Network flow extractor that analyzes pcap/pcapng files to identify outbound connections with automatic DNS hostname resolution. Use when you need to enumerate network destinations, identify what hosts a device communicates with, or map IP addresses to hostnames from packet captures.
You are helping the user extract and analyze network flows from packet capture files using the netflows tool.
NetFlows analyzes pcap/pcapng files to:
This is particularly useful for IoT device analysis to understand what external services a device communicates with.
When the user asks to analyze network flows, extract destinations, or identify what hosts a device talks to:
Gather requirements:
Execute the analysis:
Interpret results:
Analyze a pcap file showing all flows:
netflows capture.pcap
Extract flows from a specific device:
netflows capture.pcap --source-ip 192.168.1.100
Analyze multiple capture files:
netflows capture1.pcap capture2.pcapng
# Human-readable colored output (default)
netflows capture.pcap --format text
# Machine-readable JSON
netflows capture.pcap --format json
# Minimal output - just hostname:port list
netflows capture.pcap --format quiet
Input:
pcap_files: One or more pcap/pcapng files to analyze (required)
Filtering:
-s, --source-ip: Filter flows originating from this IP address
Output:
--format text|json|quiet: Output format (default: text)
-v, --verbose: Enable verbose output
Analyze IoT device traffic:
netflows iot-capture.pcap --source-ip 192.168.1.50
Get just the flow list for scripting:
netflows capture.pcap -s 10.0.0.100 --format quiet
JSON output for parsing:
netflows capture.pcap --format json | jq '.data[].flow_summary'
Text format includes:
JSON format includes:
dns_mappings: Dictionary of IP to hostname mappings
tcp_flows: List of TCP flow objects with hostname, ip, port
udp_flows: List of UDP flow objects with hostname, ip, port
flow_summary: List of "hostname:port" or "ip:port" strings
dns_queries: List of DNS domains queried
total_packets: Number of packets analyzed
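To make the analysis concrete (what "outbound flows with DNS hostname resolution" means, and what ends up in each JSON key above), here is an added, self-contained Python example. It is not netflows' own code and makes several assumptions the page does not state: it reads classic pcap only (not pcapng), handles Ethernet/IPv4 frames only, and builds the IP-to-hostname map purely from DNS A-record answers seen in the capture. The device, resolver and destination addresses, the name api.example.com and the sample capture itself are all constructed inline. The unresolved() helper is an extra check a reviewer of IoT traffic usually wants: destinations the device reached by bare IP with no preceding DNS lookup.

```python
"""Outbound-flow extractor with DNS hostname resolution. Added example, not
netflows' own code: classic pcap only (Ethernet/IPv4, no pcapng); hostnames come
from DNS A-record answers seen in the capture (an assumed resolution method);
output uses the JSON keys documented above. The sample capture is constructed."""
import json
import socket
import struct
import sys

def read_pcap(data: bytes):
    """Yield link-layer frames from classic pcap bytes (24-byte global header)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_dns_name(msg: bytes, off: int):
    """Decode a DNS name, following compression pointers; return (name, next_off)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_dns(payload: bytes, queries: list, mappings: dict):
    """Record question names from queries and A-record answers as IP -> hostname."""
    flags, qdcount, ancount = struct.unpack("!HHH", payload[2:8])
    off = 12
    for _ in range(qdcount):
        name, off = parse_dns_name(payload, off)
        off += 4                                       # skip QTYPE + QCLASS
        if not flags & 0x8000:                         # QR bit clear: this is a query
            queries.append(name)
    for _ in range(ancount):
        name, off = parse_dns_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record: IPv4 address
            mappings[socket.inet_ntoa(payload[off:off + 4])] = name
        off += rdlen

def extract_flows(pcap: bytes, source_ip: str) -> dict:
    """Outbound TCP/UDP destinations of source_ip, with hostnames from DNS answers."""
    mappings, queries, tcp, udp, total = {}, [], {}, {}, 0
    for frame in read_pcap(pcap):
        total += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 over Ethernet only
            continue
        ip = frame[14:]
        proto, src, dst = ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        l4 = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 17 and 53 in (sport, dport):       # learn names from all DNS traffic
            parse_dns(l4[8:], queries, mappings)
        if src == source_ip and proto in (6, 17):      # dedupe flows on (dst, port)
            (tcp if proto == 6 else udp)[(dst, dport)] = True
    describe = lambda flows: [{"hostname": mappings.get(ip), "ip": ip, "port": port} for ip, port in flows]
    tcp_flows, udp_flows = describe(tcp), describe(udp)
    return {"dns_mappings": mappings, "tcp_flows": tcp_flows, "udp_flows": udp_flows,
            "flow_summary": [f"{f['hostname'] or f['ip']}:{f['port']}" for f in tcp_flows + udp_flows],
            "dns_queries": queries, "total_packets": total}

def unresolved(result: dict) -> list:
    """Destinations with no DNS name: hard-coded IPs a device reaches without a lookup."""
    return [f"{f['ip']}:{f['port']}" for f in result["tcp_flows"] + result["udp_flows"] if f["hostname"] is None]

# Constructed sample capture: one DNS lookup, two TLS connections, one bare-IP NTP flow.
def _name(host): return b"".join(bytes([len(l)]) + l.encode() for l in host.split(".")) + b"\x00"
def _frame(src, dst, proto, sport, dport, payload=b""):
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip
DEV, GW, API, NTP = "192.168.1.50", "192.168.1.1", "203.0.113.10", "203.0.113.20"
_question = _name("api.example.com") + struct.pack("!HH", 1, 1)
_frames = [
    _frame(DEV, GW, 17, 51234, 53, struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _question),
    _frame(GW, DEV, 17, 53, 51234, struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _question
           + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(API)),
    _frame(DEV, API, 6, 44321, 443), _frame(DEV, API, 6, 44322, 443),   # same destination twice
    _frame(DEV, NTP, 17, 123, 123),                                      # never looked up via DNS
    _frame("198.51.100.7", DEV, 6, 443, 44321),                          # inbound, not a flow of DEV
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(_frames))

if __name__ == "__main__":   # usage: python3 flows.py [capture.pcap source-ip]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_PCAP
    result = extract_flows(data, sys.argv[2] if len(sys.argv) > 2 else DEV)
    print(json.dumps(result, indent=2))
    print("unresolved:", unresolved(result), file=sys.stderr)
```

Run without arguments to analyze the constructed capture, or pass a real classic-pcap file and a source IP. On the sample, the two connections to 203.0.113.10:443 collapse into one TCP flow labelled api.example.com, while 192.168.1.1:53 and 203.0.113.20:123 come back with hostname null and therefore appear in flow_summary as ip:port; those bare-IP destinations are exactly what unresolved() surfaces for follow-up.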