Network Forensics and
Network Security Monitoring
Netresec is an independent software vendor with focus on the network security field. We specialize in software for network forensics and analysis of network traffic.
Our most well known product is NetworkMiner, which is available in a professional as well as free open source version. We also develop and maintain other software tools, such as CapLoader (for big pcap files) and RawCap (a lightweight sniffer).
We at Netresec additionally maintain a comprehensive list of publicly available pcap files.
NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
CapLoader
CapLoader is a Windows tool designed to handle large amounts of captured network traffic in the tcpdump/libpcap format (PCAP). CapLoader displays the contents of opened PCAP files as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.
PolarProxy
PolarProxy is a transparent TLS and SSL inspection proxy created for incident responders, malware analysts and security researchers. PolarProxy is primarily designed to intercept and decrypt TLS encrypted traffic from malware that is run in a controlled environment, such as a sandbox. PolarProxy decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file.
Additional software from Netresec can be found on our products page.
Headlines from our Blog
I analyzed a PCAP file from a sandbox execution of the Evil Extractor stealer malware earlier today. This stealer collects credentials and files of interest from the victim's computer and exfiltrates them to an FTP server. It is designed to autonomously collect and exfiltrate data rather than receiv[...]
In this video I analyze network traffic from a QakBot (QBot) infection in order to identify the Command-and-Control (C2) traffic. The analyzed PCAP file is from malware-traffic-analysis.net. IOC ListC2 IP and port: 80.47.61.240:2222C2 IP and port: 185.80.53.210:443QakBot proxy IP and port: 23.111.11[...]
PolarProxy is constantly being updated with new features, enhanced performance and bug fixes, but these updates are not always communicated other than as a short mention in the ChangeLog. I would therefore like to highlight a few recent additions to PolarProxy in this blog post. Custom TLS Redirecti[...]
Brad Duncan published IcedID (Bokbot) from fake Microsoft Teams page earlier this week. In this video I take a closer look at the PCAP file in that blog post. The video cannot be played in your browser. Note: This video was recorded in a Windows Sandbox to minimize the risk of infecting the host PC[...]
CapLoader 1.9.5 was released today! The most important addition in the 1.9.5 release is the new Alerts tab, in which CapLoader warns about malicious network traffic such as command-and-control protocols. The alerts tab also shows information about network anomalies that often are related to maliciou[...]
I will be teaching two live online network forensics classes this spring, one in March and one in April. The March class is adapted to American time and the April one is adapted to European time. Both classes focus on doing network forensics in an incident response context. The training is split int[...]
Did you know that the SCADA protocol IEC 60870-5-104 (IEC-104) can be used to transfer files? This file transfer feature is primarily used for retrieving disturbance data from electric grid protection devices, such as protective relays, but can in practice be used to transfer any type of data. In th[...]
I am happy to announce the release of NetworkMiner 2.8 today! This new version comes with an improved user interface, better parsing of IEC-104 traffic and decapsulation of CAPWAP traffic. The professional edition of NetworkMiner additionally adds port-independent detection of SMTP and SOCKS traffic[...]