If you have captured a Wireshark session, or for some reason have a .pcap file, and now, what to do? of course you can analyze it using the Wireshark environment and features, but wanna try something new? one of the options is a tool called NetworkMiner, which can extract some interesting data.
Why I should use another tool to analyze the data? well, if you are tired or want some abstraction over the Wireshark environment, NetworkMiner can help. But what is NetworkMiner indeed? as stated in the official website:
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
The tool has two versions, free and paid, the video below show an example of a capture done using Wireshark being analyzed by NetworkMiner Free version, seeing some of the files captured, like .css, scripts, certificates and images, as well ass some HTTP parameters like 'refer', 'user-agent' with information about the browser, DNS queries and so on:
About the versions
- Wireshark 1.12.6
- NetworkMiner 126.96.36.199
- FireFox 38.0.1