Network forensics is a developing network security models that focused on the capture, recording, and analysis of network traffic, for the purposes of investigation. One of the problems in the Network forensics is the quantity or volume of data problems. Winnowing Multi hashing method can be used to conduct an investigation of attacks on the network forensic analysis. Value of Fingerprint is generated on Winnowing method Multi hashing (WMH), can be used as a marker of an attack that was captured by the Intrusion Detection System (IDS). WMH is a method that only takes excerpt of a payload. With this algorithm, the payload volume will be much more efficient because it only stores the fingerprint alone. This research is focused on the calculation of the efficiency of the storage medium and the optimum point combination fingerprint length, degree of similarity and storage media.