tcptrack(1)                 General Commands Manual                tcptrack(1)

NAME

       tcptrack - Monitor TCP connections on the network

SYNOPSIS

       tcptrack [ -dfhvp ] [ -r seconds ] -i interface
        [ filter expression ]

DESCRIPTION

       tcptrack displays the status of TCP connections that it sees on a given
       network interface. tcptrack monitors their state and displays
       information such as state, source/destination addresses and bandwidth
       usage in a sorted, updated list very much like the top(1) command.

       The filter expression is a standard pcap filter expression (identical
       to the expressions used by tcpdump(8)) which can be used to restrict
       which TCP connections tcptrack will see. See tcpdump(8) for more
       information about the syntax of this expression.

OPTIONS

       -d     Only track connections that were started after tcptrack was
              started. Do not try to detect existing connections.

       -f     Enable fast average recalculation. tcptrack will calculate the
              average speeds of connections by using a running average.
              tcptrack will use more memory and CPU time, but averages will
              seem closer to real time, will be updated more than once per
              second, and may be more accurate under heavy load. The number
              of times per second that averages will be recalculated in fast
              mode is a compile-time setting that defaults to 10 times per
              second.

       -h     Display command line help.

       -i [interface]
              Sniff packets from the specified network interface.

       -T [pcap file]
              Read packets from the specified file instead of sniffing from
              the network. Useful for testing.

       -p     Do not put the interface being sniffed into promiscuous mode.

       -r [seconds]
              Wait this many seconds before removing a closed connection from
              the display. Defaults to 2 seconds. See also the pause
              interactive command (below).

       -v     Display tcptrack version.

INTERACTIVE COMMANDS

       The following keys may be pressed while tcptrack is running to change
       runtime options:

       p - Pause/unpause display. No new connections will be added to the
       display, and all currently displayed connections will remain in the
       display.

       q - Quit tcptrack.

       s - Cycle through the sorting options: unsorted, sorted by rate, sorted
       by total bytes.

       The options for pausing and toggling sorting are useful if you're
       watching a very busy network and want to look at the display without
       connections jumping around (due to sorting and new connections being
       added) and disappearing (due to being closed for a certain time).

       When paused (via the p command) no new connections will be displayed,
       however tcptrack will still monitor and track all connections it sees
       as usual. This option affects the display only, not internals. When you
       unpause, the display will be updated with all current information that
       tcptrack has been gathering all along.

EXAMPLES

       tcptrack requires only one parameter to run: the -i flag followed by an
       interface name that you want tcptrack to monitor. This is the most
       basic way to run tcptrack:

       # tcptrack -i eth0

       tcptrack can also take a pcap filter expression as an argument. The
       format of this filter expression is the same as that of tcpdump(8) and
       other libpcap-based sniffers. The following example will only show
       connections to or from host 10.45.165.2:

       # tcptrack -i eth0 src or dst 10.45.165.2

       The next example will only show web traffic (i.e., traffic on port 80):

       # tcptrack -i eth0 port 80

SEE ALSO

       tcpdump(8), pcap(3), http://www.rhythm.cx/~steve/devel/tcptrack

BUGS

       When picking up a connection that was already running before tcptrack
       was started, there is no way tcptrack can know for sure which end of
       the connection is the client (i.e., which peer started the connection)
       and which is the server (i.e., which peer was listening). tcptrack
       makes a crude guess at which is which by looking at the port numbers;
       whichever end has the lower port number is considered the server side.
       This isn't always accurate, of course, but future versions may have
       better heuristics to figure out which end is which.

       Currently the interface is not very flexible. Display timing settings
       (such as the refresh interval) can only be changed by editing the
       source code (defs.h in particular). See the TODO file included with the
       source distribution for further bugs.
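
       The port-number guess described in the first paragraph of BUGS, as an
       added example in Python (not tcptrack's source). The handshake branch,
       the tie handling and the sample segments are assumptions constructed
       for illustration; the last sample shows a listener on a high port being
       mislabelled when the connection is first seen mid-stream.

```python
from collections import namedtuple

SYN, ACK = 0x02, 0x10  # TCP header flag bits

# One observed TCP segment: sender endpoint, receiver endpoint, flag byte.
Segment = namedtuple("Segment", "src sport dst dport flags")

def guess_server_by_port(seg):
    """Fallback described in BUGS: the lower-numbered port is the server."""
    if seg.sport == seg.dport:
        return None  # assumption: the man page does not define a tie-break
    if seg.sport < seg.dport:
        return (seg.src, seg.sport)
    return (seg.dst, seg.dport)

def server_of(first_seen):
    """Classify a connection from the first segment a monitor sees of it."""
    syn_ack = first_seen.flags & (SYN | ACK)
    if syn_ack == SYN:            # opening SYN: the receiver is listening
        return (first_seen.dst, first_seen.dport), "handshake"
    if syn_ack == (SYN | ACK):    # SYN-ACK reply: the sender is listening
        return (first_seen.src, first_seen.sport), "handshake"
    return guess_server_by_port(first_seen), "port-guess"

# Constructed sample segments (documentation addresses, not captured traffic).
# In every sample the real server is the dst endpoint.
SAMPLES = [
    Segment("192.0.2.10", 51514, "192.0.2.20", 443, SYN),    # seen from start
    Segment("192.0.2.10", 51514, "192.0.2.20", 443, ACK),    # joined mid-stream
    Segment("192.0.2.10", 33060, "192.0.2.20", 49152, ACK),  # high-port service
]

def misclassified(samples):
    """Return the samples whose inferred server is not the real one (dst)."""
    return [s for s in samples if server_of(s)[0] != (s.dst, s.dport)]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", server_of(s))
    print("wrong guesses:", misclassified(SAMPLES))
```

       Running tcptrack with -d, which does not try to detect existing
       connections, avoids guessed rows at the cost of not showing
       connections that were already open.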