Tcpflow
Install
- apt install tcpflow
Start
- tcpflow
By default, tcpflow stores all captured data in files whose names follow this format:
Format
sourceip.sourceport-destip.destport
- 010.000.010.101.49018-095.101.230.115.00443
- 095.101.230.115.00443-010.000.010.101.49018
Each TCP flow is stored in its own file. From the output above you can see that there are three transcript files, which show tcpflow recording the two opposite directions: the source IP of the first file is the destination IP of the second, and vice versa.
An XML report is also generated, containing information about the program (e.g. how it was compiled and on which machine it was run) as well as a record of every TCP connection.
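Worked example of the naming format above, added here and not part of the original notes or of tcpflow itself: it parses the default zero-padded transcript names, strips the padding, and pairs the two directions of each connection so that one-directional flows (half-captured sessions, requests without a reply) stand out during review. It assumes the default name format (no -T), and the sample names are constructed: the two from the page plus a report.xml and a lone flow.

```python
import re
from collections import defaultdict

# Default tcpflow transcript name: sourceip.sourceport-destip.destport,
# each octet zero-padded to 3 digits and each port to 5 digits.
_FLOW_RE = re.compile(
    r"^(\d{3}\.\d{3}\.\d{3}\.\d{3})\.(\d{5})-(\d{3}\.\d{3}\.\d{3}\.\d{3})\.(\d{5})$"
)

def _unpad_ip(padded):
    return ".".join(str(int(octet)) for octet in padded.split("."))

def parse_flow_name(name):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for non-transcript files."""
    m = _FLOW_RE.match(name)
    if not m:
        return None  # e.g. report.xml
    return (_unpad_ip(m.group(1)), int(m.group(2)),
            _unpad_ip(m.group(3)), int(m.group(4)))

def pair_flows(names):
    """Group transcripts by connection; key is the sorted endpoint pair, so A->B and B->A land together."""
    conns = defaultdict(dict)
    for name in names:
        parsed = parse_flow_name(name)
        if parsed is None:
            continue
        src_ip, src_port, dst_ip, dst_port = parsed
        key = tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))
        conns[key][(src_ip, src_port)] = name  # one entry per direction
    return dict(conns)

def unpaired(names):
    """Connections for which only one direction was recorded."""
    return [k for k, v in pair_flows(names).items() if len(v) < 2]

# Constructed sample directory listing (not real capture output).
SAMPLE = [
    "010.000.010.101.49018-095.101.230.115.00443",
    "095.101.230.115.00443-010.000.010.101.49018",
    "report.xml",
    "010.000.010.101.52000-093.184.216.034.00080",
]

if __name__ == "__main__":
    for key, dirs in pair_flows(SAMPLE).items():
        print(key, "->", dirs)
    print("one-directional:", unpaired(SAMPLE))
```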
Output Directory
- tcpflow -o tcpflow_files
You can also print the contents of packets to stdout as they are received, without storing any captured data to files, using the -c flag as follows.
To test this effectively, open a second terminal and run a ping, or browse the internet. You should be able to see the ping details or your browsing details being captured by tcpflow.
$ sudo tcpflow -c
It is possible to capture all traffic on a particular port, for example port 80 (HTTP). In the case of HTTP traffic, you will be able to see the HTTP headers followed by the content, all on stdout, or in one file if the -c switch is removed.
$ sudo tcpflow port 80
To capture packets from a specific network interface, use the -i flag to specify the interface name.
$ sudo tcpflow -i eth0 port 80
You can also specify a target host (accepted values are an IP address, hostname or domain), as shown.
$ sudo tcpflow -c host 192.68.43.1
OR
$ sudo tcpflow -c host www.google.com
You can enable all processing using all scanners with the -a flag; this is equivalent to the -e all switch.
$ sudo tcpflow -a
OR
$ sudo tcpflow -e all
A specific scanner can also be activated; the available scanners include md5, http, netviz, tcpdemux and wifiviz (run tcpflow -H to view detailed information about each scanner).
$ sudo tcpflow -e http
OR
$ sudo tcpflow -e md5
OR
$ sudo tcpflow -e netviz
OR
$ sudo tcpflow -e tcpdemux
OR
$ sudo tcpflow -e wifiviz
The following example shows how to enable all scanners except tcpdemux.
$ sudo tcpflow -a -x tcpdemux
TCPflow usually tries to put the network interface into promiscuous mode before capturing packets. You can prevent this using the -p flag as shown.
$ sudo tcpflow -p -i eth0
To read packets from a tcpdump pcap file, use the -r flag.
$ sudo tcpflow -r file.pcap
You can enable verbose mode using the -v or -d 10 options.
$ sudo tcpflow -v
OR
$ sudo tcpflow -d 10
Important: one limitation of tcpflow is that, at present, it does not understand IP fragments, so data transmitted as part of TCP connections containing IP fragments will not be captured properly.
For more information and usage options, see the tcpflow man page.
$ man tcpflow
TCPflow GitHub repository: https://github.com/simsong/tcpflow
That’s all for now! TCPflow is a powerful TCP flow recorder which is useful for understanding network packet flows and performing network forensics, and so much more. Try it out and share your thoughts about it with us in the comments.