
Network Forensics


Last week, while working on the TryHackMe SOC Level 1 course, a big focus of the content was Network Forensics. This is a pivotal part of cybersecurity, as knowing how to carry out network forensics is crucial for the safety of any company. The primary focus of my studies was a tool called NetworkMiner.

NetworkMiner

NetworkMiner is an open-source network forensic analysis tool for Windows that is also available for Linux and macOS. It can be used as a sniffer/packet-capture tool and detects operating systems, sessions, hostnames, open ports and more. The two versions of NetworkMiner that I worked with were v1.6 and v2.7.

Comparing NetworkMiner v1.6 and v2.7

NetworkMiner v2.7

Version 2.7 introduces enhanced features, including:

  • MAC Address Processing – Useful for identifying which MAC addresses are in use and for detecting potential MAC address conflicts.

  • Parameter Processing – Provides more in-depth data related to user activity, fingerprinting, and data leakage detection.

  • Improved usability and parsing accuracy, making it easier to navigate active sessions and DNS queries.

NetworkMiner v1.6

Despite being older, version 1.6 retains certain analytical strengths:

  • Detailed Packet Handling – Offers a more granular breakdown of sent and received packets, which isn’t as deeply exposed in later versions.

  • Frame Analysis – Allows investigators to inspect individual frames (data link layer units), including source/destination MAC and IP addresses, packet lengths, and protocols.

Because of these differences, I found myself switching between versions during the labs to locate specific answers.

Practical Use

My learning on NetworkMiner concluded with a hands-on lab that asked me various questions, where I had to put my knowledge from the readings to practical use.

What is the OS name of the host?

Using the host IP provided, I was able to select the host from the Hosts tab, open the OS drop-down, and find the OS of this host.

How many data bytes were received between two hosts through port 1065?

By clicking on the host's IP address, I was able to select the Incoming Sessions drop-down. I saw two incoming sessions and selected the one with port 1065 listed. After selecting this and viewing the information, I found the IP address needed. After the protocol and ports used, there is a number in parentheses; this is the value of the data bytes sent and the answer needed.

What is the sequence number of frame 9?

For this question I had to switch back to version 1.6 to view the frames. Once in 1.6, I switched over to the Frames tab and found frame 9. After clicking the frame, I clicked on the TCP drop-down, where the Sequence Number is given as the fourth result down.

What is the DNS Query of Frame 62001?

This one took me back to version 2.7; most of the questions were focused on 2.7. To start off, I navigated to the DNS tab. Once there, I entered 62001 in the filter keyword field, then selected the second drop-down menu to the right of the search bar and set it to Frame nr. Once searched, I scrolled to the right, found the DNS Query column and found the answer needed.
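The GUI steps above (data bytes per session, the sequence number of a given frame, the DNS query in a given frame) and the v2.7 MAC-conflict and v1.6 frame-analysis features come down to walking the capture frame by frame. The following is an added example, not code from this post or from NetworkMiner: a pure-standard-library Python pcap walker that builds a small constructed capture in memory (synthetic frames, addresses and MACs, not a real lab file), parses Ethernet/IPv4/TCP/UDP/DNS, and answers the same kinds of questions over it. It assumes classic little-endian pcap files, Ethernet link type, and frames numbered from 1.

```python
"""Pure-stdlib pcap walk that answers NetworkMiner-style questions on a constructed capture."""
import struct
from collections import defaultdict

# --- constructed sample capture (synthetic frames, not a real pcap) ---
def _mac(s): return bytes.fromhex(s.replace(':', ''))
def _ip(s): return bytes(int(o) for o in s.split('.'))

def eth_ipv4(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Ethernet II + minimal IPv4 header (no options, checksum left 0) around an L4 segment."""
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b'\x08\x00' + ip + l4

def tcp(sport, dport, seq, payload):
    """TCP header with a 20-byte data offset, PSH/ACK flags, checksum left 0."""
    return struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

def dns_query(name):
    """UDP header (5353 -> 53) followed by a single-question DNS query for `name`."""
    qname = b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'
    body = struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack('!HH', 1, 1)
    return struct.pack('!HHHH', 5353, 53, 8 + len(body), 0) + body

A, B, C = 'aa:aa:aa:00:00:01', 'aa:aa:aa:00:00:02', 'aa:aa:aa:00:00:03'   # constructed MACs
SAMPLE_PCAP = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + b''.join(
    struct.pack('<IIII', i, 0, len(f), len(f)) + f for i, f in enumerate([
        eth_ipv4(A, B, '10.0.0.5', '10.0.0.9', 6, tcp(1065, 80, 1000, b'A' * 40)),   # frame 1
        eth_ipv4(B, A, '10.0.0.9', '10.0.0.5', 6, tcp(80, 1065, 5000, b'B' * 100)),  # frame 2
        eth_ipv4(A, B, '10.0.0.5', '10.0.0.9', 6, tcp(1065, 80, 1040, b'C' * 10)),   # frame 3
        eth_ipv4(A, B, '10.0.0.5', '10.0.0.1', 17, dns_query('example.com')),        # frame 4
        eth_ipv4(C, B, '10.0.0.5', '10.0.0.9', 6, tcp(2000, 80, 7, b'')),            # frame 5: same IP, new MAC
    ]))

# --- parser ---
def parse_pcap(data):
    """Return one dict per frame, numbered from 1 (assumed to match the Frames tab)."""
    if struct.unpack('<I', data[:4])[0] != 0xa1b2c3d4:
        raise ValueError('only classic little-endian pcap is handled here')
    frames, pos = [], 24                      # 24-byte global header
    while pos + 16 <= len(data):
        incl = struct.unpack('<IIII', data[pos:pos + 16])[2]   # captured length of this record
        frames.append(parse_frame(len(frames) + 1, data[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return frames

def parse_frame(nr, raw):
    """Frame-level view: MACs, IPs, ports, length, protocol, TCP seq and L4 payload."""
    f = {'nr': nr, 'len': len(raw), 'dst_mac': raw[0:6].hex(':'), 'src_mac': raw[6:12].hex(':'), 'proto': 'other'}
    if raw[12:14] != b'\x08\x00':             # not IPv4
        return f
    ihl, total = (raw[14] & 0x0f) * 4, struct.unpack('!H', raw[16:18])[0]
    f['src_ip'], f['dst_ip'] = '.'.join(map(str, raw[26:30])), '.'.join(map(str, raw[30:34]))
    l4 = raw[14 + ihl:14 + total]
    if raw[23] == 6:                          # TCP
        sport, dport, seq, _ack, off = struct.unpack('!HHIIB', l4[:13])
        f.update(proto='TCP', sport=sport, dport=dport, seq=seq, payload=l4[(off >> 4) * 4:])
    elif raw[23] == 17:                       # UDP
        sport, dport, ulen = struct.unpack('!HHH', l4[:6])
        f.update(proto='UDP', sport=sport, dport=dport, payload=l4[8:ulen])
        if 53 in (sport, dport):
            f['dns_query'] = dns_qname(f['payload'])
    return f

def dns_qname(msg):
    """Decode the first question name after the 12-byte DNS header (no compression in a query)."""
    labels, pos = [], 12
    while msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode())
        pos += 1 + msg[pos]
    return '.'.join(labels)

# --- the lab questions, answered over the parsed frames ---
def session_data_bytes(frames, host_a, host_b, port):
    """Application-layer bytes exchanged between two hosts where either side uses `port`."""
    return sum(len(f['payload']) for f in frames if f['proto'] == 'TCP'
               and {f['src_ip'], f['dst_ip']} == {host_a, host_b} and port in (f['sport'], f['dport']))

def frame_sequence_number(frames, nr):
    return frames[nr - 1]['seq']

def frame_dns_query(frames, nr):
    return frames[nr - 1].get('dns_query')

def mac_conflicts(frames):
    """IPs seen with more than one source MAC: spoofing, a re-addressed host, or a dual-homed box."""
    seen = defaultdict(set)
    for f in frames:
        if 'src_ip' in f:
            seen[f['src_ip']].add(f['src_mac'])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

if __name__ == '__main__':
    frames = parse_pcap(SAMPLE_PCAP)
    print(session_data_bytes(frames, '10.0.0.5', '10.0.0.9', 1065))   # 150
    print(frame_sequence_number(frames, 2), frame_dns_query(frames, 4), mac_conflicts(frames))
```

Two details worth noting when reproducing the lab's numbers by hand: the "data bytes" figure counts only TCP payload (headers excluded), which is why the session total here is 150 and not the sum of frame lengths, and a MAC conflict is only visible if you key the inventory by IP and keep every source MAC seen, as `mac_conflicts` does for 10.0.0.5.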

Conclusion

These are just some of the questions asked during this concluding lab. I did not list them all because some questions overlapped, asking me to do the same thing with a slight variation. The questions selected cover a variety of topics and ways of navigating NetworkMiner, to showcase the skills learned and the hands-on practice.