Recent changes to feature-requests

PFlog header parsing

Anonymous — Tue, 14 Dec 2010 15:13:02 -0000

The PF firewall offers a facility called pflog which allows users to define traffic which will be logged to a file that matches certain rules. This traffic is written to the file in tcpdump format, so it should be readable with this program, however the pflog program inserts a new header into each logged packet which states the firewall rule matched and the action (pass/block) taken on the packet. This appears to be causing problems with the parsing that Network Miner performs on the packet as it only lists the traffic under the "Frames" tab and declares the packet to be of unknown type. This format is currently parsed by Wireshark, so it should be feasible to implement here. The fact that this new header makes the entire packet fail to be analyzed might suggest that the parsing code could use a review in order to allow it to continue to parse subsequent known header types after failing to recognize one of the headers (in fact this would be an acceptable alternative to actually parsing the PFlog header, in my case).

Support for compressed PCAP files

Anonymous — Tue, 14 Dec 2010 15:06:36 -0000

It'd be nice to be able to load the compressed files (the ones that I use are compressed with GZip) directly. This is a feature currently implemented in Wireshark, so the technical limitations should be minimal.

Add support for Google's SPDY protocol

Anonymous — Mon, 08 Nov 2010 14:43:42 -0000

SPDY is "an application-layer protocol for transporting content over the web, designed specifically for minimal latency".
http://www.chromium.org/spdy

Add "decode as" feature

Erik Hjelmvik — Thu, 08 Jul 2010 18:47:22 -0000

Add the ability for the user to select which server IP-port pairs to decode as what protocol.
This could be done from the sessions tab (right-clicking and selecting "decode as") or possibly also from the hosts tab under "open ports".

Read capture data from a pipe

Anonymous — Tue, 29 Jun 2010 19:55:58 -0000

Include functionality to read capture data from a pipe instead of from a file or NIC.

Wireshark supports this functionality, which is explained here:
http://wiki.wireshark.org/CaptureSetup/Pipes

Parse Meterpreter payload reverse shell transfer protocol

Anonymous — Sun, 27 Jun 2010 20:25:37 -0000

Parse the file transfer protocol used by Metasploit to establish a Meterpreter reverse shell. It seems as if the shellcode from Metaspliot causes the victim to connect to a dropper server and download the binary for the meterpreter reverse shell.

Parse RFB protocol (VNC)

Anonymous — Mon, 14 Jun 2010 12:43:15 -0000

Parse the RFB protocol used by VNC.
http://www.realvnc.com/docs/rfbproto.pdf

Search-filter for Parameters tab

Anonymous — Thu, 06 May 2010 18:27:04 -0000

Add a search box to the parameters tab that can be used to filter what is being displayed.

Extract MAC vendor from autoconfigured IPv6 addresses

Anonymous — Fri, 09 Apr 2010 15:38:57 -0000

Extract MAC address vendor from IPv6 adresses generated through autoconfiguration.
The vendor's 3 byte MAC-vencor-code can be found at bytes 8,9 and 10 (prior to ff:fe as described in http://standards.ieee.org/regauth/oui/tutorials/EUI64.html\) in the IPv6 addresses

Show webmail on Messages tab

Erik Hjelmvik — Wed, 17 Feb 2010 17:33:18 -0000

Decode Yahoo, Hotmail, Microsoft Live, etc. in the same manner as Gmail and Google chat is decoded and displayed on the Messages tab