Abstract
Network traffic capture is an integral part of network forensics, but current traffic capture techniques are typically passive in nature. Under heavy loads, it is possible for a sniffer to miss packets, which affects the quality of forensic evidence.
This paper explores means for active capture of network traffic. In particular, it examines how traffic capture can influence the stream under surveillance so that no data is lost. A tool that forces TCP retransmissions is presented. The paper also provides a legal analysis—based on United States and South African laws—which shows that few legal obstacles are faced by traffic capture techniques that force attackers to retransmit data.
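The abstract names the problem (a passive sniffer under load misses segments and the evidence has a hole) and the remedy (make the sender retransmit), but not the mechanism of the authors' tool. The Python model below is an added illustration, not the paper's code: the sniffer finds a sequence-number hole in what it captured and forges duplicate ACKs for the first missing byte, which under the RFC 2001 fast-retransmit rule makes a sender resend that segment. Sender, sniffer, HTTP payload and the dropped segment are all constructed in the block; nothing touches a real network, and the dict keys in the forged ACKs are assumed names, not a packet format.

```python
"""Toy model of active TCP capture (constructed; not the paper's tool): a
sniffer that missed a segment forges duplicate ACKs so the sender's RFC 2001
fast-retransmit logic resends it. Nothing here touches a real network."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


class Sender:
    """Minimal TCP sender: cumulative ACKs plus RFC 2001 fast retransmit."""
    DUP_ACK_THRESHOLD = 3

    def __init__(self, isn: int, chunks: List[bytes]):
        self.unacked: Dict[int, Segment] = {}   # retransmission queue by seq
        seq = isn
        for chunk in chunks:
            self.unacked[seq] = Segment(seq, chunk)
            seq += len(chunk)
        self.last_ack = isn
        self.dup_acks = 0
        self.retransmissions = 0

    def transmit_all(self) -> List[Segment]:
        return list(self.unacked.values())

    def on_ack(self, ack: int) -> Optional[Segment]:
        """Process one cumulative ACK; return a segment to resend, if any."""
        if ack > self.last_ack:                 # ACK advances: drop acked data
            for seq in [s for s in self.unacked if s < ack]:
                del self.unacked[seq]
            self.last_ack, self.dup_acks = ack, 0
        elif ack == self.last_ack:              # duplicate ACK
            self.dup_acks += 1
            if self.dup_acks == self.DUP_ACK_THRESHOLD:
                self.retransmissions += 1
                return self.unacked.get(ack)    # None if already acked away
        return None


class ActiveSniffer:
    """Captures segments, finds sequence-number holes and builds the ACKs
    that would make the sender fill them."""

    def __init__(self, isn: int):
        self.isn = isn
        self.captured: Dict[int, bytes] = {}

    def observe(self, seg: Segment) -> None:
        self.captured[seg.seq] = seg.payload

    def holes(self) -> List[Tuple[int, int]]:
        """Byte ranges [start, end) never captured, in stream order."""
        holes, expected = [], self.isn
        for seq in sorted(self.captured):
            if seq > expected:
                holes.append((expected, seq))
            expected = max(expected, seq + len(self.captured[seq]))
        return holes

    def forge_acks(self, hole: Tuple[int, int], count: int = 4) -> List[dict]:
        """ACKs for the first missing byte: the first may only move the sender's
        ACK point, the next three are the duplicates that trigger fast retransmit.
        Each carries an RFC 2018 SACK block for the contiguous data seen past the
        hole. Dict keys "ack" and "sack" are assumed, not a wire format."""
        start, right = hole
        while right in self.captured:           # extend over contiguous data
            right += len(self.captured[right])
        return [{"ack": start, "sack": (hole[1], right)} for _ in range(count)]

    def reassemble(self) -> Optional[bytes]:
        if self.holes():
            return None                         # never hand over a stream with holes
        return b"".join(self.captured[s] for s in sorted(self.captured))


def demo(drop_index: int = 2, receiver_acks_first: bool = False) -> dict:
    """Five segments go out, the sniffer misses one, forged ACKs try to get it
    resent. receiver_acks_first: the real receiver's ACK arrives first."""
    chunks = [b"GET /index.html HTTP/1.1\r\n", b"Host: example.test\r\n",
              b"User-Agent: toy\r\n", b"Accept: */*\r\n", b"\r\n"]  # constructed
    isn = 1000
    sender, sniffer = Sender(isn, chunks), ActiveSniffer(isn)
    for i, seg in enumerate(sender.transmit_all()):
        if i != drop_index:                     # simulated capture loss under load
            sniffer.observe(seg)
    if receiver_acks_first:                     # sender already forgot the bytes
        sender.on_ack(isn + sum(map(len, chunks)))
    holes_before = sniffer.holes()
    for forged in (sniffer.forge_acks(holes_before[0]) if holes_before else []):
        resent = sender.on_ack(forged["ack"])
        if resent is not None:
            sniffer.observe(resent)             # this time the sniffer sees it
    return {"holes_before": holes_before, "holes_after": sniffer.holes(),
            "retransmissions": sender.retransmissions,
            "stream": sniffer.reassemble()}
```

Two caveats the model makes visible. First, a sender only resends bytes still in its retransmission queue; once the real receiver's cumulative ACK has covered the hole (`demo(receiver_acks_first=True)`), the data is gone and no forged ACK brings it back, so an active capture tool is racing the genuine receiver. Second, gap analysis only sees holes that are followed by captured data; a lost tail segment (`drop_index=4`) leaves `holes()` empty and must be detected some other way, for example from the FIN or from the receiver's later ACK numbers. A real tool would also have to spoof the receiver's addresses, ports and window in the injected ACKs, and the injection itself alters the stream being preserved, which a forensic procedure has to record.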
© 2006 IFIP International Federation for Information Processing
About this paper
Cite this paper
Slaviero, M., Granova, A., Olivier, M. (2006). Active Traffic Capture for Network Forensics. In: Olivier, M.S., Shenoi, S. (eds) Advances in Digital Forensics II. DigitalForensics 2006. IFIP Advances in Information and Communication, vol 222. Springer, Boston, MA. https://doi.org/10.1007/0-387-36891-4_17
DOI: https://doi.org/10.1007/0-387-36891-4_17
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-36890-0
Online ISBN: 978-0-387-36891-7
eBook Packages: Computer Science (R0)