Monday, 26 December 2011 20:30:00 (UTC/GMT)
See our blog post HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux for a more up to date installation guide.
NetworkMiner is a network forensics tool that is primarily designed to run under Windows. But it is now (as of version 1.2 of NetworkMiner) also possible to run NetworkMiner on non-Windows OSes like Linux, Mac, FreeBSD etc. with the help of Mono. This means that there is no longer any need to run NetworkMiner under Wine, since Mono is a much better alternative.
So what is Mono?
Here is a description from the mono-project's website:
“Mono is a software platform designed to allow developers to easily create cross platform applications. Sponsored by Xamarin, Mono is an open source implementation of Microsoft's .NET Framework based on the ECMA standards for C# and the Common Language Runtime. A growing family of solutions and an active and enthusiastic contributing community is helping position Mono to become the leading choice for development of Linux applications.”
Here are some of the features in NetworkMiner that work better under Mono compared to Wine:
- Drag-and-drop pcap files onto NetworkMiner works under Mono
- Extracted/reassembled files are put in OS-native folders (under the NetworkMiner/AssembledFiles folder)
- Right-clicking an extracted file or image and selecting “Open file” or “Open containing folder” works under Mono
- No big Wine install required, the Mono framework only requires 32 MB to install
Here are the commands required to install Mono and NetworkMiner on Ubuntu Linux:
sudo apt-get install libmono-winforms2.0-cil
wget 'www.netresec.com/?download=NetworkMiner' -O /tmp/networkminer.zip
sudo unzip /tmp/networkminer.zip -d /opt/
# assumed: the zip unpacks into a NetworkMiner* directory under /opt;
# the chmod commands below use paths relative to that directory
cd /opt/NetworkMiner*
sudo chmod +x NetworkMiner.exe
sudo chmod -R go+w AssembledFiles/
sudo chmod -R go+w Captures/
The reason for setting write permission on the AssembledFiles folder is that this is the directory to which extracted files are written. If you prefer to instead have the files extracted to /tmp or the user's home directory, then simply move the AssembledFiles directory to your desired location and create a symlink to it in the NetworkMiner directory (hat tip to Lenny Zeltser for this idea).
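To relocate the extraction directory the way the text describes, here is an added shell example (not from the original post or from NetworkMiner itself) that moves AssembledFiles to a new location, leaves a symlink of the same name behind and checks that NetworkMiner can still write through it; the install path and target path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: move NetworkMiner's AssembledFiles
# directory elsewhere (e.g. under /tmp) and leave a symlink of the same name
# behind, so extracted files land where you want them. Paths are arguments and
# should be absolute; the writability check mirrors the chmod -R go+w step.
set -eu

# relocate_assembled_files NM_DIR TARGET
#   NM_DIR  directory containing NetworkMiner.exe
#   TARGET  new location for the extracted files (must not exist yet)
relocate_assembled_files() {
    nm_dir=$1
    target=$2
    src="$nm_dir/AssembledFiles"

    if [ -L "$src" ]; then
        # already relocated earlier; nothing to do
        echo "AssembledFiles already points to $(readlink "$src")" >&2
        return 0
    fi
    if [ ! -d "$src" ]; then
        echo "no AssembledFiles directory under $nm_dir" >&2
        return 1
    fi
    if [ -e "$target" ]; then
        # refuse to mv into an existing directory, which would nest it inside
        echo "$target already exists" >&2
        return 1
    fi

    mv "$src" "$target"
    ln -s "$target" "$src"
    # NetworkMiner writes through the link, so the target must be writable
    [ -w "$src/" ] || chmod -R go+w "$target"
}

# assembled_files_writable NM_DIR: succeeds if file extraction can write to disk
assembled_files_writable() {
    [ -w "$1/AssembledFiles/" ]
}

# usage (install location assumed from the commands above):
# relocate_assembled_files /opt/NetworkMiner /tmp/AssembledFiles
```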
NetworkMiner 1.2 running under Ubuntu Linux with Mono, with “day12-1.dmp” from the M57-Patents Scenario loaded.
See our blog post HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux for an installation guide for other linux flavors.
Posted by Erik Hjelmvik on Monday, 26 December 2011 20:30:00 (UTC/GMT)
Friday, 16 December 2011 21:46:00 (UTC/GMT)
Lenny Zeltser recently released version 3 of his Reverse-Engineering Malware Linux distro REMnux.
Here are a few of the improvements in REMnux 3 compared to the previous version:
- The REMnux distro is now based on Ubuntu
- Updated versions of Volatility and
- NetworkMiner is included for forensic analysis of network traffic
As of version 1.2 of NetworkMiner it is possible to use mono to run it on non-Windows OSes like Linux, Mac and FreeBSD. Lenny used this functionality in order to run NetworkMiner under mono instead of using Wine, which I think is a great decision since NetworkMiner integrates much better with the OS when it is run with mono.
NetworkMiner running on REMnux
There is, however, one caveat to be aware of when running NetworkMiner under REMnux: you either have to run it as root (as in the screenshot above) or add write permissions to the AssembledFiles directory with:
sudo chmod -R go+w /usr/local/NetworkMiner/AssembledFiles
NetworkMiner will otherwise not be able to extract any files from the analyzed pcap files to disk, since it won't have the right to write them to the AssembledFiles folder.
Luckily, Lenny has already confirmed to me that he will have this fixed in the next release of REMnux.
Posted by Erik Hjelmvik on Friday, 16 December 2011 21:46:00 (UTC/GMT)
Thursday, 13 October 2011 16:51:00 (UTC/GMT)
We no longer recommend running NetworkMiner under Wine, please see our blog post on HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux instead.
Joshua Smith has written a great blog post on toastresearch.com
about how to get NetworkMiner running on BackTrack Linux.
C. S. Lee (a.k.a. geek00l) also wrote a blog post a couple of years ago explaining how to install NetworkMiner on Ubuntu Linux.
Unfortunately both these blog posts point to URLs with old versions of NetworkMiner
(now that version 1.1 is released).
I'm therefore posting a simple walkthrough of the required commands in order to install the latest version of NetworkMiner on an Ubuntu machine:
sudo apt-get install winetricks
winetricks corefonts dotnet20 gdiplus
I hope this will help you get NetworkMiner running on your Ubuntu analyst station!
We will also be looking into having NetworkMiner fully compatible with mono in a future release.
This would allow you to run NetworkMiner “natively” on Linux, Mac OS X as well as BSD (OpenBSD, FreeBSD, NetBSD).
Posted by Erik Hjelmvik on Thursday, 13 October 2011 16:51:00 (UTC/GMT)