LinuxCommandLibrary

tcpkill

Kill TCP connections matching specified criteria

TLDR

Kill in-progress connections at a specified interface, host and port

$ tcpkill -i [eth1] host [192.95.4.27] and port [2266]
copy

SYNOPSIS

tcpkill [-i interface] [-v] [-w logfile] expression

PARAMETERS

-i interface
    Specify the network interface to listen on. If omitted, tcpkill attempts to automatically determine the interface.
Example: -i eth0

-v
    Verbose output. Displays more detailed information about the packets being matched and killed.

-w logfile
    Write packets to a tcpdump compatible file.

expression
    The tcpdump-like filter expression used to select the TCP connections to kill. This is mandatory.
Example: 'port 80' or 'host 192.168.1.100 and port 22'

DESCRIPTION

tcpkill terminates TCP connections by injecting TCP RST (reset) packets into the network. It operates by listening to network traffic and matching packets against a specified filter expression, similar to tcpdump. When a matching packet is found, tcpkill crafts and sends RST packets to both endpoints of the TCP connection, effectively closing it. This is useful for troubleshooting network issues, simulating connection failures, or terminating rogue connections. The command requires root privileges to access network interfaces in promiscuous mode and inject packets. It's important to use tcpkill responsibly as indiscriminate use can disrupt network services. It is a single purpose tool, focusing on terminating TCP connections based on specified criteria and unlike general purpose tools it doesn't have features like traffic analysis or packet modification. It provides a quick way to break troublesome connections.

CAVEATS

tcpkill requires root privileges. Using incorrect filters can disrupt intended network services. It is a tool to interrupt current connections and not to block or filter future connections. Network firewalls are the tools to achieve persistent policies.

FILTER EXPRESSIONS

The power of tcpkill lies in its ability to use complex tcpdump-like filter expressions. These expressions can target specific IP addresses, ports, protocols, or combinations thereof. Refer to the tcpdump documentation for a complete guide to filter syntax.
Example: 'src host 10.0.0.1 and dst port 80' will kill connections originating from 10.0.0.1 and destined for port 80.

HISTORY

tcpkill was developed by Dug Song as a tool for network troubleshooting and security analysis. Its initial purpose was to quickly terminate unwanted or malicious TCP connections. It has since become a standard tool in many network administrators' toolboxes. The code is relatively simple and focused on a single task: injecting RST packets to break TCP connections.

SEE ALSO

tcpdump(1), iptables(8)

Copied to clipboard