tcpflow
Record TCP connection data for analysis
TLDR
Show all data on the given interface and port
SYNOPSIS
tcpflow [options] [expression]
PARAMETERS
-a
Do not perform TCP sequence number reconstruction (i.e., do not reassemble TCP streams). Useful for analyzing raw packet data.
-b <buffer_size>
Set socket buffer size (default is 64KB). Increase for high-speed networks.
-c
Console output: write all output to standard output instead of creating files.
-d <directory>
Specify the output directory for flow files. Default is the current directory.
-e <program>
Invoke
-F <filter>
Apply an additional filter to the packets, only processing packets which match this filter. This is implemented using libpcap's filtering capabilities.
-g
Do not perform gzip compression.
-h
Display help information.
-i <interface>
Specify the network interface to listen on. If not specified, tcpflow tries to auto-detect a suitable interface. Use -i any to capture on all interfaces.
-j
Do not print the connection summary lines at the beginning and end of each flow file.
-J <seconds>
Specify the idle timeout in seconds for TCP connections. If a connection stays idle for that long, tcpflow closes it along with its flow files. Default is 3600 seconds.
-k <keepalive>
Use
-l
Follow TCP sequence numbers strictly and report out-of-order packets as errors.
-o <output_prefix>
Prepend output file names with output_prefix.
-p
Do not put the program into promiscuous mode. Only packets addressed to the capture host will be collected.
-P <ports>
Set the ports to analyze, separated by commas or colons, e.g. -P 80,443 or -P 21:25.
-q
Quiet mode; suppress diagnostic output.
-Q
Very quiet mode; suppress file open/close messages.
-r <input_file>
Read packets from the specified pcap file instead of capturing live traffic.
-R <seconds>
Specify the time interval (in seconds) for reporting statistics.
-s
Report TCP sequence numbers in output.
-S
When capturing live traffic, after capturing the first packet, skip over the remainder of the initial network capture window.
-t
Timestamp each line of output. (Only valid for console output, -c)
-T
Timestamp each packet of output. (Only valid for console output, -c)
-v
Verbose mode. Displays additional information about the packets and flows being processed.
-V
Print version information.
-x
Don't print \x escapes for non-printable characters.
-w
Write raw packets to disk for later analysis. For development use only.
[expression]
A pcap filter expression (e.g., 'tcp port 80' or 'host 192.168.1.1'). Filters which packets tcpflow captures.
DESCRIPTION
tcpflow is a program that captures TCP connections (flows) as data and stores each flow in its own file, creating a detailed record of network activity. It can reassemble TCP streams from packet traces, making it suitable for analyzing network traffic, debugging network applications, and capturing data exchanged during network sessions.
It's especially useful when you need to examine the contents of network conversations, such as HTTP requests/responses, email transfers, or any other TCP-based protocol. Tcpflow captures the data transmitted in both directions of a TCP connection and saves them as separate files, making analysis easier.
CAVEATS
Large packet captures can generate a significant amount of data and disk I/O. Ensure sufficient disk space is available and consider using filters to limit the scope of the capture. Sequence number reconstruction can be computationally expensive and might impact performance on high-speed networks.
OUTPUT FILENAMES
tcpflow names each flow file after the connection's endpoints, in the format ip.src.addr.port-ip.dst.addr.port (source address and port, then destination address and port). Each direction of the flow is written to a separate file.
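As an added example that is not part of tcpflow's own documentation or code, the following shell script pairs the two per-direction files tcpflow writes for one connection and reports how many bytes each side sent, flagging connections where only one direction was captured. It assumes the file names use zero-padded octets and ports (e.g. 192.168.001.010.51234-010.000.000.001.00080), which is the form tcpflow produces; the sample files in the usage are constructed.

```shell
#!/bin/sh
# Pair tcpflow's per-direction flow files and report bytes carried each way.
# Assumption: names have the form SRCIP.SRCPORT-DSTIP.DSTPORT with octets
# zero-padded to three digits and ports to five, e.g.
#   192.168.001.010.51234-010.000.000.001.00080

# Print "srcip:port dstip:port" for one flow file name, with padding stripped.
flow_endpoints() {
    printf '%s\n' "${1##*/}" | awk -F- '
    function norm(ep,   p, n, i, s) {
        n = split(ep, p, ".")            # first 4 parts: octets, last: port
        for (i = 1; i <= n; i++)
            s = s (i > 1 ? (i == n ? ":" : ".") : "") (p[i] + 0)
        return s
    }
    { print norm($1), norm($2) }'
}

# One line per connection; a flow with bytes in only one direction usually
# means the capture started mid-connection or saw asymmetric routing.
summarize_flows() {
    dir=$1
    for f in "$dir"/*-*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(wc -c < "$f")" "$(flow_endpoints "$f")"
    done | awk '
    {
        bytes = $1; a = $2; b = $3
        # canonical key: lexically smaller endpoint first, so both
        # direction files of one connection land on the same key
        key = (a < b) ? a " " b : b " " a
        if (a < b) fwd[key] += bytes; else rev[key] += bytes
        seen[key] = 1
    }
    END {
        for (k in seen) {
            split(k, e, " ")
            note = (fwd[k] > 0 && rev[k] > 0) ? "" : " [one direction only]"
            printf "%s -> %s: %d bytes, %s -> %s: %d bytes%s\n",
                   e[1], e[2], fwd[k], e[2], e[1], rev[k], note
        }
    }' | sort
}

# Usage: sh summarize_flows.sh /path/to/tcpflow/output/dir
if [ $# -gt 0 ]; then
    summarize_flows "$1"
fi
```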