Network Miner

Overview

Among the highly rate free Windows tools for traffic analysis is the well known NetworkMiner. This program can examine live network traffic being sniffed off the wire by the system. Also, the contents of previously captured traffic that were saved in the pcap format can be explored using the NetworkMiner. Based on the design of this software, only details that are relevant to the network forensics are displayed. Most importantly, NetworkMiner is famous for its use in carving packet captures when there is a need to extract the files contained therein in other to proceed with further analysis of the data that may seem malicious. For instance, when analyzing a website suspected of malicious activities, in a bid to understand the method adopted by the site to track its visitors, a particular way to do this is to surf through the website with the use of a Windows laboratory system which is usually designed for this kind of task. In a case like this, one might expect to have the system get attacked as well as infected, to understand the threats mode of operation and how it reacts. Various tools can be used to capture the relevant details need for the analyzing and understanding of the malicious activities. CaptureBat, for instance, can be used in capturing not only the process-level events on the labs’ system but also, to make available a pcap file of the observed network traffic. Other sniffers such as tcpdump or Wiresharks’ dumpcap can be used if preferred or stick to the inbuilt NetworkMiner sniffer. 

Once the pcap file has been loaded into the NetworkMiner, the data gets parsed and presented in several tabs that display various perspectives of the traffic as well as its contents including the observed hosts, which include their DNS names, ports, used during the monitoring time frame and IP addresses. Parameters regarding HTTP sent to web servers as part of sessions observed and the files exchanged amongst hosts in the course of the monitoring period are among the several tabs opened when the pcap file gets loaded into NetworkMiner. 

With NetworkMiner, files found in the network stream are automatically carved and saved in a local folder. The primary reason for making use of a dedicated lab system when using the NetworkMiner is the probability of the malicious nature of the files, which may, in turn, infect the order if the user isn’t conscientious when handling them.