How can I acquire data for analysis with NetSleuth?
If you can connect to a network, you can perform live monitoring on it: wireless or wired, corporate or public Wi-Fi. NetSleuth also accepts data in pcap format, making it compatible with tcpdump, Wireshark, snort and a wide array of network security products.
How does NetSleuth obtain data?
Many network applications broadcast their data across the entire local network. NetSleuth uses Wireshark (www.wireshark.org) to perform packet processing, then analyses this raw data to provide useful information about the detected machines on the network (or from the pcap file).
NetSleuth also uses DHCP fingerprinting research from the excellent resource at www.fingerbank.org, fingerprinting machines from the various options sent in a DHCP request.
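A minimal version of the passive DHCP fingerprinting described above, as an added example (not NetSleuth's or fingerbank's code): it parses the options of a DHCP client message, extracts the Parameter Request List (option 55) and vendor class (option 60), and matches the request list against a table. The fingerprint entries and the sample Discover message are constructed for illustration, not real fingerbank signatures.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"   # marks the start of the options field (offset 236)

# Constructed table: option-55 sequence -> label. Real fingerbank signatures differ.
FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "Windows-like (example)",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "macOS-like (example)",
}

def parse_dhcp_options(msg: bytes) -> dict:
    """Return {code: value} from a raw DHCP message; skips pad, stops at end, rejects truncation."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == 0:                      # pad option, no length byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        if i + 2 > len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option %d" % code)
        length = msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def fingerprint(msg: bytes) -> dict:
    """What a passive listener learns from one client DHCP message (no packets sent)."""
    opts = parse_dhcp_options(msg)
    mac = ":".join("%02x" % b for b in msg[28:28 + msg[2]])   # chaddr, length from hlen
    prl = tuple(opts.get(55, b""))
    return {
        "client_mac": mac,
        "message_type": opts.get(53, b"\x00")[0],              # 1 = Discover, 3 = Request
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "parameter_request_list": prl,
        "label": FINGERPRINTS.get(prl, "unknown"),
    }

def build_sample_discover() -> bytes:
    """Constructed DHCP Discover from a Windows-style client (sample data, not a capture)."""
    mac = bytes.fromhex("001122334455")
    header = (bytes([1, 1, 6, 0]) + b"\xde\xad\xbe\xef" + b"\x00" * 4    # op/htype/hlen/hops, xid, secs+flags
              + b"\x00" * 16 + mac + b"\x00" * 10 + b"\x00" * 192)       # 4 addresses, chaddr(16), sname+file
    prl = bytes((1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252))
    options = (b"\x35\x01\x01" + b"\x3c\x08MSFT 5.0"
               + b"\x37" + bytes([len(prl)]) + prl + b"\x00\xff")
    return header + DHCP_MAGIC + options
```

Feeding it real traffic means reading UDP port 67 payloads from a pcap or a socket; the parser itself never transmits anything.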
What other applications does this work well with?
When I am doing Network Analysis, I use NetSleuth in combination with Wireshark and also Network Miner. Typically I use NetSleuth for a quick scan to identify the machine I am interested in, then use Wireshark or Network Miner for a detailed drill down. I have also used it to analyse Kismet PCAP dump files, to then focus on specific network clients of interest. I also use NetSleuth for demonstrations to non-technical clients!
Do I need to install monitoring software on other machines?
No. If you want to perform live monitoring, you just need to install the software on one machine connected to the network. This machine does not require any special configuration; it just needs to be a Windows machine. NetSleuth identifies active clients on your network passively, without interacting with those machines.
Are there legal issues with use of this tool?
Unlike many tools, NetSleuth does not intercept data. Neither does it look for traffic that could carry personal data such as web or email traffic.
As a specific technical reassurance, NetSleuth does not put the network adapters in promiscuous mode. NetSleuth will not see network packets that have not been publicly broadcast on the network; it only processes data that the host computer is meant to see.
NetSleuth calls programs from the excellent Wireshark suite (available at www.wireshark.org) to perform low-level packet processing.
Can NetSleuth obtain data without any active ‘hacking’ interference with other devices on the network?
Yes. By default, NetSleuth performs its network analysis in a completely silent mode: you gain the functionality of a port/network scanner without needing to send any packets onto the network.
The user has the choice to ‘provoke’ network activity. This is not portscanning: these messages are the same messages sent out by Windows and Mac machines on boot to elicit responses from other machines and devices on the network.
What do I need to run NetSleuth?
No special hardware is required. Any Windows operating system from XP onwards is capable of running NetSleuth.
Specifically it requires v3.5 or later of the .NET framework (which is included by default in Windows Vista and Windows 7). It also requires a full install of the Wireshark tools available at www.wireshark.org.
What protocols does NetSleuth analyse?
Data is currently analysed from MDNS (Apple Bonjour), SMB (Windows Networking), DHCP and ARP.
Could I run NetSleuth natively on Linux or Backtrack?
Not at the moment, but it is a possibility if there is interest.
Can I run NetSleuth inside a Virtual Machine?
Yes, it will work great. You will need to ensure that the Virtual Machine is set to “bridged mode” in the networking settings; this allows NetSleuth to pick up network broadcast messages.
Can I combine NetSleuth with other tools during a pentest?
Yes. For example, NetSleuth will very happily detect and process network data returned from portscanning tools such as nmap.
Will NetSleuth work in small networks such as cafés or personal networks?
Absolutely. It works well at detecting late night Xbox activity!
What is the footprint of NetSleuth? How easy is it to detect?
When NetSleuth is running in silent mode, it is completely undetectable. It sends no packets, and does not put the adapters into promiscuous mode. Unless the machine you are running it on has been compromised, it cannot be detected.
If the ‘provoke activity’ button is clicked, it will generate network update messages onto the local network. Although this is a transmission onto the network, these are exactly the same messages that Windows and Mac devices send out on a regular basis. It would be extremely difficult for even a skilled analyst to distinguish them from these normal messages.
If portscanning is enabled, then skilled technical analysts or advanced software (such as NetSleuth!) could potentially detect the activity.
