tcpkill
Kill TCP connections matching specified criteria
TLDR
Kill in-progress connections at a specified interface, host and port
SYNOPSIS
tcpkill [-i interface] [-v] [-w logfile] expression
PARAMETERS
-i interface
Specify the network interface to listen on. If omitted, tcpkill attempts to automatically determine the interface.
Example: -i eth0
-v
Verbose output. Displays more detailed information about the packets being matched and killed.
-w logfile
Write packets to a tcpdump compatible file.
expression
The tcpdump-like filter expression used to select the TCP connections to kill. This is mandatory.
Example: 'port 80' or 'host 192.168.1.100 and port 22'
DESCRIPTION
tcpkill terminates TCP connections by injecting TCP RST (reset) packets into the network. It operates by listening to network traffic and matching packets against a specified filter expression, similar to tcpdump. When a matching packet is found, tcpkill crafts and sends RST packets to both endpoints of the TCP connection, effectively closing it. This is useful for troubleshooting network issues, simulating connection failures, or terminating rogue connections. The command requires root privileges to access network interfaces in promiscuous mode and inject packets. It's important to use tcpkill responsibly as indiscriminate use can disrupt network services. It is a single purpose tool, focusing on terminating TCP connections based on specified criteria and unlike general purpose tools it doesn't have features like traffic analysis or packet modification. It provides a quick way to break troublesome connections.
CAVEATS
tcpkill requires root privileges. Using incorrect filters can disrupt intended network services. It is a tool to interrupt current connections and not to block or filter future connections. Network firewalls are the tools to achieve persistent policies.
FILTER EXPRESSIONS
The power of tcpkill lies in its ability to use complex tcpdump-like filter expressions. These expressions can target specific IP addresses, ports, protocols, or combinations thereof. Refer to the tcpdump documentation for a complete guide to filter syntax.
Example: 'src host 10.0.0.1 and dst port 80' will kill connections originating from 10.0.0.1 and destined for port 80.
HISTORY
tcpkill was developed by Dug Song as a tool for network troubleshooting and security analysis. Its initial purpose was to quickly terminate unwanted or malicious TCP connections. It has since become a standard tool in many network administrators' toolboxes. The code is relatively simple and focused on a single task: injecting RST packets to break TCP connections.