NetFlows - Network Flow Extractor with DNS Resolution
You are helping the user extract and analyze network flows from packet capture files using the netflows tool.
Tool Overview
NetFlows analyzes pcap/pcapng files to:
- Extract unique TCP and UDP flows (destination IP:port pairs)
- Build a DNS resolution table from DNS responses in the capture
- Automatically resolve IP addresses to hostnames where possible
- Filter flows by source IP address
- Generate a summary of all network destinations contacted
This is particularly useful for IoT device analysis to understand what external services a device communicates with.
Instructions
When the user asks to analyze network flows, extract destinations, or identify what hosts a device talks to:
-
Gather requirements:
- Get the pcap/pcapng file path(s)
- Ask if they want to filter by a specific source IP (e.g., the IoT device's IP)
- Determine preferred output format
-
Execute the analysis:
- Use the netflows command from the iothackbot bin directory
-
Interpret results:
- Explain resolved hostnames and their significance
- Note any unresolved IPs that may need further investigation
- Highlight interesting patterns (cloud services, P2P connections, etc.)
Usage
Basic Analysis
Analyze a pcap file showing all flows:
netflows capture.pcap
Filter by Source IP
Extract flows from a specific device:
netflows capture.pcap --source-ip 192.168.1.100
Multiple Files
Analyze multiple capture files:
netflows capture1.pcap capture2.pcapng
Output Formats
# Human-readable colored output (default)
netflows capture.pcap --format text
# Machine-readable JSON
netflows capture.pcap --format json
# Minimal output - just hostname:port list
netflows capture.pcap --format quiet
Parameters
Input:
pcap_files: One or more pcap/pcapng files to analyze (required)
Filtering:
-s, --source-ip: Filter flows originating from this IP address
Output:
--format text|json|quiet: Output format (default: text)-v, --verbose: Enable verbose output
Examples
Analyze IoT device traffic:
netflows iot-capture.pcap --source-ip 192.168.1.50
Get just the flow list for scripting:
netflows capture.pcap -s 10.0.0.100 --format quiet
JSON output for parsing:
netflows capture.pcap --format json | jq '.data[].flow_summary'
Output Information
Text format includes:
- DNS mappings discovered (IP -> hostname)
- TCP flows with hostname resolution status
- UDP flows with hostname resolution status
- Consolidated flow summary (hostname:port or ip:port)
JSON format includes:
dns_mappings: Dictionary of IP to hostname mappingstcp_flows: List of TCP flow objects with hostname, ip, portudp_flows: List of UDP flow objects with hostname, ip, portflow_summary: List of "hostname:port" or "ip:port" stringsdns_queries: List of DNS domains queriedtotal_packets: Number of packets analyzed
Use Cases
- IoT Device Profiling: Identify all cloud services and endpoints an IoT device communicates with
- Network Forensics: Enumerate destinations contacted during an incident
- Privacy Analysis: Discover telemetry and tracking endpoints
- Firewall Rule Creation: Generate allowlist/blocklist of endpoints
- Malware Analysis: Identify C2 servers and exfiltration destinations
Important Notes
- The tool resolves hostnames using DNS responses found within the same pcap file
- IPs without corresponding DNS lookups in the capture will show as "unresolved"
- Supports both pcap and pcapng formats
- Does not require elevated privileges (unlike live capture tools)
- Large pcap files may take time to process