TCPflow is a free, open source, powerful command line based tool for analyzing network traffic on Unix-like systems such as Linux. It captures data received or transferred over TCP connections, and stores it in a file for later analysis, in a useful format that allows for protocol analysis and debugging.
It is actually a tcpdump-like tools as it processes packets from the wire or from a stored file. It supports the same powerful filtering expressions supported by its counterpart. The only difference is that tcpflow puts all the TCP packets into order and assembles each flow in a separate file (a file for each direction of flow) for later analysis.
Its feature set includes an advanced plug-in system for decompressing compressed HTTP connections, undoing MIME encoding, or invoking third-party programs for post-processing and much more.
There are many use cases for tcpflow which include to understand network packet flows and also supports for performing network forensics and divulge the contents of HTTP sessions.
How to Install TCPflow in Linux Systems
TCPflow is available in the official repositories of mainstream GNU/Linux distributions, you can install it using your package manager as shown.
$ sudo apt install tcpflow #Debian/Ubuntu $ sudo yum install tcpflow #CentOS/RHEL $ sudo dnf install tcpflow #Fedora 22+
After installing tcpflow, you can run it with superuser privileges, otherwise use the sudo command. Note that it listens on the active network interface (for instance enp0s3).
$ sudo tcpflow tcpflow: listening on enp0s3
By default tcpflow stores all captured data in files that have names in the form (this may be different if you use certain options such as timestamp).
Now let’s do a directory listing to see if tcp flow has been captured in any files.
$ ls -1 total 20 -rw-r--r--. 1 root root 808 Sep 19 12:49 192.168.043.031.52920-216.058.210.034.00443 -rw-r--r--. 1 root root 59 Sep 19 12:49 216.058.210.034.00443-192.168.043.031.52920
As we mentioned earlier on, each TCP flow is stored in its own file. From the output above, you can see that there are three transcript file, which indicate tcpflow in two opposite directions, where the source IP in the first file and the destination IP in the second file and vice versa.
The first file 192.168.043.031.52920-216.058.210.034.00443 contains data transfered from host 192.168.043.031 (the localhost on which tcpflow was run) via port 52920, to host 216.058.210.034 (the remote host) via port 443.
And the second file 216.058.210.034.00443-192.168.043.031.52920 contains data sent from host 216.058.210.034 (the remote host) via port 443 to host 192.168.043.031 (the localhost on which tcpflow was run) via port 52920.
There is also an XML report generated, which contains information about the program such as how it was compiled, and the computer it was run on and a record of every tcp connection.
As you may have noticed, tcpflow stores the transcript files in the current directory by default. The
-o option can help you specify the output directory where the transcript files will be written.
$ sudo tcpflow -o tcpflow_files $ sudo ls -l tcpflow_files total 32 -rw-r--r--. 1 root root 1665 Sep 19 12:56 157.240.016.035.00443-192.168.000.103.45986 -rw-r--r--. 1 root root 45 Sep 19 12:56 169.044.082.101.00443-192.168.000.103.55496 -rw-r--r--. 1 root root 2738 Sep 19 12:56 172.217.166.046.00443-192.168.000.103.39954 -rw-r--r--. 1 root root 68 Sep 19 12:56 192.168.000.102.00022-192.168.000.103.42436 -rw-r--r--. 1 root root 573 Sep 19 12:56 192.168.000.103.39954-172.217.166.046.00443 -rw-r--r--. 1 root root 4067 Sep 19 12:56 192.168.000.103.45986-157.240.016.035.00443 -rw-r--r--. 1 root root 38 Sep 19 12:56 192.168.000.103.55496-169.044.082.101.00443 -rw-r--r--. 1 root root 3159 Sep 19 12:56 report.xml
You can also print the contents of packets to stdout as they are received, without storing any captured data to files, using the
-c flag as follows.
To test this effectively, open a second terminal and run a ping, or browse the internet. You should be able to see the ping details or your browsing details being captured by tcpflow.
$ sudo tcpflow -c
It is possible to capture all traffic on a particular port, for example port 80 (HTTP). In the case of HTTP traffic, you will be able to see the HTTP Headers followed by the content all on the stdout or in one file if the
-c switch is removed.
$ sudo tcpflow port 80
To capture packets from a specific network interface, use the
-i flag to specify the interface name.
$ sudo tcpflow -i eth0 port 80
You can also specify a target host (accepted values are IP address, hostname or domains), as shown.
$ sudo tcpflow -c host 220.127.116.11 OR $ sudo tcpflow -c host www.google.com
You can enable all processing using all scanners with the
-a flag, this is equivalent to the
-e all switch.
$ sudo tcpflow -a OR $ sudo tcpflow -e all
A specific scanner can also be activated; the available scanners include md5, http, netviz, tcpdemux and wifiviz (run tcpflow -H to view detailed information about each scanner).
$ sudo tcpflow -e http OR $ sudo tcpflow -e md5 OR $ sudo tcpflow -e netviz OR $ sudo tcpflow -e tcpdemux OR $ sudo tcpflow -e wifiviz
The following example show how to enable all scanners except tcpdemux.
$ sudo tcpflow -a -x tcpdemux
TCPflow usually tries to put the network interface into promiscuous mode before capturing packets. You can prevent this using the
-p flag as shown.
$ sudo tcpflow -p -i eth0
To read packets from a tcpdump pcap file, use the
$ sudo tcpflow -f file.pcap
You can enable verbose mode using the
-d 10 options.
$ sudo tcpflow -v OR $ sudo tcpflow -d 10
Important: One limitation of tcpflow is that, at the present time it does not understand IP fragments, thus data transmitted as part of TCP connections containing IP fragments will not be properly captured.
For more information and usage options, see the tcpflow man page.
$ man tcpflow
TCPflow Github repository: https://github.com/simsong/tcpflow
That’s all for now! TCPflow is a powerful TCP flow recorder which is useful for understanding network packet flows and performing network forensics, and so much more. Try it out and share your thoughts about it with us in the comments.