IPv4 Routes

Overview

Evidence: IPv4 Routes
Description: Collect IPv4 Routes
Category: Network
Platform: windows
Short Name: ipv4
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The IPv4 routing table determines how network packets are forwarded from the local system to destination networks. It contains routes to local subnets, default gateways, and any manually configured or dynamically learned routes.

Changes to the routing table can indicate traffic redirection through an unexpected gateway, VPN or tunnel usage, or routing-based attacks. Because each entry references its outbound adapter only by interface index, the table is best read alongside network adapter evidence from the same host so that indexes and next hops can be resolved to real interfaces.

Data Collected

This collector gathers one structured record per entry in the host's IPv4 routing table.

IPv4 Routes Data

Field        Description                                                    Example
Destination  Destination network address (dwForwardDest)                    0.0.0.0
Mask         Network mask (dwForwardMask)                                   0.0.0.0
Policy       Multipath forwarding policy (dwForwardPolicy); 0 on Windows    0
Adapter      Interface index of the outbound adapter (dwForwardIfIndex)     12
Type         Route type (dwForwardType)                                     4 (Indirect)
Protocol     How the route was created (dwForwardProto)                     3 (NETMGMT)
Age          Seconds since the route was added or modified (dwForwardAge)   3600

The example column describes a default route: destination 0.0.0.0 with mask 0.0.0.0, reached through a gateway on interface 12. Type values follow MIB_IPFORWARD_TYPE in ipmib.h: 1 Other, 2 Invalid, 3 Direct (destination is on a connected subnet), 4 Indirect (packets are handed to a next-hop gateway), so a default route is Indirect. Protocol values follow MIB_IPFORWARD_PROTO: 2 Local for routes Windows creates for its own interfaces, 3 NETMGMT for static routes set through network management (manual configuration, DHCP or API calls), and the NT-specific values 10002 NT_AUTOSTATIC and 10006 NT_STATIC for Windows static routes. Age is measured from when the entry was inserted or last changed, not from boot, so a young Age on a static route means it was added recently.

Collection Method

This collector uses the Windows IP Helper API (iphlpapi.dll) to enumerate routes:

  • Calls GetIpForwardTable to retrieve the IPv4 forwarding table as a MIB_IPFORWARDTABLE structure

  • Parses each MIB_IPFORWARDROW entry in the table

  • Extracts destination, mask, next-hop, adapter index, type, protocol and age; the address fields are 32-bit values stored in network byte order
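The following Python is an added example, not the collector's own code. It makes the same GetIpForwardTable call through ctypes on Windows (this is assumed to mirror what the collector does, not taken from it) and parses the raw MIB_IPFORWARDTABLE buffer with struct, so the parser can also be exercised on any platform against a constructed buffer. build_forward_table and SAMPLE_ROWS are test helpers with constructed data; the field layout and enum names are those of ipmib.h.

```python
"""Added example: read and parse the Windows IPv4 forwarding table.

Not the collector's own code.  Struct layouts follow MIB_IPFORWARDTABLE /
MIB_IPFORWARDROW from <ipmib.h>; the API call is Windows-only, the parser
runs anywhere."""
import ctypes
import socket
import struct
import sys

# Enum names from <ipmib.h> (MIB_IPFORWARD_TYPE / MIB_IPFORWARD_PROTO).
ROUTE_TYPES = {1: "OTHER", 2: "INVALID", 3: "DIRECT", 4: "INDIRECT"}
ROUTE_PROTOS = {1: "OTHER", 2: "LOCAL", 3: "NETMGMT", 4: "ICMP", 5: "EGP",
                6: "GGP", 7: "HELLO", 8: "RIP", 9: "IS_IS", 10: "ES_IS",
                11: "CISCO", 12: "BBN", 13: "OSPF", 14: "BGP",
                10002: "NT_AUTOSTATIC", 10006: "NT_STATIC",
                10007: "NT_STATIC_NON_DOD"}

# MIB_IPFORWARDROW is fourteen little-endian DWORDs: Dest, Mask, Policy,
# NextHop, IfIndex, Type, Proto, Age, NextHopAS, Metric1..Metric5.
ROW_FMT = "<14I"
ROW_SIZE = struct.calcsize(ROW_FMT)   # 56 bytes

def dw2ip(dword):
    """DWORD as laid out in memory -> dotted quad.  Address DWORDs are in
    network byte order, so repacking little-endian yields the wire bytes."""
    return socket.inet_ntoa(struct.pack("<I", dword))

def ip2dw(text):
    """Dotted quad -> DWORD as laid out in memory (inverse of dw2ip)."""
    return struct.unpack("<I", socket.inet_aton(text))[0]

def parse_forward_table(buf):
    """Parse a raw MIB_IPFORWARDTABLE buffer (dwNumEntries + rows) into dicts."""
    (count,) = struct.unpack_from("<I", buf, 0)
    routes = []
    for i in range(count):
        f = struct.unpack_from(ROW_FMT, buf, 4 + i * ROW_SIZE)
        routes.append({
            "Destination": dw2ip(f[0]), "Mask": dw2ip(f[1]), "Policy": f[2],
            "NextHop": dw2ip(f[3]), "Adapter": f[4],
            "Type": f[5], "TypeName": ROUTE_TYPES.get(f[5], "UNKNOWN"),
            "Protocol": f[6], "ProtocolName": ROUTE_PROTOS.get(f[6], "UNKNOWN"),
            "Age": f[7], "Metric": f[9],
        })
    return routes

def build_forward_table(rows):
    """Test helper: serialise (dest, mask, nexthop, ifidx, type, proto, age,
    metric) tuples into the buffer layout GetIpForwardTable would fill."""
    buf = struct.pack("<I", len(rows))
    for dest, mask, nexthop, ifidx, rtype, proto, age, metric in rows:
        buf += struct.pack(ROW_FMT, ip2dw(dest), ip2dw(mask), 0, ip2dw(nexthop),
                           ifidx, rtype, proto, age, 0, metric,
                           0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)
    return buf

def collect_ipv4_routes():
    """Windows only: call GetIpForwardTable from iphlpapi.dll (the API the
    collector names) with the usual two-call size negotiation."""
    if sys.platform != "win32":
        raise OSError("GetIpForwardTable is only available on Windows")
    iphlpapi = ctypes.WinDLL("iphlpapi")
    size = ctypes.c_ulong(0)
    rc = iphlpapi.GetIpForwardTable(None, ctypes.byref(size), 1)
    if rc == 232:            # ERROR_NO_DATA: empty table
        return []
    if rc != 122:            # ERROR_INSUFFICIENT_BUFFER is the expected answer
        raise OSError(f"GetIpForwardTable size query failed: {rc}")
    buf = ctypes.create_string_buffer(size.value)
    rc = iphlpapi.GetIpForwardTable(buf, ctypes.byref(size), 1)
    if rc != 0:
        raise OSError(f"GetIpForwardTable failed: {rc}")
    return parse_forward_table(buf.raw[:size.value])

# Constructed sample: the page's default-route example plus two connected routes.
SAMPLE_ROWS = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", 12, 4, 3, 3600, 25),
    ("127.0.0.0", "255.0.0.0", "127.0.0.1", 1, 3, 2, 86400, 331),
    ("192.168.1.0", "255.255.255.0", "192.168.1.20", 12, 3, 2, 86400, 281),
]
SAMPLE_TABLE = build_forward_table(SAMPLE_ROWS)

if __name__ == "__main__":
    try:
        routes = collect_ipv4_routes()
    except OSError as exc:
        print(f"{exc}; parsing constructed sample table instead")
        routes = parse_forward_table(SAMPLE_TABLE)
    for r in routes:
        print(f"{r['Destination']:<15} {r['Mask']:<15} {r['NextHop']:<15} "
              f"if={r['Adapter']:<3} {r['TypeName']:<8} {r['ProtocolName']:<13} "
              f"age={r['Age']} metric={r['Metric']}")
```

On Windows the script prints the live table; elsewhere it falls back to the constructed buffer. Metrics 2 to 5 are written as 0xFFFFFFFF because the legacy API reports unused metrics as -1.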

Forensic Value

Routing tables reveal network topology and potential network manipulation. Investigators use this data to identify VPN or tunnel routes (a second default route, or host routes that leave through a tunnel adapter), detect routing table manipulation (a default route whose next hop is not the expected gateway), understand network architecture, identify static routes to suspicious networks (NETMGMT or NT_STATIC routes into address space the host has no reason to reach), and detect network-based persistence or C2 infrastructure. Because Age counts seconds since the entry was added, a young static route can be correlated with process and logon activity from the same window. Routes added with route -p add survive reboots and are stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes, so a persistent route to attacker infrastructure is itself a persistence mechanism worth collecting alongside this evidence.
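The triage rules above, as an added example that is not part of the collector: a Python function over parsed route records carrying this collector's fields plus NextHop (which the collection method extracts but the field table does not list). The sample routes are constructed; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges standing in for attacker-controlled address space, and the 600-second "young route" threshold is an assumption.

```python
"""Added example (not the collector's own code): triage rules over parsed
IPv4 route records.  Sample data is constructed."""
import ipaddress

# MIB_IPFORWARD_PROTO values that mean "someone configured this route".
NETMGMT, NT_AUTOSTATIC, NT_STATIC = 3, 10002, 10006
STATIC_PROTOS = {NETMGMT, NT_AUTOSTATIC, NT_STATIC}

# Address space a host is expected to route to.  Listed explicitly instead of
# using ipaddress.is_private, which also treats the RFC 5737 documentation
# ranges used in the sample as private and would hide the findings.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

def prefix(route):
    """Destination + Mask as an ip_network; strict=False tolerates host bits."""
    return ipaddress.ip_network(f"{route['Destination']}/{route['Mask']}",
                                strict=False)

def is_internal(net):
    return any(net.subnet_of(block) for block in INTERNAL)

def triage_routes(routes, young_seconds=600):
    """Return (network, reason) findings worth an investigator's attention."""
    findings = []
    defaults = [r for r in routes if prefix(r).prefixlen == 0]
    if len(defaults) > 1:
        # Two default routes: VPN tunnel, or a gateway inserted to redirect traffic.
        for r in defaults:
            findings.append(("0.0.0.0/0",
                             f"one of {len(defaults)} default routes, next hop "
                             f"{r['NextHop']} on adapter {r['Adapter']}"))
    for r in routes:
        if r["Protocol"] not in STATIC_PROTOS:
            continue          # connected-subnet routes Windows created itself
        net = prefix(r)
        if net.prefixlen > 0 and not is_internal(net):
            kind = "host" if net.prefixlen == 32 else "network"
            findings.append((str(net), f"static {kind} route to external "
                                       f"address space via {r['NextHop']}"))
        if r["Age"] < young_seconds:
            # dwForwardAge counts seconds since the entry was added, so this
            # window can be matched against process and logon activity.
            findings.append((str(net), f"static route added {r['Age']} seconds ago"))
    return findings

# Constructed sample: Type 4 = INDIRECT, 3 = DIRECT; Protocol 2 = LOCAL.
SAMPLE_ROUTES = [
    {"Destination": "0.0.0.0", "Mask": "0.0.0.0", "NextHop": "192.168.1.1",
     "Adapter": 12, "Type": 4, "Protocol": NETMGMT, "Age": 86400},
    {"Destination": "127.0.0.0", "Mask": "255.0.0.0", "NextHop": "127.0.0.1",
     "Adapter": 1, "Type": 3, "Protocol": 2, "Age": 86400},
    {"Destination": "192.168.1.0", "Mask": "255.255.255.0", "NextHop": "192.168.1.20",
     "Adapter": 12, "Type": 3, "Protocol": 2, "Age": 86400},
    # second default route through a tunnel adapter, added two minutes ago
    {"Destination": "0.0.0.0", "Mask": "0.0.0.0", "NextHop": "10.8.0.1",
     "Adapter": 7, "Type": 4, "Protocol": NETMGMT, "Age": 120},
    # pinned host route to an external address through the LAN gateway
    {"Destination": "203.0.113.5", "Mask": "255.255.255.255", "NextHop": "192.168.1.1",
     "Adapter": 12, "Type": 4, "Protocol": NETMGMT, "Age": 90},
    # external network routed into the tunnel
    {"Destination": "198.51.100.0", "Mask": "255.255.255.0", "NextHop": "10.8.0.1",
     "Adapter": 7, "Type": 4, "Protocol": NETMGMT, "Age": 120},
]

if __name__ == "__main__":
    for net, reason in triage_routes(SAMPLE_ROUTES):
        print(f"{net:<18} {reason}")
```

The rules deliberately ignore LOCAL routes, which Windows creates for every connected interface; a baseline of the same host's routes from a known-good time is the best way to tune the INTERNAL list and the age threshold.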
