ChangeLog

NetworkMiner 2.7.3
	* TcpPortProtocolFinder.cs: Port 3000 and 8000 configured as be parsed as HTTP
	  in order to support WEBrick traffic. Feature added thanks to RangeForce and
	  @mttaggart.
	* NetworkHost.cs: Added lock to all code using ExtraDetailsList to avoid
	  "collection modified" exceptions.
	* MeterpreterPacket.cs: Meterpreter payloads from common LPORT values for
	  reverse_tcp like 4444 are now extracted to disk as DLL files.
	* LinuxCookedCapture2.cs: Added support for SLL2 / Linux cooked capture v2 frames.
	* TlsRecordPacket.cs: Fixed bug in JA3 Signature when client supports more than one
	  EC point format.
	* TlsRecordPacketHandler.cs: Added botnet JA3 hashes from Abuse.ch
	* TlsRecordPacketHandler.cs: Added botnet SSL x509 cert hashes from Abuse.ch
	* DnsPacketHandler.cs: Extraction of DNSBL lookup info to Parameters tab and Host details
	* SmtpPacketHandler.cs: Improved extraction of SMTP credentials
	* TlsRecordPacket.cs: Faster parsing of TLS encrypted traffic
	* HttpPacketHandler.cs: Added support for HTTP CONNECT request method to parse proxied
	  traffic.
	* NetworkMinerForm.cs: NetworkMiner's GUI no longer reloads between each PCAP file when
	  multiple files are loaded at once.

NetworkMiner 2.7.2
    * FtpPacket.cs: Added support for additional FTP commands, such as AUTH.
	* EtlParser.cs: NetworkMiner now supports reading of ETL files created with
	  "netsh trace start" and "pktmon start --capture"! This feature is only
	  available in Windows though, since we're relying on Windows specific API calls for
	  parsing ETL files.
	* Erspan.cs: Added support for ERSPAN. Thanks to Markus Schewe for the feature request!
	* NetworkMinerForm.cs: Parameters tab now has a context menu entry for
	  "Submit value to CyberChef", which sends the parameter value to
	  https://gchq.github.io/CyberChef/

NetworkMiner 2.7.1
	* PacketHandler.cs: Fixed bug related to live sniffing. Thanks to Jeff Rivett for
	  reporting the issue!

NetworkMiner 2.7
    * WinPCapWrapper.cs: Changed int pointers to 64 bit values in order to handle WinPcap
	  and npcap drivers correctly.
	  Thanks to Jeff Rivett for reporting the issue!

	* Smb2PacketHandler.cs: Added requested SMB2 filename info from SMB2 Create Requests
	  and error messages from negative SMB2 responses to Parameters tab.

	* Smb2Packet.cs: Better extraction of SMB2 file transfers by extracting End-of-File
	  values from Smb2CreateResponse.

	* LpdPacket.cs: Added support for Line Printer Daemon Protocol (RFC1179).
	  Thanks to Hayo Brouwer (of Ricoh) for helping out with capture files!

	* NetworkTcpSession.cs: Modified TCP Keepalive handling to support protocols
	  that transmit 1 byte TCP payloads containing a 0x00 byte (like LPD).

	* TcpPacket.cs: Changed GetSubPackets function to allow application layer packets
	  with only one byte of L7 data to be returned.

	* SatoriTcpOsFingerprinter.cs: Improved performance by indexing fingerprints based
	  on TCP flags.

	* HttpPacketHandler.cs: Generic extraction of files sent with HTTP POST, including
	  WAP.MMS messages. More files are now extracted from HTTP POST uploads.

	* DnsPacket.cs: Added extraction of TXT records to DNS tab

	* DnsPacket.cs: Added extraction of SRV records to DNS tab

	* NetworkMinerForm.cs: Double-clicking on a file now opens up the file details window

	* ExtractedFileDetailsForm.cs: Added hex viewer to file details window

	* FileStreamAssembler.cs: The file extension is now identified based on the contents
	  of the file's header (fewer "octet-stream" files, more ".exe" and ".zip" etc.)

	* NetworkMinerForm.cs: Added warning message when trying to open/run an executable
	  file with right-click -> "Open file"

	* TlsRecordPacket.cs: Extraction of JA3S hashes from TLS Server Hello packets to
	  Parameters tab and Host Details

	* PcapParser.cs: Added support for nanosecond PCAP files


NetworkMiner 2.6

   * KerberosPacketHandler.cs: Better extraction of Salt from Kerberos ERROR packets.

   * NtlmSspPacketHandler.cs: Added John-the-Ripper formated extraction of LanMan, NTLMv1
     and NTLMv2 challenge/response hashes
     LanMan example: $LM$A9C604D244C4E99D
     NTLMv1 example: $NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233
     NTLMv2 example: $NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000
     - LM (hashcat "-m 3000")
     - NETNTLM (hashcat "-m 5500")
     - NETNTLMv2 (hashcat "-m 5600")

   * HttpPakcetHandler.cs: Improved extraction of json data sent in HTTP(2) POST requests.
     Now with support for Content-Encoding: gzip

   * Ethernet2Packet.cs: added support for Transparent Ethernet decapsulation for GRE tunnels

   * PcapParser.cs: Added support for Fritzbox captures (PCAP_MODIFIED_MAGIC = 0xa1b2cd34).
     Thanks to Jan Hesse for the feature request:
	 https://twitter.com/clientjs/status/1255112064210743296

   * MultiPart.cs: Improved parsing of quotes in email headers.
     Thanks to Mandy van Oosterhout for reporting the bug!

   * ImapPacketHandler.cs: Ignoring FETCH results for partial emails (from BODY.PEEK) except
     when email headers are sent.

   * MessageEventArgs.cs: Increased max Subject length from 50 to 100 characters

   * FtpPacket.cs: Support for Extended Passive Mode (EPSV) in FTP

   * SystemHelper.cs: Added workaround for bug introduced with Mono 6 that would otherwise
     prevent opening files, folders and websites in external tools under Linux/OSX.
	 https://github.com/mono/mono/issues/17204
	 https://github.com/dotnet/runtime/issues/28005
     https://github.com/dotnet/runtime/issues/23877

   * PacketHandler.cs: ExtractMultipartFormData() was modified to save MIME multipart chunks
     to disk when the data is truncated in Parameters tab due to being too large (>250 bytes).

   * HttpPacketHandler.cs: The hostname is extracted from the HTTP header "Onion-Location"
     to show onion domains of hosts in the Hosts tab.

   * NetworkMinerForm.cs: The Messages tab filter now also performs keyword matching against
     attachment filenames.

   * SipPacketHandler.cs: SIP chat messages [RFC3428] are extracted to the "Messages" tab.
     Audio extraction of VoIP calls is still a feature that is exclusively available only
	 in NetworkMiner Professional though.

   * HttpPacketHandler.cs and Http2PacketHandler.cs: The HTTP header "Accept-Language" and
     HTTP/2 header "accept-language" are extracted to the "Hosts" tab, under "Host Details".
	 This supports forensic analysis of user language settings, as shown by Fox-IT here:
	 https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf

   * HttpPacketHandler.cs: Improved extraction of Certificate Revocation List (CRL) files.

   * NetworkMinerForm.cs: Messages tab now uses the local environment's default newline
     characters to improve readability of reassembled emails.

   * ByteConverter.cs: Newline characters are now preserved when reading Quoted Printable
	 encoded text with non-escaped newline characters.

   * MultipartPart.cs: Added RFC 822 "unfolding" to support multi-line header fields in
     emails, HTTP POSTs and other protocols using MIME encoded data.

NetworkMiner 2.5

	* NetworkCredential.cs: Improved extraction of username/password credentials from
	HTTP POST requests.

	* Added regex filtering to keyword search function in most tabs as a more powerful
	alternative to plain string matching.

	* Upgraded from .NET 4.6.1 to .NET 4.7.2
	Requires Mono 5.4 (or later) in order to run in Linux or MacOS.
	You will otherwise get a System.TypeLoadException

	* Parsing of AAAA DNS records (IPv6 addresses)

	* Parsing of HTTP/2 when SSL/TLS isn't used (use PolarProxy to generate unencrypted HTTP/2)

	* Parsing of DNS-over-HTTPS (DoH) when SSL/TLS isn't used

	* DnsPacketHandler.cs: Support for DNS packets over TCP

	* Improved NetBIOS Name Service (nbns) parsing. Details are extracted to the
	"Parameters" tab. Thanks to @CRaiterCBus for the idea:
	https://twitter.com/CRaiterCBus/status/1143963147491037186

	* Name-value parameters from JSON formatted HTTP POST requests
	(Content-Type: application/json) are extracted to the "Parameters" tab and potential
	credentials are shown on the "Credentials" tab.

	* TlsRecordPacket.cs: Added JA3 support. Client JAR3 hashes are shown in the
	parameters tab an in Hosts Details.

	* SmbPacket.cs: Improved parsing of non-unicode "Native OS" strings from
	SetupAndXResponse messages.

	* KerberosPacketHandler.cs: Extraction of Kerberos hashes from network traffic.
	The hashes are shown on the "Credentials" tab in John/hashcat format. John-the-ripper
	users must use the "jumbo" version to avoid getting this error message:
	"No password hashes loaded (see FAQ)"
	Supported Kerberos message types include:
	 - krb5pa (hashcat "-m 7500")
	 - krb5tgs (hashcat "-m 13100")
	 - krb5asrep (hashcat "-m 18200")

	 * KeywordFilterControl.cs: Email body and header search is restored again after
	 having been broken in version 2.4.

	 * CifsBrowserPacket.cs: Added parser for CIFS Browser Protocol (aka MS-BRWS)
	 in order to extract hostnames, windows versions and uptime. Thanks to @dan_gunter
	 for the idea!

	 * Email.cs: Fixed bug/crash due to invalid filename being specified in Content-Type
	 MIME header. Thanks to @chrissistrunk for reporting the issue!

	 * TcpPortProtocolFinder.cs: Added support for changes in application layer protocol
	 within a TCP session. This enables STARTTLS commands in FTP, IMAP and SMTP to activate
	 the SSL/TLS parser.

	 * ImapPacketHandler.cs: Improved extraction of emails from "FETCH" commands for
	 multiple emails and email header downloads with "UID FLAGS BODY[HEADER]".

	 * MessageEventArgs.cs: Added size column to "Messages" tab

NetworkMiner 2.4

	* Smb2PacketHandler.cs: Mixed up Source and Destination hosts for SMB reads and
	writes are corrected.

	* MacAges.cs: Added support to lookup the age of a MAC address thanks to HD Moore!
	https://twitter.com/hdmoore/status/1046563911972130819

	* NetBiosSessionService.cs: Added detection for EternalBlue exploit attempts where
	srvnet.sys is triggered to allocate a "large" nonpaged pool.
	Example PCAP files can be found here:
	https://www.malware-traffic-analysis.net/2018/10/04/index.html
	https://www.malware-traffic-analysis.net/2018/08/17/index.html
	https://packettotal.com/app/analysis?id=c8850b1fe07572c82c6fac5db5aae0c9&name=community_tags
	https://packettotal.com/app/analysis?id=8d2fdb7698c27e32e88bde809c89216f

	* SatoriTcpOsFingerprinter.cs: Added OS fingerprint signatures for Industrial control
	System (ICS) devices, like Siemens S7, ABB 800xA and Moxa. Some ICS vendors even got
	a logo as icon in the Hosts tab, others got a yellow hard hat.

	* KerberosPacket.cs: Implemented support for Kerberos v5 in order to extract usernames,
	hostnames and realms (domains) from unencrypted Kerberos requests/responses on port 88
	as well as inside HTTP auth headers and SMB security blobs.

	* TcpPortProtocolFinder.cs: Added TCP 11371 as a port for HTTP in order to extract
	GPG keys sent over the HKP protocol. Thanks to Jonas Lejon for the idea.

	* DnsRecordEventArgs.cs: Added support for parsing DNS queries/responses sent over IPv6

	* Email.cs: Added support for "Format=Flowed" attributes in emails (RFC 2646) and
	better handling of non-standard line feeds to make plaintext emails more readable.

	* MultipartPart.cs and Email.cs: Unicode MIME data is converted to ASCII, when running
	NetworkMiner using Mono (typically in Linux), in order to avoid a crash caused by
	Mono's GDIPlus implementation. Thanks to Phil Hagen for notifying us about the crash.

	* NetworkMinerForm.cs: Improved Drag-and-Drop operations to work more reliably
	also in Linux, when running NeworkMiner with Mono. Previous versions would throw
	a NullReferenceException in System.Windows.Forms.X11Dnd+TextConverter.SetData.

	* NetworkMinerForm.cs: Added links between hosts with the same MAC address in the
	network host tree view. This feature is useful to link a host's IPv6 and IPv4 IPs
	with eachother. Expand the MAC address node to see the links. Thanks to Chris Sistrunk
	for the initial idea!

NetworkMiner 2.3.2

	* Email.cs: Emails without a body (but maybe an attachment) are now also extracted
	to the Messages tab.

	* NetworkMinerForm.cs: More debug output written when starting NetworkMiner with the
	--debug, --eventlog or --filelog argument.

NetworkMiner 2.3.1

	* NetworkTcpSession.cs: Fixed ToString() NullReferenceException bug when expanding
	Incoming or Outgoing sessions in the Hosts tab. Thanks to tokyoneon for reporting
	this bug!

	* TlsRecordPacketHandler.cs: Added support for reading handshakes (typically X.509
	certificates) that are fragmented into multiple TLS records. Thanks to Peter Wu
	for reporting this bug!

	* NetworkMinerForm.cs: Setting a text size larger than 100% in Windows 7 previously
	yielded a bad layout of the GUI. This bug has been resolved in this version. Thanks
	to Chris Sistrunk for reporting it!

NetworkMiner 2.3

	* NetworkMinerForm.cs: Added detected keywords count to the Keywords tab. Thanks
	to Mats Karlsson for the feature suggestion!

	* NetworkMinerForm.cS: NetworkMiner now prevents reloading of files in the current
	case while it is busy parsing a PCAP file. Thanks to Mats Karlsson for the feature
	suggestion!

	* NetworkMinerForm.cs: The keyword list has been resized to always fit the window
	and the [Del] key can be used to remove marked keywords. Thanks to Michael Nilsson
	for reporting this bug and suggesting the new feature.

	* NetworkMinerForm.cs: Added drag-and-drop ability to case files section, so that
	a PCAP file opened with NetworkMiner can be opened with another application	or
	copied to a folder simply by dragging and dropping from the case panel.

	* FileSegmentAssembler.cs: Added ability to reassemble files when all data has been
	received, but the file handle isn't being closed. This applies in particular to SMB
	and SMB2 read and writes, such as these ones:
	https://401trg.pw/an-introduction-to-smb-for-network-security-analysts/

	* TlsPacketHandler.cs: Supported SSL/TLS versions and ALPN's are now extracted from
	the SSL handshake records and presented on the Parameters tab.

	* TlsRecordPacket.cs: Fixed bug regarding Session ID's in Client Hello messages.
	Thanks to Ahmad Nawawi for discovering this bug!

	* HttpPacket.cs: Added support for multiple Set-Cookie headers in HTTP a response.

	* SmtpPacketHandler.cs: Improved extraction of emails to Messages tab.

	* IEC_60870_5_104Packet.cs: Fixed year parsing bug in IEC-104 protocol. Years that
	can be represented now ranges from 2000 to 2099. Wireshark uses 1970 to 2069.
	Thanks to Sigurd Mytting for finding and reporting this bug!

	* ByteConverter.cs: Strings are no longer automatically terminated on null bytes
	unless they are explicitly defined as null terminated strings.

	* ModbusTcpPacket.cs: Added parser for Diagnostic option codes.

	* SipPacket.cs: Added extraction of call details (From, To and Call-ID) to the
	Parameters tab. The Pro version of NetworkMiner additionally extracts the audio.

	* SnmpPacket.cs: SNMP packets are parsed in order to extract the community string
	from SNMPv1 and SNMPv2c packets. The community strings are show on the Parameters
	and Credentials tabs. Thanks to Chris Sistrunk for suggesting this feature!

	* IPv4Packet: IPv4 packets with broken IP headers are now ignored by NetworkMiner.
	Thanks to Doug Green for discovering and reporting this bug!

	* GuiProperties.cs: Default timezone is now set to UTC rather than the local zone.

NetworkMiner 2.2

	* Upgraded to .NET framework 4.0! Requires the newer .NET framework in Windows
	  or Mono runtime 4.* in Linux/macOS.

	* GuiProperties.cs: All timestamps are shown in the "yyyy-MM-dd HH:mm:ss" format
	with time zone explicitly stated.

	* NetworkMinerForm.cs: Added Pokemon Exception Handling to all DoDragDrop calls.

	* NetworkMinerForm.cs: Fixed the count in the credential tab when checkboxes like
	  "Mask password" are used. Thanks to Sebastian Gebhard for reporting thus bug at
	  Troopers '17.

	* NetworkMinerForm.cs: Removed Invoke calls to GUI thread in order to speed up
	  parsing when there are many GUI updates.

	* NetworkMinerForm.cs: Changed to using AddRange when updating GUI to display more
	items faster, especially in Linux.

	* SatoriTcpOsFingerprinter.cs: Improved TCP handshake OS fingerprint speed.

	* OpenFlowPacket.cs: Fixed alignment for frames encapsulated in OpenFlow 1.2/1.3
	PacketIn commands. Thanks to Jeff Carrell for providing a pcapng file that could be
	used to debug this issue.

	* SmbPacket.cs: Improved parsing of chained SimpleAndProtectedGssapiNegotiation
	(SPNEGO) tokens in SMB1 and SMB2, such as NTLM SSP usernames.

	* NtlmSspPacketHandler.cs: Domain name is now displayed in Credetials tab for SMB
	authentication attempts.

	* Logger.cs: Added optional debug logging with command line arguments:
		  --debug		Logs to standard out
		  --eventlog	Logs to Application EventLog
		  --filelog		Logs to text file in IsolatedStorage
	
	* TftpPacket.cs: Added frame length check to ReadNullTerminatedString.
	Thanks to Clint Page for reporting this bug and suggesting a fix!

	* KeywordFilterControl.cs: The search function in Messages tab now searches all
	email header fields as well as the email body for the keyword provided in the filter
	field. Thanks to Marc Lindke for suggesting this feature at Troopers '17!
	
	* KeywordFilterControl.cs: Drop-down list added so user can select a specific column
	to match on unless all columns should be searched (default).

	* ReceivePcapOverTcpForm.cs: Added functionality to receive PCAP-over-IP by connecting
	to a remote netcat listener. Thanks to Niclas Hirschfeld for suggsting this feature
	at Troopers '17!

	* UpdateCheck.cs: Added update check to see if there is a new version of NetworkMiner
	available for download. The update check can be disabled by adding a --noupdatecheck
	switch to the command line when starting NetworkMiner.

NetworkMiner 2.1.2

	* PacketHandler.cs: Made OnCredentialDetected private to ensure that all credential
	detected calls are made to the AddCredential so that they can be filtered in the GUI.

	* FileStreamAssembler.cs: Partial downloads are saved in case they are downloaded
	using a range request, so that multiple individual parts can be put back together
	later on.

	* ExtractedFileDetailsForm.cs: Adjusted column width in file details window.

NetworkMiner 2.1.1	2017-01-19
	* networkminericon.ico: Higher resolution icon (256x256).

    * HttpPacket.cs: Added UTF-8 decoding of filenames in Content-Disposition header in
	accordance with RFC 6266 and RFC 5987.

	* HttpPacket.cs: Added support for multiple whitespace characters separating HTTP
	header names from values.

	* FileStreamAssemblerList.cs: Added queueing of HTTP 1.1 requests when there are
	multiple requests sent before a reply is received.

	* PacketHandler.cs: Support for assembling of HTTP GET file streams not ending at
	a TCP packet boundary.

	* NetworkMinerForm.cs: Changed order of columns in Files tab.


NetworkMiner 2.1	2017-01-02
	* Smb2Packet.cs: Added support for SMB2 Find searches with "NameInfo" format.
	Thanks to Dietrich Hasselhorn for finding this bug.

	* FileStreamAssembler.cs: Added fix to avoid long filenames (Windows only supports
	paths up to 248 characters) when the filename is derived from the Content-Disposition
	header sent by the web server. Thanks for Christian Reusch and Jasper Bongertz for
	finding and reporting this bug!

	* PacketHandler.cs: Extracted files are now timestomped so that the last write
	time of the file will be the timestamp in the PCAP when it was transfered. Thanks to
	Dietrich Hasselhorn for recommending this feature.

	* NetworkMinerForm.cs: No longer crashes if a non-existing PCAP file is provided as
	a command line argument.

	* PacketHandler.cs: Pop-up window is shown with warning if user does not have write
	permissions to the AssembledFiles directory (common problem if NetworkMiner is placed
	in the "C:\Program Files" directory).

	* NetworkMinerForm.cs: Support for reading packets from a local PacketCache service.
	For more information about PacketCache, please visit http://packetcache.com

	* NetworkMinerForm.cs: Files and images are no longer moved as a result of a drag-
	and-drop operation. Default action is always to copy the file to the target location.

	* NetworkMinerForm.cs: Images can be opened through double-clicking and the zoom
	level of images in the Images tab can be changed.

	* NetworkMinerForm.cs: Images can now be opened in their default viewer by double-
	clicking them.

	* VxlanPacket.cs: Added support for VXLAN decapsulation.

	* OpenFlowPacket.cs : Added support for OpenFlow decapsulation.

	* NetworkMinerForm.cs: HostDetails in Hosts tab now shows VLAN ID.

	* IcmpPacket.cs: Added simple ICMP parser

	* PartialFileAssembler.cs: Added support for HTTP "206 Partial Content" a.k.a
	"Range Requests" or "Byte Serving", so that partial downloads can be reassebled.

	* FileDetailsForm.cs: MD5 / SHA1 / SHA256 hashes can be calculated via the context
	menu in the "Files" tab (right-click an extracted file to get the menu).

	* SmbPacket.cs: A remake of the SMB handling in order to parse pipelined/chained
	AndX requests/responses. Thanks to Eddi Blenkers for highlighting their existance!

	* TlsRecordPacket.cs: Extraction of TLS host name extension, formally known as
	Server Name Indication (SNI) in RFC 6066.

	* TlsRecordPacketHandler.cs: Details from X.509 certificates are extracted to the
	Parameters tab, including certificate subject, issuer, hash and validity period.

	* SocksPacket.cs: Support for decapsulation of the SOCKS protocol. Can even be used
	to analyze Tor SOCKS proxy traffic to/from localhost TCP 9150.

	* Pop3Packet.cs: Added extraction of emails and attachments from unencrypted POP3
	traffic.

	* SmtpPacket.cs: Improved SMTP email extraction engine. Also added support for
	extraction of X.509 certificate when STARTTLS is used.

	* ImapPacket.cs: Implemented IMAP parser to extract credentials, emails and
	attachments from IMAP traffic. Also support for X.509 certificate extraction
	when STARTTLS is used.

	* FtpPacketHandler.cs: Support for X.509 certificate extraction when doing AUTH TLS,
	i.e. Explicit TLS or Explicit SSL.

NetworkMiner 2.0	2016-02-09
	* HttpPacketHandler.cs: The ".octet-stream" or "x-msdos-program" extensions are no
	longer appended to ".exe" files downloaded over HTTP (warning for those doing live
	malware analysis on Windows machines).

	* NetworkMinerForm.cs: GUI flickering is heavily reduced when loading PCAP files
	or doing live sniffing. This also improves the performance slightly.

	* NetworkMinerForm.cs: SMTP attachments are now showed in the Messages tab.

	* NetworkTcpSession.cs: Improved ability to handle truncated TCP sessions where
	the initial part is missing and there are TCP Keep-Alive packets. Thanks to
	Shchemelev Dmitry for reporting this bug.

	* SmtpPacketHandler.cs: Added support for extracting multiple SMTP sessions from
	a single TCP session. This feature is important in order to extract emails sent
	through a SPAM-run. Thanks to Andrew Brant (@threatresearch) for reporting this
	bug.

	* SmtpPacketHandler.cs: Improved extraction of SMTP user names sent directly with
	AUTH command like: "AUTH LOGIN aGVqaG9wcEBpbnRlcm5ldC5zZQ==".

	* SmtpPacketHandler.cs: All emails are extracted in raw format (with SMTP headers
	intact) to an .eml file.

	* NetworkMinerForm.cs: Removed tabControl1_MouseDown handler to avoid unwanted
	drag-and-drop operations.

	* IEC-104_PacketHandler.cs: Added ASDU Type ID 36 to IEC 60870-5-104 handler.

	* NetworkMinerAboutBox.cs: Added EULA text to about box.

	* PacketHandler.cs: Added OS fingerprinting of Android

	* PacketHandler.cs: Separated "Apple iOS" fingerprints from "Mac OS"

	* FtpPacket.cs: Added "OPTS" as a supported FTP command and proper parsing of
	multi-line replies.

	* NetworkMinerForm.cs: Added all-words.txt as default wordlist for Cleartext
	tab.

	* NetworkMinerForm.cs: Added extraction of favicon images from HTTP.

	* NetworkMinerForm.cs: Added alternative encodings for displaying messages in
	NetworkMiner's "Messages" tab.

	* KeywordFilterControl.cs: Added "Keyword filter" to the following tabs:
	 - Files
	 - Parameters
	 - DNS
	 - Messages
	 - Sessions
	The keyword filter allows rows to be filtered based on a keyword. The entered
	keyword is matched against all text in all columns of the tab. This new feature
	has been requested by many users in the past, so it's great to finally have it
	implemented!

	* HttpPacketHandler.cs: Previously assembled data sent in an HTTP session is
	now flushed out to disk when a new file assembler is created for Multipart MIME
	HTTP POSTs. Thanks to Shchemelev Dmitry for finding this bug.

	* PacketParser.Mime.UnbufferedReader.cs: Default encoding is now assumed to be
	UTF8 when parsing binary data as strings. This is useful for example when
	files sent with HTTP POST have unicode file names and the browser encodes the
	filename parameter value with UTF8.
	Thanks to @xredumb for finding and reporting this bug!

	* NetworkTcpSession.cs: Increased allowed level of "out-of-order" for packets.
	Every uni-directional stream now allows packets to be 256 frames "late"
	within a TcpDataStream.

	* ModbusTcpPakcet.cs: Added support for Modbus/TCP protocol, as requested by
	attendees at the 4SICS 2014 conference (4sics.se).

	* FileStreamAssembler.cs: Changed path of reassembled files from:
	"AssembledFiles/HTTP - TCP 80/<directory>/<filename>"
	into:
	"AssembledFiles/TCP-80/<directory>/<filename>"

	* HttpPacketHandler.cs: Added HTTP request methods and URI's to Parameters tab
	as well ass HTTP response status codes and headers

	* NetBiosSessionService.cs: Defaulting to RAW transport type for NetBIOS when
	source or destination port is 445. Allows for larger NetBIOS messages.

	* Smb2Packet.cs: Added parser for SMB2 protocol.

	* FtpPacketHandler.cs: Uploaded files are now reassembled under the FTP server
	host's folder.

	* DnsPacket.cs: Bug in parsing of DNS answer records when the record contains
	the queried domain name instead of am relative offset to the query-record.
	Thanks to Ulf Skoglund of FM CERT fame for reporting this bug!

	* NetBiosSessionService: Even more command types are now supported, thanks
	to feedback from Eric Kollmann.


NetworkMiner 1.6.1	2014-06-24
	* ReceivePcapOverTcpForm.cs: Removed call to Application.DoEvents() to make
	PCAP-over-IP feature more reliable.

	* NetworkMinerForm.cs: Removed calls to Application.DoEvents().

NetworkMiner 1.6	2014-06-16

	* DnsPacket.cs: Added error handling of recursive DNS Name Labels that
	contains a forever-loop pointer. Thanks to Dan Eriksson (of FM CERT fame)
	for notifying us about this bug!

	* NetworkMinerForm.cs: Removed sniffing capability from GUI when running
	NetworkMiner under Mono (in Linux for example). Users should instead use the
	PCAP-over-IP feature to perform live sniffing in Linux, OSX etc.

	* NetworkMienrForm.cs: Files and images can now be drag-and-dropped to any
	desired application or location directly from the "Files" and "Images" tabs
	in the GUI.

	* SmtpPacketHandler.cs: Improved extraction of SMTP e-mails and attachments

	* Rfc2047Parser.cs: Added simple parser for RFC 2047 encoding in order to
	properly parse strings in SMTP headers, such as subject lines and attachment
	filenames.

	* PcapFileWriter.cs: Increased file buffer size to 8MB for improved performance

	* PacketHandler.cs: Increase packet queue size to 16000 packets for live
	sniffing

	* NetworkHost.cs: Fixed OS fingerprinting mixup where Apple iOS was
	confused with Cisco IOS.

	* DnsPacket.cs: Added DNS response error messages like NXDOMAIN and
	SERVFAIL to DNS tab. Thanks to Lenny Hansson for the idea!

	* PcapOverIP: Moved PCAP-over-IP implementation from the Professional
	edition of NetworkMiner into the Free Open Source version.

	* PcapStreamReader.cs: Improved performance of backgroundStreamReader by
	making sleep durations adaptive. This has significant impact on computers
	and VM's with limited CPU resources.

NetworkMiner 1.5	2013-09-10	Erik Hjelmvik

	* ErfFrame.cs: Added support to parse pcap files containing Extensible
	Record Format (ERF) frames.

	* PointToPointOverEthernetPacket.cs: Added PPPoE protocol parser.

	* PointToPointPacket.cs: Improved PPP parser to support non-HDLC type PPP
	packets. Example: "AOLTraffic_00000_20071029163901.pcap" from pcapr.net

	* NetworkMinerForm.cs: Added feature to load keywords from text file.
	
	* FileStreamAssembler.cs: Fixed directory traversal vulnerability. Thanks
	to Alyssa Milburn for discovering and notifying us regarding this vulnerability!

	* FileStreamAssembler.cs: Improved exception handling, especially for SMTP
	Thanks to Jonas Lejon for supplying captured packets that triggered the
	exception!

	* NetworkWrapper.Utils.Security.cs: Added detection of DLL Injection.
	Thanks to Ucha Gobejishvili for reporting this vulnerability!

	* NetworkMinerForm.cs: Fixed NullReferenceException when masking credentials
	with null values. Thanks to Claus Valca for finding this bug.

	* UdpPortProtocolFinder.cs: Added parsing of LLMNR DNS queries over UDP 5355

NetworkMiner 1.4.1	2012-08-29	Erik Hjelmvik
	
	* PacketHandler.cs: Now allowing large "virtual" frames for reassembled
	TCP streams.

	* IEC-104_PacketHandler.cs: Fixed confusion about what TCP endpoint a command
	is sent from when server and client have the same IP.

NetworkMiner 1.4	2012-08-12	Erik Hjelmvik

	* DhcpPacketHandler.cs: DHCP option data is now extracted to the parameters
	tab. Thanks to Paul Cockayne for the idea.

	* IPv4Packet.cs: Fragmented IPv4 packets are now properly reassembled to
	full IP packets with payload.

	* IEC_60870-5-104Packet.cs: Implemented the SCADA protocol IEC 60870-5-104.
	Thanks to Aivar Liimets from Martem for his great support on this one!

	* PacketHandler.cs: Added proper timestamps to detected anomaly events and
	improved ARP poisoning reporting to anomalies tab.

	* NetworkMinerForm.cs: Verification of file extention is completely removed.
	Files with any extention can now be loaded, as long as they are valid
	libpcap files.

	* NetworkMinerForm.cs: Added "Clear GUI" button to Tools menu.

	* NetworkMinerForm.cs: Added option to show/hide cookies, NTLM challenge-
	responses as well as the ability to mask passwords in credentials tab.
	
NetworkMiner 1.3	2012-04-12	Erik Hjelmvik

	* NullLoopbackPacket.cs: Added support for the Null / Loopback link layer
	packets used when sniffing localhost on BSD operating systems.

	* NetworkTcpSession.cs: Modified getter for FinPacketReceived to solve the
	bug found by TCB13.

	* HttpPacket.cs: Added extraction of usernames from Digest Authorization
	such as those found in web_recon.pcap in:
	http://uscc.cyberquests.org/february2012.php

	* HttpPacketHandler.cs: Added HTTP headers to Parameters tab.

	* HttpPacketHandler.cs: Added HTTP X headers, such as x-up-calling-line-id
	and HTTP_X_UP_CALLING_LINE_ID, to host details under ExtraDetails.

	* NetworkMinerForm.cs: Added support to load .raw files as pcap files, such
	as those generated from Sguil. Thanks to Doug Burks for the idea!

	* NetworkMinerForm.cs: Disabled nag-dialogue-box about WinPcap not being
	installed on startup since NetworkMiner is primarily designed to be a pcap
	parser rather than a sniffer.

	* StringManglerUtil.cs: Added support to handle null strings in
	GetExtension function.

	* MultiPart.cs: Added exception handler to ReadHeaderAttributes function
	to avoid exceptions from negative length Substring calls.

	* NetworkMinerForm.cs: Added the option of selecting a different cleartext
	database file in the "Cleartext" tab. This feature can be used in order to
	for example look for text in a specific language.
	
	* IPv4Packet.cs: Error handling of IP packets with fragment offset > 0.
	Thanks to Aivar Liimets for finding this bug.

NetworkMiner 1.2	2011-11-19	Erik Hjelmvik

	* Updated directory separators to be platform independent. This means that
	NetworkMiner can now be run on Linux, Mac etc. with Mono:
	http://www.mono-project.com/
	
	* PcapStreamReader.cs: Updated exception handling to cope more nicely with
	end-of-stream issues, such as PCAP files cut in the middle of a frame.
	Thanks to James Lay for identifying this bug.

	* SmtpPacketHandler.cs: Added exception handler to fileData.AddRange() call

	* PartBuilder.cs: Added support for extracting data from non-multipart data

	* HttpPacketHandler.cs: Added support for extracting emails from AOL webmail
	as in here: http://forensicscontest.com/2011/10/11/puzzle-10-the-l33t-pill

	* GrePacket.cs: Added GRE protocol implementation.

	* PacketHandler.cs: Added code to extract messages from unencrypted
	SquirrelMail webmail, comments on Wordpress and comments on Blogspot.

	* NetworkCredential.cs: Unencrypted login credentials to SquirrelMail
	webmail are now extracted to the credentials tab.

	* HttpPacketHandler.cs: Updated "Details" column in "Files" tab to display
	[http.host][http.request.uri] insted of just [http.request.uri].

NetworkMiner 1.1	2011-09-15	Erik Hjelmvik

	* NetworkMinerForm.cs: Fixed so that one or multiple pcap files can be
	loaded on startup by drag-n-droping them onto NetworkMiner.exe. Same thing
	goes for when providing pcap files as command line arguments.

	* PacketHandler.cs:
		- Fixed concurrency issues by locking the correct queue object. Thanks to
		  psteier for being first to find and solve this bug!
		- Added new PacketHandler for NetBiosSessionService

	* PointToPointPacket.cs: Added support for PPP frames in pcap files, such
	as this one: http://www.pcapr.net/view/tyson.key/2009/8/2/13/Social_Networks_and_RSS_00005_20090929212859.html

	* SmbCommandPacketHander.cs: Added FileID to assembler's ExtendedFileId in
	order to support multiple simultaneous SMB file transfers over the same TCP
	session. Thanks to I S for reporting this bug!

	* NetBiosSessionService.cs: Implemented interface ISessionPacket and added
	support for the NetBios Session Service session keep-alive message

	* WinPCapNative.cs: Changed CallingConvention to Cdecl

	* PcapFileReader.cs: Added a more generic base class "PcapStreamReader" that
	PcapFileReader extends to parse a FileStream rather than an IO-stream.

	* HttpPacketHandler.cs: Added support to extract data submitted to Google
	Analytics into "Host Details". This includes attributes like:
	 - Screen resolution
	 - Color depth
	 - Browser language
	 - Flash version


NetworkMiner 1.0	2011-02-05	Erik Hjelmvik

	* FileStreamAssembler.cs: Implemented support to avoid reserved file and folder
	names such as COM2, LPT1 and CON for files extracted to disk.

	* SmtpPacket.cs: Extended the protocol parser to handle multiple requests and
	responses in a single SMTP packet.
	
	* TlsRecordPacketHandler.cs: Improved parsing of SSL/TLS traffic to use the
	underlying TCP stream properly in order to handle TLS record breakes on
	non-even TCP packet boundaries.

	* TcpPortProtocolFinder.cs: Added more default TCP service ports: 8021=FTP,
	5223+8170+8443+9001+9030=SSL

	* Converted Visual Studio project to Visual C# 2010 format, .NET framework
	is still let back in 2.0 so that NetworkMiner will be able to run on as
	many machines as possible.

	* Improved TCP reassembly to support out-of-order TCP segments that are
	paritally overlapping.

	* NetworkTcpSession.cs: Modiefied FinPacketReceived to require a FIN in each
	direction in order for the session to be closed.
	
	* FtpPacketHandler.cs: File sizes are extracted from the FTP control session
	and stored to the file stream assembler object for better file size precision.

	* PacketFactory.cs: Added support for Per-Packet Information header
	(WTAP_ENCAP_PPI) as used by Kismet and sometimes Wireshark WiFi sniffing.

	* PacketHandler.cs: Added extraction of Facebook as well as Twitter messages
	into the message tab. Added support to extract emails sent with Microsoft
	Hotmail (I.e. Windows Live) into Messages tab.

	* NetworkCredential.cs:
		- Added extraction of twitter passwords from when settings are changed.
		Facebook user account names are also extracted (but not Facebook
		passwords).
		- Added extraction of gmailchat parameter from cookies in order to
		identify users through their Google account logins.

	* MacCollection.cs: Fixed bug with incorrect NIC vendor extraction. Also
	added support for the original IEEE OUI file format as used in:
	http://standards.ieee.org/regauth/oui/oui.txt

	* SyslogPacket.cs: Added protocol parser for Syslog. Syslog messages are
	displayed on the Parameter tab.

NetworkMiner 0.92	2010-05-27	Erik Hjelmvik

	* ChangeLog: Added this ChangeLog file to the project. I also added some info
	about the previous two releases.
	
	* NetworkMinerForm.cs: Added Extension column to files list
	
	* NetworkCredential.cs: Added support to extract login credentials from the
	AfterLogic AJAX based webmail service.
	
	* NetworkTcpSession.cs: Improved server detection when the TCP 3-way
	handshake is missing in a TCP session by looking at TCP port numbers for known
	protocols.


NetworkMiner 0.91	2009-11-22	Erik Hjelmvik

	* SmtpPacketHandler.cs: Fixed bug where full TCP content length was returned
	instead of 0 when other protocols than SMTP were parsed. This caused
	NetworkMiner to fail when reassembling layer 7 protocol headers that were
	segmented in multiple TCP packets.

	* PacketHandler.cs: Added ability to extract messages from web-based e-mail
	and chat services, such as Gmail, Gmail chat, Yahoo e-mail, MS Exchange webmail


NetworkMiner 0.90	2009-11-09	Erik Hjelmvik

	* SmtpPacket.cs: Added SMTP parser. The main reason was to compete in the
	Network Forensics Puzzle Contest at http://forensicscontest.com/
	
	* NetworkMinerForm.cs: Added the "Messages" tab in the GUI. Emails and chat
	messages are displayed on this tab.