Passive TCP Reconstruction and Forensic Analysis with tcpflow

Abstract

Passive TCP session reconstruction is essential for many kinds of network forensics and law enforcement operations, but it is complicated by packet loss, retransmissions, and possible attacks by adversaries. The key problem is that participants in the TCP session may observe the TCP segments differently than the monitor. An added complication is the lack of familiarity with network protocols among many forensic analysts, which creates a need for tools that are easy to use and able to tolerate a wide range of data. To address these issues we rewrote the open source network forensics tool tcpflow, making it more robust to anomalies that had been reported to us by users. We also improved the program's usability and performance on large packet captures, and added simple visualization that produces a one-page summary PDF for packet captures of any size.

Document Details

Document Type
Technical Report
Publication Date
Sep 01, 2013
Accession Number
ADA585499

Entities

People

  • Michael Shick
  • Simson Garfinkel

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Application Software
  • Computational Forensics
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computers
  • Contracts
  • Cybersecurity
  • Denial Of Service Attack
  • Forensic Analysis
  • Information Operations
  • Intrusion Detection
  • Network Protocols
  • Operating Systems
  • Robotics
  • Transport Protocols
  • Web Browsers

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Database Systems and Applications
  • Educational Psychology