December 12, 2023

How to Analyse a PCAP File Using Network Miner- A Network Forensic Analysis Tool (NFAT)?


How To Analyse A Pcap File Using Network Miner A Network Forensic Analysis Tool Nfat

Are you looking for a good tool for passive network sniffing or packet capturing? Network Miner is the solution. It is a free and open-source tool that anyone can use. In this post, let's explore what network forensics is and why it is important, what Network Miner is, how to install Network Miner on Windows and Linux, and how to analyze a PCAP file using Network Miner.

What is Network Forensics? And Why is Network Forensics Important to Learn?

Network forensics is a specialized field within the broader discipline of digital forensics, focusing on the monitoring, analysis, and investigation of network traffic to detect and prevent security incidents, as well as to gather evidence in response to cybercrimes. It involves the capture, storage, and analysis of network traffic and data packets to identify potential security breaches, malicious activities, and unauthorized access to systems and data.

Network forensics is important to learn for several reasons:

  1. Cybersecurity: With the increasing number of cyber threats and attacks, organizations, and individuals need to take adequate measures to protect their digital assets. Network forensics is a critical component of cybersecurity as it helps identify, understand, and mitigate security risks in real time.

  2. Incident response: Network forensics enables security professionals to investigate and respond to security incidents effectively. By analyzing network traffic, they can identify the source of the problem, the scope of the breach, and the extent of the damage, helping to resolve issues more quickly and minimize their impact.

  3. Proactive threat hunting: Network forensics allows security professionals to proactively search for potential threats and vulnerabilities within their networks rather than waiting for a security incident to occur. This proactive approach helps organizations stay ahead of emerging threats and better protect their systems and data.

  4. Network optimization and performance: Analyzing network traffic can also help identify performance issues, bottlenecks, or misconfigurations in a network. Network forensics can contribute to optimizing the performance and efficiency of an organizations IT infrastructure.

Network forensics is an essential skill for cybersecurity professionals, as it helps them protect systems and data from cyber threats, respond to security incidents, and optimize network performance. As the digital world continues to grow, the importance of network forensics will only increase, making it a valuable skill to learn for anyone in the field of IT and cybersecurity.

What is Network Miner?

Network Miner is a network forensic analysis tool (NFAT) that is available in professional and free versions. It is an open-source tool that extracts artifacts from a PCAP file that has already been captured. Network Miner can extract files, images, credentials, emails, etc. from a pcap file, which makes visualization and analysis easier. It also contains a host inventory listing each IP present in the pcap along with its OS, which devices are communicating with which, open sessions, etc. It was first released in 2007 by Netresec, an independent software vendor specializing in network products, and is widely used around the world by incident responders and law enforcement teams.

NetworkMiner is a versatile and powerful network forensics tool that provides essential features for capturing, analyzing, and investigating network traffic. Its passive operation, support for various protocols, and user-friendly interface make it an attractive option for cybersecurity professionals and network administrators alike. Key features of NetworkMiner include:

  1. Passive network sniffing: NetworkMiner operates in a passive mode, meaning it does not interfere with network traffic or send any data packets onto the network. This makes it an unobtrusive and stealthy tool for network analysis.

  2. Protocol parsing: NetworkMiner can parse a variety of network protocols, including HTTP, FTP, SMB, SMTP, DNS, and SSL/TLS. This allows it to extract valuable information from network traffic and provide insight into the types of data being transmitted.

  3. File and data extraction: NetworkMiner can automatically reassemble and extract files and data transmitted over the network. This includes images, documents, and even user credentials, which can be useful for analyzing network activity and identifying potential security risks.

  4. Host and service identification: NetworkMiner can identify hosts (devices) and services running on a network by analyzing the captured network traffic. It can also display information about the operating systems, hostnames, and open ports for each device.

  5. GeoIP location: NetworkMiner can determine the geographical location of IP addresses based on GeoIP databases, providing a visual representation of the locations of network hosts.

  6. Offline analysis: NetworkMiner can analyze pre-captured network traffic stored in PCAP files, which enables investigators to perform offline analysis and review historical network data.

  7. User-friendly interface: NetworkMiner features a user-friendly graphical interface that organizes captured data into easily navigable tabs, making it straightforward to use for both beginners and experienced professionals.

What is a PCAP File?

A PCAP file (short for Packet Capture file) is a binary file format used to store network traffic data, primarily for the purpose of analyzing and troubleshooting network activities. PCAP files contain raw data captured from network interfaces, including the headers and payloads of data packets transmitted over the network.

PCAP files are valuable resources for network administrators, cybersecurity professionals, and digital forensics investigators, as they provide a detailed and accurate record of network activities. By analyzing PCAP files, experts can identify and troubleshoot network issues, detect security breaches, and gather evidence in response to cyber incidents.

Most network analysis tools can create a pcap file. One of the most widely used and familiar is Wireshark, which can capture live traffic and save it as a pcap file for later passive analysis. The PCAP file format can be used in other network analysis and forensics tools, such as tcpdump and NetworkMiner, among others. These tools read and parse PCAP files, allowing users to analyze the stored network traffic and gain insight into various aspects of network communications, such as network performance, security threats, and potential vulnerabilities. PCAP comes in a few variants, such as the classic libpcap format (also written by WinPcap on Windows) and the newer pcapng.
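To make the layout of a classic PCAP file concrete, here is a minimal reader in Python, added for this article rather than taken from NetworkMiner, Wireshark or any other tool. It reads the 24-byte global header, uses the magic number to detect byte order and microsecond versus nanosecond timestamps, walks the 16-byte record header that precedes each frame, refuses a pcapng file (which begins with a Section Header Block rather than the libpcap magic) and reports a capture that was cut off mid-record. The file it parses is constructed in `build_sample_pcap` from dummy frame bytes; the names `PcapHeader`, `Record`, `parse_pcap` and `build_sample_pcap` are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


@dataclass
class PcapHeader:
    byte_order: str          # "<" little-endian or ">" big-endian, taken from the magic
    ts_divisor: int          # 1e6 for microsecond captures, 1e9 for nanosecond ones
    version: Tuple[int, int]
    snaplen: int             # maximum bytes stored per packet; long payloads are cut here
    linktype: int            # 1 = Ethernet


@dataclass
class Record:
    number: int              # 1-based frame number, as Wireshark and NetworkMiner show it
    timestamp: float         # seconds since the Unix epoch
    caplen: int              # bytes actually stored in the file
    origlen: int             # bytes on the wire (larger than caplen if snaplen cut it)
    data: bytes


def parse_header(blob: bytes) -> PcapHeader:
    """Read the global header; byte order and timestamp unit come from the magic number."""
    if len(blob) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than a libpcap global header")
    magic = blob[:4]
    if magic == b"\x0a\x0d\x0d\x0a":
        raise ValueError("pcapng file (Section Header Block): needs a pcapng reader")
    for order in ("<", ">"):
        value = struct.unpack(order + "I", magic)[0]
        if value in (0xA1B2C3D4, 0xA1B23C4D):
            divisor = 1_000_000 if value == 0xA1B2C3D4 else 1_000_000_000
            major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
                order + "HHiIII", blob[4:GLOBAL_HEADER_LEN])
            return PcapHeader(order, divisor, (major, minor), snaplen, linktype)
    raise ValueError(f"not a libpcap file (magic {magic.hex()})")


def iter_records(blob: bytes, header: PcapHeader) -> Iterator[Record]:
    """Walk the packet records; a record running past the end means a truncated capture."""
    offset, number = GLOBAL_HEADER_LEN, 0
    while offset < len(blob):
        if offset + RECORD_HEADER_LEN > len(blob):
            raise ValueError(f"truncated record header after frame {number}")
        sec, frac, caplen, origlen = struct.unpack(
            header.byte_order + "IIII", blob[offset:offset + RECORD_HEADER_LEN])
        if caplen > origlen or (header.snaplen and caplen > header.snaplen):
            raise ValueError(f"corrupt record header at frame {number + 1}")
        start = offset + RECORD_HEADER_LEN
        if start + caplen > len(blob):
            raise ValueError(f"frame {number + 1} cut short: capture was truncated")
        number += 1
        yield Record(number, sec + frac / header.ts_divisor, caplen, origlen,
                     blob[start:start + caplen])
        offset = start + caplen


def parse_pcap(blob: bytes) -> Tuple[PcapHeader, List[Record]]:
    header = parse_header(blob)
    return header, list(iter_records(blob, header))


def build_sample_pcap(order: str = "<", nanos: bool = False) -> bytes:
    """Constructed sample: a two-frame libpcap file of dummy bytes, not real traffic."""
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    out = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    frac = 500_000 if nanos else 500            # both encode 0.0005 s
    for i, frame in enumerate((bytes(42), b"\xff" * 60)):
        out += struct.pack(order + "IIII", 1_700_000_000 + i, frac, len(frame), len(frame))
        out += frame
    return out


if __name__ == "__main__":
    hdr, records = parse_pcap(build_sample_pcap())
    print(hdr)
    for r in records:
        print(f"frame {r.number}: {r.caplen}/{r.origlen} bytes at {r.timestamp:.6f}")
```

The `caplen`/`origlen` distinction matters in practice: when they differ, the capture was taken with a snaplen smaller than the packet, so any file or credential a tool such as NetworkMiner tries to reassemble from that frame will be incomplete.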

How to Install Network Miner?

Network Miner is primarily designed for Windows, but it is also available to Linux users. We have covered the installation of Network Miner on both Windows and Linux. Let's see how to install Network Miner on Linux, followed by Windows.

How to Install Network Miner on Linux?

The Network Miner installation process is simple and straightforward. The commands below install Mono, the runtime that Network Miner needs on Linux; make sure you run the command for your own distribution.

Ubuntu (also other Debian-based distros like Xubuntu and Kali Linux)

sudo apt install mono-devel

CentOS/RHEL

sudo yum install mono-devel

Fedora

sudo dnf install mono-devel

ArchLinux

sudo pacman -S mono

Verify the installation of Network Miner on Linux.

Please visit the official website to see manual installation options.

How to Install Network Miner on Microsoft Windows?

Installing Network Miner is quite simple:

  1. Visit the official website of Netresec and proceed to the Network Miner page.

  2. Scrolling down, you can compare the features available in the free version of Network Miner and the professional one.

  3. Under the Network Miner free edition section, download the latest version of Network Miner.

  4. A zip file will be downloaded.

  5. On opening the zip file you will find multiple files within it; extract all the files from the NetworkMiner application folder.

  6. After extracting the files to the desired location, you can open Network Miner directly from that folder.

  7. Once this is done, the home page of Network Miner will look like this. At the time of writing this article, the latest version was NetworkMiner 2.8.

How to Analyse a PCAP File Using Network Miner- A Network Forensic Analysis Tool (NFAT)?

Once you are ready with Network Miner, it's time to start analyzing a pcap file.

Depending on the scenario, the pcap file may be one you created yourself by doing a live capture with any network capturing tool, or one sent to you by another team for analysis.

How to Analyse a PCAP File Using Network Miner?

Step 1. Import the pcap file into Network Miner

Once we have the pcap file, we have to load it into Network Miner:

  1. Click the File tab > Open.
  2. Select the pcap file from the desired location.
  3. The pcap file will be loaded into Network Miner.

Step 2. Cascade multiple pcap files if required

We can also load multiple pcap files and work on them at the same time.


After successfully uploading multiple pcap files there will be a case panel located at the right side of the tab. We can choose the pcap file that needs to be viewed and click on reload case files to switch between.

Step 3. Explore Hosts Tab

This is the first tab that appears when Network Miner opens, and it gives a quick overview of the pcap file. The information in this tab can be sorted in a variety of ways, such as by IP address, MAC address, hostname, etc.


On uploading the sample pcap file, we can see there are 275 hosts in that pcap file. The hosts tab will categorize the hosts based on IP, and it also has small icons of Windows, Linux, or other OS to recognize at first glance.


On expanding an IP address, we can see the hostname, MAC address, open sessions, any communication to or from the device, any open ports, etc.


Step 4. Explore File Tab

Any files extracted from the traffic, including HTML files, are displayed on this tab. We can filter the data using the keyword option in the search to narrow our results, and we can match the exact phrase using the exact phrase tab.

Step 5. Explore Image Tab

This tab displays the image files captured in the pcap.

Step 6. Explore Message Tab

Messages such as emails are displayed here, and the same search option as in the Files tab is available.


In the bottom right corner, we can also see if any attachments are available in the emails.


We didn't observe any mail communication in the sample pcap analyzed.

Step 7. Explore Credentials Tab

If any credentials can be obtained from the network traffic file, they are displayed in this tab. It also indicates whether the login was successful and shows the username, password, login timestamp, and protocol used. There are options to show cookies and NTLM challenge responses, and an option to mask passwords.


In our sample pcap all the captured credentials were cookies and no valid login was captured, but this is where a username and password sent in clear text would be shown.

Step 8. Explore Sessions, DNS, and Parameters Tab

Sessions tab: Any established sessions between the nodes are displayed in this tab. It also has a filtering option.
DNS tab: This tab shows the DNS logs, including the frame number, timestamp, etc.
Parameters tab: This tab holds a lot of content, especially with HTTP-based traffic. In our sample, around 12k+ entries were captured; we can also filter them based on keywords.

Step 9. Explore Keyword Tab

This tab helps you search the entire pcap file for any keyword. Simply type a word and click Add. Words can also be imported from a text file. Once the words are added, they are shown in the text box below, and any keyword match is displayed in the main window of this tab.


From the sample file, I tried to search for the keyword twimg.com to see the traffic, and all packets matching that keyword popped up. We can also see the frame number to analyze with Wireshark or other tools.
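The Hosts tab (Step 3) and the Keyword tab just described can both be illustrated with the following Python, which is an added example for this article and not NetworkMiner's own code. It decodes Ethernet/IPv4/TCP frames, builds a host inventory (MAC addresses learned from each host's own frames, peers it talked to, and open ports inferred from completed SYN/SYN-ACK handshakes, together with the resulting TCP sessions), and runs a case-insensitive keyword search that reports 1-based frame numbers, the numbering Wireshark uses. Everything in `SAMPLE_FRAMES`, including the IP and MAC addresses and the request for a twimg.com image, is constructed for the demo; the function and class names are this example's own.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ETH_IPV4, TCP = 0x0800, 6
SYN, ACK = 0x02, 0x10
Flow = Tuple[str, int, str, int]   # (client_ip, client_port, server_ip, server_port)

@dataclass
class Decoded:
    src_mac: str
    src_ip: str
    dst_ip: str
    sport: Optional[int] = None    # TCP ports and flags stay None/0 for non-TCP packets
    dport: Optional[int] = None
    tcp_flags: int = 0

def decode_frame(frame: bytes) -> Optional[Decoded]:
    """Decode Ethernet II + IPv4 (+ TCP) headers; anything else yields None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    d = Decoded(frame[6:12].hex(":"),
                ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])))
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
    l4 = frame[14 + ihl:]
    if frame[23] == TCP and len(l4) >= 20:   # frame[23] is the IPv4 protocol field
        d.sport, d.dport = struct.unpack("!HH", l4[:4])
        d.tcp_flags = l4[13]
    return d

@dataclass
class Host:
    ip: str
    macs: Set[str] = field(default_factory=set)        # learned from frames this host sent
    open_ports: Set[int] = field(default_factory=set)  # TCP ports that completed a handshake
    peers: Set[str] = field(default_factory=set)       # IPs this host exchanged frames with

def host_inventory(frames: List[bytes]) -> Tuple[Dict[str, Host], Set[Flow]]:
    """Hosts tab in miniature: per-IP details plus the set of completed TCP sessions."""
    hosts: Dict[str, Host] = {}
    pending_syn: Set[Flow] = set()
    sessions: Set[Flow] = set()
    for frame in frames:
        d = decode_frame(frame)
        if d is None:
            continue
        src = hosts.setdefault(d.src_ip, Host(d.src_ip))
        dst = hosts.setdefault(d.dst_ip, Host(d.dst_ip))
        src.macs.add(d.src_mac)
        src.peers.add(d.dst_ip)
        dst.peers.add(d.src_ip)
        if d.tcp_flags & (SYN | ACK) == SYN:           # client opens a connection
            pending_syn.add((d.src_ip, d.sport, d.dst_ip, d.dport))
        elif d.tcp_flags & (SYN | ACK) == SYN | ACK:   # server answers: that port is open
            flow = (d.dst_ip, d.dport, d.src_ip, d.sport)
            if flow in pending_syn:
                src.open_ports.add(d.sport)
                sessions.add(flow)
    return hosts, sessions

def keyword_search(frames: List[bytes], keyword: str) -> List[Tuple[int, int]]:
    """Keyword tab in miniature: (frame_number, byte_offset) of each case-insensitive
    match; frame numbers are 1-based so they line up with Wireshark's."""
    needle, hits = keyword.lower().encode(), []
    for number, frame in enumerate(frames, start=1):
        hay = frame.lower()
        pos = hay.find(needle)
        while pos != -1:
            hits.append((number, pos))
            pos = hay.find(needle, pos + 1)
    return hits

def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo; checksums are left at zero."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0,
                       ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IPV4) + ipv4 + tcp

CLIENT_MAC, SERVER_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
# Constructed sample capture (not real traffic): a completed HTTP handshake and a GET for
# a twimg.com image, an unanswered SYN to 10.0.0.9:445, and one frame that is not IPv4.
SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "192.0.2.10", 49152, 80, SYN),
    build_frame(SERVER_MAC, CLIENT_MAC, "192.0.2.10", "10.0.0.5", 80, 49152, SYN | ACK),
    build_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "192.0.2.10", 49152, 80, ACK,
                b"GET /a.png HTTP/1.1\r\nHost: pbs.twimg.com\r\n\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 49153, 445, SYN),
    bytes(60),
]

if __name__ == "__main__":
    hosts, sessions = host_inventory(SAMPLE_FRAMES)
    for host in hosts.values():
        print(host)
    print("sessions:", sessions, "| twimg.com hits:", keyword_search(SAMPLE_FRAMES, "twimg.com"))
```

Note the unanswered SYN to port 445: it puts 10.0.0.9 in the inventory as a peer of 10.0.0.5 but records no MAC and no open port for it, which is the same distinction the Hosts tab makes between a host that was merely contacted and one that actually responded.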


Bottom Line

Network Miner is a very advanced yet easy-to-use tool that helps researchers navigate through the packets and identify any anomalies. The tool is not limited to the tabs discussed above: it also has live sniffing capabilities, IPv6 support, and much more.

I hope this article gives an overall idea of what network forensics is and why it is important, what Network Miner is, how to install Network Miner on Windows and Linux, how to analyze a pcap file using Network Miner, and what features are available in Network Miner.


Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
