Install this specific skill from the multi-skill repository:

```shell
npx skills add BrownFineSecurity/iothackbot --skill "netflows"
```
# Description
Network flow extractor that analyzes pcap/pcapng files to identify outbound connections with automatic DNS hostname resolution. Use when you need to enumerate network destinations, identify what hosts a device communicates with, or map IP addresses to hostnames from packet captures.
# SKILL.md
name: netflows
description: Network flow extractor that analyzes pcap/pcapng files to identify outbound connections with automatic DNS hostname resolution. Use when you need to enumerate network destinations, identify what hosts a device communicates with, or map IP addresses to hostnames from packet captures.
## NetFlows - Network Flow Extractor with DNS Resolution
You are helping the user extract and analyze network flows from packet capture files using the netflows tool.
### Tool Overview
NetFlows analyzes pcap/pcapng files to:
- Extract unique TCP and UDP flows (destination IP:port pairs)
- Build a DNS resolution table from DNS responses in the capture
- Automatically resolve IP addresses to hostnames where possible
- Filter flows by source IP address
- Generate a summary of all network destinations contacted
This is particularly useful for IoT device analysis to understand what external services a device communicates with.
### Instructions
When the user asks to analyze network flows, extract destinations, or identify what hosts a device talks to:
1. Gather requirements:
   - Get the pcap/pcapng file path(s)
   - Ask if they want to filter by a specific source IP (e.g., the IoT device's IP)
   - Determine preferred output format
2. Execute the analysis:
   - Use the netflows command from the iothackbot bin directory
3. Interpret results:
   - Explain resolved hostnames and their significance
   - Note any unresolved IPs that may need further investigation
   - Highlight interesting patterns (cloud services, P2P connections, etc.)
### Usage
#### Basic Analysis
Analyze a pcap file showing all flows:
```shell
netflows capture.pcap
```
#### Filter by Source IP
Extract flows from a specific device:
```shell
netflows capture.pcap --source-ip 192.168.1.100
```
#### Multiple Files
Analyze multiple capture files:
```shell
netflows capture1.pcap capture2.pcapng
```
#### Output Formats
```shell
# Human-readable colored output (default)
netflows capture.pcap --format text
# Machine-readable JSON
netflows capture.pcap --format json
# Minimal output - just hostname:port list
netflows capture.pcap --format quiet
```
### Parameters
Input:
- pcap_files: One or more pcap/pcapng files to analyze (required)
Filtering:
- -s, --source-ip: Filter flows originating from this IP address
Output:
- --format text|json|quiet: Output format (default: text)
- -v, --verbose: Enable verbose output
### Examples
Analyze IoT device traffic:
```shell
netflows iot-capture.pcap --source-ip 192.168.1.50
```
Get just the flow list for scripting:
```shell
netflows capture.pcap -s 10.0.0.100 --format quiet
```
JSON output for parsing:
```shell
netflows capture.pcap --format json | jq '.data[].flow_summary'
```
### Output Information
Text format includes:
- DNS mappings discovered (IP -> hostname)
- TCP flows with hostname resolution status
- UDP flows with hostname resolution status
- Consolidated flow summary (hostname:port or ip:port)
JSON format includes:
- dns_mappings: Dictionary of IP to hostname mappings
- tcp_flows: List of TCP flow objects with hostname, ip, port
- udp_flows: List of UDP flow objects with hostname, ip, port
- flow_summary: List of "hostname:port" or "ip:port" strings
- dns_queries: List of DNS domains queried
- total_packets: Number of packets analyzed
### Use Cases
- IoT Device Profiling: Identify all cloud services and endpoints an IoT device communicates with
- Network Forensics: Enumerate destinations contacted during an incident
- Privacy Analysis: Discover telemetry and tracking endpoints
- Firewall Rule Creation: Generate allowlist/blocklist of endpoints
- Malware Analysis: Identify C2 servers and exfiltration destinations
### Important Notes
- The tool resolves hostnames using DNS responses found within the same pcap file
- IPs without corresponding DNS lookups in the capture will show as "unresolved"
- Supports both pcap and pcapng formats
- Does not require elevated privileges (unlike live capture tools)
- Large pcap files may take time to process
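As an added illustration of the mechanism described under Tool Overview and Important Notes (this is example code, not code from iothackbot or the netflows tool): a small Python script that builds an IP-to-hostname table from the DNS replies found among a set of packets, then labels the device's outbound TCP/UDP flows with it, leaving any destination that had no DNS answer in the capture as a bare IP. The packets, addresses and the DNS reply are constructed inline for the example; with a real capture you would read frames with a pcap library and strip the link layer before feeding them in.

```python
import socket
import struct

def dns_name(data, off):  # decode a (possibly compressed) DNS name -> (name, offset after it)
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: remember where this field ends, then jump
            end = end or off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            return ".".join(labels), (end or off + 1)
        labels.append(data[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln

def dns_a_records(payload):  # yield (ip, hostname) for each A answer in a DNS reply payload
    qd, an = struct.unpack("!HH", payload[4:8])
    off = 12
    for _ in range(qd):  # skip the question section: name + type + class
        off = dns_name(payload, off)[1] + 4
    for _ in range(an):
        name, off = dns_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        if rtype == 1 and rdlen == 4:  # A record; AAAA and CNAME answers are skipped here
            yield socket.inet_ntoa(payload[off + 10:off + 14]), name
        off += 10 + rdlen

def extract_flows(packets, source_ip=None):  # DNS table from replies, then unique dst flows
    dns, flows = {}, set()
    for pkt in packets:  # raw IPv4 packets with the link layer already stripped
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if proto == 17 and sport == 53:  # DNS reply: learn mappings, it is not a device flow
            dns.update(dns_a_records(pkt[ihl + 8:]))
        elif proto in (6, 17) and (source_ip is None or src == source_ip):
            flows.add(("tcp" if proto == 6 else "udp", dst, dport))
    return dns, sorted((p, dns.get(ip, ip), port) for p, ip, port in flows)
def ipv4(proto, src, dst, l4):  # minimal IPv4 header, checksum left 0 (constructed data only)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + l4
DEVICE, RESOLVER = "192.168.1.50", "192.168.1.1"  # constructed addresses
DNS_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
             + b"\xc0\x0c" + struct.pack("!HHIH4s", 1, 1, 300, 4, socket.inet_aton("203.0.113.10")))
PACKETS = [  # constructed sample capture; the reply says "example.com A 203.0.113.10"
    ipv4(17, RESOLVER, DEVICE, struct.pack("!HHHH", 53, 40000, 8 + len(DNS_REPLY), 0) + DNS_REPLY),
    ipv4(6, DEVICE, "203.0.113.10", struct.pack("!HHIIBBHHH", 51000, 443, 0, 0, 0x50, 2, 8192, 0, 0)),
    ipv4(17, DEVICE, "198.51.100.7", struct.pack("!HHHH", 40001, 123, 56, 0) + b"\x00" * 48),  # NTP, unresolved
]
```

Calling `extract_flows(PACKETS, source_ip=DEVICE)` returns the table `{"203.0.113.10": "example.com"}` and the summary `[("tcp", "example.com", 443), ("udp", "198.51.100.7", 123)]`, the second entry staying an IP because no DNS answer for it appears in the capture.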