tcpflow — A TCP flow recorder on Linux February 21, 2011

Posted by Tournas Dimitrios in Linux admin tools.

tcpflow is a command-line utility that captures data transmitted as part of TCP connections (flows) and stores the data in a way that is convenient for protocol analysis or debugging. A program like tcpdump shows a summary of the packets (headers) seen on the wire, but usually doesn't store the data that is actually being transmitted (to force tcpdump to capture the transmitted data as well, e.g. web traffic, use tcpdump -s0). In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.
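The reassembly by sequence number described above, as an added Python example (not tcpflow's code and not part of the original post). It assumes the initial sequence number is known from the SYN; the names reassemble and SEQ_MOD and the sample segments are constructed for illustration.

```python
# Added illustration, not tcpflow's code: rebuild one direction of a TCP flow
# from segments that arrive duplicated, overlapping or out of order.
SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def reassemble(isn, segments):
    """Return (stream, gaps) for one direction of a connection.

    isn      -- initial sequence number from the SYN (assumed to be known)
    segments -- iterable of (seq, payload) tuples in arrival order
    gaps     -- (offset, length) ranges never seen; left as NUL bytes in stream
    """
    first_data = (isn + 1) % SEQ_MOD  # the SYN itself consumes one number
    received = {}                     # stream offset -> byte value
    for seq, payload in segments:
        offset = (seq - first_data) % SEQ_MOD  # modulo copes with wrap-around
        if offset >= SEQ_MOD // 2:    # starts before the stream (keep-alive)
            payload, offset = payload[SEQ_MOD - offset:], 0
        for i, byte in enumerate(payload):
            # First copy wins: retransmissions and overlaps never overwrite
            # bytes that were already accepted.
            received.setdefault(offset + i, byte)
    end = max(received) + 1 if received else 0
    stream, gaps, gap_start = bytearray(end), [], None
    for pos in range(end):
        if pos in received:
            stream[pos] = received[pos]
            if gap_start is not None:
                gaps.append((gap_start, pos - gap_start))
                gap_start = None
        elif gap_start is None:
            gap_start = pos
    return bytes(stream), gaps


# Constructed sample: the ISN sits just below 2**32, so the sequence numbers
# wrap in the middle of the request.
ISN = 0xFFFFFFFA
SEGMENTS = [
    (0xFFFFFFFB, b"GET / "),            # offsets 0-5
    (0x00000005, b"/1.0\r\n\r\n"),      # offsets 10-17, arrives early
    (0xFFFFFFFB, b"GET / "),            # retransmission of the first segment
    (0xFFFFFFFF, b"/ HTTP"),            # offsets 4-9, overlaps the first
]

if __name__ == "__main__":
    print(reassemble(ISN, SEGMENTS))
```

A non-empty gaps list means part of the stream was never captured, which is worth checking before trusting a reconstructed flow in an analysis.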

tcpflow stores all captured data in files that have names of the form :
where the contents of the above file would be data transmitted from host port 2345, to host port 45103.

Because tcpflow uses the libpcap library, tcpflow has the same powerful filtering language available as programs such as tcpdump.

In the wrong hands this program can be used to do things like read incoming and outgoing mail, sniff passwords and copy cookies. Because crackers already have tools specifically optimized for doing "evil" network sniffing easily, this program will most likely not make their lives any easier.

For CentOS 5.x, tcpflow can be downloaded from the "rpmforge" repository, but first verify that the libpcap library is already installed, as tcpflow needs it (rpm -q libpcap).


Basic options
-i Interface name. Capture packets from the network interface named iface. If no interface is specified with -i, a reasonable default will be used by libpcap automatically.
-c Console print. Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s).
-r Read from file. Read packets from file, which was created using the -w option of tcpdump(1). Standard input is used if file is "-". Note that for this option to be useful, tcpdump's -s option should be used to set the snaplen to the MTU of the interface (e.g., 1500) while capturing.
-p No promiscuous mode. Normally, tcpflow attempts to put the network interface into promiscuous mode before capturing packets. The -p option tells tcpflow not to put the interface into promiscuous mode. Note that it might already be in promiscuous mode for some other reason.


Practical examples

  • To record all packets arriving at or departing from sundown:
    tcpflow host sundown
  • To record traffic between helios and either hot or ace:
    tcpflow host helios and \( hot or ace \)
  • To record all ftp traffic through internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):
    tcpflow 'gateway snup and (port ftp or ftp-data)'
