tcpflow — A TCP flow recorder on Linux
February 21, 2011. Posted by Tournas Dimitrios in Linux admin tools.
tcpflow is a command line utility that captures data transmitted as part of TCP connections (flows) and stores it in a way that is convenient for protocol analysis or debugging. A program like tcpdump shows a summary of the packets (headers) seen on the wire, but usually doesn't store the data that is actually being transmitted (to force tcpdump to capture the full payload, e.g. of web traffic, use tcpdump -s0). In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.
tcpflow stores all captured data in files that have names of the form:
where the contents of the above file would be the data transmitted from host 192.168.101.102 port 2345 to host 10.11.12.13 port 45103.
Because tcpflow uses the libpcap library, it has the same powerful filtering language available as programs such as tcpdump.
In the wrong hands this program can be used to do things like read incoming and outgoing mail, sniff passwords and copy cookies. Because crackers already have tools specifically optimized for doing "evil" network sniffing easily, this program will most likely not make their lives any easier.
For CentOS 5.x, tcpflow can be downloaded from the "rpmforge" repository, but first verify that the libpcap library is already installed, as it is required by tcpflow (rpm -q libpcap).
| Option | Description |
|---|---|
| -i iface | Interface name. Capture packets from the network interface named iface. If no interface is specified with -i, a reasonable default will be used by libpcap automatically. |
| -c | Console print. Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s). |
| -r file | Read from file. Read packets from file, which was created using the -w option of tcpdump(1). Standard input is used if file is "-". Note that for this option to be useful, tcpdump's -s option should be used to set the snaplen to the MTU of the interface (e.g., 1500) while capturing. |
| -p | No promiscuous mode. Normally, tcpflow attempts to put the network interface into promiscuous mode before capturing packets. The -p option tells tcpflow not to put the interface into promiscuous mode. Note that it might already be in promiscuous mode for some other reason. |