PCAP over IP to NetworkMiner

Most people are familiar with Wireshark and with using dumpcap to create a pcap file on a remote host. Below is a remote dumpcap session streaming its capture through netcat to the NetworkMiner packet analyzer by netresec.com. NetworkMiner is a network forensics tool that decodes the pcap stream in real time and displays the images, videos, files, sessions and DNS traffic it contains.

On NetworkMiner:
File > Receive Pcap over IP > Start

On your router:
dumpcap -i eth0 -P -w - -f "ether host 90:b6:86:24:61:86" | nc 10.0.5.2 57012
Where:
eth0 = the interface to capture on, written as interface.vlan when you want a single VLAN. Leave the VLAN off to capture all VLANs, with their VLAN tags intact.
eth0.4 = capture only VLAN 4 on the first physical Ethernet interface.
90:b6:86:24:61:86 = the MAC address of the device whose traffic you want.
10.0.5.2 = the host running NetworkMiner. Do not capture the traffic you are streaming to it, or the capture feeds on itself in a loop.
57012 = the port NetworkMiner is listening on.
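The loop caveat above is easy to get wrong when the MAC filter is relaxed or dropped. The following is an added example, not part of the original post or of NetworkMiner, that builds the same dumpcap | nc pipeline but always appends a "not (host collector and tcp port N)" clause to the capture filter, so the router never captures its own stream to the collector. It goes slightly beyond the post by also allowing an empty MAC (capture everything except the stream). The interface, MAC, collector address and port are the post's placeholder values; build_filter and build_cmd are names chosen here.

```shell
#!/bin/sh
# Added example: construct a loop-safe capture filter and the matching
# dumpcap | nc command for streaming pcap over IP to NetworkMiner.
# Values passed in (interface, MAC, collector host/port) are assumptions.

# build_filter MAC COLLECTOR PORT
# Keeps the target host's frames (if a MAC is given) and always excludes the
# TCP stream we are sending to the collector, which prevents the feedback loop.
build_filter() {
    mac="$1"; collector="$2"; port="$3"
    if [ -n "$mac" ]; then
        printf 'ether host %s and ' "$mac"
    fi
    printf 'not (host %s and tcp port %s)' "$collector" "$port"
}

# build_cmd IFACE MAC COLLECTOR PORT
# -P writes classic libpcap format (not pcapng), which the Receive Pcap over
# IP listener expects; -w - sends the capture to stdout for nc to forward.
build_cmd() {
    iface="$1"; mac="$2"; collector="$3"; port="$4"
    filter=$(build_filter "$mac" "$collector" "$port")
    printf 'dumpcap -i %s -P -w - -f "%s" | nc %s %s' \
        "$iface" "$filter" "$collector" "$port"
}

# Only start a real capture when invoked as:  sh pcap_stream.sh run [iface mac host port]
# Sourcing or running the file without "run" just defines the functions.
if [ "$1" = "run" ]; then
    IFACE="${2:-eth0}"
    MAC="${3:-90:b6:86:24:61:86}"
    COLLECTOR="${4:-10.0.5.2}"
    PORT="${5:-57012}"
    command -v dumpcap >/dev/null 2>&1 || { echo "dumpcap not found" >&2; exit 1; }
    command -v nc      >/dev/null 2>&1 || { echo "nc not found" >&2; exit 1; }
    echo "Running: $(build_cmd "$IFACE" "$MAC" "$COLLECTOR" "$PORT")" >&2
    dumpcap -i "$IFACE" -P -w - -f "$(build_filter "$MAC" "$COLLECTOR" "$PORT")" \
        | nc "$COLLECTOR" "$PORT"
fi
```

Start the listener in NetworkMiner first (File > Receive Pcap over IP > Start), then run the script with "run" on the router; the filter it prints to stderr is the one to check if the capture still appears to grow on its own.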
