Difference between revisions of "Tcpflow"

From Forensics Wiki

Revision as of 14:41, 13 September 2008

tcpflow
Maintainer: Jeremy Elson
OS: Linux
Genre: Network forensics
License: GPL
Website: www.circlemud.org/~jelson/software/tcpflow/

tcpflow is a tool that captures data transmitted as part of TCP connections, and stores the data in a way that is convenient for protocol analysis, keyword searching, etc.

Overview

tcpflow stores all captured data in files that have names of the form

128.129.130.131.02345-010.011.012.013.45103

where that file holds the data sent from host 128.129.130.131, port 2345, to host 10.11.12.13, port 45103. Each IPv4 octet is zero-padded to three digits and each port to five digits, so file names line up and sort consistently. Data flowing in the opposite direction of the same connection is written to a separate file whose name has the two endpoints the other way round.
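The following is an added example, not code from tcpflow or the Forensics Wiki: a small Python parser for the file-name format described above. It turns a name back into its four endpoint fields, rebuilds the zero-padded name, and groups the two direction files of one connection together. It assumes plain IPv4 names exactly as shown on this page (no extra suffix after the destination port).

```python
import re
from dataclasses import dataclass

# tcpflow names each output file after the flow it holds, zero-padding IPv4
# octets to three digits and ports to five, e.g.
#   128.129.130.131.02345-010.011.012.013.45103
# Assumption (added example, not tcpflow's own code): plain IPv4 names only,
# with no suffix after the destination port.
_FLOW_NAME_RE = re.compile(
    r"^(?P<src_ip>\d{3}(?:\.\d{3}){3})\.(?P<src_port>\d{5})"
    r"-(?P<dst_ip>\d{3}(?:\.\d{3}){3})\.(?P<dst_port>\d{5})$"
)


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection, as recorded in a tcpflow file name."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The opposite direction of the same connection (a separate file)."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)

    def filename(self) -> str:
        """Rebuild the zero-padded tcpflow file name for this direction."""
        return "%s.%05d-%s.%05d" % (
            _pad_ip(self.src_ip), self.src_port,
            _pad_ip(self.dst_ip), self.dst_port)

    def conversation(self) -> tuple:
        """Direction-independent key shared by both files of one connection."""
        a = (self.src_ip, self.src_port)
        b = (self.dst_ip, self.dst_port)
        return (a, b) if a <= b else (b, a)


def _unpad_ip(padded: str) -> str:
    """'010.011.012.013' -> '10.11.12.13', rejecting octets above 255."""
    octets = [int(o) for o in padded.split(".")]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % padded)
    return ".".join(str(o) for o in octets)


def _pad_ip(ip: str) -> str:
    """'10.11.12.13' -> '010.011.012.013'."""
    return ".".join("%03d" % int(o) for o in ip.split("."))


def _port(text: str) -> int:
    port = int(text)
    if port > 65535:
        raise ValueError("port out of range: %s" % text)
    return port


def parse_flow_name(name: str) -> Flow:
    """Parse a tcpflow file name; raises ValueError for anything else."""
    m = _FLOW_NAME_RE.match(name)
    if m is None:
        raise ValueError("not a tcpflow flow file name: %r" % name)
    return Flow(_unpad_ip(m["src_ip"]), _port(m["src_port"]),
                _unpad_ip(m["dst_ip"]), _port(m["dst_port"]))


def group_conversations(names):
    """Map each connection to the sorted names of its (up to two) direction
    files, so both halves of a session can be read together."""
    groups = {}
    for name in names:
        groups.setdefault(parse_flow_name(name).conversation(), []).append(name)
    return {key: sorted(files) for key, files in groups.items()}
```

Run `group_conversations(os.listdir(outdir))` over a tcpflow output directory to pair client-to-server and server-to-client files before keyword searching; names that do not match the pattern raise ValueError rather than being silently misread.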

Limitations

  • tcpflow does not understand IP fragments;
  • tcpflow does not understand 802.11 headers.

Vulnerabilities

  • tcpflow uses the TCP sequence number of each segment to decide where in the output file its payload is written, so the size of a reconstructed file follows the highest sequence number seen rather than the amount of data actually captured. A segment whose sequence number is far ahead of the stream (corrupted, or deliberately forged) makes tcpflow seek far into the file, and a reconstruction of such a session may produce 600 megabyte files that are almost entirely empty.
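The following is an added example written for this page, not tcpflow's own code: a simplified Python model of sequence-number-addressed reassembly that shows the failure mode above next to a bounded variant. The sample stream is constructed, not captured, and the bogus segment is placed 64 MiB ahead instead of the 600 megabytes quoted above so the demonstration runs quickly; the gap limit of 1 MiB in the guarded variant is an arbitrary choice for illustration.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed sample stream (not captured traffic): a short HTTP request whose
# initial sequence number is ISN, followed by one segment whose sequence number
# is 64 MiB ahead of anything legitimately sent, standing in for a corrupted or
# forged header. The page's 600 megabyte figure is scaled down so the demo
# finishes quickly.
ISN = 1000
FORGED_GAP = 64 * 1024 * 1024
SAMPLE = [
    Segment(ISN, b"GET / HTTP/1.0\r\n"),
    Segment(ISN + 16, b"Host: example.test\r\n\r\n"),
    Segment(ISN + FORGED_GAP, b"x"),
]


def write_by_seq(path, segments, isn, max_gap=None):
    """Write each payload at file offset (seq - isn) mod 2**32.

    Simplified model of sequence-number-addressed reassembly, not tcpflow's
    code. With max_gap=None nothing limits how far a segment may seek ahead,
    so the file size follows the largest sequence number seen. With a
    max_gap, a segment whose offset lies more than max_gap beyond the bytes
    written so far is dropped instead of extending the file.
    """
    high_water = 0
    dropped = 0
    with open(path, "wb") as f:
        for s in segments:
            off = (s.seq - isn) % (1 << 32)
            if max_gap is not None and off > high_water + max_gap:
                dropped += 1
                continue
            f.seek(off)            # seeking past EOF leaves a hole of zeros
            f.write(s.payload)
            high_water = max(high_water, off + len(s.payload))
    st = os.stat(path)
    return {
        "size": st.st_size,                              # what ls -l reports
        "allocated": getattr(st, "st_blocks", 0) * 512,  # bytes really on disk
        "dropped": dropped,
    }


def demo(segments=SAMPLE, isn=ISN, max_gap=1 << 20):
    """Reassemble the sample both ways; returns (unguarded, guarded) results."""
    with tempfile.TemporaryDirectory() as d:
        unguarded = write_by_seq(os.path.join(d, "unguarded"), segments, isn)
        guarded = write_by_seq(os.path.join(d, "guarded"), segments, isn, max_gap)
    return unguarded, guarded


if __name__ == "__main__":
    unguarded, guarded = demo()
    print("unguarded:", unguarded)
    print("guarded:  ", guarded)
```

On a file system that supports sparse files the unguarded output reports a size of 64 MiB plus one byte while allocating only a few blocks, which is the "large but more or less empty" file described above; on a file system without hole support the zeros are physically written and the disk cost becomes real. The guarded variant keeps the 38 bytes of genuine request data and drops the out-of-window segment, at the price of losing data if a legitimate gap in the capture exceeds the limit.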