LinuxCommandLibrary

tcpkill

Kill TCP connections matching specified criteria

TLDR

Kill in-progress connections at a specified interface, host and port

$ tcpkill -i [eth1] host [192.95.4.27] and port [2266]

SYNOPSIS

tcpkill [-i interface] [-1..9] expression

PARAMETERS

-i <interface>
    Specifies the network interface to capture on and inject packets from (e.g., eth0, wlan0). tcpkill can only reset connections whose segments cross this interface.

-1..9
    Degree of brute force used to kill a connection: how many spoofed RSTs tcpkill sends in response to each segment it observes, stepped forward through the receiver's window. Fast connections, whose receive window has moved on by the time the RST arrives, may need a higher number to land a RST inside the window. Default is 3.

expression
    A tcpdump(8) filter expression (e.g., 'host 192.168.1.1 and port 80') selecting the connections to kill; see pcap-filter(7) for the syntax. tcpkill keeps running and resets every connection matching the expression until it is interrupted. Always supply an expression: without one, every TCP segment the interface sees is a candidate.

DESCRIPTION

tcpkill is a command-line utility from the dsniff suite of network auditing tools that forcibly terminates in-progress TCP connections. It does not open or track connections itself: it captures traffic with libpcap, and for every segment matching its filter expression (SYN, FIN and RST segments excepted) it uses libnet to inject forged TCP RST segments addressed to that segment's sender, spoofed from the other endpoint of the connection. The sequence number of the forged RST is taken from the acknowledgement number tcpkill just observed, which is exactly the byte the sender expects next, so the RST lands at the front of the receiver's window. Because both endpoints of a live connection transmit segments, both ends receive RSTs and abort their side of the connection; the applications see a reset (ECONNRESET), not a graceful close. Its stated purpose in dsniff is to kill already-established connections, which is useful for libnids-based applications (dsniff's own sniffers among them) that require a full three-way handshake to create a TCB for a connection.

Commonly used in network testing, penetration testing, or for administrative purposes to clear stale or unwanted connections, tcpkill requires root privileges for packet capture and raw packet injection. It leverages libpcap for packet filtering, so connections are selected with standard tcpdump-like expressions on hosts, ports and networks. It only reacts to segments it can see, so on a switched network it is normally run on a gateway or mirror port, or paired with arpspoof(8) from the same suite. Its ability to disrupt network services makes it a potent tool for demonstrating weaknesses in a network design or for managing traffic, though it must be used with caution because of its disruptive nature.

CAVEATS

Using tcpkill requires root privileges, and a single mistyped or missing expression can reset every connection the interface sees; run it only where you are authorised to disrupt traffic, and always supply a filter expression. It must observe the connection's segments: traffic that does not cross its interface cannot be reset, and an idle connection produces no segments and therefore no RSTs until it exchanges data again. Initial sequence number randomization does not protect against it, because it reads the live acknowledgement numbers off the wire; what can make it miss is a fast connection whose receive window has moved on by the time the RST arrives, which is what the -1..9 setting compensates for. Stacks implementing RFC 5961 accept a RST only when its sequence number equals RCV.NXT exactly and answer an in-window but inexact RST with a challenge ACK; that ACK is itself a segment tcpkill reacts to, so the connection can still be killed, one round trip later. TLS leaves TCP headers in the clear and gives no protection, but connections carried inside an encrypted tunnel (VPN, IPsec ESP) cannot be targeted, because only the outer tunnel's headers are visible. Since it actively injects packets, tcpkill is intrusive and detectable: a burst of RSTs arriving in quick succession from one host, apparently from the peer, is easy for a network intrusion detection system to flag.
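The following is an added example, not tcpkill's own code, that models the reset mechanism from DESCRIPTION and the window and RFC 5961 caveats above. The hosts, ports, sequence numbers, window size and the Receiver/Segment helpers are constructed for illustration; the assumption that later RSTs in a burst step forward by one advertised window each is a simplification and does not reproduce tcpkill.c's exact arithmetic. It shows why an idle connection dies on the first RST, why a fast connection with -1 survives, and how an RFC 5961 challenge ACK hands tcpkill the exact sequence number it needs.

```python
"""Model of the reset trick tcpkill plays, and of why fast connections need
a higher -1..9 setting.  Added example: this is not tcpkill's code.

Constructed scenario: client A (10.0.0.5:40000) talks to server B
(192.95.4.27:2266).  tcpkill sees one ACK segment from A, forges a burst of
RSTs to A carrying B's addresses, and A judges each RST against its receive
window.  Modern stacks apply RFC 5961: only a RST whose seq equals RCV.NXT
resets; an in-window but inexact seq draws a challenge ACK, which reveals
RCV.NXT to anyone listening, including tcpkill.
"""
from dataclasses import dataclass, field

MOD = 1 << 32  # TCP sequence space


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class Segment:
    src: tuple    # (ip, port) the segment claims to come from
    dst: tuple
    seq: int
    ack: int
    win: int
    flags: str    # "A" pure ACK, "PA" data, "R" reset, ...


@dataclass
class Receiver:
    """Receive-side state of endpoint A for the B -> A direction."""
    addr: tuple
    peer: tuple
    rcv_nxt: int
    rcv_wnd: int
    rfc5961: bool = True
    open: bool = True
    log: list = field(default_factory=list)

    def deliver(self, seg):
        """Process an incoming RST; return the challenge ACK it provokes, if any."""
        if not self.open:
            self.log.append("ignored: already closed")
            return None
        if (seg.src, seg.dst) != (self.peer, self.addr):
            self.log.append("ignored: wrong 4-tuple")
            return None
        if seg.seq == self.rcv_nxt:
            self.open = False
            self.log.append(f"reset by seq={seg.seq}")
            return None
        if in_window(seg.seq, self.rcv_nxt, self.rcv_wnd):
            if self.rfc5961:
                self.log.append(f"challenge ACK provoked by seq={seg.seq}")
                return Segment(self.addr, self.peer, 0, self.rcv_nxt, self.rcv_wnd, "A")
            self.open = False  # pre-RFC 5961 stacks accept any in-window RST
            self.log.append(f"reset by in-window seq={seg.seq}")
            return None
        self.log.append(f"dropped seq={seg.seq}: outside window")
        return None


def forge_rsts(seen, severity):
    """Spoofed RSTs aimed at the sender of `seen`, forged from its peer.

    The ACK number of the observed segment is the sender's RCV.NXT at the
    moment it was sent, so the first RST starts there.  Assumption made for
    illustration: later RSTs step forward by one advertised window each;
    tcpkill.c's exact stepping arithmetic is not reproduced here.
    """
    return [Segment(seen.dst, seen.src, (seen.ack + i * seen.win) % MOD, 0, 0, "R")
            for i in range(severity)]


def emulate_tcpkill(victim, seen, severity=3, max_rounds=4):
    """React to each segment seen from `victim` with a burst of RSTs.

    Returns the number of bursts it took to reset the connection, or 0 if
    the connection survived.
    """
    queue = [seen]
    rounds = 0
    while queue and victim.open and rounds < max_rounds:
        seg = queue.pop(0)
        if any(f in seg.flags for f in "SFR"):
            continue  # tcpkill ignores SYN/FIN/RST segments
        rounds += 1
        for rst in forge_rsts(seg, severity):
            reply = victim.deliver(rst)
            if reply is not None:
                queue.append(reply)  # the challenge ACK is a segment tcpkill reacts to
            if not victim.open:
                break
    return 0 if victim.open else rounds


def scenario(rcv_nxt_on_arrival, rfc5961=True, severity=3):
    """One connection; `rcv_nxt_on_arrival` is A's RCV.NXT when the RSTs land."""
    a, b = ("10.0.0.5", 40000), ("192.95.4.27", 2266)
    victim = Receiver(a, b, rcv_nxt_on_arrival, 65535, rfc5961)
    seen = Segment(a, b, seq=5000, ack=1000, win=65535, flags="A")  # A acked B up to 1000
    return emulate_tcpkill(victim, seen, severity), victim.log


if __name__ == "__main__":
    for label, args in [("idle connection", (1000,)),
                        ("fast connection, RFC 5961 stack", (21000,)),
                        ("fast connection, old stack", (21000, False)),
                        ("fast connection, -1", (21000, True, 1))]:
        rounds, log = scenario(*args)
        outcome = f"killed after {rounds} burst(s)" if rounds else "survived"
        print(f"{label}: {outcome}")
        for line in log:
            print("   ", line)
```

With the default severity of 3 the idle connection is reset by the first RST, the fast connection on an old stack by the second, and the fast connection on an RFC 5961 stack only after its challenge ACK has been answered; with severity 1 the fast connection survives, which is the situation -9 is for.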

PACKET FILTERING

tcpkill hands the expression to libpcap, so it follows tcpdump's syntax as documented in pcap-filter(7): host, net and port primitives with optional src/dst qualifiers, protocol keywords such as tcp, and not/and/or with not binding tightest and or loosest. An unqualified host or port matches either end of a packet, which is what you want here: a connection produces segments in both directions, and tcpkill must see a segment from each endpoint to reset both ends. Prefix the expression with 'tcp and' to keep non-TCP traffic out of the capture, and test it first with tcpdump on the same interface to confirm it selects only the connection you intend to kill.
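As an added example, not part of dsniff or libpcap, here is an evaluator for the subset of pcap-filter syntax tcpkill users type most: host, net and port with optional src/dst qualifiers, the tcp keyword, and/or/not and parentheses with pcap's precedence. The Flow record, the function names and the four sample flows are constructed for illustration. It lets you check what an expression selects before pointing tcpkill at a live interface; note how an unqualified port also matches the UDP flow, and how 'tcp and port 443 or port 5353' groups as '(tcp and port 443) or port 5353'.

```python
"""Evaluator for a subset of pcap-filter(7) syntax.  Added example, not part
of dsniff or libpcap.  Supports host/net/port with an optional src/dst
qualifier, the tcp keyword, and/or/not and parentheses, with pcap's
precedence (not binds tightest, then and, then or)."""
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample traffic: both directions of the TLDR connection, a
# second TCP connection to port 443, and a UDP datagram to port 2266.
SAMPLE = [
    Flow("tcp", "10.0.0.5", 40000, "192.95.4.27", 2266),
    Flow("tcp", "192.95.4.27", 2266, "10.0.0.5", 40000),
    Flow("tcp", "10.0.0.5", 40001, "192.95.4.27", 443),
    Flow("udp", "10.0.0.5", 5353, "192.95.4.27", 2266),
]


class Parser:
    """Recursive-descent parser producing a predicate Flow -> bool."""

    def __init__(self, expr):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"trailing token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = (lambda l, r: lambda f: l(f) or r(f))(node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            node = (lambda l, r: lambda f: l(f) and r(f))(node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda f: not inner(f)
        if self.peek() == "(":
            self.take("(")
            inner = self.parse_or()
            self.take(")")
            return inner
        return self.parse_primitive()

    def parse_primitive(self):
        tok = self.take()
        if tok == "tcp":
            return lambda f: f.proto == "tcp"
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":
            addr = ipaddress.ip_address(self.take())
            return self._either(direction, lambda ip, _p: ipaddress.ip_address(ip) == addr)
        if tok == "net":
            net = ipaddress.ip_network(self.take(), strict=False)
            return self._either(direction, lambda ip, _p: ipaddress.ip_address(ip) in net)
        if tok == "port":
            port = int(self.take())
            return self._either(direction, lambda _ip, p: p == port)
        raise SyntaxError(f"unsupported primitive {tok!r}")

    @staticmethod
    def _either(direction, pred):
        # Unqualified host/net/port matches either end, as in pcap-filter(7).
        def test(f):
            s, d = pred(f.src, f.sport), pred(f.dst, f.dport)
            return s if direction == "src" else d if direction == "dst" else (s or d)
        return test


def compile_filter(expr):
    return Parser(expr).parse()


def is_valid(expr):
    try:
        compile_filter(expr)
        return True
    except (SyntaxError, ValueError):
        return False


def select(expr, flows=SAMPLE):
    """Flows the expression would let tcpkill act on."""
    matcher = compile_filter(expr)
    return [f for f in flows if matcher(f)]


if __name__ == "__main__":
    for expr in ("host 192.95.4.27 and port 2266",
                 "tcp and host 192.95.4.27 and port 2266",
                 "tcp and port 443 or port 5353"):
        print(expr, "->", [f"{f.proto} {f.src}:{f.sport}>{f.dst}:{f.dport}" for f in select(expr)])
```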

OPERATION MODES

tcpkill has a single, live mode: it captures on one interface and injects into the same interface. There is no offline or dry-run mode, so a filter expression is best checked beforehand with tcpdump on the live interface or with tcpdump -r against a saved capture. Because it only reacts to segments it observes, it must be placed where the target traffic passes (a gateway, a hub, or a switch mirror/SPAN port) or be fed the traffic with arpspoof(8) from the same suite. Once started it prints each RST it sends and keeps running until interrupted; a connection that is idle when tcpkill starts is not touched until it exchanges data again.

HISTORY

tcpkill is a component of the dsniff suite of network analysis and penetration testing tools, originally developed by Dug Song. The dsniff project gained prominence in the late 1990s and early 2000s, providing a collection of tools for passive and active network security auditing. tcpkill specifically addresses the need to disrupt TCP streams, a common technique in network security assessments to test resilience or clear network paths. Its design reflects the network security landscape of its time, though it remains a relevant tool for certain tasks today.

SEE ALSO

dsniff(8), arpspoof(8), tcpdump(1), pcap-filter(7), ss(8), netstat(8)
