- A realtime overview of devices connected to a network.
- No requirement for hardware or reconfiguration of networks.
- “Silent portscanning” and undetectable network monitoring.
- Offline analysis of pcap files to aid in intrusion response and network forensics.
- Automatic identification of a vast array of device types, including smartphones, tablets, gaming consoles, printers, routers, desktops and more
Many network devices broadcast various information across the network. Often this is for ‘zero configuration’ style services, for example Apple’s Bonjour protocol. This information often contains information on the machine, and services running on that device – great information for fingerprinting.
For this reason, it is possible to obtain port scanning style information completely silently. NetSleuth also does not put the network adapters into promiscuous mode, mitigating some techniques to detect sniffing network adapters.
NetSleuth is a 100% software solution, and will monitor traffic on switched or hubbed networks. Any Windows machine on the network can be used.
A network capture from any network with consumer devices will contain a huge amount of rich broadcast traffic for analysis. NetSleuth can analyse and extract this data from .pcap files from Snort, Wireshark or other tools. It can also analyse data intercepted by Kismet (the .pcapdump) files.
NetSleuth can extract, analyse and fingerprint devices from the following protocols
- Apple MDNS / Bonjour
- SMB / CIFS / NetBios
- DHCP (using the www.fingerbank.org resource)
- SSDP (as used in Microsoft Zero Config)
If you have any ideas for new features or have found any bugs please let me know! I’m very happy to chat on Twitter or email.