2013-12-05_tcpflow-and-BE-update

More documents

Recommendations

Info

tcpflow can run batch or live-captureBatch operation is typical forensics:filename1.pcapfilename2.pcapfilename3.pcapfile.pcap.rarfile.pcap.gzfile.pcap.zipTCPflowconnection1connection1-HTTP-file.jpegconnection2connection3connection4...Live-capture is useful for testing & stunts• Run with ‘-c’ console output to see content of TCP connections as they go by.• Output to file system and read ‘report.xml’ or use alert_fd and process each file as it isclosed.4
Page 1 and 2: TCPBEflowTCP analysis with tcpflow;
Page 3: tcpflow is a command-line tool for
Page 7 and 8: tcpflow turns each side of the TCP
Page 13 and 14: The filename is created from a temp
Page 15 and 16: You can bin by IP address, port #,
Page 17 and 18: Provenance makes it easier to use r
Page 19 and 20: Decoded HTTP objects are represente
Page 21 and 22: The caseNITROBAState UniversityYou
Page 23 and 24: The attack email:NITROBAState Unive
Page 25 and 26: To solve the Nitroba University Har
Page 27 and 28: TCPflowInside tcpflow
Page 29 and 30: tcpflow understands packets so you
Page 31 and 32: 27Packets sometimes get delivered o
Page 33 and 34: 29tcpflow will detect replay/rewrit
Page 35 and 36: tcpflow can be extended and automat
Page 37 and 38: tcpflow — performance and compari
Page 39 and 40: Presently there is poor browser sup
Page 41 and 42: One-page visualization of packet fl
Page 43 and 44: tcpflow 1.5 — wifi supportwifi su
Page 45 and 46: Radiotap packet capture is built in
Page 47 and 48: eport.xml will contain a list 802.1
Page 49 and 50: tcpflow — future improvementsBuff
Page 51: ulk_extractor finds more informatio
Page 54 and 55:
zip.txt decodes every potential hea
Page 56 and 57:
We hypothesized that binary network
Page 58 and 59:
Author's personal copy84Binary carv
Page 60 and 61:
With cross-drive analysis, we could
Page 62 and 63:
BE 1.3 put IP addresses in ip.txt#
Page 64 and 65:
In 2012, scan_net was expanded to c
Page 66 and 67:
PCAP carving takes advantage of the
Page 68 and 69:
Example of packets from IN4001-1026
Page 70:
In conclusiontcpflow:• Fast offli
show all

2013-12-05_tcpflow-and-BE-update

Create successful ePaper yourself

Delete template?

Save as template?