Fact sheet

Title: Capture File Forensics

Developer: PeqApps / Dan Hansen

Version: 4.4

Release Date: March 18, 2026

Tagline

Are network issues lurking in your capture files? Find out with Capture File Forensics.

Description

Capture File Forensics (CFF) quickly and easily extracts network forensic information from capture files. When a capture file is loaded, CFF analyzes every packet in the file and builds IPv4 and IPv6 endpoint tables with forensic information for the ARP, DHCP, DHCPv6, IPv4, IPv6, ICMP, ICMPv6, TCP, UDP, DNS, MDNS, LLMNR, SNMP, and Telnet protocols and for the traceroute command. From the endpoint tables, users can drill down to individual IP, TCP, and UDP flows. The current release supports detection of 403 forensic items, including Amplification Attacks, SYN Floods, Ping Sweeps, Port Scans, Checksum Errors, Duplicate IP Addresses, Segment Gaps, LAND Attacks, ARP Request Storms, Null Scans, Ping Floods, and SNMP Zero Payloads.


Forensic Information Items

DNS, MDNS, and LLMNR Forensics

  • Amplification Attack
  • Any IP
  • ANY Query
  • Bad Name Label
  • Bad Name Pointer
  • Bad Record Count
  • Bad Time to Live
  • Cache Flush
  • Class Unknown
  • Error Format
  • Error Non-Existent Domain
  • Error Other
  • Error Query Refused
  • Error Response Flood
  • Error Server Failure
  • Extraneous Data
  • Header Truncated
  • Loopback IP
  • Malformed Over TCP
  • Many Records
  • Message Over TCP
  • Multicast IP
  • Multiple Questions
  • Name Forward Pointer
  • Name Pointer Loop
  • Name Too Long
  • No Error
  • Nonzero Reserved Bit
  • Null Query
  • OpCode Unknown
  • Private IP
  • Query
  • Record Malformed
  • Record Truncated
  • Record Type A
  • Record Type AAAA
  • Record Type CNAME
  • Record Type HTTPS
  • Record Type MX
  • Record Type NS
  • Record Type NSEC
  • Record Type Other
  • Record Type PTR
  • Record Type SOA
  • Record Type SRV
  • Record Type TXT
  • Record Type Unknown
  • Response
  • Truncation Flag
  • UDP Zero-Payload
  • Unanswered Query Flood
  • Unsolicited Response Flood

TCP Forensics

  • All Flags
  • Bad Header Length
  • Bad Option Length
  • Bad Window Scale
  • Checksum Error
  • Connection Reset
  • D-SACK Sequence
  • Data Truncated
  • Duplicate ACK
  • Flow End FIN
  • Flow No Data
  • Flow Start SYN
  • Flow Start SYN + ACK
  • Header Truncated
  • Keep-Alive
  • Keep-Alive ACK
  • Known-to-Known Ports
  • LAND Attack
  • MSS Option No SYN
  • Nonzero ACK No Flag
  • Nonzero Option Pad
  • Nonzero Urgent No Flag
  • Null Scan
  • Partial Checksum
  • Port Loopback
  • Port Scan
  • Prior Segment
  • Prior Segment + New Data
  • Reused Port Number
  • SACK Perm Option No SYN
  • Segment Gap
  • SYN + FIN Flags
  • SYN + URG Flags
  • SYN Flood
  • SYN No MSS Option
  • SYN No SACK Perm Option
  • SYN No Window Scale Option
  • Unidirectional Flow
  • Urgent Flag
  • Window Exceeded
  • Window Full
  • Window Scale Option No SYN
  • Window Update
  • Xmas Tree Scan
  • Zero Window
  • Zero Window Probe

UDP Forensics

  • Bad Length
  • Checksum Error
  • Data Truncated
  • Flow No Data
  • Known-to-Known Ports
  • Partial Checksum
  • Port Loopback
  • Port Scan
  • Unidirectional Flow
  • Zero Checksum

IPv4 Forensics

  • 4 Consecutive NOPs
  • Bad Header Length
  • Bad Length Field
  • Bad Option Length
  • Bad Route Option
  • Bad Timestamp Option
  • Bad Version Field
  • Checksum Error
  • Fragment Bad Length
  • Fragment Count
  • Fragment Empty
  • Fragment Overlap
  • Fragment Too Big
  • Loopback Flow
  • Option Deprecated
  • Option Unknown
  • Payload Truncated
  • Protocol Unknown
  • TTL Too Small

IPv6 Forensics

  • Atomic Fragment
  • Bad Jumbo Option
  • Bad Jumbogram
  • Bad Payload Length
  • Bad Version Field
  • Dest Option Deprecated
  • Dest Option Jumbo
  • Dest Option Unknown
  • Fragment Bad Length
  • Fragment Count
  • Fragment Empty
  • Fragment Excess Headers
  • Fragment Overlap
  • Fragment Too Big
  • Hop-by-Hop Option Deprecated
  • Hop-by-Hop Option Unknown
  • Jumbogram
  • Loopback Flow
  • Misplaced Hop-by-Hop
  • Payload Truncated
  • Protocol Unknown
  • Route Type Deprecated
  • Route Type Unknown
  • Zero Payload Length

ICMP Forensics

  • Bad IP Header Length
  • Echo (ping) Reply
  • Echo (ping) Request
  • Host Prohibited Unreachable
  • Host Unreachable
  • Network Unreachable
  • Ping Flood
  • Ping Sweep
  • Port Unreachable
  • Protocol Unreachable
  • Time Exceeded
  • Timestamp
  • Timestamp Reply
  • Type Deprecated
  • Type Other
  • Type Unknown
  • Unreachable Other

ICMPv6 Forensics

  • Address Unreachable
  • Bad IP Header Length
  • Echo (ping) Reply
  • Echo (ping) Request
  • Neighbor Advert
  • Neighbor Solicit
  • No Route Unreachable
  • Packet Too Big
  • Ping Flood
  • Ping Sweep
  • Port Unreachable
  • Router Advert
  • Router Solicit
  • Time Exceeded
  • Type Other
  • Unreachable Other

DHCP Forensics

  • Ack Message
  • Bad Option Length
  • Boot File Missing Null
  • Boot File Overload
  • Boot Reply
  • Boot Request
  • Bootp Vendor Options
  • Discover Flood
  • Discover Message
  • End Option Missing
  • Large Message
  • Message Other
  • Message Truncated
  • Message Unknown
  • Offer Message
  • Operation Unknown
  • Option Overflow
  • Overload End Option Missing
  • Request Message
  • Request to Client
  • Response to Server
  • Server Name Missing Null
  • Server Name Overload

DHCPv6 Forensics

  • Advertise Message
  • Bad Option Length
  • Client Request
  • Message Other
  • Message Truncated
  • Message Unknown
  • Option Overflow
  • Option Unknown
  • Release Message
  • Renew Message
  • Renew Message Flood
  • Reply Message
  • Request Message
  • Request Message Flood
  • Request to Client
  • Response to Server
  • Server Response
  • Solicit Message
  • Status No Addrs Avail
  • Status No Binding
  • Status No Prefix Avail
  • Status Not On Link
  • Status Other
  • Status Success
  • Status Unknown
  • Status Unspec Fail
  • Status Use Multicast

ARP Forensics

  • Any IP Target
  • Bad Hardware Length
  • Duplicate IP Address
  • Hardware Type Unknown
  • OpCode Other
  • OpCode Unknown
  • Probe
  • Reply
  • Request
  • Request Storm

SNMP Forensics

  • Agent Messages
  • Authentication Failure
  • Authorization Error
  • Bad Community
  • Bad Enterprise Tag
  • Bad Error Index
  • Bad Error Status
  • Bad Generic Trap
  • Bad Length
  • Bad Max Repetitions
  • Bad Non Repeaters
  • Bad Object Name
  • Bad Object Value
  • Bad PDU Type
  • Bad Request ID
  • Bad Specific Trap
  • Bad Trap Address
  • Bad Trap Timestamp
  • Bad V3 Message
  • Bad V3 Scoped PDU
  • Bad V3 USM
  • Bad Value
  • Bad Varbind List
  • Bad Variable Binding
  • Bad Version
  • Cisco Systems
  • Cold Start
  • Commit Failed
  • EGP Neighbor Loss
  • Empty Community
  • Enterprise Trap
  • Error Status Unknown
  • Gen Error
  • Get Bulk Request
  • Get Next Request
  • Get Request
  • IBM
  • Inconsistent Name
  • Inconsistent Value
  • Inform Request
  • Large Max Repetitions
  • Link Down
  • Link Up
  • Long Community
  • Malformed Length
  • Manager Messages
  • Message Truncated
  • MIB Unknown
  • mib-2 at
  • mib-2 dot1dBridge
  • mib-2 entityMIB
  • mib-2 host
  • mib-2 icmp
  • mib-2 ifMIB
  • mib-2 interfaces
  • mib-2 ip
  • mib-2 Other
  • mib-2 printmib
  • mib-2 rmon
  • mib-2 snmp
  • mib-2 system
  • mib-2 tcp
  • mib-2 udp
  • Missing Field
  • Negative Request ID
  • No Access
  • No Creation
  • No Error
  • No Such Name
  • Not Writable
  • NULL In Community
  • PDU In Wrong Version
  • Popular Community
  • Private Enterprise
  • Read Only
  • Report
  • Resource Unavailable
  • Response
  • Set Request
  • SNMPv1
  • snmpV2
  • SNMPv2 Trap
  • SNMPv2c
  • SNMPv2u
  • SNMPv3
  • Too Big
  • Trap
  • Trap Other
  • UDP Zero-Payload
  • Undo Failed
  • Warm Start
  • Wrong Encoding
  • Wrong Length
  • Wrong Type
  • Wrong Value

Telnet Forensics

  • Abort Output
  • Are You There
  • Bad Baud Rate
  • Bad COM Port Cmd
  • Bad Control
  • Bad Data Size
  • Bad Line State
  • Bad Modem State
  • Bad Option Data
  • Bad Option Length
  • Bad Parity
  • Bad Purge Data
  • Bad Stop Size
  • Bad Terminal Type
  • Break
  • Command Unknown
  • Data Mark
  • DO
  • DON’T
  • Environment Variable
  • Erase Character
  • Erase Line
  • Go Ahead
  • Interrupt Process
  • Kerberos v4
  • Kerberos v5
  • Loki
  • Long Auth Name
  • Long Password
  • Long Terminal Type
  • Long User Name
  • NOP
  • NTLM
  • NULL
  • Option Malformed
  • Option Unknown
  • Password
  • RSA
  • SB
  • SE
  • Server Packets
  • SPX
  • SSL
  • Total
  • Type Other
  • Type Unknown
  • User Name
  • User Packets
  • WILL
  • WON’T

traceroute Forensics

  • Hop 1
  • Hop 2
  • Hop 3
  • Hop 4
  • Hop 5
  • Hop 6
  • Hop 7
  • Hop 8
  • Hop 9
  • Hop 10
  • Hop 11+
  • UDP Packets

Features

Capture file formats

  • pcap
  • pcap.gz
  • pcapng
  • pcapng.gz
  • Microsoft NetMon 2.x
  • Sun snoop
  • Network General Sniffer (DOS)

Link-layer header types

  • Ethernet
  • Token Ring
  • Frame Relay
  • FDDI
  • PPP
  • Cisco HDLC
  • Linux “cooked”
  • Linux “cooked” v2
  • Linux Netlink
  • Linux ATM CLIP
  • Raw IP
  • Raw IPv4
  • Raw IPv6
  • Solaris IPNET
  • NULL/Loopback
  • IP over IB
  • Per-Packet Information header
  • Ethernet Broadcom insert
  • Ethernet Broadcom prepend
  • Marvell DSA Ethernet
  • Marvell EDSA Ethernet

DNS Name Mapping

DNS, MDNS, and LLMNR address records are used to map names to endpoints’ IPv4 and IPv6 addresses.
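The sentence above describes the mapping in one line. The following Python is an added example, not code from Capture File Forensics or its developer, showing how such a map is built from a DNS/MDNS/LLMNR message: A and AAAA records are decoded into an address-to-names table, and the name decoder refuses the compression-pointer defects that the item list above names (forward pointer, pointer loop, bad label, truncation) instead of following them. The message builder, the sample name printer.example.lan and the documentation addresses 192.0.2.10 and 2001:db8::10 are constructed for the example.

```python
"""Added example: address -> name mapping from DNS-style address records.

Not part of Capture File Forensics; sample messages are constructed inline.
"""
import struct
import ipaddress

TYPE_A, TYPE_AAAA = 1, 28


def read_name(msg, offset, max_len=255):
    """Decode a DNS name starting at offset; return (name, offset_after_name).

    Compression pointers must point backwards to an earlier occurrence, so a
    pointer to itself or to an already-visited offset is a loop and a pointer
    to a later offset is a forward pointer. Both raise ValueError with the
    finding as the message, as does a truncated or ill-typed label.
    """
    labels, seen, end = [], {offset}, None
    while True:
        if offset >= len(msg):
            raise ValueError("name truncated")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("pointer truncated")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                      # name ends after the first pointer
            seen.add(offset)
            if ptr in seen:
                raise ValueError("pointer loop")
            if ptr >= offset:
                raise ValueError("forward pointer")
            offset = ptr
            continue
        if length & 0xC0:                             # 0x40 / 0x80 label types are not valid
            raise ValueError("bad label type")
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("label truncated")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    name = ".".join(labels) or "."
    if len(name) > max_len:
        raise ValueError("name too long")
    return name, end if end is not None else offset


def parse_message(msg):
    """Return {address: {name, ...}} for every A/AAAA record in the message."""
    if len(msg) < 12:
        raise ValueError("header truncated")
    _txid, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, addr_map = 12, {}
    for _ in range(qd):                               # skip the question section
        _, off = read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    for _ in range(an + ns + ar):                     # answer, authority, additional
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("record truncated")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("record truncated")
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            addr_map.setdefault(str(ipaddress.IPv4Address(rdata)), set()).add(name)
        elif rtype == TYPE_AAAA and rdlen == 16:
            addr_map.setdefault(str(ipaddress.IPv6Address(rdata)), set()).add(name)
    return addr_map


def classify(msg):
    """Return 'ok' or the forensic finding that stopped the parse."""
    try:
        parse_message(msg)
        return "ok"
    except ValueError as exc:
        return str(exc)


# --- constructed sample messages (not captured traffic) ---------------------
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_response(qname, records):
    """One question plus answer records whose owner name is a pointer to offset 12."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(records), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in records:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body


SAMPLE = build_response("printer.example.lan", [
    (TYPE_A, ipaddress.IPv4Address("192.0.2.10").packed),
    (TYPE_AAAA, ipaddress.IPv6Address("2001:db8::10").packed),
])
_QHDR = struct.pack("!6H", 1, 0, 1, 0, 0, 0)
LOOP_MSG = _QHDR + b"\xc0\x0c\x00\x01\x00\x01"       # question name points at itself
FORWARD_MSG = _QHDR + b"\xc0\x14\x00\x01\x00\x01"    # question name points ahead to offset 20

if __name__ == "__main__":
    print(parse_message(SAMPLE))
    for m in (LOOP_MSG, FORWARD_MSG, b"\x00" * 5):
        print(classify(m))
```

A real tool would feed every DNS, MDNS and LLMNR payload from the capture through `parse_message` and merge the returned maps per endpoint; the point of the strict decoder is that a name with a bad pointer is reported as a finding rather than silently producing a wrong label for an address.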

Protocol distributions

  • IP Protocols
  • Application Protocols (TCP and UDP)
  • Well-Known Ports (TCP and UDP)

Wireshark integration

If Wireshark is installed, Capture File Forensics can open the currently loaded capture file in Wireshark by right-clicking in any of the following locations:

  • IP Endpoints table
  • IP Flows table
  • TCP Flows table
  • UDP Flows table
  • Protocols in Forensics list
  • IP Protocols bar chart
  • TCP Well-Known Ports list
  • UDP Well-Known Ports list
  • Protocols in Forensic Column Filter popover

Forensic Settings

Each forensic information item can be set to one of four severity levels (Info, Note, Warn, Alert) or to Disabled.


About the Developer

Dan Hansen has a 40-year history in network analysis software development. It began in 1985 at Bell Labs, where protocol decodes were created for Excelan Analyzer capture files. In 1988, Legend Software was founded, and the LAN Patrol Network Analyzer was launched. This led to an acquisition by Network General Corporation in 1989, where LAN Patrol became the Sniffer Network Monitor. Subsequently, substantial contributions were made to network analysis products at Network General (1989-1997), Network Associates (1997-2000), Network ICE (2000-2001), Internet Security Systems (2001-2006), and IBM (2006-2024). Development of Capture File Forensics commenced in February 2025.


Assets

CFF-Assets.zip