NetworkMiner 2.8 * NetworkHostTreeNode.cs: Nodes on the Hosts tab can now be filtered using string or regex matching! * TlsRecordPacket.cs: Fixed two bugs in JA3S signature, one when Server Hello has a Session ID length larger than zero and another when the server lists only one supported TLS version using the Supported Versions extension (#43). * IEC_104_PacketHandler.cs: Added support for file transfers over IEC-104. Added support for several additional IEC-104 commands. Better representation of IEC-104 commands on Parameters tab. Fixed bug when AsduInformationObjectCount is actually an element count. * FileStreamAssembly.cs: Added ability to differentiate between .EXE and .DLL * SocketSniffer.cs: Added exception handling of SocketException ErrorCode 10040 (WSAEMSGSIZE) Thanks to René Perraux for reporting the issue with VMware's Large Send Offload! * HttpPacketHandler.cs: Added CobaltStrike and Meterpreter URI chemsum8 verifier to indicate possible CobaltStrike/Meterpreter URIs like "/aaa9" in Host Details. * PacketHandler.cs: Improved meterpreter DLL extraction from TCP where final payload is delivered in the same TCP segment as follow-on C2 comms * NetworkMinerForm.cs: Added code to flush all TCP sessions to Sessions tab when all capture files have been loaded in order to also show sessions whose L7 protocol is still unknown. Thanks to Matt Smith for highliting this issue. * NetworkMinerForm.cs: More accurate error message shown when user fails to capture packets using raw sockets on a disconnected network interface. Thanks to Anand Kumar Singh for notifying about this issue! * NetworkMinerForm.cs: All SocketAdapters now get refreshed when the interface drop-down list is expanded in order to show if they are currently connected or not. * TcpPacket.cs: Allow TCP sessions to the same server to switch application layer protocol between HTTP 1.x and HTTP/2. * NamedPipeReader.cs: Replaced "Read from PacketCache" with generic "Read from Named Pipe". * NetworkMinerForm.cs: Added support for copying text from selected rows by pressing Ctrl+C or right-click "Copy selected rows" in Files, Messages, Credentials, Sessions, DNS, Parameters and Keywords tabs. A maximum of 10 rows can be copied at a time using the free version of NetworkMiner. * CapwapPacket.cs: Added decapsulation support for the CAPWAP protocol. * DnsPacket.cs: Better handling of DNS packet containing multiple query records * SocksPacket.cs: Improved parsing of traffic inside SOCKS tunnels * FtpPacket.cs: Improved parsing speed of FTP traffic * MacCollection.cs: Added support for oui36.csv database to identify NIC vendors from MAC. * PacketReceivedEventArgs.cs: Ensured captured timestamps are always in UTC. NetworkMiner 2.7.3 * TcpPortProtocolFinder.cs: Port 3000 and 8000 configured as be parsed as HTTP in order to support WEBrick traffic. Feature added thanks to RangeForce and @mttaggart. * NetworkHost.cs: Added lock to all code using ExtraDetailsList to avoid "collection modified" exceptions. * MeterpreterPacket.cs: Meterpreter payloads from common LPORT values for reverse_tcp like 4444 are now extracted to disk as DLL files. * LinuxCookedCapture2.cs: Added support for SLL2 / Linux cooked capture v2 frames. * TlsRecordPacket.cs: Fixed bug in JA3 Signature when client supports more than one EC point format. * TlsRecordPacketHandler.cs: Added botnet JA3 hashes from Abuse.ch * TlsRecordPacketHandler.cs: Added botnet SSL x509 cert hashes from Abuse.ch * DnsPacketHandler.cs: Extraction of DNSBL lookup info to Parameters tab and Host details * SmtpPacketHandler.cs: Improved extraction of SMTP credentials * TlsRecordPacket.cs: Faster parsing of TLS encrypted traffic * HttpPacketHandler.cs: Added support for HTTP CONNECT request method to parse proxied traffic. * NetworkMinerForm.cs: NetworkMiner's GUI no longer reloads between each PCAP file when multiple files are loaded at once. NetworkMiner 2.7.2 * FtpPacket.cs: Added support for additional FTP commands, such as AUTH. * EtlParser.cs: NetworkMiner now supports reading of ETL files created with "netsh trace start" and "pktmon start --capture"! This feature is only available in Windows though, since we're relying on Windows specific API calls for parsing ETL files. * Erspan.cs: Added support for ERSPAN. Thanks to Markus Schewe for the feature request! * NetworkMinerForm.cs: Parameters tab now has a context menu entry for "Submit value to CyberChef", which sends the parameter value to https://gchq.github.io/CyberChef/ NetworkMiner 2.7.1 * PacketHandler.cs: Fixed bug related to live sniffing. Thanks to Jeff Rivett for reporting the issue! NetworkMiner 2.7 * WinPCapWrapper.cs: Changed int pointers to 64 bit values in order to handle WinPcap and npcap drivers correctly. Thanks to Jeff Rivett for reporting the issue! * Smb2PacketHandler.cs: Added requested SMB2 filename info from SMB2 Create Requests and error messages from negative SMB2 responses to Parameters tab. * Smb2Packet.cs: Better extraction of SMB2 file transfers by extracting End-of-File values from Smb2CreateResponse. * LpdPacket.cs: Added support for Line Printer Daemon Protocol (RFC1179). Thanks to Hayo Brouwer (of Ricoh) for helping out with capture files! * NetworkTcpSession.cs: Modified TCP Keepalive handling to support protocols that transmit 1 byte TCP payloads containing a 0x00 byte (like LPD). * TcpPacket.cs: Changed GetSubPackets function to allow application layer packets with only one byte of L7 data to be returned. * SatoriTcpOsFingerprinter.cs: Improved performance by indexing fingerprints based on TCP flags. * HttpPacketHandler.cs: Generic extraction of files sent with HTTP POST, including WAP.MMS messages. More files are now extracted from HTTP POST uploads. * DnsPacket.cs: Added extraction of TXT records to DNS tab * DnsPacket.cs: Added extraction of SRV records to DNS tab * NetworkMinerForm.cs: Double-clicking on a file now opens up the file details window * ExtractedFileDetailsForm.cs: Added hex viewer to file details window * FileStreamAssembler.cs: The file extension is now identified based on the contents of the file's header (fewer "octet-stream" files, more ".exe" and ".zip" etc.) * NetworkMinerForm.cs: Added warning message when trying to open/run an executable file with right-click -> "Open file" * TlsRecordPacket.cs: Extraction of JA3S hashes from TLS Server Hello packets to Parameters tab and Host Details * PcapParser.cs: Added support for nanosecond PCAP files NetworkMiner 2.6 * KerberosPacketHandler.cs: Better extraction of Salt from Kerberos ERROR packets. * NtlmSspPacketHandler.cs: Added John-the-Ripper formated extraction of LanMan, NTLMv1 and NTLMv2 challenge/response hashes LanMan example: $LM$A9C604D244C4E99D NTLMv1 example: $NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233 NTLMv2 example: $NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000 - LM (hashcat "-m 3000") - NETNTLM (hashcat "-m 5500") - NETNTLMv2 (hashcat "-m 5600") * HttpPakcetHandler.cs: Improved extraction of json data sent in HTTP(2) POST requests. Now with support for Content-Encoding: gzip * Ethernet2Packet.cs: added support for Transparent Ethernet decapsulation for GRE tunnels * PcapParser.cs: Added support for Fritzbox captures (PCAP_MODIFIED_MAGIC = 0xa1b2cd34). Thanks to Jan Hesse for the feature request: https://twitter.com/clientjs/status/1255112064210743296 * MultiPart.cs: Improved parsing of quotes in email headers. Thanks to Mandy van Oosterhout for reporting the bug! * ImapPacketHandler.cs: Ignoring FETCH results for partial emails (from BODY.PEEK) except when email headers are sent. * MessageEventArgs.cs: Increased max Subject length from 50 to 100 characters * FtpPacket.cs: Support for Extended Passive Mode (EPSV) in FTP * SystemHelper.cs: Added workaround for bug introduced with Mono 6 that would otherwise prevent opening files, folders and websites in external tools under Linux/OSX. https://github.com/mono/mono/issues/17204 https://github.com/dotnet/runtime/issues/28005 https://github.com/dotnet/runtime/issues/23877 * PacketHandler.cs: ExtractMultipartFormData() was modified to save MIME multipart chunks to disk when the data is truncated in Parameters tab due to being too large (>250 bytes). * HttpPacketHandler.cs: The hostname is extracted from the HTTP header "Onion-Location" to show onion domains of hosts in the Hosts tab. * NetworkMinerForm.cs: The Messages tab filter now also performs keyword matching against attachment filenames. * SipPacketHandler.cs: SIP chat messages [RFC3428] are extracted to the "Messages" tab. Audio extraction of VoIP calls is still a feature that is exclusively available only in NetworkMiner Professional though. * HttpPacketHandler.cs and Http2PacketHandler.cs: The HTTP header "Accept-Language" and HTTP/2 header "accept-language" are extracted to the "Hosts" tab, under "Host Details". This supports forensic analysis of user language settings, as shown by Fox-IT here: https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf * HttpPacketHandler.cs: Improved extraction of Certificate Revocation List (CRL) files. * NetworkMinerForm.cs: Messages tab now uses the local environment's default newline characters to improve readability of reassembled emails. * ByteConverter.cs: Newline characters are now preserved when reading Quoted Printable encoded text with non-escaped newline characters. * MultipartPart.cs: Added RFC 822 "unfolding" to support multi-line header fields in emails, HTTP POSTs and other protocols using MIME encoded data. NetworkMiner 2.5 * NetworkCredential.cs: Improved extraction of username/password credentials from HTTP POST requests. * Added regex filtering to keyword search function in most tabs as a more powerful alternative to plain string matching. * Upgraded from .NET 4.6.1 to .NET 4.7.2 Requires Mono 5.4 (or later) in order to run in Linux or MacOS. You will otherwise get a System.TypeLoadException * Parsing of AAAA DNS records (IPv6 addresses) * Parsing of HTTP/2 when SSL/TLS isn't used (use PolarProxy to generate unencrypted HTTP/2) * Parsing of DNS-over-HTTPS (DoH) when SSL/TLS isn't used * DnsPacketHandler.cs: Support for DNS packets over TCP * Improved NetBIOS Name Service (nbns) parsing. Details are extracted to the "Parameters" tab. Thanks to @CRaiterCBus for the idea: https://twitter.com/CRaiterCBus/status/1143963147491037186 * Name-value parameters from JSON formatted HTTP POST requests (Content-Type: application/json) are extracted to the "Parameters" tab and potential credentials are shown on the "Credentials" tab. * TlsRecordPacket.cs: Added JA3 support. Client JAR3 hashes are shown in the parameters tab an in Hosts Details. * SmbPacket.cs: Improved parsing of non-unicode "Native OS" strings from SetupAndXResponse messages. * KerberosPacketHandler.cs: Extraction of Kerberos hashes from network traffic. The hashes are shown on the "Credentials" tab in John/hashcat format. John-the-ripper users must use the "jumbo" version to avoid getting this error message: "No password hashes loaded (see FAQ)" Supported Kerberos message types include: - krb5pa (hashcat "-m 7500") - krb5tgs (hashcat "-m 13100") - krb5asrep (hashcat "-m 18200") * KeywordFilterControl.cs: Email body and header search is restored again after having been broken in version 2.4. * CifsBrowserPacket.cs: Added parser for CIFS Browser Protocol (aka MS-BRWS) in order to extract hostnames, windows versions and uptime. Thanks to @dan_gunter for the idea! * Email.cs: Fixed bug/crash due to invalid filename being specified in Content-Type MIME header. Thanks to @chrissistrunk for reporting the issue! * TcpPortProtocolFinder.cs: Added support for changes in application layer protocol within a TCP session. This enables STARTTLS commands in FTP, IMAP and SMTP to activate the SSL/TLS parser. * ImapPacketHandler.cs: Improved extraction of emails from "FETCH" commands for multiple emails and email header downloads with "UID FLAGS BODY[HEADER]". * MessageEventArgs.cs: Added size column to "Messages" tab NetworkMiner 2.4 * Smb2PacketHandler.cs: Mixed up Source and Destination hosts for SMB reads and writes are corrected. * MacAges.cs: Added support to lookup the age of a MAC address thanks to HD Moore! https://twitter.com/hdmoore/status/1046563911972130819 * NetBiosSessionService.cs: Added detection for EternalBlue exploit attempts where srvnet.sys is triggered to allocate a "large" nonpaged pool. Example PCAP files can be found here: https://www.malware-traffic-analysis.net/2018/10/04/index.html https://www.malware-traffic-analysis.net/2018/08/17/index.html https://packettotal.com/app/analysis?id=c8850b1fe07572c82c6fac5db5aae0c9&name=community_tags https://packettotal.com/app/analysis?id=8d2fdb7698c27e32e88bde809c89216f * SatoriTcpOsFingerprinter.cs: Added OS fingerprint signatures for Industrial control System (ICS) devices, like Siemens S7, ABB 800xA and Moxa. Some ICS vendors even got a logo as icon in the Hosts tab, others got a yellow hard hat. * KerberosPacket.cs: Implemented support for Kerberos v5 in order to extract usernames, hostnames and realms (domains) from unencrypted Kerberos requests/responses on port 88 as well as inside HTTP auth headers and SMB security blobs. * TcpPortProtocolFinder.cs: Added TCP 11371 as a port for HTTP in order to extract GPG keys sent over the HKP protocol. Thanks to Jonas Lejon for the idea. * DnsRecordEventArgs.cs: Added support for parsing DNS queries/responses sent over IPv6 * Email.cs: Added support for "Format=Flowed" attributes in emails (RFC 2646) and better handling of non-standard line feeds to make plaintext emails more readable. * MultipartPart.cs and Email.cs: Unicode MIME data is converted to ASCII, when running NetworkMiner using Mono (typically in Linux), in order to avoid a crash caused by Mono's GDIPlus implementation. Thanks to Phil Hagen for notifying us about the crash. * NetworkMinerForm.cs: Improved Drag-and-Drop operations to work more reliably also in Linux, when running NeworkMiner with Mono. Previous versions would throw a NullReferenceException in System.Windows.Forms.X11Dnd+TextConverter.SetData. * NetworkMinerForm.cs: Added links between hosts with the same MAC address in the network host tree view. This feature is useful to link a host's IPv6 and IPv4 IPs with eachother. Expand the MAC address node to see the links. Thanks to Chris Sistrunk for the initial idea! NetworkMiner 2.3.2 * Email.cs: Emails without a body (but maybe an attachment) are now also extracted to the Messages tab. * NetworkMinerForm.cs: More debug output written when starting NetworkMiner with the --debug, --eventlog or --filelog argument. NetworkMiner 2.3.1 * NetworkTcpSession.cs: Fixed ToString() NullReferenceException bug when expanding Incoming or Outgoing sessions in the Hosts tab. Thanks to tokyoneon for reporting this bug! * TlsRecordPacketHandler.cs: Added support for reading handshakes (typically X.509 certificates) that are fragmented into multiple TLS records. Thanks to Peter Wu for reporting this bug! * NetworkMinerForm.cs: Setting a text size larger than 100% in Windows 7 previously yielded a bad layout of the GUI. This bug has been resolved in this version. Thanks to Chris Sistrunk for reporting it! NetworkMiner 2.3 * NetworkMinerForm.cs: Added detected keywords count to the Keywords tab. Thanks to Mats Karlsson for the feature suggestion! * NetworkMinerForm.cS: NetworkMiner now prevents reloading of files in the current case while it is busy parsing a PCAP file. Thanks to Mats Karlsson for the feature suggestion! * NetworkMinerForm.cs: The keyword list has been resized to always fit the window and the [Del] key can be used to remove marked keywords. Thanks to Michael Nilsson for reporting this bug and suggesting the new feature. * NetworkMinerForm.cs: Added drag-and-drop ability to case files section, so that a PCAP file opened with NetworkMiner can be opened with another application or copied to a folder simply by dragging and dropping from the case panel. * FileSegmentAssembler.cs: Added ability to reassemble files when all data has been received, but the file handle isn't being closed. This applies in particular to SMB and SMB2 read and writes, such as these ones: https://401trg.pw/an-introduction-to-smb-for-network-security-analysts/ * TlsPacketHandler.cs: Supported SSL/TLS versions and ALPN's are now extracted from the SSL handshake records and presented on the Parameters tab. * TlsRecordPacket.cs: Fixed bug regarding Session ID's in Client Hello messages. Thanks to Ahmad Nawawi for discovering this bug! * HttpPacket.cs: Added support for multiple Set-Cookie headers in HTTP a response. * SmtpPacketHandler.cs: Improved extraction of emails to Messages tab. * IEC_60870_5_104Packet.cs: Fixed year parsing bug in IEC-104 protocol. Years that can be represented now ranges from 2000 to 2099. Wireshark uses 1970 to 2069. Thanks to Sigurd Mytting for finding and reporting this bug! * ByteConverter.cs: Strings are no longer automatically terminated on null bytes unless they are explicitly defined as null terminated strings. * ModbusTcpPacket.cs: Added parser for Diagnostic option codes. * SipPacket.cs: Added extraction of call details (From, To and Call-ID) to the Parameters tab. The Pro version of NetworkMiner additionally extracts the audio. * SnmpPacket.cs: SNMP packets are parsed in order to extract the community string from SNMPv1 and SNMPv2c packets. The community strings are show on the Parameters and Credentials tabs. Thanks to Chris Sistrunk for suggesting this feature! * IPv4Packet: IPv4 packets with broken IP headers are now ignored by NetworkMiner. Thanks to Doug Green for discovering and reporting this bug! * GuiProperties.cs: Default timezone is now set to UTC rather than the local zone. NetworkMiner 2.2 * Upgraded to .NET framework 4.0! Requires the newer .NET framework in Windows or Mono runtime 4.* in Linux/macOS. * GuiProperties.cs: All timestamps are shown in the "yyyy-MM-dd HH:mm:ss" format with time zone explicitly stated. * NetworkMinerForm.cs: Added Pokemon Exception Handling to all DoDragDrop calls. * NetworkMinerForm.cs: Fixed the count in the credential tab when checkboxes like "Mask password" are used. Thanks to Sebastian Gebhard for reporting thus bug at Troopers '17. * NetworkMinerForm.cs: Removed Invoke calls to GUI thread in order to speed up parsing when there are many GUI updates. * NetworkMinerForm.cs: Changed to using AddRange when updating GUI to display more items faster, especially in Linux. * SatoriTcpOsFingerprinter.cs: Improved TCP handshake OS fingerprint speed. * OpenFlowPacket.cs: Fixed alignment for frames encapsulated in OpenFlow 1.2/1.3 PacketIn commands. Thanks to Jeff Carrell for providing a pcapng file that could be used to debug this issue. * SmbPacket.cs: Improved parsing of chained SimpleAndProtectedGssapiNegotiation (SPNEGO) tokens in SMB1 and SMB2, such as NTLM SSP usernames. * NtlmSspPacketHandler.cs: Domain name is now displayed in Credetials tab for SMB authentication attempts. * Logger.cs: Added optional debug logging with command line arguments: --debug Logs to standard out --eventlog Logs to Application EventLog --filelog Logs to text file in IsolatedStorage * TftpPacket.cs: Added frame length check to ReadNullTerminatedString. Thanks to Clint Page for reporting this bug and suggesting a fix! * KeywordFilterControl.cs: The search function in Messages tab now searches all email header fields as well as the email body for the keyword provided in the filter field. Thanks to Marc Lindke for suggesting this feature at Troopers '17! * KeywordFilterControl.cs: Drop-down list added so user can select a specific column to match on unless all columns should be searched (default). * ReceivePcapOverTcpForm.cs: Added functionality to receive PCAP-over-IP by connecting to a remote netcat listener. Thanks to Niclas Hirschfeld for suggsting this feature at Troopers '17! * UpdateCheck.cs: Added update check to see if there is a new version of NetworkMiner available for download. The update check can be disabled by adding a --noupdatecheck switch to the command line when starting NetworkMiner. NetworkMiner 2.1.2 * PacketHandler.cs: Made OnCredentialDetected private to ensure that all credential detected calls are made to the AddCredential so that they can be filtered in the GUI. * FileStreamAssembler.cs: Partial downloads are saved in case they are downloaded using a range request, so that multiple individual parts can be put back together later on. * ExtractedFileDetailsForm.cs: Adjusted column width in file details window. NetworkMiner 2.1.1 2017-01-19 * networkminericon.ico: Higher resolution icon (256x256). * HttpPacket.cs: Added UTF-8 decoding of filenames in Content-Disposition header in accordance with RFC 6266 and RFC 5987. * HttpPacket.cs: Added support for multiple whitespace characters separating HTTP header names from values. * FileStreamAssemblerList.cs: Added queueing of HTTP 1.1 requests when there are multiple requests sent before a reply is received. * PacketHandler.cs: Support for assembling of HTTP GET file streams not ending at a TCP packet boundary. * NetworkMinerForm.cs: Changed order of columns in Files tab. NetworkMiner 2.1 2017-01-02 * Smb2Packet.cs: Added support for SMB2 Find searches with "NameInfo" format. Thanks to Dietrich Hasselhorn for finding this bug. * FileStreamAssembler.cs: Added fix to avoid long filenames (Windows only supports paths up to 248 characters) when the filename is derived from the Content-Disposition header sent by the web server. Thanks for Christian Reusch and Jasper Bongertz for finding and reporting this bug! * PacketHandler.cs: Extracted files are now timestomped so that the last write time of the file will be the timestamp in the PCAP when it was transfered. Thanks to Dietrich Hasselhorn for recommending this feature. * NetworkMinerForm.cs: No longer crashes if a non-existing PCAP file is provided as a command line argument. * PacketHandler.cs: Pop-up window is shown with warning if user does not have write permissions to the AssembledFiles directory (common problem if NetworkMiner is placed in the "C:\Program Files" directory). * NetworkMinerForm.cs: Support for reading packets from a local PacketCache service. For more information about PacketCache, please visit http://packetcache.com * NetworkMinerForm.cs: Files and images are no longer moved as a result of a drag- and-drop operation. Default action is always to copy the file to the target location. * NetworkMinerForm.cs: Images can be opened through double-clicking and the zoom level of images in the Images tab can be changed. * NetworkMinerForm.cs: Images can now be opened in their default viewer by double- clicking them. * VxlanPacket.cs: Added support for VXLAN decapsulation. * OpenFlowPacket.cs : Added support for OpenFlow decapsulation. * NetworkMinerForm.cs: HostDetails in Hosts tab now shows VLAN ID. * IcmpPacket.cs: Added simple ICMP parser * PartialFileAssembler.cs: Added support for HTTP "206 Partial Content" a.k.a "Range Requests" or "Byte Serving", so that partial downloads can be reassebled. * FileDetailsForm.cs: MD5 / SHA1 / SHA256 hashes can be calculated via the context menu in the "Files" tab (right-click an extracted file to get the menu). * SmbPacket.cs: A remake of the SMB handling in order to parse pipelined/chained AndX requests/responses. Thanks to Eddi Blenkers for highlighting their existance! * TlsRecordPacket.cs: Extraction of TLS host name extension, formally known as Server Name Indication (SNI) in RFC 6066. * TlsRecordPacketHandler.cs: Details from X.509 certificates are extracted to the Parameters tab, including certificate subject, issuer, hash and validity period. * SocksPacket.cs: Support for decapsulation of the SOCKS protocol. Can even be used to analyze Tor SOCKS proxy traffic to/from localhost TCP 9150. * Pop3Packet.cs: Added extraction of emails and attachments from unencrypted POP3 traffic. * SmtpPacket.cs: Improved SMTP email extraction engine. Also added support for extraction of X.509 certificate when STARTTLS is used. * ImapPacket.cs: Implemented IMAP parser to extract credentials, emails and attachments from IMAP traffic. Also support for X.509 certificate extraction when STARTTLS is used. * FtpPacketHandler.cs: Support for X.509 certificate extraction when doing AUTH TLS, i.e. Explicit TLS or Explicit SSL. NetworkMiner 2.0 2016-02-09 * HttpPacketHandler.cs: The ".octet-stream" or "x-msdos-program" extensions are no longer appended to ".exe" files downloaded over HTTP (warning for those doing live malware analysis on Windows machines). * NetworkMinerForm.cs: GUI flickering is heavily reduced when loading PCAP files or doing live sniffing. This also improves the performance slightly. * NetworkMinerForm.cs: SMTP attachments are now showed in the Messages tab. * NetworkTcpSession.cs: Improved ability to handle truncated TCP sessions where the initial part is missing and there are TCP Keep-Alive packets. Thanks to Shchemelev Dmitry for reporting this bug. * SmtpPacketHandler.cs: Added support for extracting multiple SMTP sessions from a single TCP session. This feature is important in order to extract emails sent through a SPAM-run. Thanks to Andrew Brant (@threatresearch) for reporting this bug. * SmtpPacketHandler.cs: Improved extraction of SMTP user names sent directly with AUTH command like: "AUTH LOGIN aGVqaG9wcEBpbnRlcm5ldC5zZQ==". * SmtpPacketHandler.cs: All emails are extracted in raw format (with SMTP headers intact) to an .eml file. * NetworkMinerForm.cs: Removed tabControl1_MouseDown handler to avoid unwanted drag-and-drop operations. * IEC-104_PacketHandler.cs: Added ASDU Type ID 36 to IEC 60870-5-104 handler. * NetworkMinerAboutBox.cs: Added EULA text to about box. * PacketHandler.cs: Added OS fingerprinting of Android * PacketHandler.cs: Separated "Apple iOS" fingerprints from "Mac OS" * FtpPacket.cs: Added "OPTS" as a supported FTP command and proper parsing of multi-line replies. * NetworkMinerForm.cs: Added all-words.txt as default wordlist for Cleartext tab. * NetworkMinerForm.cs: Added extraction of favicon images from HTTP. * NetworkMinerForm.cs: Added alternative encodings for displaying messages in NetworkMiner's "Messages" tab. * KeywordFilterControl.cs: Added "Keyword filter" to the following tabs: - Files - Parameters - DNS - Messages - Sessions The keyword filter allows rows to be filtered based on a keyword. The entered keyword is matched against all text in all columns of the tab. This new feature has been requested by many users in the past, so it's great to finally have it implemented! * HttpPacketHandler.cs: Previously assembled data sent in an HTTP session is now flushed out to disk when a new file assembler is created for Multipart MIME HTTP POSTs. Thanks to Shchemelev Dmitry for finding this bug. * PacketParser.Mime.UnbufferedReader.cs: Default encoding is now assumed to be UTF8 when parsing binary data as strings. This is useful for example when files sent with HTTP POST have unicode file names and the browser encodes the filename parameter value with UTF8. Thanks to @xredumb for finding and reporting this bug! * NetworkTcpSession.cs: Increased allowed level of "out-of-order" for packets. Every uni-directional stream now allows packets to be 256 frames "late" within a TcpDataStream. * ModbusTcpPakcet.cs: Added support for Modbus/TCP protocol, as requested by attendees at the 4SICS 2014 conference (4sics.se). * FileStreamAssembler.cs: Changed path of reassembled files from: "AssembledFiles/HTTP - TCP 80//" into: "AssembledFiles/TCP-80//" * HttpPacketHandler.cs: Added HTTP request methods and URI's to Parameters tab as well ass HTTP response status codes and headers * NetBiosSessionService.cs: Defaulting to RAW transport type for NetBIOS when source or destination port is 445. Allows for larger NetBIOS messages. * Smb2Packet.cs: Added parser for SMB2 protocol. * FtpPacketHandler.cs: Uploaded files are now reassembled under the FTP server host's folder. * DnsPacket.cs: Bug in parsing of DNS answer records when the record contains the queried domain name instead of am relative offset to the query-record. Thanks to Ulf Skoglund of FM CERT fame for reporting this bug! * NetBiosSessionService: Even more command types are now supported, thanks to feedback from Eric Kollmann. NetworkMiner 1.6.1 2014-06-24 * ReceivePcapOverTcpForm.cs: Removed call to Application.DoEvents() to make PCAP-over-IP feature more reliable. * NetworkMinerForm.cs: Removed calls to Application.DoEvents(). NetworkMiner 1.6 2014-06-16 * DnsPacket.cs: Added error handling of recursive DNS Name Labels that contains a forever-loop pointer. Thanks to Dan Eriksson (of FM CERT fame) for notifying us about this bug! * NetworkMinerForm.cs: Removed sniffing capability from GUI when running NetworkMiner under Mono (in Linux for example). Users should instead use the PCAP-over-IP feature to perform live sniffing in Linux, OSX etc. * NetworkMienrForm.cs: Files and images can now be drag-and-dropped to any desired application or location directly from the "Files" and "Images" tabs in the GUI. * SmtpPacketHandler.cs: Improved extraction of SMTP e-mails and attachments * Rfc2047Parser.cs: Added simple parser for RFC 2047 encoding in order to properly parse strings in SMTP headers, such as subject lines and attachment filenames. * PcapFileWriter.cs: Increased file buffer size to 8MB for improved performance * PacketHandler.cs: Increase packet queue size to 16000 packets for live sniffing * NetworkHost.cs: Fixed OS fingerprinting mixup where Apple iOS was confused with Cisco IOS. * DnsPacket.cs: Added DNS response error messages like NXDOMAIN and SERVFAIL to DNS tab. Thanks to Lenny Hansson for the idea! * PcapOverIP: Moved PCAP-over-IP implementation from the Professional edition of NetworkMiner into the Free Open Source version. * PcapStreamReader.cs: Improved performance of backgroundStreamReader by making sleep durations adaptive. This has significant impact on computers and VM's with limited CPU resources. NetworkMiner 1.5 2013-09-10 Erik Hjelmvik * ErfFrame.cs: Added support to parse pcap files containing Extensible Record Format (ERF) frames. * PointToPointOverEthernetPacket.cs: Added PPPoE protocol parser. * PointToPointPacket.cs: Improved PPP parser to support non-HDLC type PPP packets. Example: "AOLTraffic_00000_20071029163901.pcap" from pcapr.net * NetworkMinerForm.cs: Added feature to load keywords from text file. * FileStreamAssembler.cs: Fixed directory traversal vulnerability. Thanks to Alyssa Milburn for discovering and notifying us regarding this vulnerability! * FileStreamAssembler.cs: Improved exception handling, especially for SMTP Thanks to Jonas Lejon for supplying captured packets that triggered the exception! * NetworkWrapper.Utils.Security.cs: Added detection of DLL Injection. Thanks to Ucha Gobejishvili for reporting this vulnerability! * NetworkMinerForm.cs: Fixed NullReferenceException when masking credentials with null values. Thanks to Claus Valca for finding this bug. * UdpPortProtocolFinder.cs: Added parsing of LLMNR DNS queries over UDP 5355 NetworkMiner 1.4.1 2012-08-29 Erik Hjelmvik * PacketHandler.cs: Now allowing large "virtual" frames for reassembled TCP streams. * IEC-104_PacketHandler.cs: Fixed confusion about what TCP endpoint a command is sent from when server and client have the same IP. NetworkMiner 1.4 2012-08-12 Erik Hjelmvik * DhcpPacketHandler.cs: DHCP option data is now extracted to the parameters tab. Thanks to Paul Cockayne for the idea. * IPv4Packet.cs: Fragmented IPv4 packets are now properly reassembled to full IP packets with payload. * IEC_60870-5-104Packet.cs: Implemented the SCADA protocol IEC 60870-5-104. Thanks to Aivar Liimets from Martem for his great support on this one! * PacketHandler.cs: Added proper timestamps to detected anomaly events and improved ARP poisoning reporting to anomalies tab. * NetworkMinerForm.cs: Verification of file extention is completely removed. Files with any extention can now be loaded, as long as they are valid libpcap files. * NetworkMinerForm.cs: Added "Clear GUI" button to Tools menu. * NetworkMinerForm.cs: Added option to show/hide cookies, NTLM challenge- responses as well as the ability to mask passwords in credentials tab. NetworkMiner 1.3 2012-04-12 Erik Hjelmvik * NullLoopbackPacket.cs: Added support for the Null / Loopback link layer packets used when sniffing localhost on BSD operating systems. * NetworkTcpSession.cs: Modified getter for FinPacketReceived to solve the bug found by TCB13. * HttpPacket.cs: Added extraction of usernames from Digest Authorization such as those found in web_recon.pcap in: http://uscc.cyberquests.org/february2012.php * HttpPacketHandler.cs: Added HTTP headers to Parameters tab. * HttpPacketHandler.cs: Added HTTP X headers, such as x-up-calling-line-id and HTTP_X_UP_CALLING_LINE_ID, to host details under ExtraDetails. * NetworkMinerForm.cs: Added support to load .raw files as pcap files, such as those generated from Sguil. Thanks to Doug Burks for the idea! * NetworkMinerForm.cs: Disabled nag-dialogue-box about WinPcap not being installed on startup since NetworkMiner is primarily designed to be a pcap parser rather than a sniffer. * StringManglerUtil.cs: Added support to handle null strings in GetExtension function. * MultiPart.cs: Added exception handler to ReadHeaderAttributes function to avoid exceptions from negative length Substring calls. * NetworkMinerForm.cs: Added the option of selecting a different cleartext database file in the "Cleartext" tab. This feature can be used in order to for example look for text in a specific language. * IPv4Packet.cs: Error handling of IP packets with fragment offset > 0. Thanks to Aivar Liimets for finding this bug. NetworkMiner 1.2 2011-11-19 Erik Hjelmvik * Updated directory separators to be platform independent. This means that NetworkMiner can now be run on Linux, Mac etc. with Mono: http://www.mono-project.com/ * PcapStreamReader.cs: Updated exception handling to cope more nicely with end-of-stream issues, such as PCAP files cut in the middle of a frame. Thanks to James Lay for identifying this bug. * SmtpPacketHandler.cs: Added exception handler to fileData.AddRange() call * PartBuilder.cs: Added support for extracting data from non-multipart data * HttpPacketHandler.cs: Added support for extracting emails from AOL webmail as in here: http://forensicscontest.com/2011/10/11/puzzle-10-the-l33t-pill * GrePacket.cs: Added GRE protocol implementation. * PacketHandler.cs: Added code to extract messages from unencrypted SquirrelMail webmail, comments on Wordpress and comments on Blogspot. * NetworkCredential.cs: Unencrypted login credentials to SquirrelMail webmail are now extracted to the credentials tab. * HttpPacketHandler.cs: Updated "Details" column in "Files" tab to display [http.host][http.request.uri] insted of just [http.request.uri]. NetworkMiner 1.1 2011-09-15 Erik Hjelmvik * NetworkMinerForm.cs: Fixed so that one or multiple pcap files can be loaded on startup by drag-n-droping them onto NetworkMiner.exe. Same thing goes for when providing pcap files as command line arguments. * PacketHandler.cs: - Fixed concurrency issues by locking the correct queue object. Thanks to psteier for being first to find and solve this bug! - Added new PacketHandler for NetBiosSessionService * PointToPointPacket.cs: Added support for PPP frames in pcap files, such as this one: http://www.pcapr.net/view/tyson.key/2009/8/2/13/Social_Networks_and_RSS_00005_20090929212859.html * SmbCommandPacketHander.cs: Added FileID to assembler's ExtendedFileId in order to support multiple simultaneous SMB file transfers over the same TCP session. Thanks to I S for reporting this bug! * NetBiosSessionService.cs: Implemented interface ISessionPacket and added support for the NetBios Session Service session keep-alive message * WinPCapNative.cs: Changed CallingConvention to Cdecl * PcapFileReader.cs: Added a more generic base class "PcapStreamReader" that PcapFileReader extends to parse a FileStream rather than an IO-stream. * HttpPacketHandler.cs: Added support to extract data submitted to Google Analytics into "Host Details". This includes attributes like: - Screen resolution - Color depth - Browser language - Flash version NetworkMiner 1.0 2011-02-05 Erik Hjelmvik * FileStreamAssembler.cs: Implemented support to avoid reserved file and folder names such as COM2, LPT1 and CON for files extracted to disk. * SmtpPacket.cs: Extended the protocol parser to handle multiple requests and responses in a single SMTP packet. * TlsRecordPacketHandler.cs: Improved parsing of SSL/TLS traffic to use the underlying TCP stream properly in order to handle TLS record breakes on non-even TCP packet boundaries. * TcpPortProtocolFinder.cs: Added more default TCP service ports: 8021=FTP, 5223+8170+8443+9001+9030=SSL * Converted Visual Studio project to Visual C# 2010 format, .NET framework is still let back in 2.0 so that NetworkMiner will be able to run on as many machines as possible. * Improved TCP reassembly to support out-of-order TCP segments that are paritally overlapping. * NetworkTcpSession.cs: Modiefied FinPacketReceived to require a FIN in each direction in order for the session to be closed. * FtpPacketHandler.cs: File sizes are extracted from the FTP control session and stored to the file stream assembler object for better file size precision. * PacketFactory.cs: Added support for Per-Packet Information header (WTAP_ENCAP_PPI) as used by Kismet and sometimes Wireshark WiFi sniffing. * PacketHandler.cs: Added extraction of Facebook as well as Twitter messages into the message tab. Added support to extract emails sent with Microsoft Hotmail (I.e. Windows Live) into Messages tab. * NetworkCredential.cs: - Added extraction of twitter passwords from when settings are changed. Facebook user account names are also extracted (but not Facebook passwords). - Added extraction of gmailchat parameter from cookies in order to identify users through their Google account logins. * MacCollection.cs: Fixed bug with incorrect NIC vendor extraction. Also added support for the original IEEE OUI file format as used in: http://standards.ieee.org/regauth/oui/oui.txt * SyslogPacket.cs: Added protocol parser for Syslog. Syslog messages are displayed on the Parameter tab. NetworkMiner 0.92 2010-05-27 Erik Hjelmvik * ChangeLog: Added this ChangeLog file to the project. I also added some info about the previous two releases. * NetworkMinerForm.cs: Added Extension column to files list * NetworkCredential.cs: Added support to extract login credentials from the AfterLogic AJAX based webmail service. * NetworkTcpSession.cs: Improved server detection when the TCP 3-way handshake is missing in a TCP session by looking at TCP port numbers for known protocols. NetworkMiner 0.91 2009-11-22 Erik Hjelmvik * SmtpPacketHandler.cs: Fixed bug where full TCP content length was returned instead of 0 when other protocols than SMTP were parsed. This caused NetworkMiner to fail when reassembling layer 7 protocol headers that were segmented in multiple TCP packets. * PacketHandler.cs: Added ability to extract messages from web-based e-mail and chat services, such as Gmail, Gmail chat, Yahoo e-mail, MS Exchange webmail NetworkMiner 0.90 2009-11-09 Erik Hjelmvik * SmtpPacket.cs: Added SMTP parser. The main reason was to compete in the Network Forensics Puzzle Contest at http://forensicscontest.com/ * NetworkMinerForm.cs: Added the "Messages" tab in the GUI. Emails and chat messages are displayed on this tab.