Network Forensic Acquisition

Fundamentals of Network Forensics

Part of the book series: Computer Communications and Networks (CCN)


This chapter discusses the acquisition of packets in a network forensic system. To that end it covers the TCP/IP protocol suite, the packet capture (pcap) format, the pcapng dump file format, the NetFlow record format, and the IPFIX format, and explains the relevance of each to the network forensic system. The final section of the chapter presents the identification and correlation architecture together with all of its events.



  1. Tang Y, Daniels TE (2005) A simple framework for distributed forensics. In: Proc. 25th IEEE international conference on Distributed Computing Systems Workshops (ICDCS 05), Columbus, OH, USA, pp 163–169

    Google Scholar 

  2. Pilli ES, Joshi RC, Niyogi R (2010) Network forensic frameworks: survey and research challenges. Digit Investig 7(1–2):14–27

    Article  Google Scholar 

  3. Mukkamala S, Sung AH (2003) Identifying significant features for network forensic analysis using artificial intelligent techniques. Int J Digit Evid 1(4):1–17

    Google Scholar 

  4. Shanmugasundaram K, Memon N (2006) Network monitoring for security and forensics. In: Bagchi A, Atluri V (eds) Information systems security, vol 4332. Springer, Berlin/Heidelberg, pp 56–70

    Chapter  Google Scholar 

  5. Leiner B, Rekhter Y (1993) RFC1560: the MultiProtocol internet. Available:, 30 Apr 2011

  6. Forouzan BA (2006) TCP/IP protocol Suite, 3rd edn. McGraw Hill Publications, California

    Google Scholar 

  7. Postel J (1981) RFC 791: internet protocol. Defense Advanced Research Projects Agency, Available:, 30 Apr 2011

  8. Postel J (1981) RFC 792: internet control message protocol. Defense Advanced Research Projects Agency, Available:, 30 Apr 2011

  9. Postel J (1981) RFC 793: transmission control protocol. Defense Advanced Research Projects Agency, Available:, 30 Apr 2011

  10. Postel J (1980) RFC 768: user datagram protocol. Defense Advanced Research Projects Agency, Available:, 30 Apr 2011

  11. Fielding R, Gettys J, Mogul J, Frystyk H, Masinter L, Leach P, Berners-Lee T (1999) RFC 2616: hypertext transfer protocol – HTTP/1.1. Defense Advanced Research Projects Agency, Available:, 30 Apr 2011

  12. Jacobson V, Leres C, McCanne S (1994) libpcap. LBNL, Berkeley. Available: FileFormat, 30 Apr 2011

  13. Degioanni L, Risso F, Varenni G (2004) PCAPNG File Format, IETF, Available: draft/PCAP-DumpFileFormat.html, 31 Mar 2016

  14. Cisco Whitepaper (2007) Cisco IOS NetFlow version 9 flow-record format. Available: 00a3db9.pdf, 31 Mar 2016

  15. Scheck M (2009) NetFlow for incident detection. In: Proceedings of Forum of Incident Response and Security Teams (FIRST), Kyoto, Japan, pp 1–17

    Google Scholar 

  16. Claise B (2008) RFC 5101: specification of the IP Flow Information Export (IPFIX) protocol for the exchange of IP traffic flow information, Available:, 31Mar 2016

  17. Trammell B, Boschi E, Mark L, Zseby T, Wagner A (2009) RFC 5655: specification of the IP Flow Information Export (IPFIX) file format, Available:, 31Mar 2016

Download references


Copyright information

© 2016 Springer-Verlag London

Cite this chapter

Joshi, R.C., Pilli, E.S. (2016). Network Forensic Acquisition. In: Fundamentals of Network Forensics. Computer Communications and Networks. Springer, London.

  • Publisher Name: Springer, London

  • Print ISBN: 978-1-4471-7297-0

  • Online ISBN: 978-1-4471-7299-4

  • eBook Packages: Computer Science (R0)
