No more Wine - NetworkMiner in Linux with Mono

UPDATE
See our blog post How To install NetworkMiner in Linux for a more up to date installation guide.

NetworkMiner is a network forensics tool that is primarily designed to run under Windows. But it is now (as of version 1.2 of NetworkMiner) also possible to run NetworkMiner on non-Windows OS's like Linux, Mac, FreeBSD etc. with help of Mono. This means that there is no longer any need to run NetworkMiner under Wine, since Mono is a much better alternative.

So what is Mono? Here is a description from the mono-project's website:

“Mono is a software platform designed to allow developers to easily create cross platform applications. Sponsored by Xamarin, Mono is an open source implementation of Microsoft's .NET Framework based on the ECMA standards for C# and the Common Language Runtime. A growing family of solutions and an active and enthusiastic contributing community is helping position Mono to become the leading choice for development of Linux applications.”

Here are some of the features in NetworkMiner that work better under Mono compared to Wine:

• Drag-and-drop pcap files onto NetworkMiner works under Mono
• Extracted/reassembled files are put in OS-native folders (under the NetworkMiner/AssembledFiles folder)
• Right-clicking an extracted file or image and selecting “Open file” or “Open containing folder” works under Mono
• No big Wine install required, the Mono framework only requires 32 MB to install

Here are the commands required to install Mono and NetworkMiner on Ubuntu Linux:

sudo apt-get install libmono-winforms2.0-cil
wget www.netresec.com/?download=NetworkMiner -O /tmp/networkminer.zip
sudo unzip /tmp/networkminer.zip -d /opt/
cd /opt/NetworkMiner_*
sudo chmod +x NetworkMiner.exe
sudo chmod -R go+w AssembledFiles/
sudo chmod -R go+w Captures/
mono NetworkMiner.exe

Update: See our blog post How to install NetworkMiner in Linux for an installation guide for other linux flavors.

Posted by Erik Hjelmvik on Monday, 26 December 2011 20:30:00 (UTC/GMT)

Tags: #NetworkMiner​ #Mono​ #Wine​ #Linux​ #Ubuntu​

REMnux now includes NetworkMiner

Lenny Zeltser recently released version 3 of his Reverse-Engineering Malware Linux distro REMnux.

Here are a few of the improvements in REMnux 3 compared to the previous version:

• The REMnux distro is now based on Ubuntu
• Updated versions of Volatility and Origami
• NetworkMiner is included for forensic analysis of network traffic

As of version 1.2 of NetworkMiner it is possible to use mono to run it on non-Windows OS's like Linux, Mac and FreeBSD. Lenny used this functionality in order to run NetworkMiner under mono instead of using Wine, which I think is a great decision since NetworkMiner integrates much better with the OS when it is run with mono.

NetworkMiner running on REMnux

There is, however, one caveat to be aware of when running NetworkMiner under REMnux; you either have to run it as root (as in the screenshot above) or add write permissions to the AssembledFiles directory with:

sudo chmod -R go+w /usr/local/NetworkMiner/AssembledFiles

NetworkMiner will otherwise not be able to extract any files from the analyzed pcap files to disk since it won't have right to write them to the AssembledFiles folder.

Luckily, Lenny has already confirmed to me that he will have this fixed in the next release of REMnux.

Posted by Erik Hjelmvik on Friday, 16 December 2011 21:46:00 (UTC/GMT)

Tags: #REMnux​ #Linux​ #NetworkMiner​ #mono​

Richard, Russ and Adrian trying NetworkMiner Professional

I recently sent out a copy of NetworkMiner Professional to three persons, who I respect for their contributions to different parts of the IT security community.

NetworkMiner Professional USB flash drive

All three persons have now publicly shared their experiences from analyzing network traffic with NetworkMiner Professional.

Richard Bejtlich

First out was Richard Bejtlich – blogger, black hat instructor and CSO at Mandiant.

Richard wrote a blog post titled “Trying NetworkMiner Professional 1.2”, where he analyzes a pcap file from his TCP/IP Weapons School class. Richard also shared some new ideas on new features that he'd like to see in NetworkMiner.

Russ McRee

Russ McRee is a hard-working vulnerability discoverer, blogger and journal author, who also is team leader of Microsoft Online Service’s Security Incident Management team. Russ published his blog post titled “Tool review: NetworkMiner Professional 1.2” shortly after Richard's blog post.

In his blog post Russ looks closer at the features of NetworkMiner Professional that are not included in the free version of NetworkMiner. These features include:

• Port Independent Protocol Identification (PIPI), which is provided through an implementation of the SPID algorithm.
• Geo-IP localization of hosts
• Host coloring
• The command line tool NetworkMinerCLI (more info in our blog post Command-line Network Forensics with NetworkMinerCLI)

Adrian Crenshaw

Adrian Crenshaw, the guy behind Irongeek.com and co-founder of Derbycon, went one step further by recording a video titled “NetworkMiner Professional for Network Forensics”.

In the video Adrian shows features such as:

• PcapOverIP
• Running NetworkMiner on Mac OS X (NetworkMiner 1.2 and later supports both Linux and Mac)
• Exporting results to CSV-files for viewing in Excel
• Command line scripting support

Posted by Richard Bejtlich on Friday, 09 December 2011 18:45:00 (UTC/GMT)

Tags: #NetworkMiner Professional​