IPv4 Routes
Overview
Evidence: IPv4 Routes
Description: Collect IPv4 Routes
Category: Network
Platform: windows
Short Name: ipv4
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The IPv4 routing table determines how network packets are forwarded from the local system to destination networks. It contains routes to local subnets, default gateways, and any manually configured or dynamically learned routes.
Routing table modifications can indicate network manipulation, VPN usage, or routing-based attacks.
Data Collected
This collector gathers structured data about IPv4 routes.
IPv4 Routes Data
| Field | Description | Example |
|---|---|---|
| Destination | Destination network address | 0.0.0.0 |
| Mask | Network mask | 0.0.0.0 |
| Policy | Forwarding policy | 0 |
| Adapter | Network adapter index | 12 |
| Type | Route type | 3 (Indirect) |
| Protocol | Routing protocol | 3 (NETMGMT) |
| Age | Route age in seconds | 3600 |
Collection Method
This collector uses the Windows API to enumerate routes:
- Calls GetIpForwardTable to retrieve the routing table
- Parses each route entry
- Extracts destination, mask, and next-hop information
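As an added example, not the collector's own code, the Python below decodes a MIB_IPFORWARDTABLE buffer of the kind GetIpForwardTable fills in (the row layout is assumed from the Windows SDK's MIB_IPFORWARDROW definition, with Type and Protocol codes from the SDK's MIB_IPFORWARD_TYPE and MIB_IPFORWARD_PROTO enumerations) into the fields listed above, then runs two triage checks an investigator would want: default routes through an unexpected gateway and manually added (NETMGMT) routes. The sample table and the expected gateway are constructed, not captured from a host.

```python
import struct
import ipaddress

# MIB_IPFORWARDROW is 14 DWORDs (56 bytes): dest, mask, policy, next hop, ifindex, type,
# protocol, age, next-hop AS, metric1..5. Addresses are stored in network byte order (raw bytes).
ROW = struct.Struct("<4s4sI4sIIIIIIIIII")
# MIB_IPFORWARD_PROTO values (subset); 3 = NETMGMT covers routes added by tools such as route.exe
PROTO = {1: "OTHER", 2: "LOCAL", 3: "NETMGMT", 4: "ICMP", 8: "RIP", 13: "OSPF", 14: "BGP",
         10002: "NT_AUTOSTATIC", 10006: "NT_STATIC", 10007: "NT_STATIC_NON_DOD"}

def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))

def parse_forward_table(buf: bytes) -> list:
    """Decode a MIB_IPFORWARDTABLE buffer (DWORD dwNumEntries, then the rows) into route records."""
    (count,) = struct.unpack_from("<I", buf, 0)
    if len(buf) < 4 + count * ROW.size:
        raise ValueError("truncated MIB_IPFORWARDTABLE")
    routes = []
    for i in range(count):
        d, m, pol, nh, ifx, typ, proto, age, _asn, metric1, *_ = ROW.unpack_from(buf, 4 + i * ROW.size)
        net = ipaddress.IPv4Network(f"{_ip(d)}/{_ip(m)}", strict=False)  # e.g. 10.99.0.0/16
        routes.append({"Destination": _ip(d), "Mask": _ip(m), "Policy": pol, "Adapter": ifx,
                       "Type": typ, "Protocol": PROTO.get(proto, f"UNKNOWN({proto})"),
                       "Age": age, "NextHop": _ip(nh), "Prefix": str(net), "Metric": metric1})
    return routes

def review_routes(routes: list, expected_gateways: set) -> list:
    """Triage: default routes via an unexpected gateway (tunnel/VPN) and hand-added non-default routes."""
    findings = []
    for r in routes:
        if r["Prefix"] == "0.0.0.0/0" and r["NextHop"] not in expected_gateways:
            findings.append((r["Prefix"], f"default route via unexpected gateway {r['NextHop']}"))
        elif r["Protocol"] == "NETMGMT" and r["Prefix"] != "0.0.0.0/0":
            findings.append((r["Prefix"], f"manually added (NETMGMT) route via {r['NextHop']}"))
    return findings

def _row(dest, mask, nh, ifx, typ, proto, age, metric) -> bytes:
    p = lambda a: ipaddress.IPv4Address(a).packed  # pack dotted quad as network-order bytes
    return ROW.pack(p(dest), p(mask), 0, p(nh), ifx, typ, proto, age, 0, metric, 0, 0, 0, 0)

# Constructed sample table (not captured from a real host). Type uses the SDK's
# MIB_IPFORWARD_TYPE values (3 = DIRECT/on-link, 4 = INDIRECT via a gateway).
SAMPLE_TABLE = struct.pack("<I", 4) + b"".join([
    _row("0.0.0.0", "0.0.0.0", "192.168.1.1", 12, 4, 3, 3600, 25),        # normal default route
    _row("192.168.1.0", "255.255.255.0", "0.0.0.0", 12, 3, 2, 3600, 281),  # on-link subnet
    _row("0.0.0.0", "0.0.0.0", "10.8.0.1", 27, 4, 3, 90, 5),               # default via tunnel adapter
    _row("10.99.0.0", "255.255.0.0", "192.168.1.254", 12, 4, 3, 42, 1),    # static route added by hand
])
```

Calling `review_routes(parse_forward_table(SAMPLE_TABLE), {"192.168.1.1"})` flags the tunnel default route and the hand-added 10.99.0.0/16 route while leaving the normal default and on-link routes alone.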
Forensic Value
Routing tables reveal network topology and potential network manipulation. Investigators use this data to identify VPN or tunnel routes, detect routing table manipulation, understand network architecture, identify static routes to suspicious networks, and detect network-based persistence or C2 infrastructure.