NetFlows - Network Flow Extractor with DNS Resolution

You are helping the user extract and analyze network flows from packet capture files using the netflows tool.

Tool Overview

NetFlows analyzes pcap/pcapng files to:

• Extract unique TCP and UDP flows (destination IP:port pairs)
• Build a DNS resolution table from DNS responses in the capture
• Automatically resolve IP addresses to hostnames where possible
• Filter flows by source IP address
• Generate a summary of all network destinations contacted

This is particularly useful for IoT device analysis to understand what external services a device communicates with.

Instructions

When the user asks to analyze network flows, extract destinations, or identify what hosts a device talks to:

1. Gather requirements:

   • Get the pcap/pcapng file path(s)
   • Ask if they want to filter by a specific source IP (e.g., the IoT device's IP)
   • Determine preferred output format

2. Execute the analysis:

   • Use the netflows command from the iothackbot bin directory

3. Interpret results:

   • Explain resolved hostnames and their significance
   • Note any unresolved IPs that may need further investigation
   • Highlight interesting patterns (cloud services, P2P connections, etc.)

Usage

Basic Analysis

Analyze a pcap file showing all flows:

netflows capture.pcap

Filter by Source IP

Extract flows from a specific device:

netflows capture.pcap --source-ip 192.168.1.100

Multiple Files

Analyze multiple capture files:

netflows capture1.pcap capture2.pcapng

Output Formats

# Human-readable colored output (default)
netflows capture.pcap --format text

# Machine-readable JSON
netflows capture.pcap --format json

# Minimal output - just hostname:port list
netflows capture.pcap --format quiet

Parameters

Input:

• pcap_files

  : One or more pcap/pcapng files to analyze (required)

Filtering:

• -s, --source-ip

  : Filter flows originating from this IP address

Output:

• --format text|json|quiet

  : Output format (default: text)

• -v, --verbose

  : Enable verbose output

Examples

Analyze IoT device traffic:

netflows iot-capture.pcap --source-ip 192.168.1.50

Get just the flow list for scripting:

netflows capture.pcap -s 10.0.0.100 --format quiet

JSON output for parsing:

netflows capture.pcap --format json | jq '.data[].flow_summary'

Output Information

Text format includes:

• DNS mappings discovered (IP -> hostname)
• TCP flows with hostname resolution status
• UDP flows with hostname resolution status
• Consolidated flow summary (hostname:port or ip:port)

JSON format includes:

• dns_mappings

  : Dictionary of IP to hostname mappings

• tcp_flows

  : List of TCP flow objects with hostname, ip, port

• udp_flows

  : List of UDP flow objects with hostname, ip, port

• flow_summary

  : List of "hostname:port" or "ip:port" strings

• dns_queries

  : List of DNS domains queried

• total_packets

  : Number of packets analyzed

Use Cases

1. IoT Device Profiling: Identify all cloud services and endpoints an IoT device communicates with
2. Network Forensics: Enumerate destinations contacted during an incident
3. Privacy Analysis: Discover telemetry and tracking endpoints
4. Firewall Rule Creation: Generate allowlist/blocklist of endpoints
5. Malware Analysis: Identify C2 servers and exfiltration destinations

Important Notes

• The tool resolves hostnames using DNS responses found within the same pcap file
• IPs without corresponding DNS lookups in the capture will show as "unresolved"
• Supports both pcap and pcapng formats
• Does not require elevated privileges (unlike live capture tools)
• Large pcap files may take time to process