TCP Table
Overview
Evidence: Tcp Table
Description: Collect Tcp Table
Category: Network
Platform: Linux
Short Name: tcptable
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Linux TCP table provides information about active TCP connections and listening network sockets. This data is essential for understanding a host's network connectivity and for detecting unauthorized network connections.
Data Collected
This collector gathers structured data about the TCP table.
Tcp Table Data

Field        Description                      Example
ID           Primary key (auto-increment)     1
Inode        Socket inode number              12345
ProcessId    Process ID using the socket      1234
UserId       User ID of the process           1000
LocalIP      Local IP address                 0.0.0.0
LocalPort    Local port number                22
RemoteIP     Remote IP address                192.168.1.100
RemotePort   Remote port number               45678
State        Connection state                 ESTABLISHED
Collection Method
This collector parses the necessary data from the tcp_table table.
It reads data from the following locations:
/proc/net/tcp
/proc/net/tcp6
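As an added example (not the collector's own code), the parser below turns raw /proc/net/tcp or /proc/net/tcp6 lines into rows with the Tcp Table Data fields listed above. It assumes a little-endian host, which is why each 4-byte word of the hex address is reversed; the sample lines are constructed, and ProcessId is left out because the kernel file does not contain it (it is recovered by matching Inode against the socket:[inode] links under /proc/<pid>/fd).

```python
import ipaddress

# Kernel TCP state codes as written in the "st" column of /proc/net/tcp{,6}.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING", "0C": "NEW_SYN_RECV",
}

def decode_addr(field: str) -> tuple[str, int]:
    """Decode 'HEXADDR:HEXPORT'. The kernel prints the address in host byte
    order, so on little-endian hosts (assumed here) every 4-byte word is
    reversed; the port is plain big-endian hex. Works for IPv4 and IPv6."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return str(ipaddress.ip_address(b"".join(words))), int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> list[dict]:
    """Turn the raw file into rows shaped like the Tcp Table Data fields.
    ProcessId is not in the file; it is found by matching Inode against the
    socket:[<inode>] links under /proc/<pid>/fd (inode 0 means no owner,
    e.g. TIME_WAIT sockets), which this function deliberately omits."""
    rows = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        local_ip, local_port = decode_addr(cols[1])
        remote_ip, remote_port = decode_addr(cols[2])
        rows.append({
            "Inode": int(cols[9]), "UserId": int(cols[7]),
            "LocalIP": local_ip, "LocalPort": local_port,
            "RemoteIP": remote_ip, "RemotePort": remote_port,
            "State": TCP_STATES.get(cols[3], "UNKNOWN_" + cols[3]),
        })
    return rows

# Constructed sample (not a real capture): a listener on 0.0.0.0:22 and one
# established session from 192.168.1.100:45678, as in the example values above.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0101A8C0:0016 6401A8C0:B26E 01 00000000:00000000 02:00000A3C 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for row in parse_proc_net_tcp(SAMPLE_TCP):
        print(row)
```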
Usage
This evidence is crucial for forensic investigations as it provides TCP connection information. It helps investigators understand network connectivity, detect unauthorized connections, and investigate network-based attacks. The data can reveal active connections, network sockets, and potential network vulnerabilities. Analysts can use this information to identify network compromises, trace network activities, and assess network security posture.
Notes
This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.