1tcpflow(1) tcpflow 0.21 tcpflow(1)
2
6 tcpflow - TCP flow recorder
7
9 tcpflow [-cCehpsv] [-b max_bytes] [-d debug_level] [-f max_fds]
10 [-i iface] [-r file] [expression]
11
13 tcpflow is a program that captures data transmitted as part of TCP con‐
14 nections (flows), and stores the data in a way that is convenient for
15 protocol analysis or debugging. A program like tcpdump(4) shows a sum‐
16 mary of packets seen on the wire, but usually doesn't store the data
17 that's actually being transmitted. In contrast, tcpflow reconstructs
18 the actual data streams and stores each flow in a separate file for
19 later analysis. tcpflow understands TCP sequence numbers and will cor‐
20 rectly reconstruct data streams regardless of retransmissions or out-
21 of-order delivery.
22 tcpflow stores all captured data in files that have names of the form
24 192.168.101.102.02345-010.011.012.013.45103
25 where the contents of the above file would be data transmitted from
26 host 192.168.101.102 port 2345, to host 10.11.12.13 port 45103.
27
29 -b Max bytes per flow. Capture no more than max_bytes bytes per
30 flow. Any data captured for a flow beyond max_bytes from the
31 first byte captured will be discarded. The default is to store
32 an unlimited number of bytes per flow.
33 -c Console print. Print the contents of packets to stdout as they
35 are received, without storing any captured data to files
36 (implies -s ).
37 -C Console print without the packet source and destination details
39 being printed. Print the contents of packets to stdout as they
40 are received, without storing any captured data to files
41 (implies -s ).
42 -e When outputting to the console each flow will be output in dif‐
44 ferent colors (blue for client to server flows, red for server
45 to client flows, green for undecided flows).
46 -d Debug level. Set the level of debugging messages printed to
48 stderr to debug_level. Higher numbers produce more messages.
49 -d 0 causes completely silent operation. -d 1 , the default,
50 produces minimal status messages. -d 10 produces verbose output
51 equivalent to -v . Numbers higher than 10 can produce a large
52 amount of debugging information useful only to developers.
53 -f Max file descriptors used. Limit the number of file descriptors
55 used by tcpflow to max_fds. Higher numbers use more system
56 resources, but usually perform better. If the underlying oper‐
57 ating system supports the setrlimit() system call, the OS will
58 be asked to enforce the requested limit. The default is for
59 tcpflow to use the maximum number of file descriptors allowed by
60 the OS. The -v option will report how many file descriptors
61 tcpflow is using.
62 -h Help. Print usage information and exit.
64 -i Interface name. Capture packets from the network interface
66 named iface. If no interface is specified with -i , a reason‐
67 able default will be used by libpcap automatically.
68 -p No promiscuous mode. Normally, tcpflow attempts to put the net‐
70 work interface into promiscuous mode before capturing packets.
71 The -p option tells tcpflow not to put the interface into pro‐
72 miscuous mode. Note that it might already be in promiscuous
73 mode for some other reason.
74 -r Read from file. Read packets from file, which was created using
76 the -w option of tcpdump(1). Standard input is used if file is
77 ``-''. Note that for this option to be useful, tcpdump's -s
78 option should be used to set the snaplen to the MTU of the
79 interface (e.g., 1500) while capturing packets.
80 -s Strip non-printables. Convert all non-printable characters to
82 the "." character before printing packets to the console or
83 storing them to a file.
84 -v Verbose operation. Verbosely describe tcpflow's operation.
86 Equivalent to -d 10 .
87
89 The expression specified on the command-line specifies which packets
90 should be captured. Because tcpflow uses the the libpcap library,
91 tcpflow has the same powerful filtering language available as programs
92 such as tcpdump(1).
93 The following part of the man page is excerpted from the tcpdump man
95 page.
96 expression selects which packets will be dumped. If no expression is
98 given, all packets on the net will be dumped. Otherwise, only packets
99 for which expression is `true' will be dumped.
100 The expression consists of one or more primitives. Primitives usually
102 consist of an id (name or number) preceded by one or more qualifiers.
103 There are three different kinds of qualifier:
104 type qualifiers say what kind of thing the id name or number refers
106 to. Possible types are host, net and port. E.g., `host foo',
107 `net 128.3', `port 20'. If there is no type qualifier, host is
108 assumed.
109 dir qualifiers specify a particular transfer direction to and/or
111 from id. Possible directions are src, dst, src or dst and src
112 and dst. E.g., `src foo', `dst net 128.3', `src or dst port
113 ftp-data'. If there is no dir qualifier, src or dst is assumed.
114 For `null' link layers (i.e. point to point protocols such as
115 slip) the inbound and outbound qualifiers can be used to specify
116 a desired direction.
117 proto qualifiers restrict the match to a particular protocol. Possi‐
119 ble protos are: ether, fddi, ip, arp, rarp, decnet, lat, sca,
120 moprc, mopdl, tcp and udp. E.g., `ether src foo', `arp net
121 128.3', `tcp port 21'. If there is no proto qualifier, all pro‐
122 tocols consistent with the type are assumed. E.g., `src foo'
123 means `(ip or arp or rarp) src foo' (except the latter is not
124 legal syntax), `net bar' means `(ip or arp or rarp) net bar' and
125 `port 53' means `(tcp or udp) port 53'.
126 [`fddi' is actually an alias for `ether'; the parser treats them iden‐
128 tically as meaning ``the data link level used on the specified network
129 interface.'' FDDI headers contain Ethernet-like source and destination
130 addresses, and often contain Ethernet-like packet types, so you can
131 filter on these FDDI fields just as with the analogous Ethernet fields.
132 FDDI headers also contain other fields, but you cannot name them
133 explicitly in a filter expression.]
134 In addition to the above, there are some special `primitive' keywords
136 that don't follow the pattern: gateway, broadcast, less, greater and
137 arithmetic expressions. All of these are described below.
138 More complex filter expressions are built up by using the words and, or
140 and not to combine primitives. E.g., `host foo and not port ftp and
141 not port ftp-data'. To save typing, identical qualifier lists can be
142 omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the
143 same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port
144 domain'.
145 Allowable primitives are:
147 dst host host
149 True if the IP destination field of the packet is host, which
150 may be either an address or a name.
151 src host host
153 True if the IP source field of the packet is host.
154 host host
156 True if either the IP source or destination of the packet is
157 host. Any of the above host expressions can be prepended with
158 the keywords, ip, arp, or rarp as in:
159 ip host host
160 which is equivalent to:
161 ether proto \ip and host host
162 If host is a name with multiple IP addresses, each address will
163 be checked for a match.
164 ether dst ehost
166 True if the ethernet destination address is ehost. Ehost may be
167 either a name from /etc/ethers or a number (see ethers(3N) for
168 numeric format).
169 ether src ehost
171 True if the ethernet source address is ehost.
172 ether host ehost
174 True if either the ethernet source or destination address is
175 ehost.
176 gateway host
178 True if the packet used host as a gateway. I.e., the ethernet
179 source or destination address was host but neither the IP source
180 nor the IP destination was host. Host must be a name and must
181 be found in both /etc/hosts and /etc/ethers. (An equivalent
182 expression is
183 ether host ehost and not host host
184 which can be used with either names or numbers for host /
185 ehost.)
186 dst net net
188 True if the IP destination address of the packet has a network
189 number of net. Net may be either a name from /etc/networks or a
190 network number (see networks(5) for details).
191 src net net
193 True if the IP source address of the packet has a network number
194 of net.
195 net net
197 True if either the IP source or destination address of the
198 packet has a network number of net.
199 net net mask mask
201 True if the IP address matches net with the specific netmask.
202 May be qualified with src or dst.
203 net net/len
205 True if the IP address matches net a netmask len bits wide. May
206 be qualified with src or dst.
207 dst port port
209 True if the packet is ip/tcp or ip/udp and has a destination
210 port value of port. The port can be a number or a name used in
211 /etc/services (see tcp(4P) and udp(4P)). If a name is used,
212 both the port number and protocol are checked. If a number or
213 ambiguous name is used, only the port number is checked (e.g.,
214 dst port 513 will print both tcp/login traffic and udp/who traf‐
215 fic, and port domain will print both tcp/domain and udp/domain
216 traffic).
217 src port port
219 True if the packet has a source port value of port.
220 port port
222 True if either the source or destination port of the packet is
223 port. Any of the above port expressions can be prepended with
224 the keywords, tcp or udp, as in:
225 tcp src port port
226 which matches only tcp packets whose source port is port.
227 less length
229 True if the packet has a length less than or equal to length.
230 This is equivalent to:
231 len <= length.
232 greater length
234 True if the packet has a length greater than or equal to length.
235 This is equivalent to:
236 len >= length.
237 ip proto protocol
239 True if the packet is an ip packet (see ip(4P)) of protocol type
240 protocol. Protocol can be a number or one of the names icmp,
241 igrp, udp, nd, or tcp. Note that the identifiers tcp, udp, and
242 icmp are also keywords and must be escaped via backslash (\),
243 which is \\ in the C-shell.
244 ether broadcast
246 True if the packet is an ethernet broadcast packet. The ether
247 keyword is optional.
248 ip broadcast
250 True if the packet is an IP broadcast packet. It checks for
251 both the all-zeroes and all-ones broadcast conventions, and
252 looks up the local subnet mask.
253 ether multicast
255 True if the packet is an ethernet multicast packet. The ether
256 keyword is optional. This is shorthand for `ether[0] & 1 != 0'.
257 ip multicast
259 True if the packet is an IP multicast packet.
260 ether proto protocol
262 True if the packet is of ether type protocol. Protocol can be a
263 number or a name like ip, arp, or rarp. Note these identifiers
264 are also keywords and must be escaped via backslash (\). [In
265 the case of FDDI (e.g., `fddi protocol arp'), the protocol iden‐
266 tification comes from the 802.2 Logical Link Control (LLC)
267 header, which is usually layered on top of the FDDI header.
268 Tcpdump assumes, when filtering on the protocol identifier, that
269 all FDDI packets include an LLC header, and that the LLC header
270 is in so-called SNAP format.]
271 decnet src host
273 True if the DECNET source address is host, which may be an
274 address of the form ``10.123'', or a DECNET host name. [DECNET
275 host name support is only available on Ultrix systems that are
276 configured to run DECNET.]
277 decnet dst host
279 True if the DECNET destination address is host.
280 decnet host host
282 True if either the DECNET source or destination address is host.
283 ip, arp, rarp, decnet
285 Abbreviations for:
286 ether proto p
287 where p is one of the above protocols.
288 lat, moprc, mopdl
290 Abbreviations for:
291 ether proto p
292 where p is one of the above protocols. Note that tcpdump does
293 not currently know how to parse these protocols.
294 tcp, udp, icmp
296 Abbreviations for:
297 ip proto p
298 where p is one of the above protocols.
299 expr relop expr
301 True if the relation holds, where relop is one of >, <, >=, <=,
302 =, !=, and expr is an arithmetic expression composed of integer
303 constants (expressed in standard C syntax), the normal binary
304 operators [+, -, *, /, &, |], a length operator, and special
305 packet data accessors. To access data inside the packet, use
306 the following syntax:
307 proto [ expr : size ]
308 Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp,
309 and indicates the protocol layer for the index operation. The
310 byte offset, relative to the indicated protocol layer, is given
311 by expr. Size is optional and indicates the number of bytes in
312 the field of interest; it can be either one, two, or four, and
313 defaults to one. The length operator, indicated by the keyword
314 len, gives the length of the packet.
315 For example, `ether[0] & 1 != 0' catches all multicast traffic.
317 The expression `ip[0] & 0xf != 5' catches all IP packets with
318 options. The expression `ip[6:2] & 0x1fff = 0' catches only
319 unfragmented datagrams and frag zero of fragmented datagrams.
320 This check is implicitly applied to the tcp and udp index opera‐
321 tions. For instance, tcp[0] always means the first byte of the
322 TCP header, and never means the first byte of an intervening
323 fragment.
324 Primitives may be combined using:
326 A parenthesized group of primitives and operators (parentheses
328 are special to the Shell and must be escaped).
329 Negation (`!' or `not').
331 Concatenation (`&&' or `and').
333 Alternation (`||' or `or').
335 Negation has highest precedence. Alternation and concatenation have
337 equal precedence and associate left to right. Note that explicit and
338 tokens, not juxtaposition, are now required for concatenation.
339 If an identifier is given without a keyword, the most recent keyword is
341 assumed. For example,
342 not host vs and ace
343 is short for
344 not host vs and host ace
345 which should not be confused with
346 not ( host vs or ace )
347 Expression arguments can be passed to tcpdump as either a single argu‐
349 ment or as multiple arguments, whichever is more convenient. Gener‐
350 ally, if the expression contains Shell metacharacters, it is easier to
351 pass it as a single, quoted argument. Multiple arguments are concate‐
352 nated with spaces before being parsed.
353
355 The following part of the man page is excerpted from the tcpdump man
356 page.
357 To record all packets arriving at or departing from sundown:
359 tcpflow host sundown
360 To record traffic between helios and either hot or ace:
362 tcpflow host helios and \( hot or ace \)
363 To record traffic between ace and any host except helios:
365 tcpflow host ace and not helios
366 To record all traffic between local hosts and hosts at Berkeley:
368 tcpflow net ucb-ether
369 To record all ftp traffic through internet gateway snup: (note that the
371 expression is quoted to prevent the shell from (mis-)interpreting the
372 parentheses):
373 tcpflow 'gateway snup and (port ftp or ftp-data)'
374
376 Please send bug reports to jelson@circlemud.org.
377 tcpflow currently does not understand IP fragments. Flows containing
379 IP fragments will not be recorded correctly.
380 tcpflow never frees state associated with flows that it records, so
382 will grow large if used to capture a very large number of flows (e.g.,
383 on the order of 100,000 flows or more).
384 There appears to be a bug in the way that Linux delivers packets to
386 libpcap when using the loopback interface ("localhost"). When listen‐
387 ing to the Linux loopback interface, selective packet filtering is not
388 possible; all TCP flows on the localhost interface will be recorded.
389
391 Jeremy Elson <jelson@circlemud.org>
392 The current version of this software is available at
394 http://www.circlemud.org/~jelson/software/tcpflow
395
397 tcpdump(1), nit(4P), bpf(4), pcap(3)
398tcpflow 0.21 20 April 1999 tcpflow(1)