Difference between revisions of "Tcpflow"
From Forensics Wiki
Older revision: (New page: {{Infobox_Software | name = tcpflow | maintainer = Jeremy Elson | os = {{Linux}} | genre = Network forensics | license = {{GPL}} | website = [http://www.circlemud.org/~jelson/s...)
Newer revision: m (Vulnerabilities)

Line 18:
  == Limitations ==
- tcpflow does not understand IP fragments.
+ * tcpflow does not understand IP fragments;
+ * tcpflow does not understand 802.11 headers.
+
+ == Vulnerabilities ==
+
+ * tcpflow uses sequence numbers for resizing files, so a reconstruction of the sessions may create 600 megabyte files more or less empty.
  [[Category:Network Forensics]]
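Review bot: the new Vulnerabilities bullet leaves the mechanism unclear; "uses sequence numbers for resizing files" should spell out what sequence numbers have to do with output file size (what is being resized, and why a session reconstruction ends up large), and "600 megabyte files more or less empty" reads better as "mostly empty files of around 600 megabytes". Also, after this change the first Limitations bullet ends with ";" while the second ends with "."; pick one terminator for the list.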
Revision as of 14:41, 13 September 2008
| tcpflow | |
|---|---|
| Maintainer: | Jeremy Elson |
| OS: | Linux |
| Genre: | Network forensics |
| License: | GPL |
| Website: | www.circlemud.org/~jelson/software/tcpflow/ |
tcpflow is a tool that captures data transmitted as part of TCP connections, and stores the data in a way that is convenient for protocol analysis, keyword searching, etc.
Overview
tcpflow stores all captured data in files that have names of the form

    128.129.130.131.02345-010.011.012.013.45103

where the contents of the above file would be data transmitted from host 128.129.130.131 port 2345 to host 10.11.12.13 port 45103.
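The naming scheme above is regular enough to parse mechanically, which is what an analyst needs when a capture produces hundreds of output files. The following Python is an added example written for this page (it is not part of tcpflow, and the function names, the Flow type and the sample file names are constructed here): it parses a tcpflow file name into its endpoints, rebuilds the name from a 4-tuple, rejects names that look right but carry impossible octets or ports, and pairs the two directions of a connection into one session.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# tcpflow names an output file <src>-<dst>, where each side is four
# zero-padded three-digit octets followed by a zero-padded five-digit port:
#   128.129.130.131.02345-010.011.012.013.45103
_ENDPOINT = r"(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})\.(\d{5})"
_FLOW_RE = re.compile(rf"^{_ENDPOINT}-{_ENDPOINT}$")


class Flow(NamedTuple):
    """One direction of a TCP connection, as described by a tcpflow file name."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The opposite direction of the same connection."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def parse_flow_name(name: str) -> Optional[Flow]:
    """Parse a tcpflow file name; return None if it is not one or is malformed."""
    m = _FLOW_RE.match(name)
    if not m:
        return None
    g = m.groups()
    octets = g[0:4] + g[5:9]
    # The regex only checks digit counts; reject out-of-range octets and ports.
    if any(int(o) > 255 for o in octets):
        return None
    src_port, dst_port = int(g[4]), int(g[9])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        return None
    src = ".".join(str(int(o)) for o in g[0:4])   # strip the zero padding
    dst = ".".join(str(int(o)) for o in g[5:9])
    return Flow(src, src_port, dst, dst_port)


def flow_name(flow: Flow) -> str:
    """Inverse of parse_flow_name: the file name tcpflow would use for this flow."""
    def endpoint(ip: str, port: int) -> str:
        return ".".join(f"{int(o):03d}" for o in ip.split(".")) + f".{port:05d}"
    return f"{endpoint(flow.src_ip, flow.src_port)}-{endpoint(flow.dst_ip, flow.dst_port)}"


def pair_sessions(names: Iterable[str]) -> List[Tuple[str, Optional[str]]]:
    """Group a directory listing of tcpflow files into bidirectional sessions.

    Each result is (file for one direction, file for the reverse direction or
    None if only one side was captured). Non-tcpflow names are ignored.
    """
    flows = {}
    for n in names:
        f = parse_flow_name(n)
        if f is not None:
            flows[f] = n
    sessions: List[Tuple[str, Optional[str]]] = []
    seen = set()
    for f, n in flows.items():
        if f in seen:
            continue
        r = f.reverse()
        seen.update((f, r))
        sessions.append((n, flows.get(r)))
    return sessions


if __name__ == "__main__":
    # Constructed sample listing, not a real capture.
    listing = [
        "010.000.000.001.51000-010.000.000.002.00080",
        "010.000.000.002.00080-010.000.000.001.51000",
        "010.000.000.001.51001-010.000.000.003.00443",
        "README",
    ]
    for a, b in pair_sessions(listing):
        print(parse_flow_name(a), "<->", b)
```

Pairing by reversing the 4-tuple is enough here because tcpflow writes one file per direction; a listing with only one side of a session usually means the other direction carried no payload or was not captured.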
Limitations
- tcpflow does not understand IP fragments;
- tcpflow does not understand 802.11 headers.
Vulnerabilities
- tcpflow uses TCP sequence numbers to decide the size of its output files, so reconstructing a session may produce files of around 600 megabytes that are mostly empty.
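To see why sequence-number-driven file sizing leads to huge, mostly empty files, and what a defensive reassembler or a triage script can do about it, here is an added Python model written for this page. It is not tcpflow's code: it assumes (as a simplifying model) that each segment's payload is placed at the byte offset given by its sequence number relative to the first data byte, modulo 2^32, so any jump in sequence numbers becomes an unfilled hole in the file. The `max_gap` cap and the `sparse_ratio` triage helper are additions of this example, and the segments are constructed sample data.

```python
import os
from typing import Dict, Iterable, List, Optional, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_offset(base_seq: int, seq: int) -> int:
    """Byte offset of a segment relative to the first data byte, modulo 2^32."""
    return (seq - base_seq) % SEQ_MOD


def reconstruct(base_seq: int, segments: Iterable[Tuple[int, bytes]],
                max_gap: Optional[int] = None):
    """Simplified model of sequence-number-based placement (assumed, not tcpflow's code).

    Returns (placed, apparent_size, dropped):
      placed        offset -> payload for every accepted segment
      apparent_size highest offset + payload length, i.e. the file size the
                    holes would inflate it to
      dropped       (seq, reason) for segments rejected by the max_gap cap
    With max_gap=None a single segment whose sequence number jumps far ahead
    grows the file by that whole distance; with a cap it is rejected instead.
    """
    placed: Dict[int, bytes] = {}
    size = 0
    dropped: List[Tuple[int, str]] = []
    for seq, payload in segments:
        off = seq_offset(base_seq, seq)
        if max_gap is not None and off > size + max_gap:
            dropped.append((seq, f"offset {off} is more than {max_gap} bytes past the data"))
            continue
        placed[off] = payload
        size = max(size, off + len(payload))
    return placed, size, dropped


def sparse_bytes(placed: Dict[int, bytes], apparent_size: int) -> int:
    """Bytes of the apparent size not covered by any payload (the 'empty' part).

    Assumes accepted segments do not overlap, which holds for the sample below.
    """
    covered = sum(len(p) for p in placed.values())
    return apparent_size - covered


def sparse_ratio(path: str) -> float:
    """Triage helper for a directory of real output files (Linux/POSIX).

    Fraction of the apparent size that has no blocks allocated; values near 1.0
    mean a file that is almost entirely holes. st_blocks is in 512-byte units.
    """
    st = os.stat(path)
    if st.st_size == 0:
        return 0.0
    allocated = min(st.st_blocks * 512, st.st_size)
    return 1.0 - allocated / st.st_size


MB = 1024 * 1024
# Constructed sample: two small segments, then one whose sequence number
# jumps 600 MB ahead of the data seen so far.
SAMPLE_BASE_SEQ = 5000
SAMPLE_SEGMENTS = [
    (5000, b"GET / HTTP/1.0\r\n"),
    (5016, b"Host: example\r\n"),
    (5000 + 600 * MB, b"\r\n"),
]


def demo(max_gap: Optional[int]) -> Tuple[int, int, int]:
    """(apparent size, sparse bytes, dropped segments) for the sample under a given cap."""
    placed, size, dropped = reconstruct(SAMPLE_BASE_SEQ, SAMPLE_SEGMENTS, max_gap)
    return size, sparse_bytes(placed, size), len(dropped)


if __name__ == "__main__":
    print("uncapped:", demo(None))          # ~600 MB apparent size, almost all holes
    print("capped at 16 MB:", demo(16 * MB))  # 31 bytes, no holes, 1 segment dropped
```

The cap turns an unbounded disk-space problem into a logged, bounded one; the triage helper catches files that already exist, since a sparse file reports its full apparent size to `ls` while allocating almost nothing.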