
NETRESEC NetworkMiner Professional Reference Manual

rev. D

NetworkMiner Professional
The NetworkMiner USB flash drive
NetworkMiner Professional is delivered on a customized USB flash drive. NetworkMiner
Professional is a portable application, which means that it doesn't require any installation
and can be run directly from the USB flash drive. Our recommendation is, however, that you
copy the NetworkMinerProfessional directory to your local hard drive and run it from there
for improved performance. It is up to you to decide if you will copy NetworkMiner to your
computer's desktop, put it in your Program Files directory or place it in the root of your
favorite HDD partition.

Illustration 1: NetworkMiner Professional USB flash drive

Sniffing Network Traffic


You can use NetworkMiner to perform live sniffing, i.e. to capture network traffic
from a network interface to a pcap file on disk. Simply select the desired network interface in
the drop-down list at the top of the GUI and click the green play button or hit the F5 key to
start sniffing.

Illustration 2: NetworkMiner GUI - Press "Start" button to sniff


If you need to perform high-performance sniffing with minimal packet loss, we recommend
that you instead use the command-line application dumpcap, which is included in the
Wireshark and tshark packages.


Parsing PCAP files


NetworkMiner is primarily designed to parse pcap files, i.e. network traffic captured to a file.
You can open a pcap file in NetworkMiner by clicking File > Open or simply by drag-and-dropping a pcap file onto NetworkMiner.
You can even open multiple files, in which case NetworkMiner will aggregate the extracted
information from the pcap files in the GUI. The pcap aggregation functionality is important
when the captured network traffic is fragmented into multiple pcap files. Just make sure to
load the pcap files into NetworkMiner in chronological order.
Pcap files and live network traffic can also be retrieved from remote machines by using the
Pcap-over-IP feature found under the Files menu. More on how to use Pcap-over-IP can be
found on our website: www.netresec.com.
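As an added example (not NetworkMiner's own code) of the chronological-order rule above, the following minimal libpcap reader aggregates several capture files in the order they are loaded and flags any file whose first packet is older than the traffic already loaded. The capture files and their timestamps are constructed inline.

```python
import struct

# Constructed example, not NetworkMiner code: a minimal libpcap reader that
# aggregates several capture files and flags any file loaded out of order.

def iter_pcap_records(data):
    """Yield (timestamp_seconds, packet_bytes) from an in-memory pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:        # written on a little-endian host
        endian = "<"
    elif magic == 0xD4C3B2A1:      # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap file (unknown magic)")
    offset = 24                    # global header is 24 bytes
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield sec + usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len

def load_in_order(files):
    """Aggregate (name, bytes) files in the order the user loads them; warn when a
    file starts before the previously loaded traffic ended (the chronological-order rule)."""
    merged, warnings = [], []
    last_ts = float("-inf")
    for name, data in files:
        records = list(iter_pcap_records(data))
        if records and records[0][0] < last_ts:
            warnings.append(f"{name} starts before the previously loaded file ended")
        merged.extend((ts, name, pkt) for ts, pkt in records)
        if records:
            last_ts = max(last_ts, records[-1][0])
    return merged, warnings

def build_pcap(records, little_endian=True):
    """Build a constructed pcap file (link type 1 = Ethernet) for testing."""
    e = "<" if little_endian else ">"
    out = struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, payload in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack(e + "IIII", sec, usec, len(payload), len(payload)) + payload
    return out

# Constructed sample: two captures of one session, split at 102 seconds.
CAP_A = build_pcap([(100.0, b"\xaa" * 60), (101.5, b"\xbb" * 60)])
CAP_B = build_pcap([(102.0, b"\xcc" * 60), (103.25, b"\xdd" * 60)], little_endian=False)
```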

Hosts Tab
The hosts tab contains a list of all IP addresses in the analyzed traffic. Each host in the list is
displayed as an icon specifying the fingerprinted operating system (OS), the IP address and
any potentially identified host name of the machine.
Host icon meanings (the icons themselves are not reproduced in this text):
OS is FreeBSD
OS is Linux
OS is Mac
OS is NetBSD
OS is Solaris
OS is Unix
OS is Windows
Unknown OS
IP is multicast (RFC 3171)
IP is broadcast (RFC 919)
IP is reserved by IANA

Each host node can be expanded in order to reveal properties about the host, such as the
geographical location of the IP address and detected open ports.
Right-clicking a host brings up a context menu that enables host coloring. The host coloring
feature can be used to associate a color with a certain host (or IP address). Rows containing a
color-coded host in other tabs in NetworkMiner are automatically colored according to the
user's color selection. The color coding can be a very useful and time-saving feature that
makes it easier to, for example, follow the actions of a particular user or identify files retrieved
from a particular server.

Files Tab
The files tab contains a list of all files that have been reassembled and extracted by
NetworkMiner. Protocols from which files are extracted include common file transfer
protocols like HTTP, SMB, FTP and TFTP, but also extracted certificates from SSL and TLS
encrypted traffic (including the TOR protocol). An extracted file can be opened by
right-clicking a row in the files tab, but we always recommend selecting Open folder in the
context menu unless you are sure the extracted file does not contain malicious code. The list
of files can be sorted based on the contents of a particular column simply by clicking the
column's header.

Illustration 3: Files tab

Images Tab
The images tab shows thumbnail pictures of all images that have been extracted to a file by
NetworkMiner. Right-click an image to open it in an external viewer.


Messages Tab
All messages extracted from e-mails [1], IRC chats, IM chats and social media (Facebook,
Twitter etc.) are accessible from the messages tab. The leftmost pane contains a list of all
extracted messages. Contents and details of a particular message can be displayed by
selecting a message in the left pane.

Credentials Tab
The credentials tab contains user credentials, such as usernames and passwords, as well as
other details that might be useful in order to identify a particular user on the network. HTTP
Cookies are also displayed in the credentials tab.

Parameters Tab
The parameters tab displays all sorts of information extracted from network traffic where
there is a notion of a name-and-value combination. NetworkMiner extracts parameters such
as HTTP query string names and values, HTTP POST variables, HTTP cookie parameters and
FTP commands.
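As an added example (not NetworkMiner's own code) of the name-and-value notion described above, the function below pulls parameters out of one raw HTTP request and groups them by the three HTTP sources named in the text: query string, cookie and POST body. The group labels and the sample request are this example's own construction.

```python
from urllib.parse import urlsplit, parse_qsl
from http.cookies import SimpleCookie

# Constructed example, not NetworkMiner code: pull name/value pairs out of one raw
# HTTP request, grouped by the three HTTP sources named in the text. The group
# labels ("HTTP QueryString", "HTTP Cookie", "HTTP POST") are this example's own choice.

def extract_http_parameters(raw_request):
    """Return a list of (group, name, value) tuples for a single HTTP request."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = []
    # Query string: everything after '?' in the request target
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        params.append(("HTTP QueryString", name, value))
    # Cookie header: 'name=value; name2=value2'
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        for name, morsel in jar.items():
            params.append(("HTTP Cookie", name, morsel.value))
    # POST body, only for the form-urlencoded content type
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True):
            params.append(("HTTP POST", name, value))
    return params

# Constructed sample request (not captured traffic)
SAMPLE_REQUEST = (
    b"POST /search?q=pcap&page=2 HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
    b"filter=images&sort=ts"
)
```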

Keywords Tab
Any keywords that are of relevance for a particular case can be searched for by adding them
to the keywords tab. Every keyword match is displayed together with the frame number
and source and destination of the packet. The keywords are case sensitive, so make sure to
enter them as both upper- and lowercase if needed. Arbitrary byte sequences can also be
queried for by entering them in hex format, e.g. 0x010203.
Remember that already loaded network traffic is not re-inspected when a new keyword is
added, so make sure to hit the Reload Case Files button after you have updated the
keyword list in order to re-crawl the traffic.
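As an added example (not NetworkMiner's own code), the scanner below reproduces the two keyword behaviours described above: matching is case sensitive, and a keyword written as 0x010203 is treated as a raw byte sequence. It also automates the "enter it as both upper- and lowercase" advice. The frame records are constructed for the example.

```python
# Constructed example, not NetworkMiner code: a keyword scanner with the two
# behaviours described in the text, case-sensitive text matching and hex byte
# sequences entered as 0x010203. The frame records below are constructed.

def parse_keyword(keyword):
    """A keyword such as '0x010203' becomes the raw bytes 01 02 03; any other keyword
    is matched as literal UTF-8 text (assumption: text keywords never start with 0x)."""
    if keyword.lower().startswith("0x") and len(keyword) > 2:
        return bytes.fromhex(keyword[2:])   # raises ValueError on malformed hex
    return keyword.encode("utf-8")

def case_variants(keyword):
    """The 'enter it as both upper- and lowercase' advice, automated; hex keywords are left alone."""
    if keyword.lower().startswith("0x"):
        return [keyword]
    return sorted({keyword, keyword.lower(), keyword.upper(), keyword.capitalize()})

def search_frames(frames, keywords):
    """Return (frame_number, src, dst, keyword) for every case-sensitive match."""
    needles = [(k, parse_keyword(k)) for k in keywords]
    hits = []
    for number, src, dst, payload in frames:
        for text, needle in needles:
            if needle in payload:
                hits.append((number, src, dst, text))
    return hits

# Constructed frames: (frame number, source, destination, payload bytes)
FRAMES = [
    (1, "10.0.0.5:49152", "10.0.0.9:80",
     b"GET /Report.pdf HTTP/1.1\r\nHost: files.example.test\r\n\r\n"),
    (2, "10.0.0.9:80", "10.0.0.5:49152",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n%PDF-1.4\n"),
    (3, "10.0.0.5:49153", "10.0.0.9:445",
     b"\x00\x00\x00\x90\xffSMB\x72\x01\x02\x03"),
]
```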

Acknowledgments
NetworkMiner Professional includes databases for operating system fingerprinting created by Michał
Zalewski and Eric Kollmann. Michał has developed the LGPL licensed software p0f [2], from where the
TCP based fingerprinting databases p0f.fp and p0fa.fp originate. Eric has created databases for OS
fingerprinting through TCP handshakes as well as DHCP requests as part of his Satori [3] program. Eric is
also continuously keeping his databases up to date with new OS fingerprints. NetworkMiner also
includes a Geo IP database from GeoLite data created by MaxMind [4].

[1] NetworkMiner can extract e-mails from numerous webmail solutions as well as from traditional SMTP traffic.
[2] p0f is available from http://lcamtuf.coredump.cx/p0f.shtml
[3] Satori is available from http://myweb.cableone.net/xnih/
[4] GeoLite is available from http://www.maxmind.com/
