Friday, October 24, 2008

Easy Packet Capture Using Network Miner

Network Miner is a great simple packet capture and search utility. The interface is simple, easy to understand, and provides many of the frequently desirable searches in one place.

Network Miner's Sourceforge site says:

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic.
You'll need WinPcap to run it, but once you have it installed, you're ready to start capturing packets.

What can you do?

Network Miner's main interface is an easy to navigate tabbed menu. By default, you'll see hosts.

From there, it is simple to select files, which will show files transferred while sniffing - in this case, I opened Google in Firefox.

You can also see images, which display in the window. Note the Google logo from the packet capture.

While both of these capabilities are fun, other automatic filters are likely far more useful. You can select Credentials or Cleartext and you'll see userids and passwords that are sent, and the plaintext sent over the wire, respectively. Both can be extremely useful in troubleshooting. An easy example is checking to see if credentials for a website are being sent in plaintext when they shouldn't be, or if a cookie contains a string you don't want to be sent.

Network Miner also includes the ability to view DNS queries, frames, parameters, keywords, and protocol anomalies. You can sort entries based on IP address, MAC, hostname, packet count, byte count, and ports open.

While Network Miner isn't as flexible as WireShark, it provides an extremely approachable interface, and makes packet capture much easier for those who need the basic functionality without the complexity of a full featured solution.

No comments: