Network Forensics Tools

Yes, much as I dislike this abuse of the word “Forensics” (see Rant), I’ll recognize that it is a very popular abuse.

Chaosreader, jpcap, Microsoft Log Parser, and tcpxtract can break up a packet capture (pcap) file (created by tcpdump, Wireshark or Microsoft Net Monitor) into manageable components (including downloaded files). See the Network Forensics Puzzle site for more tools.

Sample PCAPs: EvilFingers (malware oriented), Threatglass by Barracuda Labs (pcap files with exploit kit activity)

Decrypting TLS Browser Traffic With Wireshark – The Easy Way!

CapTipper (Malicious HTTP traffic explorer tool) is a Python tool to analyze, explore and revive malicious HTTP traffic. CapTipper sets up a web server that acts exactly like the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found. The tool gives the security researcher easy access to the files and an understanding of the network flow, and is useful when researching exploits, pre-conditions, versions, obfuscations, plugins and shellcode.

xtractr does both flow and packet analysis, with full-text search.

tshark for command-line processing of pcap files.

Ipdecap reads packets from a pcap file, removes the encapsulation protocol, and writes them to another pcap file. Supported encapsulation protocols are GRE, IPIP, 6in4, and ESP (IPsec). Ipdecap can also remove IEEE 802.1Q (virtual LAN) headers.

Palo Alto Networks enterprise firewall, in Tap Mode, can interpret HTTP traffic, parse documents in the traffic, identify P2P applications tunneled over HTTP (such as Skype), and correlate the traffic with a user (not just an IP address).

Net Witness (derived from the retired FBI Carnivore program), monitors network traffic for email and Internet traffic. A free version parses pcap files up to 1 GB.

Spector monitors Internet activity.

Solera Networks offers products and their “What is Network Forensics?” whitepaper.

NetworkMiner for file carving.

AIEngine (Artificial Intelligent Engine) is an interactive, programmable Python/Ruby/Java/Lua packet inspection engine that can learn without any human intervention, and provides NIDS (Network Intrusion Detection System) functionality, DNS domain classification, a network collector, network forensics and many other features.

One Response to Network Forensics Tools

  1. […] This post was mentioned on Twitter by komeilipour and ucsci, opexxx. opexxx said: RT @komeilipour: Network #Forensics Tools […]