Network forensics tool NetworkMiner 2.2 released

NetworkMiner is a popular network forensics tool that can parse pcap files as well as perform live sniffing of network traffic. It is host-centric: it collects data about the hosts on the network (addresses, operating systems, open ports, credentials, transferred files) rather than presenting the traffic packet by packet.


In NetworkMiner 2.2, the PCAP parsing speed has more than doubled and even more details are now extracted from analyzed packet capture files.

User interface improvements

The keyword filter available in the Files, Messages, Sessions, DNS and Parameters tabs has been improved so that the rows now can be filtered on a single column of choice by selecting the desired column in a drop-down list. There is also an “Any column” option, which can be used to search for the keyword in all columns.

The Messages tab now allows the filter keyword to be matched against the text in the message body as well as email headers when the “Any column” option is selected.

Time stamps are now shown in the yyyy-MM-dd HH:mm:ss format, with the time zone explicitly stated.

Protocol parsers

The latest version comes with an RDP parser, which is primarily used to extract usernames from RDP cookies and show them on the Credentials tab. Version 2.2 also comes with better extraction of SMB1 and SMB2 details, such as usernames from NTLMSSP authentication.
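To show what this kind of credential extraction involves at the byte level, here is an added example in Python; it is not NetworkMiner's own code (which is C#) and makes no claim about how NetworkMiner implements its parsers. An RDP X.224 Connection Request (MS-RDPBCGR) carries the client's username in a `Cookie: mstshash=` routing token sent in the clear before any TLS negotiation, and an SMB Session Setup carries an NTLMSSP AUTHENTICATE message (MS-NLMP) whose DomainName and UserName fields are addressed by offset from the start of the message. The builder functions, the sample packets and the field names are constructed for this example.

```python
import struct

# ---- RDP: username from the X.224 Connection Request cookie ----------------
TPKT_HEADER_LEN = 4
X224_CR_CODE = 0xE0
COOKIE_PREFIX = b"Cookie: mstshash="


def parse_rdp_cookie_username(segment: bytes):
    """Return the username from an RDP X.224 Connection Request, or None.

    Layout: TPKT header (version 3, reserved, 16-bit big-endian length),
    then the X.224 CR TPDU: length indicator, 0xE0 code, DST-REF, SRC-REF,
    class options, and an optional routingToken/cookie terminated by CR LF.
    """
    if len(segment) < TPKT_HEADER_LEN + 7 or segment[0] != 3:
        return None
    tpkt_len = struct.unpack(">H", segment[2:4])[0]
    if tpkt_len != len(segment) or segment[5] != X224_CR_CODE:
        return None
    li = segment[4]  # bytes following the length indicator
    # variable part starts after LI(1) + code(1) + dst-ref(2) + src-ref(2) + class(1)
    variable = segment[11:5 + li]
    if not variable.startswith(COOKIE_PREFIX):
        return None
    end = variable.find(b"\r\n")
    if end == -1:
        return None
    return variable[len(COOKIE_PREFIX):end].decode("ascii", errors="replace")


def build_rdp_connection_request(username: str) -> bytes:
    """Constructed sample packet: TPKT + X.224 CR with cookie and rdpNegReq."""
    cookie = COOKIE_PREFIX + username.encode("ascii") + b"\r\n"
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 0x0008, 0x00000003)  # TYPE_RDP_NEG_REQ
    x224_body = bytes([X224_CR_CODE, 0, 0, 0, 0, 0]) + cookie + neg_req
    x224 = bytes([len(x224_body)]) + x224_body
    return struct.pack(">BBH", 3, 0, TPKT_HEADER_LEN + len(x224)) + x224


# ---- SMB: domain and username from an NTLMSSP AUTHENTICATE message ---------
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _field(blob: bytes, descriptor_offset: int) -> bytes:
    # Field descriptor: Len(u16) MaxLen(u16) BufferOffset(u32), little-endian;
    # BufferOffset is relative to the start of the NTLMSSP message.
    length, _maxlen, buf_off = struct.unpack_from("<HHI", blob, descriptor_offset)
    return blob[buf_off:buf_off + length]


def parse_ntlmssp_username(blob: bytes):
    """Return (domain, username) from an NTLMSSP AUTHENTICATE message, or None."""
    if not blob.startswith(NTLMSSP_SIGNATURE) or len(blob) < 64:
        return None
    if struct.unpack_from("<I", blob, 8)[0] != NTLMSSP_AUTHENTICATE:
        return None
    flags = struct.unpack_from("<I", blob, 60)[0]
    # Strings are UTF-16LE when the UNICODE flag is set; OEM charset otherwise
    # (treated as ASCII here, an assumption for the example).
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    domain = _field(blob, 28).decode(enc, errors="replace")  # DomainNameFields
    user = _field(blob, 36).decode(enc, errors="replace")    # UserNameFields
    return domain, user


def find_ntlmssp_usernames(payload: bytes):
    """Scan a session-setup payload (e.g. SPNEGO-wrapped) for NTLMSSP type-3 messages."""
    found, start = [], 0
    while (idx := payload.find(NTLMSSP_SIGNATURE, start)) != -1:
        parsed = parse_ntlmssp_username(payload[idx:])
        if parsed:
            found.append(parsed)
        start = idx + len(NTLMSSP_SIGNATURE)
    return found


def build_ntlmssp_authenticate(domain: str, username: str) -> bytes:
    """Constructed sample: minimal 64-byte header, empty challenge responses."""
    dom, usr = domain.encode("utf-16-le"), username.encode("utf-16-le")
    dom_off = 64
    usr_off = dom_off + len(dom)
    end = usr_off + len(usr)

    def fields(data: bytes, off: int) -> bytes:
        return struct.pack("<HHI", len(data), len(data), off)

    msg = NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTHENTICATE)
    msg += fields(b"", end) + fields(b"", end)      # Lm/NtChallengeResponse (empty)
    msg += fields(dom, dom_off) + fields(usr, usr_off)
    msg += fields(b"", end) + fields(b"", end)      # Workstation, session key (empty)
    msg += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE | 0x00000200)  # + NEGOTIATE_NTLM
    return msg + dom + usr


if __name__ == "__main__":
    print(parse_rdp_cookie_username(build_rdp_connection_request("alice")))
    print(find_ntlmssp_usernames(b"\x60\x48\x06\x06" + build_ntlmssp_authenticate("CORP", "bob")))
```

Both parsers refuse input that does not match the expected framing rather than guessing, which matters when scanning arbitrary captures: a TPKT length that disagrees with the segment, a missing CR LF terminator, or a field offset that points past the end of the blob all yield no credential instead of a garbage one.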

NetworkMiner moved to .NET Framework 4.0. This move doesn’t require any special measures to be taken for most Microsoft Windows users since the 4.0 Framework is typically already installed on these machines. If you’re running NetworkMiner on Linux, you might want to check out an updated blog post on how to install NetworkMiner in Linux.

The developers have also added an automatic check for new versions of NetworkMiner, which runs every time the tool is started.