A new freeware version of NetWitness' core product, NetWitness Investigator, was made available today. I was able to get access to it several days ago for a test run. It looks and feels much like Wireshark, but with a lot more capability. The only two issues I found with the tool are that the registration process (required) is a bit quirky but eventually works, and you'll see a noticeable drop in computer performance while it's running. But considering that this is a sniffer on steroids, I suspect that a performance drop is to be expected.
Here are notes from the NetWitness web site:
Product Features:
Captures raw packets live from most wired or wireless interfaces
Imports packets from any open-source, home-grown and commercial packet capture system (e.g. .pcap file import)
License supports 25 simultaneous 1GB captures - far exceeding data manipulation capabilities of packet tools like Wireshark
Real-time, patented layer 7 analytics
– Effectively analyze data starting from application layer entities like users, email, address, files, and actions.
– Infinite, free-form analysis paths
– Content starting points
– Patented port agnostic service identification
Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, Etc.)
IPv6 support
Full content search, with Regex support
Exports data in .pcap format
Bookmarking & history tracking
Integrated GeoIP for resolving IP addresses to city/county, supporting Google® Earth visualization
NEW! SSL Decryption (with server certificate)
NEW! Interactive time charts, and summary view
NEW! Interactive packet view and decode
NEW! Hash PCAP on Export
NEW! Enhanced content views
Minimum system requirements:
NetWitness recommends the following minimum hardware requirements for NetWitness Investigator:
Windows® XP, 2003 Server, or Vista 32-bit
Single 2 GHz Intel-based processor (dual-core recommended)
1GB RAM (2GB recommended)
1 Ethernet Port
Internet Explorer v7+ (IE v6.x may limit some functionality)
Ample data storage for collected data
Note: Linux infrastructure available in commercial versions
The fully functional and licensed free version of NetWitness Investigator is at:
http://download.netwitness.com. We are interested in your comments if you've downloaded and tried this software. Please let us know via our contact form.
Marcus H. Sachs
Director, SANS Internet Storm Center
New Tool: NetWitness Investigator - SANS Internet Storm Center
https://isc.sans.edu/forums/diary/New+Tool+NetWitness+Investigator/5351/