

TCP flow analyzer with sugar for Attack/Defense CTF

What is it?


Flower is an automatic packet analyzer made by Ca' Foscari University team for the CyberChallenge attack/defense CTF held in Rome on June 27th, 2018.

This tool was written in less than ten days, but it works! Every contribution is welcome!

Presentation of Flower (from min 7:30) and a general introduction to CTFs at ESC2K18, in Italian.


  • Only one command needed to bring it up, thanks to Docker.
  • Flow list
  • Vim-like navigation (k and j to navigate the list)
  • Regex filtering with highlighting
  • Flows containing flags are highlighted in red
  • Favorite management
  • Time filter
  • Service filter
  • Colored hex dump
  • Automatic export of GET/POST requests directly in Python format
  • Automatic export to pwntools

Getting Started

Run with docker

Clone the repo, enter the directory, and run docker-compose up. After a while, flower will be available at http://localhost:3000.

For the flag regex, modify REACT_APP_FLAG_REGEX in docker-compose.yml.

The build will automatically import the test pcaps.

To enter the service container and import other pcaps, run docker exec -it flower_flower-python_1 /bin/bash (if flower is in a folder with a different name, modify the prefix of the container name after -it). The container shares the /shared folder with the host. Put the pcap files inside this folder and use python services/ /shared/pcap_file_here from the container to import pcaps to flower.

Manual installation

  1. Clone and install dependencies:

git clone
cd flower
npm install
pip install -r services/requirements.txt

  2. (Optional) Set the following environment variables:

    • REACT_APP_FLOWER_MONGO: IP of the host that will have the flower db active (MongoDB)
    • REACT_APP_FLOWER_SERVICES: IP of the host that will have the services active
    • REACT_APP_FLAG_REGEX: regex that matches flags

  3. MongoDB is required on the same machine that runs the services. To start it: sudo mongod --dbpath /path/to/mongodb/db --bind_ip

  4. Start flower

  5. Start flower services

cd services
./

Once everything has been started, flower should be accessible on port 3000 at the address of the machine that started it.

Pcap import

You must first install pynids from here. The pip version is outdated! Good luck with the installation. Then, you can import pcaps into MongoDB by executing the provided script as follows:

cd services
./ pcap_file.pcap

You can find a test_pcap in services/test_pcap. For a quick demo, run ./ test_pcap/dump-2018-06-27_13:25:31.pcap

Security tips (Important!)

If you are going to use flower in a CTF, remember to set up the firewall in the most appropriate way: the current implementation relies on it and does not use any other security techniques.

If you ignore this, everybody will be able to connect to your database and steal all your flags!
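One way to check the Docker setup against this tip, as an added example that is not part of the Flower repository: Docker publishes a port on every interface unless the mapping names a host IP, so this script lists the compose port mappings that are not bound to loopback. The compose text, the service names other than flower-python, and the ports 27017 and 5000 are constructed for illustration; the parser assumes two-space indentation and the short ports syntax.

```python
import re

# Constructed sample: NOT the project's real docker-compose.yml. Service names
# other than flower-python and the ports 27017/5000 are assumptions.
SAMPLE_COMPOSE = """\
services:
  flower-mongo:
    image: mongo
    ports:
      - "27017:27017"
  flower-node:
    build: .
    ports:
      - "127.0.0.1:3000:3000"
  flower-python:
    build: services
    ports:
      - 0.0.0.0:5000:5000/tcp
"""

def is_exposed(mapping):
    """True if a short-syntax port mapping is published beyond loopback."""
    spec = mapping.split("/")[0]       # drop a /tcp or /udp suffix
    parts = spec.rsplit(":", 2)        # [host_ip,] host_port, container_port
    if len(parts) < 3:
        return True                    # no host IP given: all interfaces
    host_ip = parts[0].strip("[]")     # IPv6 host IPs are written in brackets
    return not (host_ip.startswith("127.") or host_ip == "::1")

def exposed_ports(compose_text):
    """Return (service, mapping) pairs that are reachable from other hosts."""
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())  # services assumed at indent 2
        if indent == 2 and re.match(r"[\w.-]+:\s*$", stripped):
            service, in_ports = stripped.rstrip(": "), False
        elif stripped == "ports:":
            in_ports = True
        elif in_ports and stripped.startswith("- "):
            mapping = stripped[2:].strip().strip("\"'")
            if is_exposed(mapping):
                findings.append((service, mapping))
        else:
            in_ports = False
    return findings

if __name__ == "__main__":
    for service, mapping in exposed_ports(SAMPLE_COMPOSE):
        print(f"{service}: {mapping} is reachable from other hosts")
```

Any mapping it reports needs either a loopback host IP in the mapping or a firewall rule that actually covers Docker-published ports.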
