Active Traffic Capture for Network Forensics

  • Marco Slaviero
  • Anna Granova
  • Martin Olivier
Part of the IFIP Advances in Information and Communication book series (IFIPAICT, volume 222)


Network traffic capture is an integral part of network forensics, but current traffic capture techniques are typically passive in nature. Under heavy loads, it is possible for a sniffer to miss packets, which affects the quality of forensic evidence.

This paper explores means for active capture of network traffic. In particular, it examines how traffic capture can influence the stream under surveillance so that no data is lost. A tool that forces TCP retransmissions is presented. The paper also provides a legal analysis—based on United States and South African laws—which shows that few legal obstacles are faced by traffic capture techniques that force attackers to retransmit data.


Network forensics active traffic capture TCP retransmission 


  1. [1]
    ANSI, Information Processing Systems: Local Area Networks — Part 3, Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications, American National Standards Institute, 1992.Google Scholar
  2. [2]
    P. Bekker, T. Geldenhuys, J. Joubert, J. Swanepoel, S. Terblanche and S. van der Merwe, Criminal Procedure Handbook (Sixth Edition), Juta and Company, Lansdowne, South Africa, 2003.Google Scholar
  3. [3]
    J. Bellardo and S. Savage, Measuring packet reordering, Proceedings of the Second ACM SIGCOMM Workshop on Internet Measurement, pp. 97–105, 2002.Google Scholar
  4. [4]
    R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach and T. Berners-Lee, Hypertext transfer protocol — HTTP/1.1, RFC 2616, Internet Engineering Task Force, June 1999.Google Scholar
  5. [5]
    S. Floyd, J. Mahdavi, M. Mathis and M. Podolsky, An extension to the selective acknowledgement (SACK) option for TCP, RFC 2883, Internet Engineering Task Force, July 2000.Google Scholar
  6. [6]
    V. Jacobson, Congestion avoidance and control, Proceedings of the ACM SIGCOMM Symposium on Communications Architectures and Protocols, pp. 314–329, 1988.Google Scholar
  7. [7]
    M. Mathis, J. Madhavi, S. Floyd and A. Romanow, TCP selective acknowledgement options, RFC 2018, Internet Engineering Task Force, October 1996.Google Scholar
  8. [8]
    ISO, Information Processing Systems — OSI Reference Model — The Basic Model (ISO 7498-1: 1994), International Organization for Standardization, 1994.Google Scholar
  9. [9]
    V. Paxson, End-to-end Internet packet dynamics, Proceedings of the ACM SIGCOMM Conference on Applications, Technologies, Architectures and Protocols for Computer Communication, pp. 139–152, 1997.Google Scholar
  10. [10]
    J. Postel, Internet protocol, RFC 791, Internet Engineering Task Force, September 1981.Google Scholar
  11. [11]
    J. Postel, Transmission control protocol, RFC 793, Internet Engineering Task Force, September 1981.Google Scholar
  12. [12]
    J. Postel, Simple mail transfer protocol, RFC 821, Internet Engineering Task Force, August 1982.Google Scholar
  13. [17]
    W. Stevens, TCP slow start, congestion avoidance, fast retransmit and fast recovery algorithms, RFC 2001, Internet Engineering Task Force, January 1997.Google Scholar
  14. [18]
    J. Stone and C. Partridge, When the CRC and TCP checksum disagree, Proceedings of the ACM SIGCOMM Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pp. 309–319, 2000.Google Scholar
  15. [20]
    J. Winn and B. Wright, The Law of Electronic Commerce (Fourth Edition), Aspen Publishers, New York, 2005.Google Scholar

Copyright information

© IFIP Internatonal Federation for Information Processing 2006

Authors and Affiliations

  • Marco Slaviero
    • 1
  • Anna Granova
    • 1
  • Martin Olivier
    • 1
  1. 1.University of PretoriaPretoriaSouth Africa

Personalised recommendations