NetworkMiner

From NSMWiki

Background

About NetworkMiner

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for offline analysis and regenerate/reassemble transmitted files and certificates from those PCAP files.

The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).

There are two versions of NetworkMiner: a free open source version at SourceForge and a commercial version from NETRESEC AB called NetworkMiner Professional. The commercial "NetworkMiner Professional" version includes additional features such as:

* Port Independent Protocol Identification (PIPI)
* Export results to CSV / Excel
* Configurable file output directory
* Geo IP localization
* Command line scripting support with NetworkMinerCLI.exe

Usage (NetworkMinerCLI.exe)

Usage: F:\NetworkMinerProfessional_1-0\NetworkMinerCLI.exe [OPTIONS]

-r <input_file>        : Set the pcap file to read
-w <output_directory>  : Directory to store output files in
-b <frame_buffer_size> : Number of frames to buffer in memory (5000 = default)
-noHeader              : Disables column headers for CSV files

Example: F:\NetworkMinerProfessional_1-0\NetworkMinerCLI.exe -r evidence.pcap -w D:\exported_data\
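The usage above processes one capture at a time. The following PowerShell script is an added example of the command line scripting support the page lists; it is not from the wiki page or from NETRESEC. It batch-processes every .pcap in a folder, writes each capture's results to its own output directory, records a SHA-256 of each input so the extracted artifacts can be tied back to an unchanged capture, and counts the CSV files produced. The paths in $NetworkMinerCli, $PcapDir and $OutRoot are assumptions, as is the choice of frame buffer size; only the -r, -w, -b and -noHeader options from the usage text are used.

```powershell
# Added example: batch-process a folder of PCAP files with NetworkMinerCLI.exe.
# Assumptions (not from the wiki page): the CLI is at $NetworkMinerCli,
# evidence captures are in $PcapDir, and results are written under $OutRoot.
$NetworkMinerCli = 'F:\NetworkMinerProfessional_1-0\NetworkMinerCLI.exe'
$PcapDir = 'D:\evidence\pcaps'
$OutRoot = 'D:\exported_data'

New-Item -ItemType Directory -Path $OutRoot -Force | Out-Null

# Manifest of input hashes, kept next to the exported data so the extraction
# can later be matched against the original evidence files.
$manifest = Join-Path $OutRoot 'input_hashes.csv'
'pcap,sha256' | Set-Content -Path $manifest

Get-ChildItem -Path $PcapDir -Filter '*.pcap' | ForEach-Object {
    $pcap = $_.FullName

    # One output directory per capture keeps reassembled files and CSV
    # tables from different evidence sources apart.
    $outDir = Join-Path $OutRoot $_.BaseName
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null

    # Hash the input before parsing it.
    $hash = (Get-FileHash -Path $pcap -Algorithm SHA256).Hash
    "$($_.Name),$hash" | Add-Content -Path $manifest

    # -b raises the frame buffer above the default of 5000 for large captures
    # (20000 is an assumed value). -noHeader is deliberately omitted so the
    # CSV files keep their column headers for later import.
    & $NetworkMinerCli -r $pcap -w $outDir -b 20000

    # A non-zero exit code is worth flagging in the run log.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "NetworkMinerCLI exited with code $LASTEXITCODE for $pcap"
    }

    # Summarize what was produced for this capture.
    $csvCount = (Get-ChildItem -Path $outDir -Recurse -Filter '*.csv').Count
    Write-Output ("{0}: {1} CSV file(s) written to {2}" -f $_.Name, $csvCount, $outDir)
}
```

Run the script from a PowerShell prompt on the analysis workstation after adjusting the three path variables. Hashing the capture before NetworkMinerCLI.exe reads it, rather than afterwards, means the manifest reflects the file exactly as it was handed to the parser.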