Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - New Tool: NetWitness Investigator InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

New Tool: NetWitness Investigator

Published: 2008-11-17
Last Updated: 2008-11-17 13:33:11 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

A new freeware version of Netwitness' core product, NetWitness Investigator, was made available today.  I was able to get access to it several days ago for a test run.  It looks and feels much like Wireshark, but with a lot more capability.  The only two issues I found with the tool is that the registration process (required) is a bit quirky but eventually works, and you'll see a noticible drop in computer performance while its running.  But considering that this is a sniffer on steroids I suspect that a performance drop is to be expected. 

Here are notes from the NetWitness web site:

Product Features:

  • Captures raw packets live from most wired or wireless interfaces
  • Imports packets from any open-source, home-grown and commercial packet capture system (e.g. .pcap file import)
  • License supports 25 simultaneous 1GB captures - far exceeding data manipulation capabilities of packet tools like Wireshark
  • Real-time, patented layer 7 analytics
         – Effectively analyze data starting from application layer entities like users, email, address, files , and actions.
         – Infinite, free-form analysis paths
         – Content starting points
         – Patented port agnostic service identification
  • Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, Etc.)
  • IPv6 support
  • Full content search, with Regex support
  • Exports data in .pcap format
  • Bookmarking & history tracking
  • Integrated GeoIP for resolving IP addresses to city/county, supporting Google® Earth visualization
  • NEW! SSL Decryption (with server certificate)
  • NEW! Interactive time charts, and summary view
  • NEW! Interactive packet view and decode
  • NEW! Hash PCAP on Export
  • NEW! Enhanced content views

Minimum system requirements:
NetWitness recommends the following minimum hardware requirements for NetWitness Investigator:

  • Windows® XP, 2003 Server, or Vista 32-bit
  • Single 2Ghz Intel-based processor(Dual-core recommended)
  • 1GB RAM(2GB Recommended)
  • 1 Ethernet Port
  • Internet Explorer v7+ (IE v6.x may limit some functionality)
  • Ample data storage for collected data
  • Note: Linux infrastructure available in commercial versions

The fully functional and licensed free version of NetWitness Investigator is at: http://download.netwitness.com.  We are interested in your comments if you've downloaded and tried this software.  Please let us know via our contact form.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 comment(s)
Diary Archives