tcpflow — A TCP flow recorder on Linux

tcpflow is a command line utility that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging.  A program like tcpdump shows a summary of packets (headers ) seen on the wire, but usually doesn’t store the data that’s actually being transmitted (to force tcpdump to capture web traffic –> tcpdump -s0 ).  In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.  tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery .

tcpflow stores all captured data in files that have names of the form :
192.168.101.102.02345-010.011.012.013.45103
where the contents of the above file would be data transmitted from host 192.168.101.102 port 2345, to host 10.11.12.13 port 45103.

Because tcpflow uses the  libpcap library, tcpflow has the same powerful filtering language available as programs such as tcpdump .

In the wrong hands this program can be used to do things like read incoming and ougoing mail , sniff passwords  and copy cookies . Because crackers already have tools specifically optimized for doing “evil” network sniffing aeasily ,this progrmam will most likely not make their lives any easier .

For CentOs 5.x , tcpflow can be downloaded from “rpmforge” repository , but firstly verify that the libpcap library is already installed , as it’s needed from tcpflow  (rpm  -q  libpcap) .

.

Basic options

-i	Interface name.  Capture packets from the network interface named iface.  If no interface is specified with -i , a reasonable default will be used by libpcap automatically.
-c	Console print.  Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s ).
-r	Read from file.  Read packets from file, which was created using the -w option of tcpdump(1). Standard input is used if file is ‘‘-’’.  Note that for this option to be useful, tcpdump’s -s option should be used to set the snaplen to the MTU of the interface (e.g., 1500) while capturing packets.
-p	No promiscuous mode.  Normally, tcpflow attempts to put the network interface into promiscuous mode before capturing packets.  The -p option tells tcpflow not to put the interface into promis- cuous mode.  Note that it might already be in promiscuous mode for some other reason.

..

Practical examples

To record all packets arriving at or departing from sundown: tcpflow  host  sundown To record traffic between helios and either hot or ace: tcpflow  host  helios  and \( hot or ace \) To record all ftp traffic through internet gateway snup: (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses): tcpflow ’gateway snup and (port ftp or ftp-data)’

Links :

• The official website
• httpflow , tcpflow parser to help debug http