DDoS Forensics

Your attack data disappears when you need it most

The attack is over. A customer wants a report. Your insurance carrier needs evidence. A regulator has questions. And the data that could answer all of it was never captured in the first place.

"Once an attack that lasts for five minutes is done, the data is no longer there. It would be an improvement if we could see recent traffic in the dashboard." Technical Lead, PeerSpot
"Attack type detection logic is extremely basic and does not cover full variety of attack types." Network Engineer, G2
"Around 20Gbit of traffic was not visible. It seems it ignores UDP fragments." Infrastructure Lead, PeerSpot
The insurance company asked for attack evidence. The data expired five minutes after the attack ended. Cool.

Why post-attack evidence matters more than you think

Detection is only half the job. After the attack stops, the real questions start. And without evidence, you are guessing at the answers.

Customer reports

When a customer asks "what happened to my service for the last 10 minutes?" and you can only say "there was an attack," that is not a satisfying answer. Customers want specifics: what type of attack, how large, where it came from, and what was done about it. Without forensic data, you have nothing to show them.

Insurance and compliance

Cyber insurance carriers increasingly require incident documentation to process claims. NIS2 Article 23 puts EU-regulated entities on a clock for significant incidents: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within a month, and each step needs something concrete to report. PCI DSS and SOC 2 auditors want evidence of detection and response. Flow summaries and screenshots rarely satisfy these requirements.

Root cause analysis

Understanding whether an attack was volumetric, protocol-based, or application-layer changes how you respond next time. The source ASN distribution helps tell whether traffic was spoofed or came from a real botnet. Packet size histograms reveal amplification patterns. Sampled flow records lose per-packet sizes and TTLs and undercount short bursts, so most of this needs packet-level capture.

Law enforcement referrals

If you need to involve law enforcement, they need evidence. PCAP files, source IP lists, timestamps, attack signatures. A log line that says "DDoS detected, 15 Gbps" is not actionable. Packet captures with full headers, on the other hand, give investigators something concrete to work with.

Trend analysis

Are you being targeted by the same attacker repeatedly? Is the attack profile changing over time? Are your mitigations actually working? Forensic data across incidents lets you spot patterns and adapt your defenses. Without it, every attack is a surprise all over again.

Upstream coordination

When you need your upstream provider to help with mitigation, you need to show them what you are seeing. PCAP evidence, traffic profiles, and source analysis make the conversation productive. Saying "we are getting attacked, please help" without data rarely gets a fast response.

Why most DDoS tools discard the data you need

Most detection tools were built to answer one question: "Is there an attack right now?" They watch flow data, apply thresholds, and fire alerts. That is useful, but it is not forensics. Flow records are aggregated per flow and, on most high-speed links, sampled, so the packet-level detail that forensics requires was never captured in the first place.

Threshold-based tools tend to classify attacks into broad categories like "UDP flood" or "SYN flood" without deeper analysis. They do not tell you about source-address entropy, TTL anomalies, or packet size clustering, the signals that reveal whether traffic is spoofed, amplified, or coming from a real botnet. When classification is shallow, so is your understanding of what happened.

Even tools that can capture packets often require manual intervention to start a capture. By the time someone notices an attack, logs in, and triggers a capture, the first minutes of the attack (often the most revealing) are already gone. Short attacks may be entirely over before anyone reacts.

The five-minute attack problem

Many DDoS attacks last under ten minutes. They are short, sharp, and designed to cause maximum disruption in minimum time. If your forensic workflow requires a human to start a capture, you will miss these entirely. The attack is over, the data was never saved, and all you have is a line in a log file.

The data a DDoS incident report should contain

If you cannot produce this data after an attack, your forensic capabilities have gaps.

PCAP capture with ring buffer

A continuous ring buffer captures recent traffic on every node. When an attack is detected, the buffer is frozen and preserved. This means you get the packets from before detection triggered, not just the traffic after someone noticed. Pre-attack capture is the difference between seeing the full picture and arriving after the fact.

Multi-vector classification with confidence scoring

Real attacks are rarely a single vector. A sophisticated attack might combine a SYN flood, DNS amplification, and UDP fragmentation simultaneously. Good forensics classifies each vector independently, assigns confidence scores, and shows the relative contribution of each component. This is not "UDP flood detected" but rather a breakdown of exactly what is in the traffic.

Entropy-based spoofing detection

Source IP entropy analysis helps tell whether attack traffic is coming from spoofed addresses or a real botnet. Randomly spoofed traffic has high source IP entropy: thousands of addresses, most seen once, spread evenly across the address space and often including unallocated ranges. Botnet traffic clusters around real ASNs, prefixes, and geographies. The distinction matters because spoofed sources cannot be blocked by address and point to an ingress-filtering problem upstream, while real bot sources can be filtered and reported. That changes your mitigation strategy and your upstream conversations.

TTL and packet size analysis

A packet's TTL is the sender's initial TTL (64, 128, or 255 depending on the operating system) minus the number of hops it crossed, so a TTL histogram shows how many distinct operating systems and paths sit behind the traffic: a single spoofing host produces one value, a real botnet a wide spread. Packet size histograms expose amplification, where each reflection protocol produces responses of characteristic, near-constant sizes. Together, these create a fingerprint of the attack infrastructure that persists across incidents.
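Added example, not Flowtriq's code: the per-vector breakdown, confidence score, source-entropy, prefix-clustering, TTL and packet-size analysis described in the last three sections, run over a constructed packet sample (600 bare SYNs with pseudo-random spoofed sources and one TTL, 300 oversized DNS answers from 40 resolvers in one /24, 100 trailing UDP fragments). The vector rule set, the MIN_HITS threshold and the confidence formula (mean fraction of a vector's predicates matched by its packets) are assumptions of this example; a real agent would take the header fields from the PCAP rather than from dicts.

```python
import math
from collections import Counter

INITIAL_TTLS = (64, 128, 255)  # common OS defaults: Linux/macOS, Windows, network gear

# Vector signatures (this example's assumption, not Flowtriq's classifier): a
# packet goes to the vector whose predicates it satisfies most, provided at
# least MIN_HITS match; the hit ratio feeds that vector's confidence score.
VECTORS = {
    "syn_flood": [lambda p: p["proto"] == "tcp",
                  lambda p: p["flags"] == "S",
                  lambda p: p["size"] <= 64],            # bare SYN, no payload
    "dns_amplification": [lambda p: p["proto"] == "udp",
                          lambda p: p["sport"] == 53,
                          lambda p: p["size"] >= 512],   # larger than a normal answer
    "udp_fragment": [lambda p: p["proto"] == "udp",
                     lambda p: p["frag"],
                     lambda p: p["size"] >= 1400],
}
MIN_HITS = 2


def classify(p):
    """Return (vector, fraction of that vector's rules hit) or (None, 0.0)."""
    best, best_hits = None, 0
    for name, rules in VECTORS.items():
        hits = sum(1 for rule in rules if rule(p))
        if hits > best_hits:
            best, best_hits = name, hits
    if best_hits < MIN_HITS:
        return None, 0.0
    return best, best_hits / len(VECTORS[best])


def src_entropy(srcs):
    """Shannon entropy of the sources, normalised to [0, 1] by log2(n).
    Compare only samples of similar size: a small sample caps the maximum."""
    n = len(srcs)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(srcs).values())
    return h / math.log2(n)


def top_prefix_share(srcs, k=5):
    """Fraction of packets inside the k busiest /24s: near 1 means clustered
    real hosts, near k/n means addresses spread across the whole space."""
    prefixes = Counter(".".join(s.split(".")[:3]) for s in srcs)
    return sum(c for _, c in prefixes.most_common(k)) / len(srcs)


def ttl_profiles(ttls):
    """Map each TTL to (inferred initial TTL, hop count). One spoofing host
    yields one profile; real hosts on many paths yield a spread."""
    profiles = Counter()
    for t in ttls:
        init = next((i for i in INITIAL_TTLS if i >= t), 255)
        profiles[(init, init - t)] += 1
    return profiles


def breakdown(pkts):
    """Per-vector section of an incident report."""
    groups = {}
    for p in pkts:
        vec, ratio = classify(p)
        if vec:
            groups.setdefault(vec, []).append((p, ratio))
    report = {}
    for vec, items in groups.items():
        ps = [p for p, _ in items]
        srcs = [p["src"] for p in ps]
        report[vec] = {
            "packets": len(ps),
            "packet_share": len(ps) / len(pkts),
            "bytes": sum(p["size"] for p in ps),
            "confidence": sum(r for _, r in items) / len(items),
            "distinct_srcs": len(set(srcs)),
            "src_entropy": src_entropy(srcs),
            "top5_prefix_share": top_prefix_share(srcs),
            "ttl_profiles": len(ttl_profiles(p["ttl"] for p in ps)),
            "modal_size": Counter(p["size"] for p in ps).most_common(1)[0][0],
        }
    return report


def make_sample():
    """Constructed packets (header fields only, as a PCAP decoder would yield)."""
    pkts = []
    for i in range(600):  # (i mod 223, i mod 256) is unique below 600: no repeats
        src = f"{i * 7 % 223 + 1}.{i * 13 % 256}.{i * 17 % 256}.{i * 19 % 254 + 1}"
        pkts.append(dict(src=src, proto="tcp", sport=1024 + i, dport=443,
                         flags="S", ttl=243, size=60, frag=False))
    resolvers = [f"203.0.113.{n}" for n in range(1, 41)]
    ttls = (52, 55, 58, 118, 121)  # Linux- and Windows-style initial TTLs, varied hops
    for i in range(300):
        pkts.append(dict(src=resolvers[i % 40], proto="udp", sport=53, dport=40000 + i,
                         flags="", ttl=ttls[i % 5], size=(1472, 1472, 1480, 300)[i % 4],
                         frag=False))
    for i in range(100):  # non-first fragments carry no UDP header, hence port 0
        pkts.append(dict(src=resolvers[i % 40], proto="udp", sport=0, dport=0,
                         flags="", ttl=ttls[i % 5], size=1500, frag=True))
    return pkts


if __name__ == "__main__":
    for vec, row in breakdown(make_sample()).items():
        print(vec, row)
```

On the constructed sample the SYN vector comes out with 600 distinct sources, normalised entropy of 1.0, under 2% of packets in its five busiest /24s and a single TTL profile, which is the random-spoofing signature; the DNS vector has 40 sources, entropy around 0.65, 100% of packets in one /24 and five TTL profiles, which is what real reflectors look like. The 300-byte answers pull the DNS confidence down to about 0.92, since they match the port but not the size rule.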

Source analysis with geo and ASN

Every source IP is mapped to its originating ASN, geographic region, and network type. This shows whether traffic is concentrated in a few networks (suggesting compromised infrastructure or open reflectors) or distributed globally (suggesting a large botnet or widespread spoofing). It also identifies specific upstream networks you can coordinate with for filtering. One caveat: for spoofed traffic the mapping describes the forged addresses, not the senders, which is why it is read together with the entropy and TTL results.

Automatic forensics on every attack, every node

Flowtriq captures forensic data automatically. There is no button to press, no manual workflow, no race against the clock. When an attack is detected (typically within 1-2 seconds using sliding-window p99 baselines), the agent preserves the ring buffer and continues capturing for the duration of the event.
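Added example, not Flowtriq's agent code, of the mechanism described here and under "PCAP capture with ring buffer": a fixed-size ring buffer of recent frames, a sliding-window p99 baseline on per-second packet counts, a freeze of the ring when the current second exceeds four times that p99, continued capture until traffic has been quiet for three seconds, and a writer (plus a checking reader) for the classic libpcap file format that Wireshark opens. The window length, the 4x factor, the 30-second warm-up, the cooldown and the 5000-frame ring size are this example's assumptions; the traffic timeline and the 60-byte frames are constructed.

```python
import math
import struct
from collections import deque

# Classic libpcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


class RingBuffer:
    """Newest `capacity` frames; the oldest are overwritten as new ones arrive."""
    def __init__(self, capacity):
        self.buf = deque(maxlen=capacity)

    def add(self, ts, frame):
        self.buf.append((ts, frame))

    def freeze(self):
        """Copy the buffer out so later traffic cannot overwrite pre-attack frames."""
        return list(self.buf)


class Baseline:
    """Sliding window of per-second packet counts; a second is anomalous when it
    exceeds `factor` x the window's nearest-rank p99 (assumed parameters)."""
    def __init__(self, window=300, factor=4.0, min_history=30):
        self.hist = deque(maxlen=window)
        self.factor, self.min_history = factor, min_history

    def p99(self):
        ordered = sorted(self.hist)
        return ordered[math.ceil(0.99 * len(ordered)) - 1]

    def observe(self, pps):
        """True if `pps` is anomalous. Only normal seconds are recorded, so an
        attack in progress does not drag the baseline up."""
        if len(self.hist) >= self.min_history and pps > self.factor * self.p99():
            return True
        self.hist.append(pps)
        return False


def to_pcap(records):
    out = [PCAP_GLOBAL]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Minimal reader for the classic format, enough to check what was written."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian classic pcap")
    recs, off = [], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        recs.append((sec + usec / 1e6, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return recs


class Capture:
    """Freeze the ring on detection, keep appending until `cooldown` quiet seconds."""
    def __init__(self, ring_size=5000, cooldown=3, **baseline_kw):
        self.ring, self.baseline = RingBuffer(ring_size), Baseline(**baseline_kw)
        self.incident, self.calm, self.cooldown = None, 0, cooldown

    def packet(self, ts, frame):
        self.ring.add(ts, frame)
        if self.incident is not None:
            self.incident.append((ts, frame))

    def end_of_second(self, pps):
        """Call once per second. Returns the finished incident as PCAP bytes, else None."""
        attacking = self.baseline.observe(pps)
        if self.incident is None:
            if attacking:
                self.incident = self.ring.freeze()  # frames from before the trigger
                self.calm = 0
            return None
        self.calm = 0 if attacking else self.calm + 1
        if self.calm >= self.cooldown:
            pcap, self.incident = to_pcap(self.incident), None
            return pcap
        return None


def frame_for(t, n):
    """Constructed 60-byte Ethernet frame; the payload is filler for the demo."""
    return struct.pack(">6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800) + bytes([n % 256]) * 46


def simulate():
    """Constructed timeline: 60 calm seconds at 100-150 pps, a 6-second burst at
    2000 pps, then calm again. Returns the incident PCAP the agent would keep."""
    cap = Capture(ring_size=5000, cooldown=3, window=300, factor=4.0, min_history=30)

    def calm(t):
        return 100 + (t * 37) % 51

    timeline = [(t, calm(t)) for t in range(60)] + [(t, 2000) for t in range(60, 66)]
    timeline += [(t, calm(t)) for t in range(66, 72)]
    pcap = None
    for t, pps in timeline:
        for n in range(pps):
            cap.packet(t + n / pps, frame_for(t, n))
        result = cap.end_of_second(pps)
        if result is not None:
            pcap = result
    return pcap


if __name__ == "__main__":
    recs = parse_pcap(simulate())
    print(len(recs), "frames,", sum(ts < 60 for ts, _ in recs), "from before the attack")
```

With these parameters the burst is flagged at the end of second 60; the frozen ring then still holds 3000 frames from seconds 57 to 59, which is the pre-attack evidence a manually started capture never has. The incident file grows with every attack second and closes three quiet seconds after the burst ends, at 15393 frames.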

Every incident generates a full report with multi-vector classification, confidence scoring, entropy analysis, TTL distributions, packet size histograms, and source IP breakdowns with geo and ASN data. Reports are available in PDF, HTML, and JSON formats. AI-generated summaries provide plain-language explanations alongside the technical detail.

PCAP files are available for download so you can open them in Wireshark or feed them into your own analysis pipeline. The data does not disappear. It is there when you need it, whether that is five minutes after the attack or five months later during an insurance claim.

Where we're still improving

CSV export for forensic data just shipped. We are continuing to expand export formats and long-term retention options based on customer feedback.

Full PCAP on every incident. The insurance adjuster was genuinely impressed.

DDoS forensics: FAQ

What is DDoS attack forensics?
DDoS forensics is the process of capturing, preserving, and analyzing packet-level data during and immediately before an attack. It includes PCAP captures, multi-vector classification, source IP analysis with ASN and geo data, entropy-based spoofing detection, TTL distributions, and packet size histograms. The goal is to understand exactly what happened, build evidence, and improve future defenses.
Why do most DDoS tools lose attack data?
Most detection tools operate on flow data (NetFlow, sFlow, IPFIX), which is aggregated per flow and usually sampled. Packet-level detail is never captured. Even tools that support PCAP capture often require someone to manually start a recording, which means short attacks are missed entirely. By the time a human reacts, the evidence is gone.
How does the ring buffer capture pre-attack traffic?
Flowtriq runs a continuous ring buffer that records recent traffic in a circular fashion. Older packets are overwritten by newer ones. When an attack is detected, the buffer is frozen and saved. This means the packets from the moments before detection, the very start of the attack, are preserved automatically. No manual trigger required.
Is DDoS evidence required for compliance?
In many frameworks, yes. NIS2 Article 23 requires EU-regulated entities to send an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within a month. PCI DSS and SOC 2 auditors expect incident documentation. Cyber insurance carriers increasingly require packet-level evidence to process claims. Flow summaries and dashboard screenshots rarely satisfy these requirements.
What report formats does Flowtriq support?
Every incident generates reports in PDF, HTML, and JSON. PCAP files are available for direct download. CSV export is also available. AI-generated summaries provide plain-language incident explanations. Scheduled monthly digests aggregate attack data across your fleet for trend analysis and executive reporting.

Stop losing attack data

14-day free trial. Automatic PCAP capture, multi-vector classification, and full incident reports on every attack. $9.99/node/month.

Start Free Trial →