tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored ‘tcpdump’ packet flows.



tcpflow [-aBcCDhJpsvVZ] [-b max_bytes] [-d debug_level] [-[eE] scanner] [-f max_fds] [-F[ctTXMkmg]] [-i iface] [-L semlock] [-m min_bytes] [-o outdir] [-r file] [-R file] [-S name=value] [-T template] [-w file] [-x scanner] [-X xmlfile] [expression]


   -a: do ALL post-processing.
   -b max_bytes: max number of bytes per flow to save
   -d debug_level: debug level; default is 1
   -f: maximum number of file descriptors to use
   -h: print this help message (-hh for more help)
   -H: print detailed information about each scanner
   -i: network interface on which to listen
   -J: output each flow in alternating colors (note change!)
   -l: treat non-flag arguments as input files rather than a pcap expression
   -L  semlock - specifies that writes are locked using a named semaphore
   -p: don't use promiscuous mode
   -q: quiet mode - do not print warnings
   -r file: read packets from tcpdump pcap file (may be repeated)
   -R file: read packets from tcpdump pcap file TO FINISH CONNECTIONS
   -v: verbose operation equivalent to -d 10
   -V: print version number and exit
   -w file: write packets not processed to file
   -o  outdir   : specify output directory (default '.')
   -X  filename : DFXML output to filename
   -m  bytes    : specifies skip that starts a new stream (default 16777216).
   -F{p} : filename prefix/suffix (-hh for options)
   -T{t} : filename template (-hh for options; default %A.%a-%B.%b%V%v%C%c)
   -Z: do not decompress gzip-compressed HTTP transactions

Control of Scanners:
   -E scanner   - turn off all scanners except scanner
   -S name=value  Set a configuration parameter (-hh for info)

Settable Options (and their defaults): 
   -S http_cmd=    Command to execute on each HTTP attachment (http)
   -S http_alert_fd=-1    File descriptor to send information about completed HTTP attachments (http)
   -S netviz_histogram_dump=0    Dumps the histogram (netviz)
   -S netviz_histogram_size=1000    Maximum histogram size (netviz)
   -S tcp_timeout=0    Timeout for TCP connections (tcpdemux)
   -S check_fcs=YES    Require valid Frame Check Sum (FCS) (wifiviz)

   -e http - enable scanner http
   -e md5 - enable scanner md5
   -e netviz - enable scanner netviz
   -e wifiviz - enable scanner wifiviz

   -x tcpdemux - disable scanner tcpdemux
Console output options:
   -B: binary output, even with -c or -C (normally -c or -C turn it off)
   -c: console print only (don't create files)
   -C: console print only, but without the display of source/dest header
   -s: strip non-printable characters (change to '.')
   -D: output in hex (useful to combine with -c or -C)


To captures all traffic on port 80  on your machine

sudo tcpflow -i eth0 'port 80'

cyborg@cyborg:~$ sudo tcpflow -i eth0 'port 80'
tcpflow: listening on eth0

You should start this command in an empty directory. It will create files of the format x.x.x.x.y-a.a.a.a.z (where x.x.x.x and a.a.a.a are the source/destination IP addresses and y and z are the source/destination port numbers). When you are done, just Control-C that command to stop it.


tcpflow Tcpflow


Leave a reply


We're are building as a community and a team. Be a part of it.


©2018 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?