NetworkMiner is a comprehensive Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD), which has become increasingly popular among incident response teams and law enforcement. Without placing any traffic on the network, this tool can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports and much more.
In contrast to other sniffers such as Wireshark, NetworkMiner's user-friendly interface focuses on clearly presenting hosts and their attributes rather than raw packets. This means you are able to understand the events taking place without comprehensive knowledge of networking.
It can easily extract files and certificates that have been transferred over the network, either by parsing a PCAP file or by sniffing traffic directly. This can be used to extract and save a variety of media content (such as audio, video or file transfers) that has been streamed across the network. The supported protocols for this functionality are FTP, TFTP, HTTP and SMB.
User credentials (such as usernames and passwords) carried in the following protocols are extracted by NetworkMiner and made easily accessible under the “Credentials” tab. This tab can also present information that can be used to identify a particular person, such as user accounts for popular online services like Gmail or Facebook.
Another useful feature is that the user is able to search sniffed or stored data for keywords. NetworkMiner's keyword search lets the user enter arbitrary strings or byte patterns to search for.
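To illustrate what such a keyword search over a stored capture involves, the following is an added example written for this page, not NetworkMiner's own code: it parses a classic libpcap file record by record and reports every frame and offset at which a given string or byte pattern occurs. The capture is constructed inline and, as a simplifying assumption, its frames carry only raw payload bytes instead of full Ethernet/IP/TCP headers; a byte search works the same way on real frames.

```python
import struct
from typing import Iterator

def iter_pcap_frames(data: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (frame_number, frame_bytes) from a classic libpcap capture (pcapng is not handled)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xA1B2C3D4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    offset, frame_no = 24, 0
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record: stop rather than search partial data
        offset += incl_len
        frame_no += 1
        yield frame_no, frame

def keyword_search(data: bytes, patterns: list[bytes]) -> list[tuple[int, int, bytes]]:
    """Return (frame_number, offset, pattern) for every occurrence of every pattern."""
    hits = []
    for frame_no, frame in iter_pcap_frames(data):
        for pat in patterns:
            start = 0
            while (pos := frame.find(pat, start)) != -1:
                hits.append((frame_no, pos, pat))
                start = pos + 1  # keep going so overlapping/repeated matches are not missed
    return hits

def build_sample_pcap(payloads: list[bytes]) -> bytes:
    """Constructed capture: 24-byte global header (link type 1) plus one record per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out

# Constructed sample data: an HTTP request, a frame holding a JPEG header, and an unrelated frame.
SAMPLE_PCAP = build_sample_pcap([
    b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"\x00\x01\xff\xd8\xff\xe0JFIF",
    b"nothing here",
])

if __name__ == "__main__":
    for frame_no, pos, pat in keyword_search(SAMPLE_PCAP, [b"Host:", b"\xff\xd8\xff"]):
        print(f"frame {frame_no} offset {pos}: {pat!r}")
```

Searching for the JPEG start-of-image bytes `ff d8 ff` alongside the string `Host:` shows the two kinds of pattern the keyword search accepts.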