NetSleuth is an open-source network forensics and analysis tool, designed for triage in incident response situations. It can identify and fingerprint network hosts and devices from pcap files captured from Ethernet or WiFi data (from tools like Kismet). It also includes a live mode that silently identifies hosts and devices without needing to send any packets or put the network adapters into promiscuous mode ("silent portscanning").
As the tool is new, the authors are keen to receive feedback and improve it for the forensic community.
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports, etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for offline analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
The tool's name is an acronym for "Forensic and Log Analysis GUI". It was written for the analysis of various log file types and of network traffic, but it can also be used for forensic analysis of disk images: it includes support for the Volatility framework (http://www2.opensourceforensics.org/node/15) and supports file carving to recover known file types.
pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort and Suricata. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.
The framework ships with about 300 tests grouped into 9 testing modules.
SMTPCAT will read a pcap file, attempt to identify all SMTP conversations, and print information about each of them in the following format:
a. [INDEX] (Sender IP) --> (SMTP Server IP)
b. [INDEX] (Sender e-mail) --> (Receiver e-mail) (Date)
c. [INDEX] (SUBJECT)
d. [INDEX] (AuthSMTP Passwd) <-- this line is output only with the -p option
This is a powerful command-line packet analyzer, distributed together with libpcap, a portable C/C++ library for network traffic capture.
In addition to capturing packets, it can read back a previously saved capture file. It is able to decode layer 2 through layer 4 protocols, and some higher-layer protocols as well. Decoded packets may be displayed in raw (hex) or ASCII form.
Perhaps its most powerful feature is its filtering language, the Berkeley Packet Filter (BPF).
tcpflow is a program that captures data transmitted as part of TCP connections (flows) and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
tcpreplay is a BSD-style licensed tool to replay saved tcpdump files at arbitrary speeds. It provides a variety of features for replaying traffic to both passive sniffer devices and inline devices such as routers, firewalls, and the newer class of inline IDSs.
Wireshark® is the world's most popular network protocol analyzer. It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology.
Xplico is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract all application data content from a network capture (a pcap file or a real-time acquisition). For example, Xplico is able to extract all emails carried by the POP and SMTP protocols and all content carried by the HTTP protocol from a pcap file.