Calmops

NetworkMiner: Network Forensics and PCAP Analysis Guide 2026

Introduction

NetworkMiner is a specialized network forensics tool that excels at automatic extraction of files, images, and credentials from PCAP captures. Unlike traditional packet analyzers that require manual exploration, NetworkMiner automatically reconstructs sessions and extracts transferable content, making it invaluable for incident response, forensic analysis, and security investigations.

This comprehensive guide covers NetworkMiner’s capabilities, practical analysis workflows, and integration with other forensic tools for complete network forensics investigations.

Understanding NetworkMiner

What Is NetworkMiner?

NetworkMiner is an open-source network forensics tool developed by Netresec that focuses on extracting files and content from captured network traffic. It operates in two modes:

  1. Passive Analysis: Reads existing PCAP files
  2. Live Capture: Monitors network traffic in real-time

The tool automatically parses network streams and extracts:

  • Transferred files (any file type)
  • Images and screenshots
  • Credentials and authentication data
  • DNS queries and responses
  • HTTP cookies and parameters
  • VoIP calls and messages

Key Features

NetworkMiner provides several unique capabilities:

  • Automatic File Extraction: Automatically extracts files from network streams
  • Image Recovery: Reconstructs transferred images
  • Credential Detection: Identifies cleartext passwords and authentication
  • Session Reconstruction: Rebuilds TCP/UDP conversations
  • Timeline Analysis: Chronological view of network activity
  • Keyword Search: Search captured data for specific terms

Installation and Setup

Linux Installation

# Install dependencies
sudo apt-get update
sudo apt-get install mono-complete

# Download NetworkMiner (the zip unpacks into a versioned folder, NetworkMiner_2-8)
wget https://www.netresec.com/files/NetworkMiner_2-8.zip
sudo unzip NetworkMiner_2-8.zip -d /opt/
sudo chmod +x /opt/NetworkMiner*/NetworkMiner.exe

# Run with Mono
cd /opt/NetworkMiner*
mono NetworkMiner.exe

Windows Installation

Download the installer from the official website:

The Windows version includes WinPcap/Npcap for live capture capabilities.

Docker Installation

# Run NetworkMiner in Docker
docker run -v $(pwd):/data -p 8080:80 netresec/networkminer:latest

# Access via web browser
# http://localhost:8080

Professional Version

NetworkMiner Professional adds:

  • Real-time PCAP over IP (receive captures from remote sensors)
  • Support for 10Gbps+ captures
  • Automatic PCAP file loading from folders
  • Enhanced credential extraction
  • Commercial support

Interface Overview

Main Window Components

The NetworkMiner interface consists of several panels:

┌───────────────────────────────────────────────────────────┐
│ [Files] [Images] [Credentials] [Messages] [DNS] [Details] │
├─────────┬───────────────┬─────────────────┬───────────────┤
│ Frame   │ Source        │ Destination     │ Info          │
├─────────┼───────────────┼─────────────────┼───────────────┤
│ 1       │ 192.168.1.10  │ 93.184.216.34   │ HTTP GET      │
│ 2       │ 93.184.216.34 │ 192.168.1.10    │ HTTP 200 OK   │
└─────────┴───────────────┴─────────────────┴───────────────┘

Tab Functions

Tab         │ Description
────────────┼──────────────────────────────────
Files       │ All extracted files with metadata
Images      │ Extracted images in gallery view
Credentials │ Detected usernames and passwords
Messages    │ Email, chat, VoIP content
DNS         │ DNS queries and responses
Details     │ Selected item properties

PCAP Analysis Workflows

Basic PCAP Analysis

Open and analyze a capture file:

# Command-line usage
NetworkMiner.exe capture.pcap

# With output directory
NetworkMiner.exe -o /output/folder/ capture.pcap

In the GUI:

  1. Drag and drop PCAP file onto NetworkMiner
  2. Wait for automatic parsing
  3. Browse extracted content by tab

Analyzing Large Captures

For large PCAP files:

# Extract a specific timeframe (editcap -A/-B take absolute timestamps;
# the date below is a placeholder, adjust it to the capture)
editcap -A "2024-01-15 10:00:00" -B "2024-01-15 10:30:00" input.pcap timeframe.pcap

# Analyze with NetworkMiner
NetworkMiner.exe timeframe.pcap

NetworkMiner handles multi-GB files efficiently by:

  • Streaming PCAP parsing
  • Memory-efficient session reconstruction
  • Background file extraction

Analyzing Suspicious Traffic

When investigating potential compromises:

# Focus on suspicious activity
# 1. Check Credentials tab first
# 2. Review Files tab for downloaded executables
# 3. Examine Images for screenshots
# 4. Review DNS for suspicious domains

Key indicators to look for:

  • Cleartext credentials transmitted
  • Unexpected file transfers
  • Connections to known malicious domains
  • Large outbound data transfers

File Extraction

Automatic File Recovery

NetworkMiner automatically extracts files from multiple protocols:

  • HTTP: Uploaded/downloaded files
  • FTP: Transferred files
  • SMTP/IMAP/POP3: Email attachments
  • SMB: File transfers
  • TFTP: Trivial file transfers

Viewing Extracted Files

The Files tab shows:

Filename    │ Size   │ Host     │ Content Type    │ Frame
────────────┼────────┼──────────┼─────────────────┼──────
malware.exe │ 2.4 MB │ Host A   │ application/x.. │ 4521
report.pdf  │ 156 KB │ Host B   │ application/pdf │ 8234
image.jpg   │ 89 KB  │ Host A   │ image/jpeg      │ 2341

Click any file to:

  • View hex/ASCII content
  • Save to disk
  • Calculate hash values
  • View metadata

File Carving

NetworkMiner performs file carving when:

  • Files are fragmented across packets
  • Partial downloads exist
  • Files are transmitted in chunks

# Extract all images to directory
# NetworkMiner GUI: Select all in Images tab > Right-click > Save

Handling Encrypted Traffic

NetworkMiner can extract:

  • Unencrypted HTTP traffic
  • FTP credentials (cleartext)
  • SMB hashes (for offline cracking)
  • TLS session keys (if available)

For encrypted traffic analysis, combine with:

  • TLS key logging (browser SSLKEYLOGFILE)
  • Man-in-the-middle decryption
  • Private key availability

Credential Extraction

Detected Credentials

NetworkMiner identifies:

Protocol │ Extracted Data
─────────┼──────────────────────────────
HTTP     │ Basic auth, form credentials
FTP      │ Username/password
SMTP     │ Email credentials
POP3     │ Authentication
IMAP     │ Login credentials
SMB      │ NTLM hashes

Credential Analysis

Review the Credentials tab:

Username    │ Password   │ Source IP   │ Dest IP    │ Protocol
────────────┼────────────┼─────────────┼────────────┼──────────
admin       │ secret123  │ 192.168.1.5 │ 10.0.0.1   │ HTTP
jsmith      │ Pass@word1 │ 192.168.1.5 │ 10.0.0.2   │ FTP
user@corp   │ ********   │ 192.168.1.5 │ 10.0.0.3   │ SMTP

Offline Password Cracking

Extract SMB hashes for offline cracking:

# Convert to Hashcat format
NetworkMiner.exe -o hashes.txt capture.pcap

# Crack with Hashcat
hashcat -m 5600 hashes.txt wordlist.txt

Image Recovery

Extracted Images

NetworkMiner reconstructs transferred images:

  • JPEG, PNG, GIF, BMP
  • Screenshots via RDP/VNC
  • Webcam captures
  • Document images

The Images tab provides gallery view:

┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐
│ Image  │ │ Image  │ │ Image  │ │ Image  │
│   1    │ │   2    │ │   3    │ │   4    │
└────────┘ └────────┘ └────────┘ └────────┘

Click any image to:

  • View full resolution
  • See transfer details
  • Extract metadata (EXIF)
  • Save to disk

Forensic Image Analysis

When analyzing screenshots:

# Extract all images to folder
# In NetworkMiner: Images tab > Select All > Save As

# Analyze with additional tools
exiftool extracted_images/

DNS Analysis

DNS Query Analysis

The DNS tab shows all DNS queries:

Query              │ Type │ Response      │ TTL  │ Source
───────────────────┼──────┼───────────────┼──────┼───────
evil.com           │ A    │ 185.1.1.1     │ 300  │ DNS
update.microsoft.. │ A    │ 10.0.0.50     │ 60   │ DNS
*.evil.com         │ CNAME│ evil.com      │ 300  │ DNS

DNS Tunneling Detection

Look for suspicious DNS patterns:

  • Large query lengths (data exfiltration)
  • High query frequency
  • Unusual TLDs
  • Subdomain patterns (encoded data)
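The checklist above can be applied mechanically to the rows exported from the DNS tab. The following Python is an added example, not code from the guide or from NetworkMiner: it scores each query for label length, label entropy and an unusual TLD, and flags a registered domain that draws an unusually high number of queries. The thresholds, the TLD allowlist and the sample rows are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Assumed starting thresholds for this example; tune them per environment.
LONG_LABEL = 30        # hostnames rarely carry a label this long
HIGH_ENTROPY = 3.5     # bits per character; hex/base64 blobs sit near 4.0
ALLOWED_TLDS = {"com", "net", "org", "edu", "gov"}   # assumed baseline

# Constructed rows shaped like a NetworkMiner DNS-tab export: (query name,
# record type, client). The 40 TXT queries carry a 50-char hex blob as first
# label, the shape of data chunked out over DNS (not real traffic).
SAMPLE_QUERIES = [
    ("www.example.com", "A", "192.168.1.10"),
    ("files.upd-cdn.xyz", "A", "192.168.1.13"),
] + [(hashlib.sha256(str(i).encode()).hexdigest()[:50] + ".t.example.net",
      "TXT", "192.168.1.12") for i in range(40)]

def shannon_entropy(text):
    """Bits of entropy per character of a label."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_domain(name):
    """Last two labels, e.g. 'a.b.example.net' -> 'example.net'."""
    return ".".join(name.strip(".").split(".")[-2:])

def score_query(name):
    """Per-query indicators: long label, high-entropy label, unusual TLD."""
    labels = name.strip(".").split(".")
    longest = max(labels, key=len)
    checks = {
        "long-label": len(longest) >= LONG_LABEL,
        "high-entropy": len(longest) >= 16 and shannon_entropy(longest) >= HIGH_ENTROPY,
        "unusual-tld": labels[-1].lower() not in ALLOWED_TLDS,
    }
    return [tag for tag, hit in checks.items() if hit]

def analyze(queries, freq_threshold=20):
    """Indicators per registered domain; freq_threshold or more queries adds 'high-frequency'."""
    per_domain = Counter(registered_domain(q[0]) for q in queries)
    findings = {}
    for name, _rtype, _client in queries:
        domain = registered_domain(name)
        reasons = score_query(name)
        if per_domain[domain] >= freq_threshold:
            reasons.append("high-frequency")
        if reasons:
            findings.setdefault(domain, set()).update(reasons)
    return findings
```

Feed the exported CSV rows into analyze() and triage the domains that collect several indicators first; a single hit (an unfamiliar TLD alone) is usually noise.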

Domain Reputation

Cross-reference DNS queries with threat intelligence:

# Export DNS queries
# NetworkMiner > DNS tab > Export to CSV

# Check domains (one name per line in domains.txt)
while read -r domain; do
    echo "$domain: $(dig +short "$domain")"
done < domains.txt

Practical Analysis Scenarios

Incident Response

When investigating a security incident:

# 1. Load capture file
NetworkMiner.exe incident.pcap

# 2. Priority analysis order:
#    Credentials - compromised accounts
#    Files - malware/transfers
#    DNS - C2 communication
#    Images - user activity

Data Exfiltration Detection

Identify data leaving the network:

# Look for:
# - Large outbound transfers
# - Unusual protocols
# - Connections to cloud storage
# - Unexpected encryption (port 443 non-web)

Malware Analysis

Analyze malware delivery:

# Check for:
# - Executable downloads
# - Second-stage payloads
# - C2 beaconing
# - Network-based indicators

Insider Threat Investigation

Monitor user activity:

# Analyze:
# - Web browsing history
# - File transfers
# - Email activity
# - Login patterns

Integration with Other Tools

Wireshark Integration

Combine NetworkMiner with Wireshark:

# Extract files from Wireshark to NetworkMiner
# File > Export Objects > HTTP > Save All
# Then open folder with NetworkMiner

# Or use command-line
tshark -r capture.pcap --export-objects "http,./http-objects"
mono NetworkMiner.exe capture.pcap

Command-Line Usage

NetworkMiner supports headless operation:

# Analyze with output
NetworkMiner.exe -o /output/ capture.pcap

# Specify source directory
NetworkMiner.exe -s /pcaps/ -o /output/

# Remote PCAP (Professional)
NetworkMiner.exe -r 192.168.1.100:56000

Automated Analysis

Create automated workflows:

#!/bin/bash
# Analyze PCAP files automatically

PCAP_DIR="/pcaps"
OUTPUT_DIR="/forensics"

for pcap in "$PCAP_DIR"/*.pcap; do
    echo "Analyzing: $pcap"
    filename=$(basename "$pcap")
    mkdir -p "$OUTPUT_DIR/$filename"
    NetworkMiner.exe -o "$OUTPUT_DIR/$filename" "$pcap"
done

Best Practices

Capture Preservation

Maintain evidence integrity:

# Create evidence hash
sha256sum capture.pcap > capture.sha256

# Write-protect during analysis
mount -o remount,ro /evidence

# Document chain of custody
echo "$(date): Analyzed by forensic analyst" >> case_notes.txt

Analysis Methodology

Follow systematic analysis:

  1. Initial Survey: Quick overview of capture
  2. Asset Identification: Identify hosts and services
  3. Traffic Analysis: Understand communication patterns
  4. Content Extraction: Extract files, credentials
  5. Timeline Construction: Build chronological events
  6. Indicator Development: Create IOCs for threat hunting

Reporting

Document findings:

# Export analysis results
# NetworkMiner > File > Export Report

# Manual report generation
PCAP="capture.pcap"
echo "=== Network Forensics Report ===" > report.txt
echo "File: $PCAP" >> report.txt
echo "Hash: $(sha256sum "$PCAP")" >> report.txt
echo "" >> report.txt
echo "=== Extracted Credentials ===" >> report.txt
cat credentials.csv >> report.txt

Troubleshooting

Missing Content

If NetworkMiner doesn’t extract expected content:

# Check:
# 1. Is the traffic in the capture?
# 2. Is the protocol supported?
# 3. Is the PCAP full content (not truncated)?

# Verify with tshark
tshark -r capture.pcap -Y "http.request" | head -10

Memory Issues

For very large captures:

# Split large captures into one-hour files
# (editcap -i names the outputs hour_NNNNN_<timestamp>.pcap)
editcap -i 3600 large.pcap hour.pcap

# Analyze in chunks
for pcap in hour_*.pcap; do
    NetworkMiner.exe "$pcap"
done

Parsing Errors

Handle corrupted PCAP files:

# Check PCAP validity
tcpdump -r capture.pcap > /dev/null 2>&1

# Try fixing with editcap
editcap -F libpcap capture_bad.pcap capture_fixed.pcap

Conclusion

NetworkMiner provides powerful automated extraction capabilities that complement traditional packet analysis tools. Its ability to automatically recover files, credentials, and images from captured network traffic makes it essential for forensic investigators and incident responders. Master these techniques to efficiently extract evidence from network captures and accelerate your forensic investigations.
