructed path
- Details
Images
The images menu shows extracted images from the investigated pcaps. The right-click menu is helpful here as well: you can open files and zoom in and out easily.
Parameters
The parameters menu shows extracted parameters from the investigated pcaps. This section provides information on:
- Parameter name
- Parameter value
- Frame number
- Source and destination host
- Source and destination port
- Timestamp
- Details
Keywords
The keywords menu shows extracted keywords from the investigated pcaps. This section provides information on:
- Frame number
- Timestamp
- Keyword
- Context
- Source and destination host
- Source and destination port
How to filter keywords:
- Add keywords
- Reload case files!
Note: You can filter on multiple keywords in this section; however, you must reload the case files after updating the search keywords. The keyword search examines all data in the processed pcaps.
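The Keywords tab reports, per hit, the frame number, the keyword and the bytes around it. As an added example (not NetworkMiner's code), the following scans the raw bytes of every processed frame for a list of keywords and produces the same kind of rows, including the surrounding context. Matching is byte-exact and case-sensitive here, and the 0x-prefixed form for binary (hex) keywords is this example's convention; the frames are constructed.

```python
"""Added example (not NetworkMiner's code): a keyword scan over the raw bytes of every
processed frame, reporting frame number, keyword, offset and surrounding context as the
Keywords tab does. Matching is byte-exact; '0x...' keywords are hex byte patterns
(this example's convention). Frames are constructed."""

FRAMES = [  # constructed (frame number, raw frame bytes); lower-layer headers omitted for brevity
    (7, b"GET /login HTTP/1.1\r\nHost: intranet.example\r\nCookie: session=abc123\r\n\r\n"),
    (9, b"POST /login HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"username=alice&password=Winter2024!"),
    (15, b"\x00\x01\x02" + bytes.fromhex("4d5a900003000000") + b"PE file fragment"),
]


def parse_keyword(keyword):
    """'password' -> the ASCII bytes; '0x4d5a9000' -> the four bytes 4d 5a 90 00 (an MZ header)."""
    if keyword.lower().startswith("0x"):
        return bytes.fromhex(keyword[2:])
    return keyword.encode("latin-1")


def printable(chunk):
    """Render context bytes as text, escaping line breaks and other non-printables."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in chunk)


def search_keywords(frames, keywords, context=16):
    """Every frame is scanned against every keyword; a changed keyword list therefore means
    re-scanning all frames, consistent with NetworkMiner asking for a case reload."""
    needles = [(k, parse_keyword(k)) for k in keywords]
    hits = []
    for frame_no, data in frames:
        for label, needle in needles:
            start = 0
            while (i := data.find(needle, start)) != -1:       # all occurrences, not just the first
                window = data[max(0, i - context): i + len(needle) + context]
                hits.append(dict(frame=frame_no, keyword=label, offset=i, context=printable(window)))
                start = i + 1
    return hits


if __name__ == "__main__":
    for h in search_keywords(FRAMES, ["password", "login", "0x4d5a9000"]):
        print(f"frame {h['frame']:>3} offset {h['offset']:>3} {h['keyword']!r}: {h['context']}")
```

Because the scan is byte-exact, “PASSWORD” will not find “password”; add both spellings (or a hex pattern for binary markers such as file headers) to the keyword list before reloading.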
Messages
The messages menu shows extracted emails, chats and messages from the investigated pcaps. This section provides information on:
- Frame number
- Source and destination host
- Protocol
- Sender (From)
- Receiver (To)
- Timestamp
- Size
Anomalies
The anomalies menu shows anomalies detected in the processed pcap. Note that NetworkMiner is not designed as an IDS; however, the developers have added some detections, for example for the EternalBlue exploit and for spoofing attempts.