
Unsniff Network Analyzer Network Protocol and Forensics Tool

Unsniff main window

Unsniff Network Analyzer is a powerful analysis tool that lets you work not just at the packet layer, but with PDUs and flows too. It has comprehensive forensics and file carving abilities you can use to extract almost anything that can be found in network traffic. It is also scriptable, so you can automate almost all tasks that require you to grapple with packet captures. See "Features in Detail" for the full list.

Why Unsniff?

Unsniff Network Analyzer offers multi-layer monitoring with deep content awareness right out of the box. The unique advantages of Unsniff are:

  1. Multi-layer monitoring: flows and PDUs as top-level objects
  2. Advanced NFAT (Network Forensics) abilities
  3. Scriptable for automation
  4. Fast native Windows UI with new visualization
  5. USNF format instantly opens huge capture files
  6. Advanced TLS decryption and analysis (incl. TLS 1.2 AEAD)

Unsniff can be a great complement to Wireshark, which is known for its legendary bit-level dissection abilities.

Scriptable: Automate your analysis

Unsniff exposes all entities as scriptable objects. These include Packets, Flows, PDUs and User Objects. Write tiny but powerful scripts to automate the most tedious processes. Some use cases:

  • Automatically extract all images greater than 200K into a directory
  • Save each VOIP call as a separate .WAV file
  • Save the first 100K of each TCP flow
  • Reassemble and save the in and out directions of each flow with a custom naming scheme
  • Import from Wireshark, apply custom filters, then export back into Wireshark
  • Pretty much anything you can do manually can be automated

Languages supported: VBScript and Ruby (via Win32OLE). Documentation is available at "Unsniff Scripting Guide Home". VBScript and Ruby sample scripts are at "Script Samples".

Not just packets: PDUs, flows, and content too

Network flows are TCP streams. Each flow is treated as a top-level object in Unsniff. You are presented with a list of flows in addition to packets, and you can choose to work on a flow as a unit instead of packet by packet.

Protocol Data Units (PDUs) are reassembled messages extracted from raw packets. Unsniff lets you see these messages instead of just packets. For example, you can view and monitor SSL/TLS records instead of fragments of packets. Unsniff supports SNMP, LDAP, TLS, and other PDUs.

User Objects are extracted content, such as images, emails, files, video and audio. The Unsniff User Objects sheet allows you to work with them for forensics and investigative purposes. Most use cases are covered.

User Objects: Advanced forensics and reconstruction

Unsniff has top-notch, deep network forensics analysis (NFAT) capabilities. All objects are extracted and shown in the User Objects sheet. A subset of what is supported:

  • HTTP: Full page reconstruction; images, POST messages, all CSS/JS, video, Flash, and every kind of content can be extracted
  • Deep keyword search: search within extracted content
  • Email (SMTP, POP3, IMAP), FTP files, SMB files
  • Yahoo! Chat, MSN Chat, AOL Chat
  • Yahoo! / MSN voice chat
  • Google video chat, incl. support for the VP8 video and SPEEX audio codecs
  • SIP/RTP/H.323/IAX2 VOIP calls, incl. all major codecs
  • YouTube reconstruction

All of the above can be automated. Unsniff's internal format, USNF, stores these objects natively for maximum performance.