tcpflow

tcpflow is a program that captures data transmitted as part of TCP connections (flows) and stores it in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file, so a typical connection produces two files, one per direction. tcpflow can capture from a live interface or read previously captured packets from a pcap file written by tcpdump.

TCPFLOW

A network forensic analysis tool that reconstructs TCP flows from live traffic or packet capture files. It reassembles each connection's two directions into separate byte streams, so the application-layer contents of a session can be inspected directly, and it can report per-flow metadata alongside them.

Features

  • Reconstructs TCP flows from packet captures
  • Records, for each flow, the source and destination IP addresses and ports, the number of bytes and packets, and optionally an MD5 hash of the reassembled bytestream
  • Accepts the same BPF filter expressions as tcpdump to select which connections are recorded
  • Can write a per-flow summary report in DFXML (Digital Forensics XML) format

Use Cases

  • Understand network packet flows
  • Perform network forensics
  • Reveal contents of HTTP sessions and extract malware delivered via "drive-by downloads"
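To make the features and the HTTP use case above concrete, the following is an added example written for this page; it is not tcpflow's own code. It builds a small constructed pcap in memory (an HTTP request delivered as two out-of-order segments plus a retransmission, the response, and a stray non-first IP fragment), reassembles each direction of each connection into its own byte stream, names the streams the way tcpflow names its output files (zero-padded dotted quads and five-digit ports, source first), and reports packets, bytes and an MD5 per stream. It assumes IPv4 over Ethernet with no TCP options, leaves checksums at zero, and does not handle overlapping segments; like tcpflow, it skips IP fragments rather than reassembling them. The endpoints, the HTTP payloads and the file name `sample.pcap` are all made up.

```python
"""Minimal tcpflow-style TCP flow reconstruction (added example, not tcpflow's code)."""
import hashlib
import struct
from collections import defaultdict

CLIENT = ("192.168.1.10", 40000)   # constructed endpoints for the sample capture
SERVER = ("10.0.0.5", 80)
ACK, PSH = 0x10, 0x08


def tcp_segment(src, dst, seq, ack, payload=b"", flags=ACK | PSH):
    """TCP header (no options) plus payload; checksum left zero for this demo."""
    hdr = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, flags, 65535, 0, 0)
    return hdr + payload


def ipv4_frame(src_ip, dst_ip, l4, frag_offset=0, more_fragments=False):
    """Ethernet + IPv4 header around an L4 payload; frag_offset is in bytes."""
    frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, frag, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip


def pcap_bytes(frames):
    """Serialise frames as a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_frames(pcap):
    """Yield each captured frame from a classic pcap (as written by tcpdump -w)."""
    magic = struct.unpack_from("<I", pcap)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from(endian + "IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen


def flow_name(src, dst):
    """tcpflow's output naming: zero-padded 'AAA.BBB.CCC.DDD.PPPPP-...' per direction."""
    side = lambda ip, port: "%s.%05d" % (".".join("%03d" % int(o) for o in ip.split(".")), port)
    return "%s-%s" % (side(*src), side(*dst))


def reconstruct(pcap):
    """Return ({flow: bytes}, {flow: {'packets', 'bytes', 'md5'}}, fragments_skipped)."""
    segments = defaultdict(dict)               # flow -> {seq: payload}
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    fragments_skipped = 0
    for frame in iter_frames(pcap):
        ip = frame[14:]
        total_len = struct.unpack_from("!H", ip, 2)[0]
        frag = struct.unpack_from("!H", ip, 6)[0]
        if ip[9] != 6:                         # not TCP
            continue
        if frag & 0x3FFF:                      # MF set or non-zero offset: not reassembled, like tcpflow
            fragments_skipped += 1
            continue
        src_ip = ".".join(map(str, ip[12:16]))
        dst_ip = ".".join(map(str, ip[16:20]))
        tcp = ip[(ip[0] & 0x0F) * 4:total_len]
        sport, dport, seq, _ack, data_off = struct.unpack_from("!HHIIB", tcp)
        payload = tcp[(data_off >> 4) * 4:]
        name = flow_name((src_ip, sport), (dst_ip, dport))
        stats[name]["packets"] += 1
        if payload:
            # Keyed by sequence number: out-of-order arrival is fixed at output time and an
            # exact retransmission overwrites the same slot. Overlapping segments are ignored.
            segments[name][seq] = payload
    streams = {n: b"".join(p[s] for s in sorted(p)) for n, p in segments.items()}
    for name, data in streams.items():
        stats[name]["bytes"] = len(data)
        stats[name]["md5"] = hashlib.md5(data).hexdigest()
    return streams, dict(stats), fragments_skipped


def sample_pcap():
    """Constructed HTTP exchange: request split in two segments delivered out of order,
    one retransmitted segment, the response, and a stray non-first IP fragment."""
    req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    c, s = CLIENT, SERVER
    frames = [
        ipv4_frame(c[0], s[0], tcp_segment(c, s, 1016, 1, req[16:])),        # second half arrives first
        ipv4_frame(c[0], s[0], tcp_segment(c, s, 1000, 1, req[:16])),        # first half
        ipv4_frame(c[0], s[0], tcp_segment(c, s, 1000, 1, req[:16])),        # retransmission
        ipv4_frame(s[0], c[0], tcp_segment(s, c, 1, 1000 + len(req), resp)),
        ipv4_frame(s[0], c[0], b"\x00" * 20, frag_offset=1480),              # non-first fragment
    ]
    return pcap_bytes(frames)


if __name__ == "__main__":
    pcap = sample_pcap()
    with open("sample.pcap", "wb") as fh:      # same file can be fed to: tcpflow -r sample.pcap -o out
        fh.write(pcap)
    streams, stats, skipped = reconstruct(pcap)
    for name, data in streams.items():
        print(name, stats[name], data)
    print("IP fragments skipped:", skipped)
```

Running the script prints the two reassembled directions, `192.168.001.010.40000-010.000.000.005.00080` (the request, in order despite the arrival order) and `010.000.000.005.00080-192.168.001.010.40000` (the response), together with one skipped fragment. The written `sample.pcap` can be handed to `tcpflow -r sample.pcap -o out` to compare against the real tool's per-direction files.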

History

  • Originally written by Jeremy Elson to reverse-engineer undocumented network protocols
  • Later used for HTTP protocol analysis
  • Maintained by Simson Garfinkel, founder of Sandstorm Enterprises

Bugs

  • Does not reassemble IP fragments; flows that contain fragmented packets will not be recorded correctly
  • Report bugs on the GitHub issue tracker

Recommended Citation

Passive TCP Reconstruction and Forensic Analysis with tcpflow, Simson Garfinkel and Michael Shick, Naval Postgraduate School Technical Report NPS-CS-13-003, September 2013

Maintainer

Simson L. Garfinkel [email protected]
