NetworkMiner logo


NetworkMiner is an open source network forensics tool that extracts artifacts, such as files, images, emails and passwords, from captured network traffic in PCAP files. NetworkMiner can also be used to capture live network traffic by sniffing a network interface. Detailed information about each IP address in the analyzed network traffic is aggregated to a network host inventory, which can be used for passive asset discovery as well as to get an overview of which devices that are communicating. NetworkMiner is primarily designed to run in Windows, but can also be used in Linux.

NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.

Host inventory in NetworkMiner

Host inventory in NetworkMiner

Free Edition
Live sniffing
Parse PCAP files
Parse PcapNG files
Parse ETL files
Network Packet Carver
IPv6 support
Extract files from FTP, TFTP, HTTP, HTTP/2, SMB, SMB2, SMTP, POP3, IMAP and LPR traffic
Extract X.509 certificates from SSL encrypted traffic like HTTPS, SMTPS, IMAPS, POP3S, FTPS etc.
Decapsulation of GRE, 802.1Q, PPPoE, VXLAN, OpenFlow, SOCKS, MPLS, EoMPLS and ERSPAN
Receive Pcap-over-IP
Runs in Windows and Linux
OS Fingerprinting (*)
JA3, JA3S and JA4 extraction
Audio extraction and playback of VoIP calls
OSINT lookups of file hashes, IP addresses, domain names and URLs
Port Independent
Protocol Identification (PIPI) (**)
User Defined Port-to-Protocol Mappings (decode as)
Export to CSV / Excel / XML / CASE / JSON-LD
Configurable file output directory
Configurable time zone (UTC, local or custom)
Geo IP localization (***)
DNS Whitelisting (****)
Advanced OS fingerprinting
Web browser tracing (4:10 into this video)
Online ad and tracker detection
Host coloring support
Command line scripting support NetworkMinerCLI
Price Free $ 1200 USD
Download NetworkMiner (free edition) Buy NetworkMiner Professional
* Fingerprinting of Operating Systems (OS) is performed by using databases from Satori and p0f
** Identified protocols include: DNS, FTP, HTTP, HTTP2, IRC, Meterpreter, NetBIOS NameService, NetBios SessionService, Socks, Spotify's Server Protocol, SSH, SSL, TDS (MS-SQL) and TPKT
*** This product includes GeoLite data created by MaxMind, available from
**** Domain names in the DNS tab are checked against the Alexa top 1,000,000 sites

NetworkMiner can extract files, emails and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network.

NetworkMiner extracted files

NetworkMiner showing files extracted from sniffed network traffic to disk

NetworkMiner extracted images and pictures

NetworkMiner showing thumbnails for images extracted to disk

User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. The credentials tab sometimes also shows information that can be used to identify a particular person, such as user accounts for popular online services like Gmail or Facebook.

NetworkMiner Professional USB flash drive

Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.

NetworkMiner Professional can be delivered either as an Electronic Software Download (ESD) or shipped physically on a USB flash drive. The product is exactly the same, regardless of delivery method. NetworkMiner is a portable application that doesn't require any installation, which means that the USB version can be run directly from the USB flash drive. However, we recommend that you copy NetworkMiner to the local hard drive of your computer in order to achieve maximum performance.

» How To Buy NetworkMiner Professional «

Download NetworkMiner

The latest version of NetworkMiner can be downloaded from:
» « (executable application)
   SHA256 hash: c610f6ba647ddd9c718e87018ee40595a4d72a52a6b3b7ceb53caf4fa8de6f05 (hash link)
» « (source code)

For older releases of NetworkMiner (prior to version 2.0), please visit the NetworkMiner page on SourceForge:

However, please note that we no longer release new versions of NetworkMiner on SourceForge.

Change Log

Version Release Date Major Improvements
NetworkMiner 2.9 2024-05-27 TZSP support, StealC extractor, Improved Modbus parser, JA4 support, GTP decapsulation
NetworkMiner 2.8.1 2023-10-02 Extraction of screenshots, keystrokes and file transfers from VNC, njRAT and BackConnect traffic. Support for HTTP PUT request. Improved images tab.
NetworkMiner 2.8 2023-01-02 Improved user interface, better parsing of IEC-104 traffic and decapsulation of CAPWAP traffic.
NetworkMiner 2.7.3 2022-04-04 Extraction of meterpreter payloads from reverse shells and offline lookups of JA3 hashes and TLS certificates.
NetworkMiner 2.7.2 2021-11-02 Read Windows .ETL capture files created with "netsh trace" or "pktmon".
NetworkMiner 2.7 2021-06-15 Extracts print files from LPR, parses DNS TXT and SRV records, computes JA3S hashes etc.
NetworkMiner 2.6 2020-09-23 Improved extraction and presentation of emails, password hashes, FTP transfers and artifacts from HTTP and HTTP/2 traffic.
NetworkMiner 2.5 2019-11-07 JA3 hash extraction and parsers for the HTTP/2, DoH and CIFS browser protocol.
NetworkMiner 2.4 2019-01-10 Username extraction from Kerberos traffic, ICS device fingerprinting and improved Linux support .
NetworkMiner 2.3.2 2018-08-27 Improved email and VoIP call extraction.
NetworkMiner 2.3 2018-04-03 VoIP call audio extraction and playback as well as OSINT lookups of file hashes, IP addresses, domain names and URLs .
NetworkMiner 2.2 2017-08-21 Faster parsing speed (x2) and CASE export.
NetworkMiner 2.1.1 2017-01-19 Improved HTTP parser.
NetworkMiner 2.1 2017-01-11 New protocols: POP3, IMAP, VXLAN, OpenFlow and SOCKS.
NetworkMiner 2.0 2016-02-09 New protocols: SMB2 and Modbus/TCP.
NetworkMiner 1.6 2014-06-16 Improved SMTP and DNS parsing.
NetworkMiner 1.5 2013-08-07 New protocols: PPPoE and LLMNR, fixed two vulnerabilities.
NetworkMiner 1.4 2012-08-16 New protocol: IEC 60870-5-104.
NetworkMiner 1.3 2012-04-12 Username and password from HTTP Digest Authentication (RFC 2617).
NetworkMiner 1.2 2011-11-19 New protocol: GRE, platform independent (works in Linux, Mac OSX etc).
NetworkMiner 1.1 2011-09-15 New protocol: PPP. Screen resolution, color depth, browser language and flash version extracted from Google Analytics.
NetworkMiner 0.71 2007-02-16 First public release of NetworkMiner.

NetworkMiner Videos

Analyzing Zyklon Malware in NetworkMiner
Antivirus Scanning of a PCAP File
Analyzing Kelihos SPAM in CapLoader and NetworkMiner
Examining Malware Redirects with NetworkMiner Professional

FAQ – Frequently Asked Questions

Q: How do I run NetworkMiner in Linux?

Install Mono (cross platform, open source .NET framework), download and extract NetworkMiner and then start NetworkMiner with mono NetworkMiner.exe. For more details, please see our HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux blog post.

Q: Can I run NetworkMiner on a Mac?

The support for Mono on macOS is very limited, but you can try the following solution: Install Mono with "brew install mono", download and extract NetworkMiner and then start NetworkMiner with "mono --arch=32 NetworkMiner.exe". For more details, please see our Running NetworkMiner on Mac OS X blog post.

Q: How do I sniff network traffic with NetworkMiner in Windows?

To sniff with raw sockets you'll first need to create a firewall rule to allow NetworkMiner to capture incoming TCP packets. Run the command "wf.msc" to start Windows Defender Firewall and create a new inbound rule for NetworkMiner.exe. Next, start NetworkMiner as administrator and select a network interface in the drop down list at the top of the GUI. Finally, start a live packet capture by clicking the Start button.

Q: Can NetworkMiner sniff network traffic in Linux?

NetworkMiner only supports live sniffing through PCAP-over-IP when Mono is used.

Q: Can NetworkMiner extract files from HTTPS traffic?

NetworkMiner is not designed to perform decryption, so files transferred inside TLS encrypted sessions, like HTTPS, will not be extracted. X.509 certificates from TLS handshakes will be extracted to disk by NetworkMiner though. You can use a TLS proxy, like PolarProxy, in order to decrypt TLS traffic and forward decrypted traffic to NetworkMiner. See our video PolarProxy in Windows Sandbox for more details.

Q: I'm unable to start NetworkMiner. I get an error message saying "Could not load type 'System.ValueTuple`2' from assembly 'mscorlib, Version=". How can this be fixed?

Please install .NET framework 4.7.2 or later.

More Information

There are also several blog posts about NetworkMiner on the NETRESEC Network Security Blog: