Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: New Tool: NetWitness Investigator SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
New Tool: NetWitness Investigator

A new freeware version of Netwitness' core product, NetWitness Investigator, was made available today.  I was able to get access to it several days ago for a test run.  It looks and feels much like Wireshark, but with a lot more capability.  The only two issues I found with the tool is that the registration process (required) is a bit quirky but eventually works, and you'll see a noticible drop in computer performance while its running.  But considering that this is a sniffer on steroids I suspect that a performance drop is to be expected. 

Here are notes from the NetWitness web site:

Product Features:

  • Captures raw packets live from most wired or wireless interfaces
  • Imports packets from any open-source, home-grown and commercial packet capture system (e.g. .pcap file import)
  • License supports 25 simultaneous 1GB captures - far exceeding data manipulation capabilities of packet tools like Wireshark
  • Real-time, patented layer 7 analytics
         – Effectively analyze data starting from application layer entities like users, email, address, files , and actions.
         – Infinite, free-form analysis paths
         – Content starting points
         – Patented port agnostic service identification
  • Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, Etc.)
  • IPv6 support
  • Full content search, with Regex support
  • Exports data in .pcap format
  • Bookmarking & history tracking
  • Integrated GeoIP for resolving IP addresses to city/county, supporting Google® Earth visualization
  • NEW! SSL Decryption (with server certificate)
  • NEW! Interactive time charts, and summary view
  • NEW! Interactive packet view and decode
  • NEW! Hash PCAP on Export
  • NEW! Enhanced content views

Minimum system requirements:
NetWitness recommends the following minimum hardware requirements for NetWitness Investigator:

  • Windows® XP, 2003 Server, or Vista 32-bit
  • Single 2Ghz Intel-based processor(Dual-core recommended)
  • 1GB RAM(2GB Recommended)
  • 1 Ethernet Port
  • Internet Explorer v7+ (IE v6.x may limit some functionality)
  • Ample data storage for collected data
  • Note: Linux infrastructure available in commercial versions

The fully functional and licensed free version of NetWitness Investigator is at: http://download.netwitness.com.  We are interested in your comments if you've downloaded and tried this software.  Please let us know via our contact form.

Marcus H. Sachs
Director, SANS Internet Storm Center

Marcus

301 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!