NetworkMiner — quietly watching what already happened
NetworkMiner isn’t built for dashboards or alerts. It doesn’t ping anything. It doesn’t trigger responses. It just listens — or more accurately, reads what was already said on the wire. It’s the kind of tool that gets pulled out after the incident. A packet capture shows up, nobody really knows what it means, and suddenly there’s a need to figure out who sent what to where — and what came back.
The design is intentionally quiet. No agents, no scanning, no traffic injection. Feed it a `.pcap`, and it starts pulling out everything it can: hosts, files, certificates, protocols, even metadata from SMB or HTTP sessions. If there’s something worth knowing in the traffic, chances are it’s in NetworkMiner’s tabs.
What it sees (without making a sound)
| What it grabs | Why it matters |
|---|---|
| Hosts & IP-MAC pairs | Helps reconstruct who was online and how they were connected |
| OS & hostname guesses | Even without traffic from a login, useful hints about the systems involved |
| File transfers | Pulls documents, scripts, binaries straight from the stream — no guessing needed |
| DNS, HTTP, SMB, FTP | Reconstructs the actual requests — not just port numbers |
| Certificates | Lists TLS fingerprints, issuers, expiration — for post-mortem inspection |
| Sessions | Shows the flow: source, destination, protocol — all grouped and timestamped |
| Passive only | Makes no noise on the wire — usable in sensitive or monitored environments |
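To make the "Hosts & IP-MAC pairs" and "DNS" rows concrete, here is an added example (not NetworkMiner's code, and not from the Netresec project) that does the same kind of read-only extraction with nothing but the Python standard library: it walks a classic libpcap file, records the source IP and MAC of every IPv4 frame, and pulls the queried name out of each UDP/53 request. The capture it parses is constructed inline, so it runs offline.

```python
import struct

def _dns_query(name):
    """Build a minimal DNS A-record query payload for `name` (constructed sample data)."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _frame(src_mac, src_ip, dst_ip, dport, payload):
    """Ethernet/IPv4/UDP frame; checksums are left zero because we only parse, never send."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes.fromhex("aabbccddee53") + bytes.fromhex(src_mac) + b"\x08\x00" + ip + udp

# Constructed sample capture (classic libpcap, link type 1 = Ethernet): two DNS
# queries plus one NTP packet that the DNS extractor must skip.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
for f in (_frame("aabbccddee05", "10.0.0.5", "10.0.0.53", 53, _dns_query("example.test")),
          _frame("aabbccddee07", "10.0.0.7", "10.0.0.53", 53, _dns_query("updates.example.test")),
          _frame("aabbccddee05", "10.0.0.5", "10.0.0.1", 123, b"\x00" * 48)):
    SAMPLE_PCAP += struct.pack("<IIII", 1700000000, 0, len(f), len(f)) + f

def _qname(data):
    """Decode an uncompressed DNS name (query sections never use compression pointers)."""
    labels, i = [], 0
    while i < len(data) and data[i] != 0:
        labels.append(data[i + 1:i + 1 + data[i]].decode("ascii", "replace"))
        i += 1 + data[i]
    return ".".join(labels)

def extract(pcap_bytes):
    """Walk a libpcap file read-only; return ({src_ip: src_mac}, [queried DNS names])."""
    hosts, queries, pos = {}, [], 24               # 24 = libpcap global header size
    while pos + 16 <= len(pcap_bytes):               # 16 = per-record header size
        incl_len = struct.unpack_from("<IIII", pcap_bytes, pos)[2]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                 # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        src_ip = ".".join(map(str, frame[26:30]))
        hosts.setdefault(src_ip, frame[6:12].hex(":"))   # IP-MAC pair, like the Hosts tab
        if frame[23] == 17:                          # IP protocol 17 = UDP
            udp = frame[14 + ihl:]
            if struct.unpack_from("!H", udp, 2)[0] == 53 and len(udp) > 20:
                queries.append(_qname(udp[20:]))     # name follows 8-byte UDP + 12-byte DNS header
    return hosts, queries

if __name__ == "__main__":
    print(extract(SAMPLE_PCAP))
```

Real captures add VLAN tags, IPv6, fragmentation and DNS over TCP, which is exactly the decoding work the tool's Hosts and DNS tabs do for you.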
Where it fits in
– Reviewing packet captures from an IDS alert, looking for lateral movement or exfiltration
– Digging through an email attachment that turned out to be malware — and checking what else got pulled
– Quietly mapping out a lab or restricted segment, without pinging or probing anything
– Walking into a strange network, plugging into a mirror port, and waiting
– Running after-the-fact analysis for audit or legal hold, where nothing can be altered
Things it needs (not many)
| Requirement | Notes |
|---|---|
| System | Windows (native), works on Linux/macOS with Mono (some limits apply) |
| Privileges | None for analyzing pcap; admin needed only for live sniffing |
| Inputs | Accepts .pcap and .pcapng; can also capture live if interface is set |
| Setup | No installer — unzip and run |
| License | Free edition handles most; Pro adds scripting and extended decoding |
Setup in five minutes
Download and extract
The tool is available at https://www.netresec.com/?page=NetworkMiner. No registration. Just a zip file with the binary inside.
Launch
Open NetworkMiner.exe. That’s it. No installer. Runs as-is.
Drop in a capture
Drag a pcap onto the interface. Parsing begins instantly — hosts appear on the left, details fill in as the stream is read.
Browse the results
Switch tabs: Hosts, Files, Sessions, Credentials, Certificates, Images — all populated automatically.
Optional: go live
Select an interface and start passive capture. Nothing gets sent out. Everything stays silent.
What makes it worth keeping
NetworkMiner doesn’t pretend to replace Wireshark. It doesn’t try to interpret packet logic or rebuild every protocol in full. What it does — and does well — is surface the high-value stuff fast: who talked, what moved, and what devices were involved.
It’s not noisy. It’s not fancy. But it often ends up being the tool that makes the data understandable when time is short and stakes are high.