NETRESEC Network Security Blog

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the C2 protocol used by the PureLogs Stealer malware. The PureLogs pro[...]

I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allow users to define their own protocol detections based on example network traffic. User Defined Protocols CapLoader's[...]

One of the premier features in NetworkMiner is the ability to extract files from captured network traffic in PCAP files. NetworkMiner reassembles the file contents by parsing protocols that are used to transfer files across a network. But there are other tools that also can extract files from PCAP f[...]

I investigate network traffic from a Triage sandbox execution of njRAT in this video. The analysis is performed using NetworkMiner in Linux (REMnux to be specific). About njRAT / Bladabindi njRAT is a Remote Access Trojan (RAT) that can be used to remotely control a hacked computer. It has been arou[...]

This guide shows how to install the latest version of NetworkMiner in Linux. To install an older NetworkMiner release, prior to version 3.0, please see our legacy NetworkMiner in Linux guide. STEP 1: Install Mono and GTK2Mono is an open source cross-platform implementation of the .NET framework, it[...]

UPDATE - Training Canceled The training event in May has been canceled. We are sorry for the inconvenience.

I am very proud to announce the release of NetworkMiner 3.0 today! This version brings several new protocols as well as user interface improvements to NetworkMiner. We have also made significant changes under the hood, such as altering the default location to where NetworkMiner extracts files from n[...]

Did you know that there is a setting in Wireshark for changing the default save file format from pcapng to pcap? In Wireshark, click Edit, Preferences. Then select Advanced and look for the capture.pcap_ng setting. Change the value to FALSE if you want Wireshark to save packets in the pcap file form[...]

The new release of PolarProxy generates JA4 fingerprints and enables ruleset to match on specific decryption errors, for example to enable fail-open in case the TLS traffic cannot be decrypted and inspected. JA4 FingerprintsJA4 fingerprints provide several improvements over its JA3 predecessor. One[...]

Over 90 percent of all web traffic is encrypted nowadays, which is great of course. However, as HTTP and DNS traffic gets encrypted, defenders have a more difficult time blocking malicious network traffic. One solution to this problem is to use a TLS firewall, which effectively blocks encrypted conn[...]

The VoIP tab is a unique feature only available in NetworkMiner Professional. The analyzed PcapNG file comes from a blog post by Johannes Weber titled VoIP Captures. See our NetworkMiner Professional tutorial videos for more tips and hints.

The Browsers tab is a unique feature only available in NetworkMiner Professional. The PCAP files analyzed in this video are pwned-se_150312_outgoing.pcap and pwned-se_150312_incoming.pcap, which are snippets of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides). More information[...]

The PCAP file analyzed in this video is pwned-se_150312_outgoing.pcap, which is a snippet of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides). See our NetworkMiner Professional tutorial videos for more tips and hints.

The PCAP file analyzed in this video is MD_2015-07-22_112601.pcap, which is a snippet of the training data used in our network forensics classes from 2015 to 2019. Techniques, tools and databases mentioned in the tutorial: CIDR notationSatorip0fmac-ages Check out our Passive OS Fingerprinting blog p[...]

This video tutorial demonstrates how to open capture files with NetworkMiner Professional The analyzed pcap-ng file is github.pcapng from CloudShark. More info about this capture file can be found in our blog post Forensics of Chinese MITM on GitHub. See our NetworkMiner Professional tutorial videos[...]

This video tutorial covers how to install NetworkMiner Professional. Use the official 7-zip tool to extract the password protected 7zip archive. Recommended locations for NetworkMiner: DesktopMy DocumentsC:\Users\{user}\AppData\Local\Programs\USB flash drive See our NetworkMiner Professional tutoria[...]

This video tutorial covers how to install NetworkMiner Professional. Use the official 7-zip tool to extract the password protected 7zip archive. Recommended locations for NetworkMiner: DesktopMy DocumentsC:\Users\{user}\AppData\Local\Programs\USB flash drive See our NetworkMiner Professional tutoria[...]

A new release of CapLoader has been published! Some of the changes can be seen directly in the user interface, such as Community ID values for flows and a few other new columns in the Flows and Services tabs. Other improvements are more subtle, like improved detection of remote management protocols[...]

Do you want to analyze decrypted TLS traffic in Wireshark or let an IDS, like Suricata, Snort or Zeek, inspect the application layer data of potentially malicious TLS encrypted traffic? There are many different TLS inspection solutions to choose from, but not all of them might be suitable for the sp[...]

Update: The class in October has been canceled. If you'd like to take the online class then November 18 is your chance! I will teach two live online classes this autumn, one in October and one in November. The subject for both classes is network forensics for incident response. The training is split[...]