NetworkMiner logo


NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

NetworkMiner makes it easy to perform advanced Network Traffic Analysis (NTA) by providing extracted artifacts in an intuitive user interface. The way data is presented not only makes the analysis simpler, it also saves valuable time for the analyst or forensic investigator.

NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.

NetworkMiner (free edition) NetworkMiner Professional
Live sniffing Yes Yes
Parse PCAP files Yes Yes
Parse PcapNG files Yes
Parse ETL files Yes Yes
Network Packet Carver Yes
IPv6 support Yes Yes
Extract files from FTP, TFTP, HTTP, HTTP/2, SMB, SMB2, SMTP, POP3, IMAP and LPR traffic Yes Yes
Extract X.509 certificates from SSL encrypted traffic like HTTPS, SMTPS, IMAPS, POP3S, FTPS etc. Yes Yes
Decapsulation of GRE, 802.1Q, PPPoE, VXLAN, OpenFlow, SOCKS, MPLS, EoMPLS and ERSPAN Yes Yes
Receive Pcap-over-IP Yes Yes
Runs in Windows and Linux Yes Yes
OS Fingerprinting (*) Yes Yes
JA3 and JA3S hash extraction Yes Yes
Audio extraction and playback of VoIP calls Yes
OSINT lookups of file hashes, IP addresses, domain names and URLs Yes
Port Independent
Protocol Identification (PIPI)
User Defined Port-to-Protocol Mappings (decode as) Yes
Export to CSV / Excel / XML / CASE / JSON-LD Yes
Configurable file output directory Yes
Configurable time zone (UTC, local or custom) Yes
Geo IP localization (**) Yes
DNS Whitelisting (***) Yes
Advanced OS fingerprinting Yes
Web browser tracing (4:10 into this video) Yes
Online ad and tracker detection Yes
Host coloring support Yes
Command line scripting support Yes (through NetworkMinerCLI)
Price Free $ 1200 USD
Download NetworkMiner (free edition) How To Buy NetworkMiner Professional
* Fingerprinting of Operating Systems (OS) is performed by using databases from Satori and p0f
** This product includes GeoLite data created by MaxMind, available from
*** Domain names in the DNS tab are checked against the Alexa top 1,000,000 sites

NetworkMiner can extract files, emails and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network.

NetworkMiner extracted files

NetworkMiner showing files extracted from sniffed network traffic to disk

NetworkMiner extracted images and pictures

NetworkMiner showing thumbnails for images extracted to disk

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. The credentials tab sometimes also show information that can be used to identify a particular person, such as user accounts for popular online services like Gmail or Facebook.

NetworkMiner Professional USB flash drive

Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.

NetworkMiner Professional can be delivered either as an Electronic Software Download (ESD) or shipped physically on a USB flash drive. The product is exactly the same, regardless of delivery method. NetworkMiner is a portable application that doesn't require any installation, which means that the USB version can be run directly from the USB flash drive. However, we recommend that you copy NetworkMiner to the local hard drive of your computer in order to achieve maximum performance.

ยป How To Buy NetworkMiner Professional ยซ

Download NetworkMiner

The latest version of NetworkMiner can be downloaded from:
ยป ยซ (executable application)
ย ย ย SHA256 hash: cf477b651c3bcc70d6f5d50f9bdcb6d8cf2dd85b7018109ff474b9df3c7a0f7e
ยป ยซ (source code)
ย ย ย SHA256 hash: 270fbac73c973d1af205f2e96a4e555bf0d4b51f662549000c46f9cd76ccbb8c

For older releases of NetworkMiner (prior to version 2.0), please visit the NetworkMiner page on SourceForge:

However, please note that we no longer release new versions of NetworkMiner on SourceForge.

Change Log

Version Release Date Major Improvements
NetworkMiner 2.7.3 2022-04-04 Extraction of meterpreter payloads from reverse shells and offline lookups of JA3 hashes and TLS certificates.
NetworkMiner 2.7.2 2021-11-02 Read Windows .ETL capture files created with "netsh trace" or "pktmon".
NetworkMiner 2.7 2021-06-15 Extracts print files from LPR, parses DNS TXT and SRV records, computes JA3S hashes etc.
NetworkMiner 2.6 2020-09-23 Improved extraction and presentation of emails, password hashes, FTP transfers and artifacts from HTTP and HTTP/2 traffic.
NetworkMiner 2.5 2019-11-07 JA3 hash extraction and parsers for the HTTP/2, DoH and CIFS browser protocol.
NetworkMiner 2.4 2019-01-10 Username extraction from Kerberos traffic, ICS device fingerprinting and improved Linux support.
NetworkMiner 2.3.2 2018-08-27 Improved email and VoIP call extraction.
NetworkMiner 2.3 2018-04-03 VoIP call audio extraction and playback as well as OSINT lookups of file hashes, IP addresses, domain names and URLs.
NetworkMiner 2.2 2017-08-21 Faster parsing speed (x2) and CASE export.
NetworkMiner 2.1.1 2017-01-19 Improved HTTP parser.
NetworkMiner 2.1 2017-01-11 New protocols: POP3, IMAP, VXLAN, OpenFlow and SOCKS.
NetworkMiner 2.0 2016-02-09 New protocols: SMB2 and Modbus/TCP.
NetworkMiner 1.6 2014-06-16 Improved SMTP and DNS parsing.
NetworkMiner 1.5 2013-08-07 New protocols: PPPoE and LLMNR, fixed two vulnerabilities.
NetworkMiner 1.4 2012-08-16 New protocol: IEC 60870-5-104.
NetworkMiner 1.3 2012-04-12 Username and password from HTTP Digest Authentication (RFC 2617).
NetworkMiner 1.2 2011-11-19 New protocol: GRE, platform independent (works in Linux, Mac OSX etc).
NetworkMiner 1.1 2011-09-15 New protocol: PPP. Screen resolution, color depth, browser language and flash version extracted from Google Analytics.
NetworkMiner 0.71 2007-02-16 First public release of NetworkMiner.

NetworkMiner Videos

Analyzing Zyklon Malware in NetworkMiner
Antivirus Scanning of a PCAP File
Analyzing Kelihos SPAM in CapLoader and NetworkMiner
Examining Malware Redirects with NetworkMiner Professional

More Information

There are also several blog posts about NetworkMiner on the NETRESEC Network Security Blog: