Showing blog posts from April 2012
Below is a short video tutorial showing some of the cool features in CapLoader 1.0.
The functionality shown in the video includes:
- Loading multiple pcap files into a single flow view
- Port Independent Protocol Identification (PIPI)
- Fast extraction of packets related to one or several flows
- Exporting packets to Wireshark and NetworkMiner
- Drag-and-dropping packets to Wireshark
- Selecting a flow based on an IDS alert from Snort
- Extracting packets from a selected flow to a new pcap file
The video can also be seen on YouTube at the following URI:
The three pcap files loaded in the video tutorial are from the DFRWS 2009 Challenge.
Posted by Erik Hjelmvik on Monday, 30 April 2012 14:35:00 (UTC/GMT)
NetworkMiner 1.3 was released earlier today, and there was much rejoicing!
HTTP Digest credentials from USCC's web_recon.pcap and hmi_web_recon.pcap
Some of the features added to this new release of NetworkMiner include:
- Extraction of user names from HTTP Digest Authentication (RFC 2617), such as those found in US Cyber Challenge “Cyber Quest February 2012”.
- HTTP headers are shown on the Parameters tab (including common headers like “Host” and “User-Agent” as well as rare ones).
- HTTP X headers are shown for hosts under the “Host Details” > “Extra Details” node. These X headers include “x-up-calling-line-id” and “HTTP_X_UP_CALLING_LINE_ID”, which can be used to identify the phone number of the mobile device used to access a web page. This type of information leakage can be detected with Collin Mulliner's MNO Privacy Checker.
- Support for the Null / Loopback link layer packets that are written when sniffing localhost on BSD operating systems.
- Ability to select a custom cleartext dictionary file for the "Cleartext" tab. This feature can be used in order to look for text in a specific language.
- Files with “.raw” extension are now treated as pcap files since this is the extension used by Sguil (hat tip to Doug Burks for this idea).
- The alert window about WinPcap not being installed has been removed.
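As an added illustration of the first and third bullets above (not code from NetworkMiner itself), the following Python snippet parses an HTTP request, pulls the cleartext username and realm out of an RFC 2617 Digest Authorization header, and flags X headers such as x-up-calling-line-id that may leak the phone number of a mobile client. The request, host name and header values are constructed for the example.

```python
import re

# Constructed sample request (not from the Cyber Quest captures mentioned above);
# the digest parameter values are placeholders, not a real credential exchange.
SAMPLE_REQUEST = (
    "GET /private/index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    'Authorization: Digest username="alice", realm="example.com", '
    'nonce="0123456789abcdef", uri="/private/index.html", '
    'response="00000000000000000000000000000000"\r\n'
    "x-up-calling-line-id: 5551234567\r\n"
    "\r\n"
)

# key="quoted value"  or  key=token  (RFC 2617 auth-param syntax)
DIGEST_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_headers(raw):
    """Split an HTTP request into (request line, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_digest(auth_value):
    """Return the Digest auth-params as a dict, or None if not a Digest header."""
    if not auth_value.lower().startswith("digest "):
        return None
    params = {}
    for m in DIGEST_PARAM.finditer(auth_value[len("digest "):]):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params

def analyze_request(raw):
    """Extract cleartext Digest username/realm and identity-leaking X headers."""
    _, headers = parse_headers(raw)
    result = {"host": headers.get("host"), "digest_username": None,
              "digest_realm": None, "leaky_x_headers": {}}
    digest = parse_digest(headers.get("authorization", ""))
    if digest:
        # Username and realm travel in cleartext; the password only as a hash.
        result["digest_username"] = digest.get("username")
        result["digest_realm"] = digest.get("realm")
    for name, value in headers.items():
        if name.startswith("x-") or name.startswith("http_x_"):
            result["leaky_x_headers"][name] = value
    return result
```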
The professional edition of NetworkMiner additionally includes a new feature for performing offline whois lookups of IP addresses against the RIPE database. This offline whois lookup can be used to find out which organization owns the IP network for a particular IP address. The whois information can be found in the “Host Details” node in the “Hosts” tab.
Offline RIPE lookup of IP address belonging to Danish TDC A/S
At this point, only whois lookups of European IP addresses are supported. NetworkMiner Professional is also not shipped with the RIPE database installed, but downloading it is very easy: simply click “Tools” > “Download RIPE DB”.
How to download the RIPE database to NetworkMiner Professional
Customers who have purchased a previous version of NetworkMiner Professional can download an update for free from our customer portal. If you are unable to log in, then please send an email to info [at] netresec.com with your current version number as well as license number (which you can find under the menu “Help” > “About Network Miner”).
Posted by Erik Hjelmvik on Thursday, 12 April 2012 21:55:00 (UTC/GMT)
Are you working with large pcap files and need to see the “whole picture” while still being able to quickly drill down to individual packets for a TCP or UDP flow? Then this is your lucky day, since we at Netresec are releasing our new tool CapLoader today!
Here are the main features of CapLoader:
- Fast loading of multi-gigabyte PCAP files (1 GB loads in less than 2 minutes on a standard PC and even faster on multi-core machines).
- GUI presentation of all TCP and UDP flows in the loaded PCAP files.
- Automatic identification of application layer protocols without relying on port numbers.
- Extremely fast drill-down functionality to open packets from one or multiple selected flows.
- Possibility to export packets from selected flows to a new PCAP file or directly open them in external tools like Wireshark and NetworkMiner.
CapLoader with files from Honeynet SOTM 28 loaded. The application layer protocol from the rootkit backdoor on TCP 5001 is automatically identified as "SSH".
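The screenshot caption above shows why identifying protocols without trusting port numbers matters: the backdoor speaks SSH on TCP 5001. The following Python snippet, added here as an illustration and not CapLoader's own PIPI implementation, classifies flows from their first payload bytes using banner and handshake signatures (an assumption of this example; CapLoader's actual method is not described on the page) and then flags flows whose identified protocol is not on its usual port. The flows and port table are constructed.

```python
# Simplified port-independent protocol identification: classify a flow from the
# first payload bytes each side sent, then flag flows whose protocol does not
# match the server port (the "SSH on TCP 5001" backdoor case in the caption).
# Banner/handshake signature matching is an assumption of this example, not
# CapLoader's actual PIPI algorithm.
SIGNATURES = [
    ("SSH", lambda d: d.startswith(b"SSH-")),
    ("HTTP", lambda d: d.startswith(b"HTTP/1.") or any(
        d.startswith(m + b" ") for m in (b"GET", b"POST", b"HEAD", b"PUT"))),
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04
    ("TLS", lambda d: len(d) >= 3 and d[0] == 0x16 and d[1] == 0x03 and d[2] <= 0x04),
]

# Ports where each protocol is normally expected (constructed, deliberately small).
STANDARD_PORTS = {"SSH": {22}, "HTTP": {80, 8080}, "TLS": {443}}

def identify(client_payload, server_payload):
    """Return the protocol name matched by either direction, or None."""
    for name, test in SIGNATURES:
        if test(client_payload) or test(server_payload):
            return name
    return None

def classify_flow(server_port, client_payload, server_payload):
    """Identify the protocol and report whether it runs on an unexpected port."""
    proto = identify(client_payload, server_payload)
    mismatch = proto is not None and server_port not in STANDARD_PORTS[proto]
    return {"protocol": proto, "server_port": server_port, "port_mismatch": mismatch}

# Constructed flows: (server port, first client bytes, first server bytes).
FLOWS = [
    (5001, b"SSH-2.0-OpenSSH_5.3\r\n", b"SSH-2.0-dropbear_0.52\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    (443, b"\x16\x03\x01\x00\x5c\x01\x00\x00\x58\x03\x01", b""),
    (12345, b"\x00\x01\x02", b"\x90\x90"),
]

def suspicious_flows(flows):
    """Flows whose identified protocol is not on one of its usual ports."""
    return [c for c in (classify_flow(*f) for f in flows) if c["port_mismatch"]]

if __name__ == "__main__":
    for f in FLOWS:
        print(classify_flow(*f))
```

Flows with no signature match are reported as unknown rather than mismatched, so an analyst can review them separately instead of having them hidden among the false negatives.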
The typical process of working with CapLoader is:
- Open one or multiple pcap files, typically by drag-and-dropping them onto the CapLoader GUI.
- Mark the flows of interest.
- Double click the PCAP icon to open the selected sessions in your default pcap parser (typically Wireshark) or, better yet, drag-and-drop from the PCAP icon to your favorite packet analyzer.
In short, CapLoader will significantly speed up the analysis of large network captures while also giving analysts a unique protocol identification ability. We at Netresec see CapLoader as the perfect tool for everyone who wants to perform analysis on “big data” network captures.
More information about CapLoader is available on caploader.com.
Posted by Erik Hjelmvik on Monday, 02 April 2012 19:55:00 (UTC/GMT)