tcpflow
tcpflow is a program that captures data transmitted as part of TCP connections (flows) and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Because each direction of a connection is a separate flow, a typical TCP connection ends up in two files, one per direction. tcpflow can also process packet captures saved by tcpdump (pcap files) instead of listening on an interface.
tcpflow stores all captured data in files that have names of the form: [timestampT]sourceip.sourceport-destip.destport[--VLAN][cNNNN]

where:
- timestamp is an optional timestamp of the time that the first packet was seen
- T is a delimiter that indicates a timestamp was provided
- sourceip is the source IP address
- sourceport is the source port
- destip is the destination IP address
- destport is the destination port
- --VLAN is a double-hyphen delimiter followed by the VLAN ID, present only when the packets carried a VLAN tag
- c is a delimiter indicating that multiple connections are present
- NNNN is a connection counter, used when there are multiple connections with the same [timestamp]/sourceip/sourceport/destip/destport combination (for example, a client port reused after the first connection closed)

Note that IPv4 octets are zero-padded to three digits and ports to five, so a flow from 10.0.0.1:43922 to 10.0.0.5:80 is written to 010.000.000.001.43922-010.000.000.005.00080 and the reverse direction of the same connection to 010.000.000.005.00080-010.000.000.001.43922.
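The following is an added example, not code from the tcpflow project or from this page: a small Python parser for that filename form, plus a helper that groups the two per-direction files of one connection so they can be examined together. It assumes the zero-padded IPv4/port layout that tcpflow 1.x writes (unpadded names are accepted too), that a -I index file carries the .findx suffix shown in the options table, and, when pairing directions, that both directions of a reused 4-tuple get the same connection counter. The directory listing at the bottom is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Documented tcpflow output filename form:
#   [timestampT]sourceip.sourceport-destip.destport[--VLAN][cNNNN]
# Assumption: tcpflow 1.x zero-pads IPv4 octets to three digits and ports
# to five (010.000.000.001.00080).  The pattern also accepts unpadded
# values; int() below discards the padding either way.
FLOW_NAME_RE = re.compile(
    r"^(?:(?P<timestamp>.+?)T)?"                   # optional timestamp, then the 'T' delimiter
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d{1,5})"
    r"-"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dst_port>\d{1,5})"
    r"(?:--(?P<vlan>\d+))?"                        # '--' delimiter, then the VLAN id
    r"(?:c(?P<conn>\d+))?"                         # 'c' delimiter, then the connection counter
    r"(?P<findx>\.findx)?$"                        # companion index file written by -I
)


@dataclass(frozen=True)
class FlowName:
    timestamp: Optional[str]   # text before the 'T' delimiter, or None
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vlan: Optional[int]        # None when no --VLAN part is present
    conn: int                  # 0 when no cNNNN part is present
    is_index: bool             # True for a *.findx companion file


def unpad_ip(ip: str) -> str:
    """Turn 010.000.000.001 into 10.0.0.1."""
    return ".".join(str(int(octet)) for octet in ip.split("."))


def parse_flow_name(name: str) -> FlowName:
    """Parse one tcpflow output filename; raise ValueError for anything else."""
    m = FLOW_NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a tcpflow flow filename: {name!r}")
    return FlowName(
        timestamp=m["timestamp"],
        src_ip=unpad_ip(m["src_ip"]),
        src_port=int(m["src_port"]),
        dst_ip=unpad_ip(m["dst_ip"]),
        dst_port=int(m["dst_port"]),
        vlan=int(m["vlan"]) if m["vlan"] is not None else None,
        conn=int(m["conn"]) if m["conn"] is not None else 0,
        is_index=m["findx"] is not None,
    )


# Direction-independent identity of a connection: the two endpoints in
# sorted order, plus VLAN and connection counter.
ConnKey = Tuple[Tuple[str, int], Tuple[str, int], Optional[int], int]


def connection_key(f: FlowName) -> ConnKey:
    a, b = (f.src_ip, f.src_port), (f.dst_ip, f.dst_port)
    return (min(a, b), max(a, b), f.vlan, f.conn)


def pair_directions(names: List[str]) -> Dict[ConnKey, List[str]]:
    """Group the data files of an output directory by connection, so the
    two per-direction files of one TCP connection sit together.  *.findx
    files and non-flow names (e.g. a -X DFXML report) are skipped.
    Assumption: both directions of a reused 4-tuple get the same counter."""
    groups: Dict[ConnKey, List[str]] = {}
    for name in names:
        try:
            f = parse_flow_name(name)
        except ValueError:
            continue                      # not a flow file: skip it
        if f.is_index:
            continue                      # index file, not payload
        groups.setdefault(connection_key(f), []).append(name)
    for files in groups.values():
        files.sort()
    return groups


# Constructed directory listing for illustration (not real tcpflow output).
SAMPLE_LISTING = [
    "010.000.000.001.43922-010.000.000.005.00080",          # client -> server
    "010.000.000.005.00080-010.000.000.001.43922",          # server -> client
    "010.000.000.001.43922-010.000.000.005.00080c0001",     # same 4-tuple reused
    "010.000.000.005.00080-010.000.000.001.43922c0001",
    "010.000.000.001.43922-010.000.000.005.00080.findx",    # index written by -I
    "1393541929T010.000.000.002.51000-010.000.000.005.00443--100",  # timestamp + VLAN 100
    "report.xml",                                            # DFXML report from -X
]

if __name__ == "__main__":
    for key, files in pair_directions(SAMPLE_LISTING).items():
        (a_ip, a_port), (b_ip, b_port), vlan, conn = key
        print(f"{a_ip}:{a_port} <-> {b_ip}:{b_port} vlan={vlan} conn={conn}: {files}")
```

The timestamp group is deliberately non-greedy and terminated by the first T that is followed by a well-formed address, so both a plain epoch value and an ISO-8601 timestamp that itself contains a T are handled. IPv6 flow names are not covered and raise ValueError.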
Usage
Usage: tcpflow [options] [expression]

expression is an optional pcap (BPF) capture filter in the same syntax tcpdump uses; with -l, non-flag arguments are treated as input files instead.
| Option | Description |
|---|---|
| -a | do ALL post-processing |
| -b max_bytes | maximum number of bytes per flow to save |
| -d debug_level | debug level; default is 1 |
| -f max_fds | maximum number of file descriptors to use |
| -H | print detailed information about each scanner |
| -i iface | network interface on which to listen |
| -I | write for each flow another file *.findx that provides byte-indexed timestamps |
| -g | output each flow in alternating colors (note change!) |
| -l | treat non-flag arguments as input files rather than a pcap expression |
| -L semlock | specifies that writes are locked using a named semaphore |
| -p | don't use promiscuous mode |
| -q | quiet mode: do not print warnings |
| -r file | read packets from a tcpdump pcap file (may be repeated) |
| -R file | read packets from a tcpdump pcap file TO FINISH CONNECTIONS begun in the -r file(s) |
| -v | verbose operation, equivalent to -d 10 |
| -V | print version number and exit |
| -w file | write packets not processed to file |
| -o outdir | specify output directory (default '.') |
| -X filename | write DFXML output to filename |
| -m bytes | size of the gap (skip) in the byte stream at which a new stream is started rather than continuing the current one (default 16777216) |
| -F{p} | filename prefix/suffix (-hh for options) |
| -T{t} | filename template (-hh for options; default %A.%a-%B.%b%V%v%C%c) |
| -Z | do not decompress gzip-compressed HTTP transactions |
| -K | output/keep pcap flow structure |
| -U user | relinquish privileges and become user (if running as root) |
| -z dir | chroot to dir (requires that -U be used: a process that keeps root can leave a chroot, so the chroot only confines tcpflow once privileges are dropped) |
| -E scanner | turn off all scanners except scanner |
| -S name=value | set a configuration parameter (-hh for info) |
| -B | binary output, even with -c or -C (normally -c or -C turn it off) |
| -c | console print only (don't create files) |
| -C | console print only, but without the display of the source/dest header |
| -0 | don't print newlines after packets when printing to console |
| -s | strip non-printable characters (change to '.') |
| -J | output JSON format |
| -D | output in hex (useful to combine with -c or -C) |