FlowCarp

FlowCarp is software that identifies protocols in network traffic based on behavior instead of port numbers. FlowCarp reads packet data in the form of PCAP, Pcap-NG or TZSP streams and outputs information about the flows it finds, including the detected application layer protocol for each flow.

Download links and more detailed information about FlowCarp can be found on the official website:

https://flowcarp.com

Commercial FlowCarp Licenses

The free community edition of FlowCarp is limited with regard to how much data can be analyzed per day and which protocols it can identify. A commercial FlowCarp license is required to analyze more than 10 000 flows per day. The commercial licenses are sold as a combination of Protocol Package (P1 to P3) and Traffic Volume Level (L1 to UNLIMITED).

Protocol Packages

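| Package | Protocols | Malicious protocols | Sub-protocol identification | Use case |
|---------|-----------|---------------------|-----------------------------|----------|
| P1 | 200+ | No | No | Traffic classification |
| P2 | 300+ | Yes | No | Security monitoring |
| P3 | 600+ | Yes | Yes | Any |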

All commercial protocol packages also include identification of the 25 protocols from the community edition.

The P3 protocol package allows FlowCarp to detect what we call sub-protocols, which are protocols inside other protocols. This sub-protocol detection enables users to differentiate between different types of HTTP-based communications like Windows Update, CRL, OCSP or WebSocket.

FlowCarp's sub-protocol identification feature can also detect many malicious protocols that run on top of HTTP, such as AdaptixC2, DCRat, Formbook, LummaC2, NetSupport RAT, RedLine and StealC. The sub-protocol identification feature can even detect what's running inside of a TLS encrypted session, without having to decrypt the traffic! Identification of sub-TLS protocols is much more complex than for HTTP, which is why the precision will not be quite as high. But it can usually accurately identify many legitimate as well as malicious protocols that run on top of TLS, regardless of which port is being used.

Volume Levels

FlowCarp customers can run multiple FlowCarp instances using a single commercial FlowCarp license. The volume licenses restrict the total number of flows, across all running FlowCarp instances, that a customer organization can inspect per day with FlowCarp.

| Level | Flows per day |
|-------|---------------|
| L1 | 1 000 000 (1M) |
| L2 | 3 000 000 (3M) |
| L3 | 10 000 000 (10M) |
| L4 | 30 000 000 (30M) |
| L5 | 100 000 000 (100M) |
| UNLIMITED | No limit |

FlowCarp will still continue extracting flow information from PCAP data when this daily limit is reached, but it will not identify any more protocols.

All commercial FlowCarp licenses, including UNLIMITED, require an online connection so that they can be validated by our license server.

To request a quote for a commercial FlowCarp license, please contact us and let us know which Protocol Package and Volume Level you are interested in. We can also provide guidance on which license type is best for your specific use case.