NETRESEC Network Security Blog

NetworkMiner 2.4 Released

NetworkMiner 2.4

We are proud to announce the release of NetworkMiner 2.4 today! The new version comes with several improvements, such as username extraction from Kerberos traffic, better OS fingerprinting and even better Linux support.

Protocol Updates

The Kerberos v5 implementation in NetworkMiner 2.4 can be used to to extract usernames, hostnames and realms (domains) from unencrypted Kerberos requests/responses on port 88. NetworkMiner also parses and extracts usernames etc. from HTTP auth headers and SMB security blobs when they use Kerberos for authentication.

Kerberos username (Administrator) and realm (DENYDC.COM) in NetworkMiner's Host tab
Image: NetworkMiner showing extracted username (Administrator) and realm (DENYDC.COM) from the Wireshark sample capture file “Krb-contrained-delegation.cap”.

NetworkMiner also automatically attempts to parse traffic to TCP port 11371 as HTTP in order to extract GPG keys sent using the HKP protocol.

MAC Address Magic

We’ve added two new features related to MAC addresses to this release. One of them is the “MAC Age” field (showing “2000-11-09” in the previous screenshot), which is a guesstimate of how hold a device/host is based on its MAC address. This functionality uses HD Moore’s mac-ages database, which contains approximate dates for when hardware address ranges were allocated by IEEE (original concept from DeepMac).

The second MAC feature is a simple yet useful feature that adds links between hosts that share the same MAC address. This feature is useful for linking a host's IPv6 and IPv4 addresses with each other, but it can also be used to track if a physical host has changed its IP address. The MAC address links can be accessed by expanding the MAC address node in NetworkMiner’s Hosts tab.

IPv4 and IPv6 address with the same MAC address
Image: NetworkMiner with a PCAP file from ISTS 2012

ICS Asset Inventory

Hard Hat

We’ve put in some ground work in order to create OS fingerprinting signatures for several Industrial Control System (ICS) devices. Our signatures have been submitted and merged into Eric Kollmann’s Satori TCP database, which NetworkMiner uses to passively fingerprint hosts by examining various TCP and IP fields in the initial SYN/SYN+ACK packets of TCP sessions. The ICS devices we’ve added include PLCs, RTUs as well as rugged network equipment from vendors like ABB, Allen-Bradley, Modicon, Moxa, Phoenix Contact and Siemens. Some ICS vendors even got an icon showing their logo in the Hosts tab (see the Siemens/RUGGEDCOM device in the screenshot below) while the others got a yellow hard hat.

Asset inventory list with ICS devices
Image: Asset inventory list generated by NetworkMiner using PCAP files from the 4SICS 2015 ICS Lab.


NetworkMiner isn’t designed to be used as an IDS. Nevertheless we decided to add detection for the EternalBlue exploit to NetworkMiner 2.4. The fact that NetworkMiner parses NetBIOS and SMB makes it pretty straightforward to identify when an attacker is attempting to allocate a large non-paged pool in srvnet.sys by using a vulnerability in Microsoft’s SMB implementation (see MS17-010 for reference). This type of detection is difficult to perform using a standard IDS solution that cannot parse the NetBIOS and SMB protocols. Detected EternalBlue exploit attempts are listed in NetworkMiner's “Anomalies” tab. Example PCAP files with attackers/malware using the EternalBlue exploit can be found here:

NetworkMiner in Linux

NetworkMiner Loves Linux

NetworkMiner is a Windows tool, but it actually runs just fine also in other operating systems with help of the Mono Framework (see our guide “HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux”). However, there are a few pitfalls that must be avoided to get the software running smoothly using Mono. With this release we’ve implemented workarounds for two bugs in Mono’s GUI implementation (System.Windows.Forms).

The first workaround handles a Mono bug that sometimes could be triggered by Drag-and-Dropping a file or image from NetworkMiner to another application, such as a browser, text editor or image viewer. Doing so would previously trigger a NullReferenceException in System.Windows.Forms.X11Dnd+TextConverter.SetData under certain conditions. We’re happy to report that you can now reliably drag and drop files extracted by NetworkMiner to other tools, even when running Linux.

The second workaround handles a bug in Mono’s GDIPlus implementation related to rendering of Unicode characters. We were unfortunately not able to reliably get Mono to render Unicode characters, NetworkMiner will therefore convert all Unicode MIME data to ASCII when using Mono (typically in Linux). Windows users will still get the proper Unicode representations of exotic characters and emojis in NetworkMiner though. ☺

NetworkMiner Professional

The commercial version of NetworkMiner, i.e. NetworkMiner Professional, comes with a few additional improvements. One of them is is that the following additional online sources have been added to the OSINT lookup feature:

OSINT lookup of file hash in NetworkMiner Professional
Image: OSINT lookup menu for .exe file extracted from’s 2018-10-16-trickbot.pcap.

The CSV export from NetworkMinerCLI has been updated to use the ISO 8601 format with explicit time zone for timestamps. An exported timestamp now look something like this:


NetworkMiner Professional 2.4 also identifies application layer protocols regardless of port number (a.k.a. PIPI) with much better precision than earlier versions. It also extracts audio from VoIP calls (SIP) more reliably than before.


I would like to thank Chris Sistrunk for requesting GUI support to link IPv4 and IPv6 hosts with the same MAC address and Jonas Lejon for the HKP GPG key extraction idea. I would also like to thank Phil Hagen for notifying us about the issue with Unicode in emails when running NetworkMiner under Mono and Ahmad Nawawi for notifying us about the protocol identification shortages in the previous version.

Upgrading to Version 2.4

Users who have purchased a license for NetworkMiner Professional 2.x can download a free update to version 2.4 from our customer portal. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.


Posted by Erik Hjelmvik on Thursday, 10 January 2019 14:20:00 (UTC/GMT)

Tags: #NetworkMiner #ICS #SIP #VoIP #IPv6 #Mono #Linux #Satori #OSINT #PIPI

More... Share  |  Facebook   Twitter   Reddit   Hacker News Short URL:

TorPCAP - Tor Network Forensics


Unencrypted network traffic, destined for the Tor network, is sent between localhost TCP sockets on computers running Tor clients, such as the Tor Browser. In this blog post I show how anonymous Tor browsing can be visualized, by loading a PCAP file with localhost traffic into NetworkMiner. We call this technique TorPCAP.

Tor is a secure platform that enables users to browse the web anonymously. The Tor Project website describes the tool as:

“Tor is free software and an open network that helps you defend against traffic analysis”

It is also possible to host anonymous “onion services” on the Dark Web using Tor:

“Tor makes it possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. Using Tor "rendezvous points," other Tor users can connect to these onion services, formerly known as hidden services, each without knowing the other's network identity.”

Capturing Tor Traffic Before it gets Encrypted

Tor installations include a SOCKS proxy listening on TCP port 9150 on localhost ( This local SOCKS proxy is used by the Tor Browser, which connects to the proxy in order to have its traffic encrypted and forwarded to the Tor network. This means that by sniffing traffic on localhost it’s actually possible to create a solid forensic trail of all traffic a PC sends to and from the Tor network.

Tor Browser and SOCKS

You can use tcpdump to capture the localhost traffic on PCs running the Tails OS or Tor Browser in MacOS or Linux. If you’re running the Tor Browser in Windows, then we recommend using RawCap to sniff the localhost traffic (RawCap is a portable standalone tool that doesn’t need WinPcap or NDIS drivers to work).

In order to make sense of the captured traffic you need a tool that can parse the SOCKS protocol (RFC 1928). NetworkMiner includes a SOCKS parser since version 2.1, which can be used to extract and reassemble data going to and from the Tor network.

   Image Credit: Ken Edge    Eldon by @kenedgeiscool

Demo: Analysing TorPCAP Network Traffic

A user, let’s call him “Eldon”, used Tor for some dark-web activity on November 30, 2018. Eldon was using the Tor Browser on a Windows PC and RawCap was used to capture the localhost network traffic from Eldon’s computer. A PCAP file with the captured packets from Eldon’s PC can be accessed here. Please feel free to open this capture file with NetworkMiner, in order to follow along in this analysis.

File   : rawcap-localhost-tor.pcap
Size   : 1.47 MB
SHA256 : 9134FA542B388498C2A58A2E1424FCD4AF466CE7117DBE9AAFD0A031CC8209B8

The “Files” tab in NetworkMiner contains a list of all files that have been reassembled from the analyzed PCAP file. This file listing reveals that Eldon used the “not Evil” search engine (hss3uro2hsxfogfq[.]onion) to search for “buy fake passports” in frame 1136.

NetworkMiner's Files tab with not Evil search

The search result page from not Evil has been reassemled by NetworkMiner as “index.php.CB66877E.html”. By opening this HTML document in a browser we can see which search results Eldon got (no Internet connection is needed to open the reassembled html).

not Evil search in Tor

The “Browsers” tab in NetworkMiner Professional shows that Eldon followed the link for entry #2 in his search results (BUY FAKE PASSPORTS [...]), leading him to the “fakeimz[...].onion” website.

HTML document in Edge reassembled by NetworkMiner

Eldon then proceeded to list the available passports (see the reassembled file “novelty_fake_id_samples.shtml” in frame 1837) and chose the UK passport (“pp-uk-open-big.jpg”).

novelty_fake_id_samples.shtml NetworkMiner Professional Images tab with pp-uk-open-big.jpg

As Eldon proceeded he got a price list for the fake passports offered at this site (“novelty_fake_id_pricing.shtml”), but we don’t see any evidence of him actually completing a purchase of a fake UK passport.

HTML file reassembled by NetworkMiner opened in Edge browser

If we go back to the Images tab in NetworkMiner, and scroll a bit further down we see a picture of a gun. Let’s see where it comes from.

NetworkMiner Images tab with gun pic

It turns out Eldon also searched for “buy guns for bitcoin UK”. You can list all search engine queries by looking for entries in the “Parameters” tab with parameter name “q”. This technique is applicable for the “not Evil” search engine as well as most clearnet search engines, like Google, Bing, Yahoo! and DuckDuckGo (disregarding the fact that they use TLS).

NetworkMiner Parameters tab with web searches

The Browsers tab shows us that Eldon clicked on a link to the “UK Guns and Ammo Store” (tuu66[...].onion).

not Evil search in NetworkMiner Professional Browsers tab

This website has also been passively reassembled by NetworkMiner and can be opened offline in a browser (see “index[2].html”).

UK Guns and Ammo Store (dark web)

The Credentials tab in NetworkMiner shows the username and password used by Eldon to log into the website:

Credentials tab in NetworkMiner Professional 2.3.1 showing username and password sent over Tor to an onion service

After logging in, Eldon puts two items in his shopping cart (see “cart.php[1].html”), but gets a message saying “Not enough balance for this order” when clicking the “Continue to Checkout” link. It seems Eldon’s account at the dark-web weapons store doesn’t have any Bitcoins (see “wallet.php.html”)

UK Guns and Ammo Store - Shopping Cart (dark web) UK Guns and Ammo Store - Bitcoin Wallet (dark web)

Side Note - Web Trackers and Tor

It is considered bad practice to use clear-net tracking services, like Google Analytics, to track users visiting an onion service. However, we noticed that the fake passports website uses a Google Analytics script with tracking ID “UA-19359933-1”.

Dark Web HTML with Googla Analytics ID UA-19359933-1

Googling this ID led us to this very similar website:


Posted by Leon Kowalski on Wednesday, 12 December 2018 09:33:00 (UTC/GMT)

Tags: #PCAP #NetworkMiner #RawCap #SOCKS

More... Share  |  Facebook   Twitter   Reddit   Hacker News Short URL:

Remote Packet Dumps from PacketCache

PacketCache logo

This blog post describes how to dump a packet capture (pcap file) on a remote computer, which runs the PacketCache service, and retrieve that pcap file using only PowerShell.

PacketCache is a free Windows service that continously sniffs network traffic on all interfaces (Ethernet, WiFi, 3G, LTE etc) and maintains a cache of the most recent traffic in RAM. This enables incident responders to read PCAP data out of a PC's PacketCache, for example when an IDS or anti-virus alerts on something potentially malicious. Unfortunately, there is no central management tool for PacketCache, which means that the PCAP data has to be dumped locally at the PC that triggered the IDS or AV alert.

There are a few workarounds "hacks" available to solve this problem, but the most elegant solution is to leverage PowerShell Remoting / WinRM in order to trigger a remote PacketCache instance to create a PCAP file and then copy the PCAP file through the same PowerShell session. To make things even simpler we've created a PowerShell script that can be used to download a PCAP file from any machine running PacketCache. Okay, maybe not *any* machine, the script only works on PCs that you have admin credentails for. Nevertheless, here's how you run the script from a PowerShell prompt:

PS C:\> .\ReadRemotePacketCache.ps1 DESKTOP-LT4711 Administrator
[*] Dumping PacketCache at DESKTOP-LT4711
[*] Copying PCAP dump from DESKTOP-LT4711
[*] Remote PacketCache data saved to DESKTOP-LT4711_181112_1337.pcap
PS C:\>

The ReadRemotePacketCache.ps1 script can be downloaded from the PacketCache product page.

Configuring Hosts for PowerShell Remoting

If you have not previously set up your environment for PowerShell remoting, then you will need to follow these steps before invoking the "ReadRemotePacketCache.ps1" script as above.

On the remote PC, start PowerShell as administrator and enable PowerShell remoting with the "Enable-PSRemoting" command as shown here:

PS C:\> Enable-PSRemoting -SkipNetworkProfileCheck -Force
WinRM has been updated to receive requests.
WinRM service type changed successfully.
WinRM service started.

WinRM has been updated for remote management.
WinRM firewall exception enabled.
Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely
to local users.

PS C:\>

Configuring TrustedHosts for Workgroups

You will also need to set up a trust relationship between the local and remote host. If the remote PC is member of an Active Directory domain, then this trust is already in place. However, if you're in a workgroup or the computers are not in the same domain, then you will need to set the TrustedHosts item like this on both the local PC and the remote PC:

PS C:\> Set-Item WSMan:\localhost\Client\TrustedHosts [IP or Hostname of the other PC]
PS C:\> Get-Item WSMan:\localhost\Client\TrustedHosts
PS C:\> Restart-Service WinRM

Note: if you need to dump PacketCache data from several remote hosts, then you can replace the IP/hostname with '*' to trust any PC or supply a comma separated list of individual hostnames or IPs to trust.

If you've configured TrustedHosts correctly, then you should be able to run the "ReadRemotePacketCache.ps1" script as shown previously. However, if the remote PC isn't in TrustedHosts, then you'll most likely get an error message like this:

PS C:\> .\ReadRemotePacketCache.ps1 Administrator
New-PSSession : [] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.

Automating Remote Artifact Collection

With PowerShell remoting in place you're not limited to just dumping packets from a remote PacketCache service, you can also dump the RAM or copy individual files from the remote computer. This comes in handy in order to implement an automated evidence/artifact collection, for example when a high-severity alert is received by your SIEM.

There are frameworks in place that can help with aquisition of memory and files, such as Matthew Green's Invoke-LiveResponse tool, which can dump memory with WinPMEM and leverage PowerForensics to enable remote raw disk access. Some organizations even start sniffing packets at events like this, but this will only capture the traffic from after a potential compromize. This is where PacketCache comes in, since it can allow you to retrieve packets ranging back as far as a couple of days before the alert.

Credential Theft

It is recommended to use unique passwords for each local account with administrator rights. This practice is extra important if you plan to log into a potentially compromized host using administrator credentails, as described in this blog post. You might also want to lock down the local admin accounts even further in order to minimize the consequences of the admin credentials falling into the wrong hands. See Microsoft's articles on "Local Accounts" and "Attractive Accounts for Credential Theft" for more recommendations regarding how to secure local admin accounts.

PacketCache is Free

CC BY-ND PacketCache is free to use, even commercially. It is released under a Creative Commons Attribution-NoDerivatives 4.0 International License, which means that you can copy and redistribute PacketCache in any medium or format for any purpose. You can download PacketCache here:

The PowerShell script presented in this blog post is also shared under the same CC license and can be downloaded from the PacketCache product page.


I'd like to thank Dick Svensson for suggesting the use of PowerShell Remoting to read PacketCache data remotely!

Posted by Erik Hjelmvik on Wednesday, 14 November 2018 08:00:00 (UTC/GMT)

Tags: #Netresec #PCAP #PacketCache #Windows

More... Share  |  Facebook   Twitter   Reddit   Hacker News Short URL:

Reverse Engineering Proprietary ICS Protocols

Steve Miller at SEC-T

One of the highlights at this year’s SEC-T conference in Stockholm was Steve Miller’s talk titled "Reversing the TriStation Network Protocol". In this talk Steve covered his quest to better understand the TRITON malware, which had been used in a targeted attack of an industrial control system (ICS). Steve didn’t disclose the type or location of the plant, saying “Don’t ask me who it was, ‘cause I can’t say” when the Q&A started. However, an article in the Wall Street Journal points out that it was a petrochemical plant in Saudi Arabia that had been hacked.

Targeting Safety Instrumented System

The TRITON malware (also called TRISIS) was used to target a safety instrumented system (SIS) from Schneider Electric called Triconex. A SIS is typically not used to control the process of a plant, but rather to detect abnormal operating conditions and safely shut down the industrial process if needed.

I could elaborate a lot regarding the consequences of attacking the SIS, but the good guys from Dragos have already done a great job explaining this in their “TRISIS Malware” report.

Reverse Engineering the ICS Protocol

The communication protocol used by the Triconex controllers is called TriStation, which is a proprietary protocol. This means that there were no publicly available specifications available for the protocol at that time. There was also no Wireshark dissector that could parse TriStation traffic. Nevertheless, Steve’s initial reaction to this was “Awesome, undocumented things are my favorite things!”

Steve Miller: Awesome, undocumented things are my favorite things!

Unfortunately Steve wasn’t able to get hold of a single PCAP file with the TriStation network protocol, which made it really difficult to reverse engineer the protocol implementation in the TRITON malware. The only piece of actual TriStation network traffic he was able to get hold of was a hex dump of a TriStation packet in an academic paper.

Exceprt from: Attack Induced Common-Mode Failures on PLC-Based Safety System in a Nuclear Power Plant: Practical Experience Report

Armed with only the hexdump and Wireshark’s text2pcap Steve managed to piece together an actual PCAP file containing a single frame with a TriStation packet inside.

Wireshark with Steve's re-created TriStation PCAP

As you can see in the image above, Wireshark doesn’t decode any of the application layer data coming from TCP port 1502 (which TriStation uses). He therefore implemented a Wireshark Lua dissector for the TriStation protocol. And some time later the people from Nozomi Networks even implemented a proper Wireshark dissector for the TriStation protocol.

BSI’s ICS-SEC team have now also created Snort IDS rules specifically for the TriStation protocol. These IDS rules trigger on events like:

  • Packets sent to the controller from an unauthorized host
  • Malicious commands used by the TRITON malware to read and write to the RAM of the SIS controller as well as to execute code

The Importance of Sniffing ICS Traffic

I’ve been trying to convince asset owners, who use ICS in their power plants, factories, water treatment facilities etc, to start capturing the network traffic and storing it as PCAP files for many years now. However, asset owners sometimes try to argue that there is no point in capturing their traffic since it is using a proprietary protocol. Even Ralph Langner has opposed to the idea of capturing ICS network traffic in a blog post, which I have criticized. So, how difficult is it to write a parser for a proprietary protocol?

I have personally implemented support for over 30 application layer protocols in NetworkMiner, but unlike Steve I’ve always had access to at least one PCAP file and some form of documentation of the protocol. However, I’ve found that many real-world protocol implementations don’t follow specifications properly. In these cases I’ve found that having access to PCAP files with real-world network traffic is more important than having a full protocol specification.

Even complex proprietary protocols like the old proprietary Skype protocol has been reverse engineered, so with access to network traffic of a protocol combined with a binary that uses this protocol I’d say that pretty much any network protocol can be reverse engineered.

Steve’s SEC-T talk also proves that ICS protocols are no different, since they too can be reverse engineered without having a protocol specification or RFC.

Capturing network traffic in ICS networks is never wrong. There might not be parsers available today for all the protocols you’re using. But once a parser or IDS signature becomes available for the protocol you’re using, you can simply use that to analyze previously captured network traffic from your ICS network. Also, in the wake of an incident you might actually end up writing a parser (as in the TRITON case) or a custom IDS rule, in which case having historical network traffic from your plant in invaluable!

For more information on this topic I’d suggest reading my blog post titled “Monitor those Control System Networks!” from 2011, which still is highly relevant.

I’m also happy to announce that two PCAP files containing TriStation network traffic have been linked from our list of publicly accessible PCAP files today (see the “SCADA/ICS Network Captures” section).

And remember: PCAP or it didn’t happen!

Posted by Erik Hjelmvik on Friday, 21 September 2018 14:20:00 (UTC/GMT)

Tags: #ICS #PCAP #SCADA #SEC-T #protocol #Wireshark

More... Share  |  Facebook   Twitter   Reddit   Hacker News Short URL:

NetworkMiner 2.3.2 Released!

NetworkMiner 2.3.2 was released this morning, and there was much rejoicing!

Image: U.S. Navy photo by Stuart Phillips (source)

This new release primarily fixes bugs related to extraction of emails and VoIP calls. We have also corrected a bug affecting the json/CASE export function in NetworkMiner Professional.

The OSINT domain name lookup in NetworkMiner Professional has also been extended with the Certificate Search and DNSTrails has been replaced with SecurityTrails.

NetworkMiner Professional 2.3.2 Image: NetworkMiner Professional 2.3.2 with “vm_win7.pcap” from University of Twente’s Data Exfiltration Malware dataset loaded.


NetworkMiner 2.3.2

We’d like to thank Carlos Kasprzykowski for notifying us about the VoIP bug, which caused lots of files to be written to the %TEMP% directory when there were more than 50 simultaneous SIP+RTP calls. We also wanna thank Josh Wilczek for reporting a bug in the “User Defined Port-to-Protocol Mappings” in NetworkMiner Professional’s Settings window, which also has been fixed in the 2.3.2 release.

Upgrading to Version 2.3.2

Users who have purchased a license for NetworkMiner Professional 2.x can download a free update to version 2.3.2 from our customer portal. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.


Posted by Erik Hjelmvik on Monday, 27 August 2018 09:23:00 (UTC/GMT)

Tags: #Netresec #NetworkMiner #RTP #VoIP #SIP #email #CASE

More... Share  |  Facebook   Twitter   Reddit   Hacker News Short URL:

Detecting the Pony Trojan with RegEx using CapLoader

This short video demonstrates how you can search through PCAP files with regular expressions (regex) using CapLoader and how this can be leveraged in order to improve IDS signatures.

The EmergingThreats snort/suricata rule mentioned in the video is SID 2014411 “ET TROJAN Fareit/Pony Downloader Checkin 2”.

The header accept-encoding header with quality factor 0 used by the Pony malware is:
Accept-Encoding: identity, *;q=0

And here is the regular expression used to search for that exact header: \r\nAccept-Encoding: identity, \*;q=0\r\n

After recording the video I noticed that the leaked source code for Pony 2.0 actually contains this accept-encoding header as a hard-coded string. Have a look in the redirect.php file, where they set curl’s CURLOPT_HTTPHEADER to this specific string.

Pony using curl to set: Accept-Encoding: identity, *;q=0

Wanna learn more about the intended use of quality factors in HTTP accept headers? Then have a look at section 14.1 of RFC 2616section 5.3.4 of RFC 7231, which defines how to use qvalues (i.e. quality factors) in the Accept-Encoding header.

Finally, I'd like to thank Brad Duncan for running the website, your PCAP files often come in handy!

Update 2018-07-05

I submitted a snort/suricata signature to the Emerging-Sigs mailinglist after publishing this blog post, which resulted in the Emerging Threats signature 2014411 being updated on that same day to include:

content:"|0d 0a|Accept-Encoding|3a 20|identity,|20 2a 3b|q=0|0d 0a|"; http_header;

Thank you @EmergingThreats for the fast turnaround!

Posted by Erik Hjelmvik on Wednesday, 04 July 2018 07:39:00 (UTC/GMT)

Tags: #video #regex #malware #IDS #videotutorial

More... Share  |  Facebook   Twitter   Reddit   Hacker News Short URL:

CapLoader 1.7 Released

We are happy to announce the release of CapLoader 1.7! CapLoader 1.7 logo

Here’s an overview of what’s new in this release:

  • Regular expression searching
  • Lookup of IP addresses using online services
  • Lookup of domain names using online services
  • Improved protocol fingerprinting speed and precision
  • Support for GRE, IGMP and ICMPv6 flows
  • More precise period estimation of “periodic services

Regular Expressions Search

CapLoader’s “Find Keyword” window has been extended with an option to search flows using regular expressions (regex) as an alternative to searching for strings or byte sequences. With help of the powerful regex syntax built into .NET this new search option enables very flexible searching.

Searching for Alfa Ransomware flows in CapLoader using regex
Image: Searching for Alfa Ransomware flows using regex

The Find Keyword window can be opened by clicking Edit > Find Keyword, or by pressing Ctrl+F after having loaded a PCAP file.

You can learn more about regex searching with CapLoader in our short video called "Detecting the Pony Trojan with RegEx using CapLoader".

OSINT Lookups of IP Addresses and Domains

We added support for querying online services for IPs and domain names to the latest release of NetworkMiner, now it’s time to add this very handy feature to CapLoader as well.

Right-clicking a Flow, Service or Host in CapLoader brings up a context menu with links to various online resources that might have more details regarding the clicked IP address or domain name.

CapLoader OSINT lookups

The services available for IP address OSINT lookup include:
APNIC Whois, Censys, Cymon, ExoneraTor, Google Public DNS,, Hurricane Electric, IBM X-Force, Internet Storm Center, mnemonic Passive DNS, PacketTotal, SecurityTrails, Shodan, ThreatCrowd, ThreatMiner, UrlQuery and VirusTotal.

The domain name lookup menu contains a similar set of providers:
Cymon, Google Public DNS, Google Safe Browsing, Hybrid Analysis, IBM X-Force Exchange, mnemonic Passive DNS, MXToolBox, MyWOT, Norton Safe Web, PacketTotal, SecurityTrails, ThreatCrowd, ThreatMiner, URL Void, UrlQuery, VirusTotal, Website Informer, Webutation and Whoisology.

Protocol Identification

The dynamic protocol detection (or Port Independent Protocol Detection, aka “PIPI”) in CapLoader has been improved to support even more protocols than before. We have also fine-tuned the protocol identification algorithm to be both faster and more accurate.

CapLoader 1.7 identifying SSL on non-standard port
Image: Traffic to TCP 8777 identified as SSL (PCAP file from Stratosphere IPS)

Updating to the Latest Release

Users who have previously purchased a license for CapLoader can download a free update to version 1.7 from our customer portal. All others can download a free 30 day trial from the CapLoader product page (no registration required).


We’d like to thank Michael Nilsson for suggesting the IP and domain name lookup feature and Tohar Braun for suggesting RegEx search support. We’d also like to thank Ralf Alvarsson and Jarmo Lahtiranta for reporting bugs that have been resolved in this release.

Posted by Erik Hjelmvik on Tuesday, 03 July 2018 11:37:00 (UTC/GMT)

Tags: #CapLoader #regex #keyword #pcap #OSINT #IP

More... Share  |  Facebook   Twitter   Reddit   Hacker News Short URL:


NETRESEC on Twitter

Follow @netresec on twitter:


Recommended Books

» The Practice of Network Security Monitoring, Richard Bejtlich (2013)

» Applied Network Security Monitoring, Chris Sanders and Jason Smith (2013)

» Network Forensics, Sherri Davidoff and Jonathan Ham (2012)

» The Tao of Network Security Monitoring, Richard Bejtlich (2004)

» Practical Packet Analysis, Chris Sanders (2017)

» Windows Forensic Analysis, Harlan Carvey (2009)

» TCP/IP Illustrated, Volume 1, Kevin Fall and Richard Stevens (2011)

» Industrial Network Security, Eric D. Knapp and Joel Langill (2014)