From ForensicsWiki
Maintainer: Twitter/John Adams
OS: Linux
Genre: Network forensics
Website: [1]


Tcpdstat is an old but useful tool for analyzing network-based evidence. Tcpdstat offers very helpful statistical information about packet captures, including start/finish timestamps (to identify the total duration of the packet capture), a breakdown by protocol/port, and the packet size distribution.

Tcpdstat is useful for analyzing network trace data because it gives a high-level overview, which can identify where to look next. For example, if quite a few packets show up for a protocol/port that isn’t normally used on the victim machine, you've already been clued in on what to look for next on a lower level.
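To make the kind of overview described above concrete, here is an added Python example (not tcpdstat's own code) that computes the same three statistics from a small, constructed pcap file: capture start/finish and duration, a per-protocol/port breakdown, and a packet-size histogram. The size bins and the "lower port is the service port" heuristic are assumptions made for the illustration.

```python
"""Tcpdstat-style summary of a libpcap file (example added here, not
tcpdstat's own code).  The pcap bytes below are constructed in-line."""
import struct
from collections import Counter

def mk_pkt(ts, proto, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame wrapped in a pcap record."""
    l4 = struct.pack("!HH", sport, dport) + (b"\0" * 16 if proto == 6 else b"\0" * 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     b"\x0a\0\0\x01", b"\x0a\0\0\x02") + l4
    frame = b"\xff" * 6 + b"\xaa" * 6 + b"\x08\x00" + ip
    sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

# Constructed capture: global header followed by four records.
PCAP = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1) + b"".join([
    mk_pkt(1000.0, 6, 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    mk_pkt(1000.5, 6, 80, 40000, b"x" * 1400),
    mk_pkt(1001.0, 17, 5353, 53, b"\0" * 40),
    mk_pkt(1003.0, 6, 40001, 4444, b"y" * 600),   # unusual port: worth a closer look
])

SIZE_BINS = [64, 128, 256, 512, 1024, 1518]        # assumed upper bounds in bytes

def summarize(pcap: bytes) -> dict:
    """Walk the pcap records and collect the statistics tcpdstat reports."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xa1b2c3d4, "little-endian pcap expected"
    off, first, last = 24, None, None
    ports, sizes = Counter(), Counter()
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        ts = sec + usec / 1e6
        first = ts if first is None else first
        last = ts
        sizes[next((b for b in SIZE_BINS if len(frame) <= b), "jumbo")] += 1
        if frame[12:14] != b"\x08\x00":          # only IPv4 is classified here
            continue
        ihl = (frame[14] & 0x0f) * 4
        proto = frame[14 + 9]
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        name = {6: "tcp", 17: "udp"}.get(proto, f"ip{proto}")
        ports[(name, min(sport, dport))] += 1     # heuristic: lower port = service side
    return {"start": first, "end": last, "duration": last - first,
            "by_port": dict(ports), "by_size": dict(sizes)}
```

On the constructed capture the breakdown shows two TCP/80 packets, one UDP/53 packet and one TCP/4444 packet over a 3-second window, which is exactly the sort of "unexpected port" signal the paragraph above describes.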

Download and Instructions

See the External Links section below for a link with instructions on how to download and build Tcpdstat.

External Links

Tcpdstat Overview and Build Instructions