Sabtu, 26 November 2011

Trying NetworkMiner Professional 1.2

Erik Hjelmvik was kind enough to send an evaluation copy of the latest version of his NetworkMiner traffic analysis software. You can download the free edition from SourceForge as well. I first mentioned NetworkMiner on this blog in September 2008.

NetworkMiner is not a protocol analyzer like Wireshark. It does not take a packet-by-packet approach to representing traffic. Instead, NetworkMiner displays traffic in any one of the following ways: as hosts, frames, files, images, messages, credentials, sessions, DNS records, parameters, keywords, or cleartext. To demonstrate a few of these renderings, I asked NetworkMiner to parse the sample pcap from a sample lab from TCP/IP Weapons School 2.0. I did not need to install it; the software starts from a single executable and loads several DLLs in the associated directory.

The following screen capture shows information from the Hosts tab, showing what NetworkMiner knows about 192.168.230.4.



Notice that in addition to summarizing information about traffic to and from the host, in terms of packets or sessions, we also see what NetworkMiner knows about the host, like Queried NetBIOS names, Web Browser User Agents, and so on.

The following screen capture shows the Files tab. This displays all the content that NetworkMiner extracted from the traffic to the analysis workstation hard drive (or in my case, the NetworkMiner USB thumb drive).



I think NetworkMiner is pretty cool, especially given what you can do with the free version. My primary recommendation for improvement would be an interface that allows the user to easily pivot from one piece of information to the next. With the current environment, the analyst seems confined to the tab at hand. I would like to see a way to right click on an element of the displayed information and then execute a query based on my selection. It would also be helpful to be able to right click and open associated data in another traffic analysis program like Wireshark.

Thank you to Erik Hjelmvik for the opportunity to take another look at NetworkMiner!

0 komentar:

Posting Komentar