Wireshark, formerly known as Ethereal, is a popular network protocol analyzer (packet sniffer) that runs on most computing platforms, including Windows, OS X, and Linux. Its functionality is very similar to tcpdump; however, it has a graphical interface and more options for sorting and filtering data.
In addition, it allows the user to view all traffic being passed over the network. A key constraint is that it can only capture on network interfaces supported by pcap (both Wireshark and Ethereal use pcap to capture packets). Data can be captured from a live network connection or read from a file.
While Wireshark provides IT and technical professionals with a tool to capture packets and perform analysis, it should be noted that there are several key limitations when using it for digital investigations and cyber forensics. These challenges are:
For digital investigations, these challenges create significant limitations with regard to arriving at a clear understanding of what has occurred on the network and, further, whether any "wrongful acts" have been committed. Simply stated, the purpose of capturing and analyzing the data is to quickly and effectively determine what has happened.
Chronicle Solutions has created a network forensics solution that is able to easily and intelligently capture, replay and analyze the content of Wireshark full packet capture sessions in its native format. While this is an extremely easy-to-use and easy-to-learn solution, it is a powerful tool that helps investigators efficiently research, find and deliver credible evidence.
Whether the investigation calls for the mobility provided by Chronicle’s netReplay® 2500 PORTABLE or the permanent, proactive, longer term benefits found in netReplay® rack-mounted recorders, investigative professionals will be armed with the most effective digital forensic tool available.
While netReplay® has the ability to reassemble data that has already been collected in full packet capture sessions by tools such as Wireshark (Ethereal) or tcpdump, using netReplay® up front (on live network connections) allows IT security and investigative staff to quickly move from a reactive "capture everything" mode to a much more effective, proactive "collect, monitor, research and analyze" approach.
netReplay® will increase the credibility of results by replaying original content exactly as it was seen and handled by the user, thereby providing proof of both the user’s content and the associated actions. In addition, Chronicle’s Forensic Information Fingerprinting Engine (FIFE™) provides evidence of user activity that is both forensically accurate and credible.
netReplay® has been described as a "one of a kind, network content DVR (Digital Video Recorder) that eliminates the digital equivalent of television commercials." netReplay’s intelligent deep-packet inspection and content capture effectively cuts out the recording of duplicate data and network content "noise", thereby delivering a better investigative effort.
Because of netReplay’s out-of-the-box capabilities, just connect it and begin to quickly and efficiently capture all data necessary for investigative research, formal records retention and digital evidence collection. Equally important, netReplay® helps speed investigators to the "document decision-ing" phase of their investigation.
netReplay® will increase the effectiveness of a digital forensics effort by providing a high level of precision on the data it is collecting and analyzing, as well as the correlation of all events that lead to any suspected misdeeds. This is accomplished while also complying with any legal requirements, such as privacy and employee rights and statutory limitations.
netReplay® will greatly improve productivity by reducing the time and complexity of data and event log analysis. Essentially, investigators now have the means to find the proverbial "needle in a haystack" in hours versus weeks or even months.
netReplay® will increase the efficiency of a network forensics team, allowing more investigators to be educated to use the tool. netReplay® is an easy-to-learn and easy-to-use digital forensic tool that provides immediate benefits.