Network Forensics and
Network Security Monitoring

Netresec is an independent software vendor with focus on the network security field. We specialize in software for network forensics and analysis of network traffic.

Our best-known product is NetworkMiner, which is available both as a professional version and as a free open source version. We also develop and maintain other software tools, such as CapLoader (for large pcap files) and RawCap (a lightweight sniffer).

We at Netresec additionally maintain a comprehensive list of publicly available pcap files.

NetworkMiner

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for offline analysis and regenerate/reassemble transmitted files and certificates from the captured traffic.

CapLoader

CapLoader is a Windows tool designed to handle large amounts of captured network traffic in the tcpdump/libpcap format (PCAP). CapLoader displays the contents of opened PCAP files as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out the corresponding packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool such as Wireshark or NetworkMiner is then just a mouse click away.

PacketCache

PacketCache is a free Windows service designed to continuously monitor the network interfaces of a computer and store the captured packets in memory (RAM). The idea is to make full-content packets available for post-event incident response and network forensic analysis. PacketCache can be used either as a complement to solutions for centralized network packet capturing, or without any other network monitoring solution in place.

RawCap

RawCap is a tiny (23 kB) command line sniffer for Windows. You can sniff packets with RawCap without having special network drivers (like WinPcap) installed. No installation is required; just download RawCap.exe and start sniffing!

Headlines from our Network Security Blog:


Network Forensics Training in London
People sometimes ask me when I will teach my network forensics class in the United States. The US is undoubtedly the country with the most advanced and mature DFIR community, so it would be awesome to be able to give my class there. However, not being a U.S. person and not working for a U.S. company[...]

Domain Whitelist Benchmark: Alexa vs Umbrella
In November last year Alexa admitted in a tweet that they had stopped releasing their CSV file with the one million most popular domains. Members of the Internet measurement and infosec research communities were outraged, surprised and disappointed since this domain list had become the de facto tool[...]

CapLoader 1.5 Released
We are today happy to announce the release of CapLoader 1.5. This new version of CapLoader parses pcap and pcap-ng files even faster than before and comes with new features, such as a built-in TCP stream reassembly engine, as well as support for Linux and macOS. Support for ICMP Flows. CapLoader is d[...]

Enable file extraction from PCAP with NetworkMiner in six steps
NetworkMiner can reassemble files transferred over protocols such as HTTP, FTP, TFTP, SMB, SMB2, SMTP, POP3 and IMAP simply by reading a PCAP file. NetworkMiner stores the extracted files in a directory called 'AssembledFiles' inside of the NetworkMiner directory. Files extracted by NetworkMiner fro[...]

10 Years of NetworkMiner
I released the first version of NetworkMiner on February 16, 2007, which is exactly 10 years ago today. One of the main uses of NetworkMiner today is to reassemble file transfers from PCAP files and save the extracted files to disk. However, as you can see in the screenshot above, the early versions[...]

Network Forensics Training at TROOPERS 2017
I will come back to the awesome TROOPERS conference in Germany this spring to teach my two-day network forensics class on March 20-21. The training will touch upon topics relevant for law enforcement as well as incident response, such as investigating a defacement, finding backdoors and dealing with[...]

NetworkMiner 2.1 Released
We are releasing a new version of NetworkMiner today. The latest and greatest version of NetworkMiner is now 2.1. Yay! /throws confetti in the air. Better Email Parsing. I have spent some time during 2016 talking to digital forensics experts at various law enforcement agencies. I learned that from time[...]

BlackNurse Denial of Service Attack
Remember the days back in the 90s when you could cripple someone's Internet connection simply by issuing a few PING commands like 'ping -t [target]'? This type of attack was only successful if the victim was on a dial-up modem connection. However, it turns out that a similar form of ICMP flooding can[...]

Reading cached packets with Wireshark
Would you like to sniff packets that were sent/received some minutes, hours or even days ago in Wireshark? Can't afford to buy a time machine? Then your best chance is to install PacketCache, which allows you to read OLD packets with Wireshark. We recently released a free tool for keeping a cache of[...]

Detect TCP content injection attacks with findject
NSA's QUANTUM INSERT attack is probably the most well-known TCP packet injection attack due to the Snowden revelations regarding how GCHQ used this method to hack into Belgacom. However, the 'Five Eyes' are not the only ones who perform this type of attack on the Internet. We now release a tool to h[...]