Tcpflow

From ForensicsWiki
Revision as of 15:41, 13 September 2008 by .FUF (Talk | contribs)

tcpflow
Maintainer: Jeremy Elson
OS: Linux
Genre: Network forensics
License: GPL
Website: www.circlemud.org/~jelson/software/tcpflow/

tcpflow is a tool that captures data transmitted as part of TCP connections, and stores the data in a way that is convenient for protocol analysis, keyword searching, etc.

Overview

tcpflow stores all captured data in files that have names of the form

128.129.130.131.02345-010.011.012.013.45103

where the contents of the above file would be the data transmitted from host 128.129.130.131 port 2345 to host 10.11.12.13 port 45103 (each IP octet is zero-padded to three digits and each port to five digits in the filename).
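The naming scheme above is easy to work with programmatically. The following is an added example (not part of tcpflow itself) that parses a flow filename back into its endpoints, rebuilds the name from endpoints, and pairs the two direction files of each connection; it assumes only the pattern shown above.

```python
import re
from collections import defaultdict

# tcpflow names each unidirectional flow as
#   SRC_IP(zero-padded octets).SRC_PORT(5 digits)-DST_IP(zero-padded).DST_PORT
FLOW_RE = re.compile(
    r"^(?P<sip>\d{3}\.\d{3}\.\d{3}\.\d{3})\.(?P<sport>\d{5})"
    r"-(?P<dip>\d{3}\.\d{3}\.\d{3}\.\d{3})\.(?P<dport>\d{5})$"
)


def parse_flow_name(name):
    """Return (src_ip, src_port, dst_ip, dst_port) with zero padding removed,
    or None if the name does not look like a tcpflow output file."""
    m = FLOW_RE.match(name)
    if not m:
        return None

    def ip(s):
        octets = [int(o) for o in s.split(".")]
        if any(o > 255 for o in octets):
            raise ValueError("octet out of range in %s" % name)
        return ".".join(str(o) for o in octets)

    sport, dport = int(m["sport"]), int(m["dport"])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range in %s" % name)
    return ip(m["sip"]), sport, ip(m["dip"]), dport


def flow_name(src_ip, src_port, dst_ip, dst_port):
    """Build the tcpflow filename for one direction of a connection."""
    pad = lambda ip: ".".join("%03d" % int(o) for o in ip.split("."))
    return "%s.%05d-%s.%05d" % (pad(src_ip), src_port, pad(dst_ip), dst_port)


def group_sessions(names):
    """Group flow files by connection so both directions land together.
    The key is the sorted endpoint pair; the value maps each direction
    (src_ip, src_port, dst_ip, dst_port) to its filename. Non-flow names
    (e.g. tcpflow's own reports) are skipped."""
    sessions = defaultdict(dict)
    for n in names:
        parsed = parse_flow_name(n)
        if parsed is None:
            continue
        sip, sport, dip, dport = parsed
        key = tuple(sorted([(sip, sport), (dip, dport)]))
        sessions[key][(sip, sport, dip, dport)] = n
    return dict(sessions)
```

Pointing `group_sessions` at `os.listdir()` of a tcpflow output directory gives one entry per TCP connection, with each direction's file ready for protocol analysis.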

Limitations

  • tcpflow does not understand IP fragments;
  • tcpflow does not understand 802.11 headers.

Vulnerabilities

  • tcpflow uses TCP sequence numbers to decide where each segment's data is written in the output file, so reconstructing a session whose sequence numbers jump by a large amount may create 600 megabyte files that are more or less empty.