Difference between pages "Tcpflow" and "Thumbnails"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Distributions)
 
(New page: '''Thumbnails''' are reduced-size versions of pictures, serving the same role for images as a normal text index does for words. == Windows == See Thumbs.db. == Windows Vista...)
 
Line 1: Line 1:
{{Infobox_Software |
+
'''Thumbnails''' are reduced-size versions of pictures, serving the same role for images as a normal text index does for words.
  name = tcpflow |
+
  maintainer = Simson Garfinkel |
+
  os = {{Linux}} |
+
  genre = Network forensics |
+
  license = {{GPL}} |
+
  website = https://github.com/simsong/tcpflow |
+
}}
+
  
'''tcpflow''' is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored ‘tcpdump’ packet flows.
+
== [[Windows]] ==
  
tcpflow is similar to ‘tcpdump’, in that both process packets from the wire or from a stored file. But it’s different in that it reconstructs the actual data streams and stores each flow in a separate file for later analysis.
+
See [[Thumbs.db]].
  
tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.
+
== [[Windows]] Vista ==
  
Jeremy Elson developed the first version of tcpflow in 1999 but stopped maintaining it in 2003. In 2006 Simson Garfinkel took over maintenance of the program and added:
+
[[Thumbs.db]] no longer exists in Vista. This data has been moved to ''User Profile/Application Data/Microsoft Internet Explorer/Thumbscache32, 96 and 128'
 +
''
 +
== KDE & GNOME ==
  
* support for VLANs
+
KDE and GNOME are popular desktop environments for [[Linux]] and [[UNIX]] platforms. They are storing thumbnails in ''~/.thumbnails''.
* support for IPv6
+
* [[DFXML]] output of the connections in a '''report.xml''' file.
+
* Improved performance through the use of the C++ STL classes.
+
* Support for continuous operation (tcpflow now purges out old flows).
+
* Variable Filename specifications.
+
* A plug-in architecture.
+
 
+
tcpflow is based on the LBL Packet Capture Library (available from LBL) and therefore supports the same rich filtering expressions that programs like ‘tcpdump’ support. It should compile under most popular versions of UNIX; see the INSTALL file for details.
+
tcpflow stores all captured data in files that have names of the form:
+
    128.129.130.131.02345-010.011.012.013.45103[VLAN]
+
where the contents of the above file would be data transmitted from host 128.129.131.131 port 2345, to host 10.11.12.13 port 45103. VLAN information, if provided is stored in brackets.
+
 
+
== Overview ==
+
 
+
tcpflow stores all captured data in files that have names of the form
+
: 128.129.130.131.02345-010.011.012.013.45103
+
where the contents of the above file would be data transmitted from host ''128.129.131.131'' port ''2345'', to host ''10.11.12.13'' port ''45103''.
+
 
+
== Limitations ==
+
 
+
* tcpflow does not understand IP fragments;
+
* tcpflow does not understand 802.11 headers.
+
 
+
== Distributions==
+
* Packages for [http://kaneda.bohater.net/slackware/packages/ Slackware] contributed by [http://kaneda.bohater.net Kanedaaa]
+
* [http://packages.debian.org/testing/tcpflow Debian package] by [[Robert McQueen]]
+
* [https://admin.fedoraproject.org/pkgdb/acls/name/tcpflow Fedora Package] by [http://koji.fedoraproject.org/koji/userinfo?userID=278 Terje Røsten]
+
* [ftp://ftp5.freebsd.org/pub/FreeBSD/branches/-current/ports/net/tcpflow FreeBSD Port] by [[Jose M. Alcaide]]
+
* [http://www.openbsd.org/ports.html OpenBSD Package] (it’s in there somewhere)
+
* [ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/tcpflow-0.12-sol8-sparc-local.gz Solaris 8 SPARC Binary] for v0.12 from [http://www.sunfreeware.com SunFreeware.com]
+
* [http://www.entropy.ch/software/macosx/#tcpflow Mac OS X package] by [[Marc Liyanage]]
+
 
+
 
+
 
+
[[Category:Network Forensics]]
+

Revision as of 15:22, 4 August 2008

Thumbnails are reduced-size versions of pictures, serving the same role for images as a normal text index does for words.

Windows

See Thumbs.db.

Windows Vista

Thumbs.db no longer exists in Vista. This data has been moved to User Profile/Application Data/Microsoft Internet Explorer/Thumbscache32, 96 and 128'

KDE & GNOME

KDE and GNOME are popular desktop environments for Linux and UNIX platforms. They are storing thumbnails in ~/.thumbnails.