Abstract
Flowinspect is a tool developed specifically for network monitoring and inspection purposes. It takes network traffic as input and extracts layer 4 flows from it. These flows are then passed through an inspection engine that filters and extracts interesting network sessions. For flows that meet inspection criteria, the output mode dumps match statistics to either stdout or a file or both.
The primary difference between flowinspect and other network inspection tools is that flowinspect inspects network flows instead of individual layer 4 packet contents. As such, if for a flow certain data to be matched upon spans multiple packets, flowinspect would still be able to identify it. Inspection can be done in any of the following inspection modes (selected through appropriate command-line arguments):
- regex: PCRE-compatible regular expressions
- fuzzy: fuzzy string matching techniques
- shellcode: libemu based (x86 compatible) shellcode detection
- yara: yara-project based signature detection
There are a few mode-specific options that a user can use to tweak the behavior of the respective inspection engine. For example, regex matches could be made case insensitive, fuzzy string match threshold could be altered, generation of shellcode profile output that lists detected system calls, their arguments, and return values, etc. can be enabled, detected shellcode can be disassembled, and output could be dumped to a file. Once inspection completes, matching flows are passed to the output module that gathers statistics like match size, start of the match offset inside inspection buffer, packet IDs for a match, direction of the match (CTS/STC/ANY), etc. Matched content can also be dumped to a file or pcap generation for matched flows could also be requested.
Apart from these, there are a few other handy options that could prove useful in different network inspection scenarios. For example, inspection could be limited to interesting flows only using Berkeley Packet Filter (BPF) expressions, or via Snort-like offset/depth content modifiers, or via max packet-stream count options. Matches results can be negated, matched TCP flows could be killed, etc.
The current production version includes all the above features. Flowinspect is, however, under active development and new features/bug fixes are being pushed frequently.