Raw Table

Overview

Evidence: Raw Table
Description: Collect Raw table
Category: Network
Platform: Linux
Short Name: rawtab
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

This collector gathers the raw socket table from the Linux system. This data is essential for understanding low-level network activity and for detecting potentially suspicious raw socket usage, since raw sockets bypass the normal TCP/UDP stack and are rarely used by ordinary applications.

Data Collected

This collector gathers structured data about the raw socket table.

Raw Table Data

| Field | Description | Example |
| --- | --- | --- |
| ID | ID | 1 |
| Inode | Inode | Example value |
| ProcessId | Process Id | Example value |
| UserId | User Id | Example value |
| LocalIP | Local IP | Example value |
| LocalPort | Local Port | Example value |
| RemoteIP | Remote IP | Example value |
| RemotePort | Remote Port | Example value |
| State | State | Example value |

Collection Method

This collector parses the raw socket tables under /proc and records each entry in the raw_table table.
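As an added illustration of what the parsing step involves (this is example code, not the collector's own implementation), the block below decodes the layout of the kernel's /proc/net/raw table into the raw_table fields listed above and resolves ProcessId by matching socket inodes against /proc/<pid>/fd links. The sample table is constructed; it assumes the standard kernel format, in which a raw socket's "port" column carries the IP protocol number rather than a port.

```python
import os
import socket
import struct

# Constructed sample in the layout of /proc/net/raw (not from a real host). For raw
# sockets the "port" column holds the IP protocol number (0001 = ICMP, 00FF = raw IP).
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 0100007F:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 21337 2 0000000000000000 0
   6: 00000000:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 21338 2 0000000000000000 0
"""

STATES = {0x01: "ESTABLISHED", 0x07: "CLOSE"}  # raw sockets show CLOSE unless connect()ed

def _decode_addr(field):
    """'0100007F:0001' -> ('127.0.0.1', 1); hex is host byte order, 32 hex chars means IPv6."""
    hexaddr, hexport = field.split(":")
    words = [struct.pack("<I", int(hexaddr[i:i + 8], 16)) for i in range(0, len(hexaddr), 8)]
    family = socket.AF_INET if len(words) == 1 else socket.AF_INET6
    return socket.inet_ntop(family, b"".join(words)), int(hexport, 16)

def parse_raw_table(text):
    """Return one dict per socket, keyed like the raw_table fields."""
    entries = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        cols = line.split()
        if len(cols) < 10:
            continue                            # blank or truncated line
        local_ip, local_port = _decode_addr(cols[1])
        remote_ip, remote_port = _decode_addr(cols[2])
        entries.append({
            "Inode": int(cols[9]), "ProcessId": None, "UserId": int(cols[7]),
            "LocalIP": local_ip, "LocalPort": local_port,
            "RemoteIP": remote_ip, "RemotePort": remote_port,
            "State": STATES.get(int(cols[3], 16), "UNKNOWN(" + cols[3] + ")"),
        })
    return entries

def resolve_pids(entries, proc_root="/proc"):
    """Fill ProcessId by matching socket inodes against /proc/<pid>/fd symlinks."""
    by_inode = {e["Inode"]: e for e in entries}
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        try:
            links = [os.readlink(f"{proc_root}/{pid}/fd/{fd}") for fd in os.listdir(f"{proc_root}/{pid}/fd")]
        except OSError:
            continue                            # process exited or fd dir not readable
        for target in links:
            if target.startswith("socket:[") and int(target[8:-1]) in by_inode:
                by_inode[int(target[8:-1])]["ProcessId"] = int(pid)
    return entries
```

Inode-to-PID resolution only works for processes whose /proc/<pid>/fd directory the collector can read, so it should run with root privileges on the examined host; an entry whose ProcessId stays empty after a privileged run is itself worth a second look.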

Usage

This evidence is crucial for forensic investigations because it provides visibility into raw socket usage. It helps investigators detect packet crafting tools, covert channels, and other low-level networking anomalies.

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.
