NetworkMiner
NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
NetworkMiner makes it easy to perform advanced Network Traffic Analysis (NTA) by providing extracted artifacts in an intuitive user interface. The way data is presented not only makes the analysis simpler, it also saves valuable time for the analyst or forensic investigator.
NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.
| NetworkMiner Free Edition |
NetworkMiner Professional |
|
|---|---|---|
| Live sniffing | โ | โ |
| Parse PCAP files | โ | โ |
| Parse PcapNG files | โ | |
| Parse ETL files | โ | โ |
| Network Packet Carver | โ | |
| IPv6 support | โ | โ |
| Extract files from FTP, TFTP, HTTP, HTTP/2, SMB, SMB2, SMTP, POP3, IMAP and LPR traffic | โ | โ |
| Extract X.509 certificates from SSL encrypted traffic like HTTPS, SMTPS, IMAPS, POP3S, FTPS etc. | โ | โ |
| Decapsulation of GRE, 802.1Q, PPPoE, VXLAN, OpenFlow, SOCKS, MPLS, EoMPLS and ERSPAN | โ | โ |
| Receive Pcap-over-IP | โ | โ |
| Runs in Windows and Linux | โ | โ |
| OS Fingerprinting (*) | โ | โ |
| JA3 and JA3S hash extraction | โ | โ |
| Audio extraction and playback of VoIP calls | โ | |
| OSINT lookups of file hashes, IP addresses, domain names and URLs | โ | |
| Port Independent Protocol Identification (PIPI) (**) |
โ | |
| User Defined Port-to-Protocol Mappings (decode as) | โ | |
| Export to CSV / Excel / XML / CASE / JSON-LD | โ | |
| Configurable file output directory | โ | |
| Configurable time zone (UTC, local or custom) | โ | |
| Geo IP localization (***) | โ | |
| DNS Whitelisting (****) | โ | |
| Advanced OS fingerprinting | โ | |
| Web browser tracing (4:10 into this video) | โ | |
| Online ad and tracker detection | โ | |
| Host coloring support | โ | |
| Command line scripting support | โ (through NetworkMinerCLI) | |
| Price | Free | $ 1200 USD |
|
Download NetworkMiner |
Buy NetworkMiner Professional | |
|
* Fingerprinting of Operating Systems (OS) is performed by using databases from Satori and p0f ** Identified protocols include: DNS, FTP, HTTP, HTTP2, IRC, Meterpreter, NetBIOS NameService, NetBios SessionService, Socks, Spotify's Server Protocol, SSH, SSL, TDS (MS-SQL) and TPKT *** This product includes GeoLite data created by MaxMind, available from http://maxmind.com/ **** Domain names in the DNS tab are checked against the Alexa top 1,000,000 sites |
||
NetworkMiner can extract files, emails and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network.
NetworkMiner showing files extracted from sniffed network traffic to disk
NetworkMiner showing thumbnails for images extracted to disk
User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. The credentials tab sometimes also show information that can be used to identify a particular person, such as user accounts for popular online services like Gmail or Facebook.
Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.
NetworkMiner Professional can be delivered either as an Electronic Software Download (ESD) or shipped physically on a USB flash drive. The product is exactly the same, regardless of delivery method. NetworkMiner is a portable application that doesn't require any installation, which means that the USB version can be run directly from the USB flash drive. However, we recommend that you copy NetworkMiner to the local hard drive of your computer in order to achieve maximum performance.
ยป How To Buy NetworkMiner Professional ยซ
Download NetworkMiner
The latest version of NetworkMiner can be downloaded from:
ยป https://www.netresec.com/?download=NetworkMiner ยซ (executable application)
ย ย ย SHA256 hash: cf477b651c3bcc70d6f5d50f9bdcb6d8cf2dd85b7018109ff474b9df3c7a0f7e
ยป https://www.netresec.com/?page=NetworkMinerSourceCode ยซ (source code)
ย ย ย SHA256 hash: 270fbac73c973d1af205f2e96a4e555bf0d4b51f662549000c46f9cd76ccbb8c
For older releases of NetworkMiner (prior to version 2.0), please visit the NetworkMiner page on SourceForge:
http://sourceforge.net/projects/networkminer/files/networkminer/
However, please note that we no longer release new versions of NetworkMiner on SourceForge.
Change Log
NetworkMiner Videos
FAQ โ Frequently Asked Questions
Q: How do I run NetworkMiner in Linux?
Install Mono (cross platform, open source .NET framework), download and extract NetworkMiner and then start NetworkMiner with mono NetworkMiner.exe. For more details, please see our HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux blog post.
Q: How do I run NetworkMiner on a Mac?
Install Mono with "
Q: How do I sniff network traffic with NetworkMiner in Windows?
To sniff with raw sockets you'll first need to create an inbound firewall rule to allow NetworkMiner.exe to capture incoming TCP packets. Next, start NetworkMiner as administrator and select a network interface in the drop down list at the top of the GUI. Finally, start a live packet capture by clicking the Start button.
Q: Can NetworkMiner sniff network traffic in Linux?
NetworkMiner only supports live sniffing through PCAP-over-IP when Mono is used.
Q: Can NetworkMiner extract files from HTTPS traffic?
NetworkMiner is not designed to perform decryption, so files transferred inside TLS encrypted sessions, like HTTPS, will not be extracted. X.509 certificates from TLS handshakes will be extracted to disk by NetworkMiner though. You can use a TLS proxy, like PolarProxy, in order to decrypt TLS traffic and forward decrypted traffic to NetworkMiner. See our video PolarProxy in Windows Sandbox for more details.
Q: I'm unable to start NetworkMiner. I get an error message saying "Could not load type 'System.ValueTuple`2' from assembly 'mscorlib, Version=4.0.0.0". How can this be fixed?
Please install .NET framework 4.7.2 or later.
More Information
There are also several blog posts about NetworkMiner on the NETRESEC Network Security Blog:
- NetworkMiner 2.0 Released
- Pcap-over-IP in NetworkMiner
- Network Forensic Analysis of SSL MITM Attacks
- Command-line Network Forensics with NetworkMinerCLI
- NetworkMiner Video Tutorials on the Intertubes
- Webmail Information Leakage
- Analyzing the TCP/IP Weapons School Sample Lab
โ