CapLoader 1.9.7

CapLoader 1.9.7 Released

A new release of CapLoader has been published! Some of the changes can be seen directly in the user interface, such as Community ID values for flows and a few other new columns in the Flows and Services tabs. Other improvements are more subtle, like improved detection of remote management ...
Wireshark SSLKEYLOGFILE

How to Inspect TLS Encrypted Traffic

Do you want to analyze decrypted TLS traffic in Wireshark or let an IDS, like Suricata, Snort or Zeek, inspect the application layer data of potentially malicious TLS encrypted traffic? There are many different TLS inspection solutions to choose from, but not all of them might be suitable for the ...
PCAP - Network Forensics Training - October 21-24, November 18-21

Online Network Forensics Class

I will teach two live online classes this autumn, one in October and one in November. The subject for both classes is network forensics for incident response. The training is split into four interactive morning sessions, so that you have the afternoon free to either practice what you learned in ...
Sniff Packets with Mikrotik TZSP to NetworkMiner

Remote Sniffing from Mikrotik Routers

One of the new features in NetworkMiner 2.9 is a TZSP streaming server. It is designed to read a real-time stream of sniffed packets from Mikrotik routers. This method for remote sniffing can be used to capture packets regardless of whether NetworkMiner is running on Windows or Linux. How to Sniff ...
NetworkMiner 2.9

NetworkMiner 2.9 Released

NetworkMiner 2.9 brings several new and improved features to help analysts make sense of network traffic from malware, criminals and industrial control systems. Highlights from this new version include: TZSP support, StealC extractor, improved Modbus parser, JA4 support, GTP decapsulation, Malware Traffic Art[...] ...
PolarProxy TLS Firewall - block malicious, inspect suspicious, bypass legitimate

PolarProxy 1.0 Released

I am thrilled to announce the release of PolarProxy version 1.0 today! Several bugs that affected performance, stability and memory usage have now been resolved in our TLS inspection proxy. PolarProxy has also been updated with better logic for importing external root CA certificates and the HAProxy[...] ...
PCAP in the Morning - March 4-7 and 25-28

Network Forensics Training – Spring 2024

I will teach two live online network forensics classes in March, one on European morning time, and the other on US morning time. The subject for both classes is network forensics in an incident response context. The training is split into four interactive morning sessions, so that you have the ...
CapLoader 1.9.6

CapLoader 1.9.6 Released

CapLoader now detects even more malicious protocols and includes several new features such as JA4 fingerprints, API support for sharing IOCs to ThreatFox and OSINT lookups of malware families on Malpedia. The new CapLoader 1.9.6 release also comes with several improvements to the user interface, for[...] ...
Cookie parameters from GzipLoader request in NetworkMiner 2.8.1

Forensic Timeline of an IcedID Infection

The BackConnect and VNC parsers that were added to NetworkMiner 2.8.1 provide a unique possibility to trace the steps of an attacker with the help of captured network traffic from a hacked computer. In this blog post I use the free and open source version of NetworkMiner to see how GzipLoader ...
NetworkMiner 2.8.1

NetworkMiner 2.8.1 Released

I am happy to announce the release of NetworkMiner 2.8.1 today! This new release brings a VNC parser to NetworkMiner, so that screenshots, keystrokes and clipboard data can be extracted from unencrypted VNC traffic. NetworkMiner 2.8.1 additionally includes parsers for command-and-control (C2) protoc[...] ...