Passive TCP Reconstruction and Forensic Analysis with tcpflow

Authors
Garfinkel, Simson L.
Shick, Michael
Date of Issue
2013-09-02
Publisher
Monterey, CA; Naval Postgraduate School
Abstract
Passive TCP session reconstruction is essential for many kinds of network forensics and law enforcement operations, but it is complicated by packet loss, retransmissions, and possible attacks by adversaries. The key problem is that participants in the TCP session may observe the TCP segments differently than the monitor does. An added complication is that many forensic analysts are unfamiliar with network protocols, so the tools must be easy to use and able to tolerate a wide range of data. To address these issues we rewrote the open source network forensics tool tcpflow, making it more robust to anomalies that had been reported to us by users. We also improved the program’s usability and performance on large packet captures, and added a simple visualization that produces a one-page summary PDF for packet captures of any size.
Type
Technical Report
Identifiers
NPS Report Number
NPS-CS-13-003
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.