NetSleuth features:
- A realtime overview of devices connected to a network.
- No requirement for hardware or reconfiguration of networks.
- “Silent portscanning” and undetectable network monitoring.
- Offline analysis of pcap files to aid in intrusion response and network forensics.
- Automatic identification of a vast array of device types, including smartphones, tablets, gaming consoles, printers, routers, desktops and more
Silent PortScanning
Many network devices broadcast various information across the network. Often this is for ‘zero configuration’ style services, for example Apple’s Bonjour protocol. This information often contains information on the machine, and services running on that device – great information for fingerprinting.
For this reason, it is possible to obtain port scanning style information completely silently. NetSleuth also does not put the network adapters into promiscuous mode, mitigating some techniques to detect sniffing network adapters.
No Configuration
NetSleuth is a 100% software solution, and will monitor traffic on switched or hubbed networks. Any Windows machine on the network can be used.
Offline Analysis
A network capture from any network with consumer devices will contain a huge amount of rich broadcast traffic for analysis. NetSleuth can analyse and extract this data from .pcap files from Snort, Wireshark or other tools. It can also analyse data intercepted by Kismet (the .pcapdump) files.
Protocols
NetSleuth can extract, analyse and fingerprint devices from the following protocols
- Apple MDNS / Bonjour
- SMB / CIFS / NetBios
- DHCP (using the www.fingerbank.org resource)
- SSDP (as used in Microsoft Zero Config)
Updates
If you have any ideas for new features or have found any bugs please let me know! I’m very happy to chat on Twitter or email.
