NetworkMiner allows you to collect data (such as forensic evidence) about hosts on the network without putting any traffic on the network.
NetworkMiner aims to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host-centric (information grouped per host) rather than packet-centric (information showed as a list of packets/frames).
NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams and law enforcement. NetworkMiner is today used by companies and organizations all over the world.
NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This functionality can be used to extract and save media files (such as audio or video files) streamed across a network from websites such as YouTube. Supported protocols for file extraction are FTP, TFTP, HTTP, and SMB.
User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. The credentials tab sometimes also shows information that can be used to identify a particular person, such as user accounts for popular online services like Gmail or Facebook.
Another handy feature is that the user can search, sniffed, or stored data for keywords. NetworkMiner allows the user to insert arbitrary strings or byte-patterns that shall be searched for with the keyword search functionality.
NetworkMiner Professional comes installed on a specially designed USB flash drive. You can run NetworkMiner directly from the USB flash drive since NetworkMiner is a portable application that doesn't require any installation. We at Netresec do, however, recommend that you copy NetworkMiner to the local hard drive of your computer to achieve maximum performance.
Parse PCAP files
Parse PcapNG files
Extract files from FTP, TFTP, HTTP, HTTP/2, SMB, SMB2, SMTP, POP3, and IMAP traffic
Extract X.509 certificates from SSL encrypted traffic like HTTPS, SMTPS, IMAPS, POP3S, FTPS etc.
Decapsulation of GRE, 802.1Q, PPPoE, VXLAN, OpenFlow, SOCKS, MPLS and EoMPLS