NetFlows - Network Flow Extractor with DNS Resolution

You are helping the user extract and analyze network flows from packet capture files using the netflows tool.

Tool Overview

NetFlows analyzes pcap/pcapng files to:

• •Extract unique TCP and UDP flows (destination IP:port pairs)
• •Build a DNS resolution table from DNS responses in the capture
• •Automatically resolve IP addresses to hostnames where possible
• •Filter flows by source IP address
• •Generate a summary of all network destinations contacted

This is particularly useful for IoT device analysis to understand what external services a device communicates with.

Instructions

When the user asks to analyze network flows, extract destinations, or identify what hosts a device talks to:

1. •

   Gather requirements:

   • •Get the pcap/pcapng file path(s)
   • •Ask if they want to filter by a specific source IP (e.g., the IoT device's IP)
   • •Determine preferred output format
2. •

   Execute the analysis:

   • •Use the netflows command from the iothackbot bin directory
3. •

   Interpret results:

   • •Explain resolved hostnames and their significance
   • •Note any unresolved IPs that may need further investigation
   • •Highlight interesting patterns (cloud services, P2P connections, etc.)

Usage

Basic Analysis

Analyze a pcap file showing all flows:

netflows capture.pcap

Filter by Source IP

Extract flows from a specific device:

netflows capture.pcap --source-ip 192.168.1.100

Multiple Files

Analyze multiple capture files:

netflows capture1.pcap capture2.pcapng

Output Formats

# Human-readable colored output (default)
netflows capture.pcap --format text

# Machine-readable JSON
netflows capture.pcap --format json

# Minimal output - just hostname:port list
netflows capture.pcap --format quiet

Parameters

Input:

• •pcap_files: One or more pcap/pcapng files to analyze (required)

Filtering:

• •-s, --source-ip: Filter flows originating from this IP address

Output:

• •--format text|json|quiet: Output format (default: text)
• •-v, --verbose: Enable verbose output

Examples

Analyze IoT device traffic:

netflows iot-capture.pcap --source-ip 192.168.1.50

Get just the flow list for scripting:

netflows capture.pcap -s 10.0.0.100 --format quiet

JSON output for parsing:

netflows capture.pcap --format json | jq '.data[].flow_summary'

Output Information

Text format includes:

• •DNS mappings discovered (IP -> hostname)
• •TCP flows with hostname resolution status
• •UDP flows with hostname resolution status
• •Consolidated flow summary (hostname:port or ip:port)

JSON format includes:

• •dns_mappings: Dictionary of IP to hostname mappings
• •tcp_flows: List of TCP flow objects with hostname, ip, port
• •udp_flows: List of UDP flow objects with hostname, ip, port
• •flow_summary: List of "hostname:port" or "ip:port" strings
• •dns_queries: List of DNS domains queried
• •total_packets: Number of packets analyzed

Use Cases

1. •IoT Device Profiling: Identify all cloud services and endpoints an IoT device communicates with
2. •Network Forensics: Enumerate destinations contacted during an incident
3. •Privacy Analysis: Discover telemetry and tracking endpoints
4. •Firewall Rule Creation: Generate allowlist/blocklist of endpoints
5. •Malware Analysis: Identify C2 servers and exfiltration destinations

Important Notes

• •The tool resolves hostnames using DNS responses found within the same pcap file
• •IPs without corresponding DNS lookups in the capture will show as "unresolved"
• •Supports both pcap and pcapng formats
• •Does not require elevated privileges (unlike live capture tools)
• •Large pcap files may take time to process