NetworkMiner in a nutshell

Capability Description
Traffic sniffing It can intercept the traffic, sniff it, and collect and log packets that pass
through the network.
Parsing PCAP files It can parse pcap files and show the content of the packets in detail.
Protocol analysis It can identify the used protocols from the parsed pcap file.
OS fingerprinting It can identify the used OS by reading the pcap file. This feature strongly
relies on Satori and p0f.
File Extraction It can extract images, HTML files and emails from the parsed pcap file.
Credential grabbing It can extract credentials from the parsed pcap file.
Clear text keyword parsing It can extract clear-text keywords and strings from the parsed pcap file.

A Professional edition has much more features. You can see the differences between free and professional versions here.

Operating modes

  • Sniffer Mode: Although it has a sniffing feature, it is not intended to use as a sniffer. The sniffier feature is available only on Windows. However, the rest of the features are available in Windows and Linux OS. Based on experience, the sniffing feature is not as reliable as other features. Therefor we suggest not using this tool as a primary sniffer. Even the official description of the tool mentions that this tool is a “Network forensics Analysis Tool”, but it can be used as a “sniffer”. In other words, it is a Network Forensic Analysis Tool with but has a sniffer feature, but it is not a dedicated sniffer like Wireshark and tcpdump.

  • Packet Parsing/Processing: NetworkMiner can parse traffic captures to have a quick overview and information on the investigated capture. This operation mode is mainly suggested to grab the “low-hanging fruit” before diving into a deeper investigation.

Pros and cons


  • OS fingerprinting

  • Easy file extraction

  • Credential grabbing

  • Clear text keyword parsing

  • Overall overview


  • Not useful in active sniffing

  • Not useful for large pcap investigation

  • Limited filtering

  • Not built for manual traffic investigation

Differences between Wireshark and NetworkMiner

NetworkMiner and Wireshark have similar base features, but are different in purpose.

Best practice is to record the traffic for offline analysis, quickly overview the pcap with NetworkMiner and then use Wireshark for further investigation.

Feature NetworkMiner Wireshark
Purpose Quick overview, traffic mapping,
and data extraction
In-Depth analysis
Handling PCAPS
OS Fingerprinting
Parameter/Keyword Discovery Manual
Credential Discovery
File Extraction
Filtering Options Limited
Packet Decoding Limited
Protocol Analysis
Payload Analysis
Statistical Analysis
Cross-Platform Support
Host Categorisation
Ease of Management

NetworkMiner version differences

Unsurprisingly version upgrades provide stability, security fixes and features. For NetworkMiner the feature part is quite tricky. Feature upgrades can represent implementing new features and updating the existing feature (optimisation, alteration or operation mode modification). You can always check the changelog.

Of course, as the program version increases, it is expected to increase feature increase and scope. The significant differences between versions 1.6 and 2.7:

Mac address processing

NetworkMiner versions after version 2 can process MAC address specific correlation. This option can help identify if there is a MAC Address conflict. This feature is not available before version 2.

Sent/received packet processing

NetworkMiner versions up to version 1.6. can handle packets in much detail. These options can help investigate the sent/received packets in a more detailed format. This feature is not available after version 1.6.

Frame processing

NetworkMiner versions up to version 1.6. can handle frames. This option provides the number of frames and essential details about the frames. This feature is not available after version 1.6.

Parameter processing

NetworkMiner versions after version 2 can handle parameters in a much more extensive form. Therefor version 1.6.xx catches fewer parameters than version 2.

Clear-text processing

NetworkMiner versions up to version 1.6. can handle clear-text data. This option provides all extracted clear-text data in a single tab; it is beneficial to investigate clear-text data about the traffic data. However, it is impossible to match the clear-text data and packets. This feature is not available after version 1.6.

Since there are some significant differences between the versions, the given VM has both of the major versions (v1.6 and v2.7).