At a conference this week, we had quite a section regarding network captures.
The instructor was going on about how you can try to sort out users and what they are doing via Wireshark with the packet captures. He was really wanting to figure out who the largest users were and what they were doing to saturate the bandwidth.
I politely asked if he was familiar with NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer. He was not. So I asked if I could come up and demo the one I had stowed on my USB stick.
The rest of the lesson was filled with throwing the packet capture files he had brought at NetworkMiner and carving out the results. The instructor was amazed and grateful for the power that this tool was going to give him. I passed the download link around to the class attendees quite liberally afterward. It is an amazing tool.
It was quite fun and informative for all.
Later I saw (by chance) the Tools for extracting files from pcaps post at the ISC-SANS Handler’s Diary. It was filled with quite a number of other great suggestions for carving information out of pcap files.
I’ve also downloaded NetWitness Investigator Software (free) which I understand has quite a collection of features as well. Registration is required to get it working so that will need to wait until tomorrow.
Most of the ISC-SANS items are *nix based. I'm Windows based almost exclusively (with the exception of Linux forensics LiveCDs). However, the packet analysis tool Xplico - Internet Traffic Decoder really seems outstanding and right up my alley for my needs. Fortunately, it is included in the DEFT Linux - Computer Forensics live CD.
In addition to Wireshark, I generally keep a few other packet capture tools on my laptops, just in case. Most are pretty tiny and light for super-fast and flexible captures.
One of the larger packet capture tools I have installed is Microsoft Network Monitor 3.3.
I hadn't realized that it had arrived fairly recently, but that link has some more feature details.
In addition, while reading the Network Monitor development blog I was pleased to find that there are some specialized plug-ins for it that might be darn useful:
- TCP Analyzer Expert: Make Your Network Run Faster – For Microsoft Network Monitor 3.3
- Top Users Expert for Network Monitor 3.3 – For Microsoft Network Monitor 3.3
The first is a post describing the tool which can analyze and suggest issues with your network based on packet capture data. The second provides a report on which users are eating up all the bandwidth.
Both are pretty cool. Check them out.
Of course, you could also try a tool like ZNetWatch 1.01 (freeware) which also specifically sniffs network traffic and rats out who the biggest users are. While this could be caused by users looking at the latest YouTube videos or streaming radio (against network policy usage perhaps) it could also be caused by virus or malware command and control communications.
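The "who is eating the bandwidth" question that the instructor, the Top Users Expert and ZNetWatch all chase is simple to answer from a pcap once you know the file layout. Here is an added example, not code from the original post nor from NetworkMiner, Network Monitor or ZNetWatch, that walks a classic pcap (not pcapng), pulls the IPv4 source address out of each Ethernet frame (skipping one 802.1Q VLAN tag if present) and ranks sources by bytes on the wire. The capture it parses is constructed inline so it runs offline; the function names, the sample hosts (10.0.0.x, 203.0.113.9) and the frame sizes are my assumptions for illustration, not anything from the post.

```python
"""Top-talker report from a classic pcap file, standard library only."""
import socket
import struct
import sys
from collections import defaultdict

# Constructed sample MACs (hypothetical, for the inline capture only).
DST_MAC = b"\x00\x11\x22\x33\x44\x55"
SRC_MAC = b"\x66\x77\x88\x99\xaa\xbb"


def _eth_frame(src_ip, dst_ip, payload_len, vlan=None):
    """Build one Ethernet/IPv4 frame with a zero-filled payload (constructed test data)."""
    hdr = DST_MAC + SRC_MAC
    if vlan is not None:
        hdr += b"\x81\x00" + struct.pack("!H", vlan)  # 802.1Q tag
    hdr += b"\x08\x00"  # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr + ip + b"\x00" * payload_len


def build_sample_pcap():
    """Constructed capture: one chatty host, two quiet ones, one VLAN frame, one ARP frame."""
    frames = [_eth_frame("10.0.0.5", "203.0.113.9", 1366) for _ in range(3)]  # 3 x 1400 B
    frames += [_eth_frame("10.0.0.7", "203.0.113.9", 66) for _ in range(2)]   # 2 x 100 B
    frames += [_eth_frame("10.0.0.9", "203.0.113.9", 26)]                      # 60 B
    frames += [_eth_frame("10.0.0.9", "203.0.113.9", 26, vlan=10)]             # 64 B, tagged
    frames += [DST_MAC + SRC_MAC + b"\x08\x06" + b"\x00" * 28]                 # ARP, not IPv4
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def iter_packets(data):
    """Yield (orig_len, frame_bytes) for each record; stops cleanly on a truncated tail."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            break  # truncated final record (capture cut short): stop, don't crash
        yield orig_len, data[off:off + incl_len]
        off += incl_len


def ipv4_src_dst(frame):
    """Return (src, dst) for an IPv4-carrying Ethernet frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    off = 14
    if ethertype == 0x8100:  # skip one VLAN tag
        if len(frame) < 18:
            return None
        ethertype, = struct.unpack_from("!H", frame, 16)
        off = 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    return socket.inet_ntoa(frame[off + 12:off + 16]), socket.inet_ntoa(frame[off + 16:off + 20])


def top_talkers(pcap_bytes, n=10):
    """Rank IPv4 sources by bytes on the wire; returns [(ip, bytes, packets), ...]."""
    by_src = defaultdict(lambda: [0, 0])
    for orig_len, frame in iter_packets(pcap_bytes):
        hdr = ipv4_src_dst(frame)
        if hdr is None:
            continue  # ARP, IPv6, etc. are not counted against a host here
        by_src[hdr[0]][0] += orig_len  # orig_len, so snaplen-truncated captures still count real size
        by_src[hdr[0]][1] += 1
    ranked = sorted(by_src.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(ip, b, p) for ip, (b, p) in ranked[:n]]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for ip, nbytes, pkts in top_talkers(data):
        print(f"{ip:<16} {nbytes:>10} bytes {pkts:>6} pkts")
```

Run it with a real capture as `python toptalk.py capture.pcap`, or with no argument to see the constructed sample ranked. Sorting by source alone is what a "top users" report does; when the concern is malware command and control rather than YouTube, also rank by destination and by (src, dst) pair, since a C2 channel is usually low volume but persistent to one odd address rather than a bandwidth hog.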
As I said, it was a lot of fun tossing Network Miner at the packet capture sample files. If you don’t have any handy, but want to really test out these (or other) tools that can read and parse that data, here are two great starting places to get some pcap files of your own to play with.