Collaborative RCE Tool Library - Network Monitoring Tools (including sub-categories)

Tool Updated: Wireshark

2009-07-20T22:01:23Z

Listed in categories: Network Sniffers

Most recent version:
1.2.1

Most recent release date:
July 20, 2009

Description:
Wireshark (previously Ethereal) is the world's foremost network protocol analyzer, and is the standard in many industries.

It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.

Wireshark has a rich feature set which includes the following:

* Hundreds of protocols are supported, with more being added all the time
* Live capture and offline analysis are supported
* Standard three-pane packet browser
* Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
* The most powerful display filters in the industry
* Rich VoIP analysis
* Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
* Capture files compressed with gzip can be decompressed on the fly
* Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
* Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
* Coloring rules can be applied to the packet list, which eases analysis
* Output can be exported to XML, PostScript®, CSV, or plain text

Tool Updated: Tcpdump

2009-07-19T05:09:42Z

Listed in categories: Network Sniffers

Most recent version:
4.0.0

Most recent release date:
July 18, 2009

Description:
From wikipedia's entry for tcpdump:

tcpdump is a common computer network debugging tool that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It was originally written by Van Jacobson, Craig Leres and Steven McCanne who were, at the time, working in the Lawrence Berkeley Laboratory Network Research Group.

Distributed under a permissive free software licence, tcpdump is free software.

Tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, Mac OS X, HP-UX and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets.

There is also a port of tcpdump for Windows called WinDump; this uses WinPcap, which is a port of libpcap to Windows.

In some Unix-like operating systems, a user must have superuser privileges to use tcpdump because the packet capturing mechanisms on those systems require elevated privileges. However, the -Z option may be used to drop privileges to a specific unprivileged user after capturing has been set up. In other Unix-like operating systems, the packet capturing mechanism can be configured to allow non-privileged users to use it; if that is done, superuser privileges are not required.

The user may optionally apply a BPF-based filter to limit the number of packets seen by tcpdump; this renders the output more usable on networks with a high volume of traffic.

Tool Updated: TCPView

2009-03-31T23:07:42Z

Listed in categories: Network Monitoring Tools

Most recent version:
2.54

Most recent release date:
March 17, 2009

Description:
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.

Tool Added: Fport

2008-06-17T12:20:56Z

Listed in categories: Network Monitoring Tools

Most recent version:
2.0

Most recent release date:
2002

Description:
fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

Usage:

C:\>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid Process Port Proto Path
392 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
8 System -> 445 TCP
508 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
392 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
224 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
212 services -> 1026 UDP C:\WINNT\system32\services.exe

The program contains five (5) switches. The switches may be utilized using either a '/'
or a '-' preceding the switch. The switches are;

Usage:
/? usage help
/p sort by port
/a sort by application
/i sort by pid
/ap sort by application path

fport supports Windows NT4, Windows 2000 and Windows XP

Tool Updated: LSOF

2008-06-17T10:39:49Z

Listed in categories: File Monitoring Tools, Network Monitoring Tools

Most recent version:

Most recent release date:

Description:
The lsof (LiSt Open Files) diagnostic and forensics tool lists information about any files that are open by processes currently running on the system. It can also list communications sockets open by each process.

Tool Updated: SysAnalyzer

2008-01-05T13:56:31Z

Listed in categories: API Monitoring Tools, Disk Monitoring Tools, File Monitoring Tools, Install Monitoring Tools, Memory Dumpers, Network Monitoring Tools, Registry Monitoring Tools

Most recent version:

Most recent release date:
January 19, 2007

Description:
SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare:

* Running Processes
* Open Ports
* Loaded Drivers
* Injected Libraries
* Key Registry Changes
* APIs called by a target process
* File Modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

* Create a memory dump of target process
* parse memory dump for strings
* parse strings output for exe, reg, and url references
* scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.

Tool Updated: Malcode Analysis Pack

2007-12-26T17:48:34Z

Listed in categories: API Monitoring Tools, Import Editors, Malware Analysis Tools, Network Sniffers, Network Tools, Process Monitoring Tools, Reverse Engineering Frameworks, TCP Proxy Tools

Most recent version:

Most recent release date:
November 13, 2006

Description:
The Malcode Analyst Pack contains a series of utilities that were found to be necessary tools while doing rapid malcode analysis.

Included in this package are:

• ShellExt - 4 explorer shell extensions
• socketTool - manual TCP Client for probing functionality.
• MailPot - mail server capture pot
• fakeDNS - spoofs dns responses to controlled ip's
• sniff_hit - HTTP, IRC, and DNS sniffer
• sclog - Shellcode research and analysis application
• IDCDumpFix - aids in quick RE of packed applications
• Shellcode2Exe - embeds multiple shellcode formats in exe husk
• GdiProcs - detect hidden processes