Network Session Analyzer (NeSA) is a network forensics tool for analysing and recovering data from network packet dumps. NeSA can capture and store packets in the standard pcap format. It can also analyse packet dumps generated by third-party tools in the pcap format. Using NeSA, TCP/IP sessions can be recreated, and the files contained in those sessions can be recreated. Presently NeSA supports the HTTP, SMTP, POP3 and FTP application layer protocols. It is easy to recover mails and web pages using NeSA. NeSA also supports a regular expression based search facility at the packet level as well as the session level. Multiple search terms can be supplied at the same time. Another main feature is filtering. Filtering too can be performed at the packet level as well as at the TCP/IP session level. TCP/IP sessions can be filtered based on date, time, IP, MAC, port and different logical combinations of all of these. NeSA’s packet level analyser gives a very detailed dissected view of each packet. It also has different statistics views, a mail viewer, thumbnail viewer, hex viewer, file viewer, packet and file exporting, whois lookup and many more. NeSA works on Windows 2000 and above.

The filtering system in this tool makes the analysis easier. To help novice
users, an easy filter expression building facility is added. Time zone based analysis
is incorporated into NeSA to make it capable of analysing dumps collected from different
time zones. Rebuilt files can be exported for future reference. It has a good hex
viewer which also indicates the data communication direction using different colours.
The mail viewer gives very detailed information about the mails sent. The file viewer
gives a detailed list of files available in the session and the thumbnail viewer
shows the thumbnails in the session. Multiple sessions can be selected and viewed
at a time. Regular expression based search is available to locate the evidence and
evidence-related items. The analysis state of a file can be saved and the analysis
can be resumed from that point at a later time.

Network Session Analyzer: Now Available