Channel: NETRESEC Network Security Blog
Browsing all 160 articles

Extracting DNS queries

There was recently a question on the Wireshark users mailing list about “how to get the query name from a DNS request packet with tshark”. This is a problem that many network analysts run into, so I...


WPAD Man in the Middle

Metasploit was recently updated with a module to generate a wpad.dat file for WPAD man-in-the-middle (MITM) attacks. This blog post explains how this attack works and how to investigate such an attack...


NetworkMiner 1.4 Released

Version 1.4 of NetworkMiner has been released! The new features in NetworkMiner 1.4 include: Better handling of fragmented IPv4 packets. Verification of ".pcap" file extension is completely removed....


SCADA Network Forensics with IEC-104

A great way to enable digital forensics of control system networks is to implement network security monitoring. Captured network traffic is a great source of evidence when analyzing an attacker's...


Install NetworkMiner with apt-get

Doug Burks has done great work integrating NetworkMiner into Security Onion. One really cool thing he has done is to build a Debian repository that includes NetworkMiner. This means that NetworkMiner...


Convert Endace ERF capture files to PCAP

A customer recently contacted us because he wanted to load ERF capture files from their Endace probes into NetworkMiner Professional. In order to do so they would first need to convert the ERF file into...


HowTo handle PcapNG files

Users of Wireshark 1.8.0 (or later) have most likely noticed that the default output file format has changed from libpcap (.pcap) to Pcap-NG (.pcapng). So what does this mean other than a longer file...


CapLoader 1.1 Released

Version 1.1 of the super-fast PCAP parsing tool CapLoader is being released today. CapLoader is the ideal tool for digging through large volumes of PCAP files. Datasets in the GB and even TB order can...


Analyzing 85 GB of PCAP in 2 hours

Let's say you've collected around 100 GB of PCAP files in a network monitoring installation. How would you approach the task of looking at the application layer data of a few of the captured sessions...


Forensics of Chinese MITM on GitHub

On January 26 several users in China reported SSL problems while connecting to the software development site GitHub.com. The reports indicated that the Great Firewall of China (GFW) was used to...


Extracting Metadata from PcapNG files

In our blog post about the Chinese MITM of GitHub we revealed the identity of the anonymous capture file uploader by analyzing metadata available in the PCAP-NG file format. In this blog post we...


Detecting TOR Communication in Network Traffic

The anonymity network Tor is often misused by hackers and criminals in order to remotely control hacked computers. In this blog post we explain why Tor is so well suited for such malicious purposes,...


Security Advisory: Two Vulnerabilities in NetworkMiner

Security Advisory ID: NETRESEC-1386968. NetworkMiner version 1.4.1 and older is vulnerable to DLL hijacking and contains a directory traversal vulnerability. Description: NetworkMiner is a tool designed for...


New features in NetworkMiner 1.5

NetworkMiner 1.5 was released on August 7th, but we haven't yet provided any details regarding the new functionality that has been added. NetworkMiner (free edition): New features in the free and open...


DNS whitelisting in NetworkMiner

One of the new features in NetworkMiner Professional 1.5 is the ability to check if domain names in DNS requests/responses are “normal” or malicious ones. This lookup is performed offline using a...


Command-line Forensics of hacked PHP.net

Update, October 29: @StopMalvertisin recently published a great blog post that covered the five binaries that were served with help of the PHP.net compromise. We've therefore updated this blog post with a...


HowTo install NetworkMiner in Ubuntu Fedora and Arch Linux

NetworkMiner is a network forensics tool primarily developed for Windows, but it also runs just fine on other operating systems with the help of the Mono Framework. This guide shows how to...


Search and Carve Packets with CapLoader 1.2

CapLoader version 1.2 was released today, with lots of new powerful features. The most significant additions in CapLoader 1.2 are: Network packet carving, i.e. the ability to carve full content network...


Carving Network Packets from Memory Dump Files

A new feature in the recently released CapLoader 1.2 is the ability to carve network packets from any file and save them in the PCAP-NG format. This fusion between memory forensics and network...


Keyword Search in PCAP files

A new function in the free version of CapLoader 1.2 is the "Find Keyword" feature. This keyword search functionality makes it possible to search large capture files for a string or byte pattern super...
