
How to Install NetworkMiner in Linux
This guide shows how to install the latest version of NetworkMiner in Linux. To install an older NetworkMiner release, prior to version 3.0, please see our legacy NetworkMiner in Linux guide.
STEP 1: Install Mono and GTK2
Mono is an open source, cross-platform implementation of the .NET framework; it[...]

Online Network Forensics Training
I will teach a live online class next month. The subject for the class is Network Forensics for Incident Response. The training is split into four interactive 4-hour sessions, so that you have the rest of the work-day free to either practice what you learned in class or catch up

NetworkMiner 3.0 Released
I am very proud to announce the release of NetworkMiner 3.0 today! This version brings several new protocols as well as user interface improvements to NetworkMiner. We have also made significant changes under the hood, such as altering the default location to where NetworkMiner extracts files from n[...]

How to set PCAP as default save file format in Wireshark
Did you know that there is a setting in Wireshark for changing the default save file format from pcapng to pcap? In Wireshark, click Edit, Preferences. Then select Advanced and look for the capture.pcap_ng setting. Change the value to FALSE if you want Wireshark to save packets in the pcap
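The same preference can be set without opening the GUI, which is handy on capture boxes that are only reached over SSH. The script below is an added example (not from the post and not Wireshark's own code); it assumes the per-user preferences file Wireshark writes on Linux, `~/.config/wireshark/preferences`, with one `name: value` per line and preferences still at their default written commented out as `#name: value`. The sample file content is constructed.

```python
"""Set Wireshark's capture.pcap_ng preference by editing the preferences file.

Added example, not code from the post or from Wireshark. Assumed file format:
one "name: value" per line, defaults written commented out as "#name: value".
"""
import os
from pathlib import Path

PREFS_PATH = Path(os.path.expanduser("~/.config/wireshark/preferences"))  # assumed location
PCAPNG_PREF = "capture.pcap_ng"


def _is_pref_line(line: str, name: str) -> bool:
    """True for an active ("name: v") or commented-out ("#name: v") line for `name`."""
    body = line.strip().lstrip("#").lstrip()
    return body.startswith(name) and body[len(name):].lstrip().startswith(":")


def set_preference(text: str, name: str, value: str) -> str:
    """Return `text` with `name` set to `value`.

    Replaces the first active or commented-out line for the preference, drops
    any further copies, and appends a new line when it does not occur at all.
    """
    new_line = f"{name}: {value}"
    out, replaced = [], False
    for line in text.splitlines():
        if _is_pref_line(line, name):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def get_preference(text: str, name: str):
    """Return (value, active) for `name`, or None if the file never mentions it.

    `active` is False when the only line for it is commented out, i.e. the
    preference is still at Wireshark's built-in default.
    """
    for line in text.splitlines():
        if _is_pref_line(line, name):
            stripped = line.strip()
            active = not stripped.startswith("#")
            value = stripped.lstrip("#").split(":", 1)[1].strip()
            return value, active
    return None


def save_as_pcap_by_default(path: Path = PREFS_PATH) -> str:
    """Rewrite the preferences file so Wireshark saves .pcap instead of .pcapng."""
    text = path.read_text() if path.exists() else ""
    new_text = set_preference(text, PCAPNG_PREF, "FALSE")
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(new_text)
    return new_text


# Constructed sample of a preferences file with capture.pcap_ng still at its default.
SAMPLE_PREFS = """# Configuration file for Wireshark (constructed sample, not a real file).
#capture.pcap_ng: TRUE
gui.recent_files_count_max: 10
"""

if __name__ == "__main__":
    print(set_preference(SAMPLE_PREFS, PCAPNG_PREF, "FALSE"), end="")
```

Run it while Wireshark is closed, since Wireshark rewrites the preferences file on exit and would overwrite the edit. For one-off captures from the command line, `tshark -F pcap -w out.pcap` picks the output format per run without touching the preferences at all.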

PolarProxy 1.0.1 Released
The new release of PolarProxy generates JA4 fingerprints and lets rulesets match on specific decryption errors, for example to fail open when the TLS traffic cannot be decrypted and inspected.
JA4 Fingerprints
JA4 fingerprints provide several improvements over their JA3 predecessor. One[...]

Blocking Malicious sites with a TLS Firewall
Over 90 percent of all web traffic is encrypted nowadays, which is great of course. However, as HTTP and DNS traffic gets encrypted, defenders have a more difficult time blocking malicious network traffic. One solution to this problem is to use a TLS firewall, which effectively blocks encrypted conn[...]
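The one field a TLS firewall can still read in a modern handshake is the server_name (SNI) extension of the ClientHello, which is sent before any encryption starts. The code below is an added example (not from the post and not PolarProxy's code) that pulls the SNI out of a raw ClientHello record and turns it into an allow/block verdict against a blocklist; the blocklist, the constructed ClientHello builder and the fail-closed policy for hellos without SNI are all assumptions made for this example. Encrypted ClientHello (ECH) would hide the SNI, so a deployment must decide what to do with such connections.

```python
"""Extract the SNI from a TLS ClientHello and apply a blocklist verdict.

Added example, not PolarProxy's or the post's code. The blocklist, the
minimal ClientHello builder and the fail-closed default are assumptions.
"""
import struct

BLOCKLIST = {"malicious.example", "evil.example"}   # constructed blocklist

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def extract_sni(record: bytes):
    """Return host_name from the server_name extension of a ClientHello record,
    or None if the bytes are not a ClientHello or carry no SNI."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # legacy_session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # compression_methods
    if len(body) < pos + 2:
        return None                                # no extensions block at all
    ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(edata) >= 5:
            name_type = edata[2]                   # 0 = host_name
            name_len = struct.unpack(">H", edata[3:5])[0]
            if name_type == 0 and len(edata) >= 5 + name_len:
                return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def verdict(record: bytes, blocklist=BLOCKLIST, no_sni_action="block") -> str:
    """Decide allow/block from the ClientHello. The SNI and each parent domain
    are matched against the blocklist; a hello without SNI gets no_sni_action
    (fail-closed here, which is a policy choice for this example)."""
    sni = extract_sni(record)
    if sni is None:
        return no_sni_action
    labels = sni.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return "block"
    return "allow"


def build_client_hello(sni=None) -> bytes:
    """Constructed minimal ClientHello used as test input: one cipher suite and,
    if sni is given, only the server_name extension."""
    extensions = b""
    if sni is not None:
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack(">H", len(host)) + host     # host_name entry
        ext_body = struct.pack(">H", len(entry)) + entry          # ServerNameList
        extensions = struct.pack(">HH", EXT_SERVER_NAME, len(ext_body)) + ext_body
    body = (b"\x03\x03" + b"\x11" * 32          # client_version, random (constructed)
            + b"\x00"                           # empty legacy_session_id
            + b"\x00\x02\x13\x01"               # one cipher suite
            + b"\x01\x00"                       # compression: null only
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("www.example.com", "cdn.malicious.example"):
        print(host, "->", verdict(build_client_hello(host)))
```

The parent-domain walk is what makes `cdn.malicious.example` match a `malicious.example` entry; a firewall that only compares the full SNI string is trivially bypassed with a subdomain.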

CapLoader 1.9.7 Released
A new release of CapLoader has been published! Some of the changes can be seen directly in the user interface, such as Community ID values for flows and a few other new columns in the Flows and Services tabs. Other improvements are more subtle, like improved detection of remote management

How to Inspect TLS Encrypted Traffic
Do you want to analyze decrypted TLS traffic in Wireshark or let an IDS, like Suricata, Snort or Zeek, inspect the application layer data of potentially malicious TLS encrypted traffic? There are many different TLS inspection solutions to choose from, but not all of them might be suitable for the

Online Network Forensics Class
I will teach two live online classes this autumn, one in October and one in November. The subject for both classes is network forensics for incident response. The training is split into four interactive morning sessions, so that you have the afternoon free to either practice what you learned in

Remote Sniffing from Mikrotik Routers
One of the new features in NetworkMiner 2.9 is a TZSP streaming server. It is designed to read a real-time stream of sniffed packets from Mikrotik routers. This method for remote sniffing can be used to capture packets regardless if NetworkMiner is running in Windows or Linux. How to Sniff
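To see what such a streaming server has to do on the wire, here is an added example (not NetworkMiner's code) that parses TZSP datagrams and appends the encapsulated Ethernet frames to a classic pcap file. It assumes the TZSP layout as commonly documented: a 4-byte header (version, type, encapsulation) followed by a tag list ending with tag 0x01, where tag 0x00 is a single padding byte and every other tag carries a one-byte length; UDP port 37008 is assumed to be the Mikrotik default. The sample datagram is constructed.

```python
"""Parse TZSP datagrams and write the carried frames to a pcap file.

Added example, not NetworkMiner's own code. Assumed TZSP layout: 4-byte
header (version, type, encapsulation), tag list terminated by tag 0x01, tag
0x00 is one padding byte, other tags have a one-byte length. Port 37008 is
assumed to be the Mikrotik default.
"""
import socket
import struct
import time

TZSP_PORT = 37008                 # assumed Mikrotik default streaming port
TAG_PADDING = 0x00
TAG_END = 0x01
ENCAP_ETHERNET = 0x0001
PCAP_LINKTYPE_ETHERNET = 1


class TzspError(ValueError):
    """Raised for datagrams that do not parse as TZSP."""


def parse_tzsp(datagram: bytes) -> dict:
    """Split a TZSP datagram into header fields, tags and the raw frame."""
    if len(datagram) < 5:
        raise TzspError("too short for a TZSP header and end tag")
    version, ptype, encap = struct.unpack(">BBH", datagram[:4])
    if version != 1:
        raise TzspError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise TzspError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise TzspError("truncated tag length")
        tlen = datagram[pos]
        pos += 1
        if pos + tlen > len(datagram):
            raise TzspError("truncated tag data")
        tags[tag] = datagram[pos:pos + tlen]
        pos += tlen
    return {"version": version, "type": ptype, "encapsulation": encap,
            "tags": tags, "payload": datagram[pos:]}


def is_tzsp(datagram: bytes) -> bool:
    """Convenience wrapper: True if parse_tzsp() accepts the datagram."""
    try:
        parse_tzsp(datagram)
        return True
    except TzspError:
        return False


def pcap_global_header(linktype: int = PCAP_LINKTYPE_ETHERNET) -> bytes:
    """Classic pcap file header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    """Per-packet pcap record header (ts_sec, ts_usec, incl_len, orig_len) plus frame."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def receive_to_pcap(pcap_path: str, port: int = TZSP_PORT, max_packets=None) -> int:
    """Bind the UDP port, parse each datagram and append Ethernet frames to a pcap."""
    written = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(pcap_path, "wb") as out:
        sock.bind(("0.0.0.0", port))
        out.write(pcap_global_header())
        while max_packets is None or written < max_packets:
            data, addr = sock.recvfrom(65535)
            try:
                pkt = parse_tzsp(data)
            except TzspError as exc:
                print(f"dropping datagram from {addr[0]}: {exc}")
                continue
            if pkt["encapsulation"] != ENCAP_ETHERNET:
                continue                      # other encapsulations need other link types
            out.write(pcap_record(pkt["payload"], time.time()))
            out.flush()
            written += 1
    return written


# Constructed sample: an Ethernet frame (broadcast dst, IPv4 ethertype, dummy payload)
# wrapped in TZSP with one 4-byte tag of type 0x28, a padding byte and the end tag.
SAMPLE_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"constructed payload"
SAMPLE_DATAGRAM = b"\x01\x00\x00\x01" + b"\x28\x04\x00\x00\x00\x07" + b"\x00" + b"\x01" + SAMPLE_FRAME

if __name__ == "__main__":
    print(parse_tzsp(SAMPLE_DATAGRAM))
```

Note that the stream is plain UDP with no authentication, so anything that can send datagrams to the port can inject frames into the capture; bind the listener on a management interface and filter the source address on the host firewall. Truncated or malformed datagrams are dropped with a message rather than aborting the capture.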