i have recently been working through some network forensic challenges from a few locations (http://forensicscontest.com and http://ismellpackets.com/category/pcap/) and wanted to do some network carving (parsing a pcap and getting the files like .exe’s, .jpg’s, etc). to answer some of the questions i wanted to load networkminer on my backtrack 5 r1 box.

fortunately there was a tutorial on how to get networkminer up on linux, but it didn’t fix everything for the newest version of backtrack (specifically, the fonts were off and the menu didn’t show up correctly).

to get networkminer 1.0 up and running on my backtrack 5 r1 VM here is what i did (summary of commands at bottom):

  1. downloaded winetricks and installed the .NET framework, some core fonts, and the GDI+ package

    cd /bin
    wget http://kegel.com/wine/winetricks
    chmod +x winetricks
    ./winetricks corefonts dotnet20 gdiplus

    • download networkminer 1.0

      cd /opt
      wget http://sourceforge.net/projects/networkminer/files/networkminer/NetworkMiner-1.0/NetworkMiner_1-0.zip/download

      • extract the zip file and run network miner (you will get an pop-up saying there are no pcap adapters available, which is expected). i am using networkminer for viewing and extracting data only, not capturing (that is what tcpdump is for 😉

        unzip download
        cd NetworkMiner_1-0/
        wine NetworkMiner.exe

        • you should have a working (non-capturing) copy of networkminer 1.0 ready to go

        • for ease of use, i added a link to networkminer in the applications menu


  1. the files that networkminer carves out will be located at:

    ~/.wine/drive_c/Program Files/NetworkMiner_1-0/AssembledFiles

    on windows, you can just right click and open the folder, but this didn’t work on my backtrack VM.

original networkminer/linux post: http://geek00l.blogspot.com/2008/12/drunken-monkey-running-network-miner.html
post that told me about the gdiplus package:  http://forum.winehq.org/viewtopic.php?t=8516