NetGrab Ltd

NetSleuth is an opensource network forensics and analysis tool, designed for triage in incident response situations. It can identify and fingerprint network hosts and devices from pcap files captured from Ethernet or WiFi data (from tools like Kismet). It also includes a live mode, silently identifying hosts and devices without needing to send any packets or put the network adapters into promiscuous mode ("silent portscanning").

As a new tool, the authors are keen to receive feedback and improve the tool for the forensic community.

Network Miner

Erik Hjelmvik

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.


Michael Cohen

The tool is an acronym for "Forensic and Log Analysis GUI", written for analysis of various log file types and network traffic analysis but can also be used for forensic analysis of disk images includes support for the Volatility framework and supports file carving to recover known file types.


Sebastien Damaye

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort and Suricata. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 9 testing modules:


Amar Yousif

SMTPCAT will read a pcap file and attempt to identify all smtp conversations and print info about them in the following format:
a. [INDEX] (Sender IP) --> (SMTP Server IP)
b. [INDEX] (Sender e-mail) --> (Receiver e-mail) (Date)
d. [INDEX] (AuthSMTP Passwd) <-- this is outputted only with the –p option


Several - Collaborative

This is a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.
In addition to packet capture it can be used to read back a capture file. It is able to decode layer 2 through to layer 4 protocols, and some higher layer protocols as well. Decoded packets may be displayed in raw or ASCII.

Perhaps the most powerful feature is the inclusion of an extremely powerful filtering language called the "Berkley Packet Filter" BPF.


Jeremy Elson

tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis


Aaron Turner

tcpreplay is a BSD-style licensed tool to replay saved tcpdump files at arbitrary speeds. It provides a variety of features for replaying traffic for both passive sniffer devices as well as inline devices such as routers, firewalls, and the new class of inline IDS's.


Sarah Lowman

Webscavator is a visualisation suite for the analysis of internet history. It accepts CSV files from Net Analysis, Web Historian and may other browser log parsers, and produces images and graphs to display the data. Webscavator is web based, and is written in Python and Javascript.


Wireshark Team

Wireshark® is the world's most popular network protocol analyzer. It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology.


Gianluca Costa

The Xplico is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract from a network capture (pcap file or real-time acquisition) all application data content. For example, Xplico is able to extract all emails carried by the POP and SMTP protocols and all content carried by HTTP protocols from a pcap file.

Syndicate content