{"id":11541,"date":"2019-03-14T11:48:02","date_gmt":"2019-03-14T11:48:02","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=11541"},"modified":"2019-03-14T11:48:02","modified_gmt":"2019-03-14T11:48:02","slug":"tcpflow-analyze-and-debug-network-traffic-in-linux","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/14\/tcpflow-analyze-and-debug-network-traffic-in-linux\/","title":{"rendered":"TCPflow \u2013 Analyze and Debug Network Traffic in Linux"},"content":{"rendered":"

TCPflow<\/strong>\u00a0is a free, open source, powerful command line based tool for analyzing network traffic on Unix-like systems such as Linux. It captures data received or transferred over TCP connections, and stores it in a file for later analysis, in a useful format that allows for protocol analysis and debugging.<\/p>\n

Read Also<\/strong>:\u00a016 Best Bandwidth Monitoring Tools to Analyze Network Usage in Linux<\/a><\/p>\n

It is actually a\u00a0tcpdump-like<\/a>\u00a0tools as it processes packets from the wire or from a stored file. It supports the same powerful filtering expressions supported by its counterpart. The only difference is that tcpflow puts all the TCP packets into order and assembles each flow in a separate file (a file for each direction of flow) for later analysis.<\/p>\n

Its feature set includes an advanced plug-in system for decompressing compressed HTTP connections, undoing MIME encoding, or invoking third-party programs for post-processing and much more.<\/p>\n

There are many use cases for tcpflow which include to understand network packet flows and also supports for performing network forensics and divulge the contents of HTTP sessions.<\/p>\n

How to Install TCPflow in Linux Systems<\/h3>\n

TCPflow<\/strong>\u00a0is available in the official repositories of mainstream GNU\/Linux distributions, you can install it using your package manager as shown.<\/p>\n

$ sudo apt install tcpflow\t#Debian\/Ubuntu\r\n$ sudo yum install tcpflow\t#CentOS\/RHEL\r\n$ sudo dnf install tcpflow\t#Fedora 22+\r\n<\/pre>\n
After installing tcpflow, you can run it with superuser privileges, otherwise use the\u00a0sudo command<\/strong>. Note that it listens on the active network interface (for instance\u00a0enp0s3<\/strong>).<\/p>\n
$ sudo tcpflow<\/strong>\r\n\r\ntcpflow: listening on enp0s3\r\n<\/pre>\n
By default tcpflow stores all captured data in files that have names in the form (this may be different if you use certain options such as\u00a0timestamp<\/strong>).<\/p>\n
sourceip.sourceport-destip.destport\r\n192.168.043.031.52920-216.058.210.034.00443\r\n<\/pre>\n
Now let\u2019s do a directory listing to see if tcp flow has been captured in any files.<\/p>\n
$ ls -1<\/strong>\r\n\r\ntotal 20\r\n-rw-r--r--. 1 root    root     808 Sep 19 12:49 192.168.043.031.52920-216.058.210.034.00443\r\n-rw-r--r--. 1 root    root      59 Sep 19 12:49 216.058.210.034.00443-192.168.043.031.52920\r\n<\/pre>\n
As we mentioned earlier on, each TCP flow is stored in its own file. From the output above, you can see that there are three transcript file, which indicate tcpflow in two opposite directions, where the source IP in the first file and the destination IP in the second file and vice versa.<\/p>\n
The first file\u00a0192.168.043.031.52920-216.058.210.034.00443<\/strong>\u00a0contains data transfered from host\u00a0192.168.043.031<\/strong>\u00a0(the localhost on which tcpflow was run) via port\u00a052920<\/strong>, to host\u00a0216.058.210.034<\/strong>\u00a0(the remote host) via port\u00a0443<\/strong>.<\/p>\n
And the second file\u00a0216.058.210.034.00443-192.168.043.031.52920<\/strong>\u00a0contains data sent from host\u00a0216.058.210.034<\/strong>\u00a0(the remote host) via port\u00a0443<\/strong>\u00a0to host\u00a0192.168.043.031<\/strong>\u00a0(the localhost on which tcpflow was run) via port\u00a052920<\/strong>.<\/p>\n
There is also an\u00a0XML<\/strong>\u00a0report generated, which contains information about the program such as how it was compiled, and the computer it was run on and a record of every tcp connection.<\/p>\n
As you may have noticed, tcpflow stores the transcript files in the current directory by default. The\u00a0-o<\/code>\u00a0option can help you specify the output directory where the transcript files will be written.<\/p>\n
$ sudo tcpflow -o tcpflow_files<\/strong>\r\n$ sudo ls -l tcpflow_files<\/strong>\r\n\r\ntotal 32\r\n-rw-r--r--. 1 root root 1665 Sep 19 12:56 157.240.016.035.00443-192.168.000.103.45986\r\n-rw-r--r--. 1 root root   45 Sep 19 12:56 169.044.082.101.00443-192.168.000.103.55496\r\n-rw-r--r--. 1 root root 2738 Sep 19 12:56 172.217.166.046.00443-192.168.000.103.39954\r\n-rw-r--r--. 1 root root   68 Sep 19 12:56 192.168.000.102.00022-192.168.000.103.42436\r\n-rw-r--r--. 1 root root  573 Sep 19 12:56 192.168.000.103.39954-172.217.166.046.00443\r\n-rw-r--r--. 1 root root 4067 Sep 19 12:56 192.168.000.103.45986-157.240.016.035.00443\r\n-rw-r--r--. 1 root root   38 Sep 19 12:56 192.168.000.103.55496-169.044.082.101.00443\r\n-rw-r--r--. 1 root root 3159 Sep 19 12:56 report.xml\r\n<\/pre>\n
You can also print the contents of packets to\u00a0stdout<\/strong>\u00a0as they are received, without storing any captured data to files, using the\u00a0-c<\/code>\u00a0flag as follows.<\/p>\n
To test this effectively, open a second terminal and run a\u00a0ping<\/strong>, or browse the internet. You should be able to see the ping details or your browsing details being captured by tcpflow.<\/p>\n
$ sudo tcpflow -c\r\n<\/pre>\n
It is possible to capture all traffic on a particular port, for example port\u00a080<\/strong>\u00a0(HTTP<\/strong>). In the case of HTTP traffic, you will be able to see the HTTP Headers followed by the content all on the stdout or in one file if the\u00a0-c<\/code>\u00a0switch is removed.<\/p>\n
$ sudo tcpflow port 80\r\n<\/pre>\n
To capture packets from a specific network interface, use the\u00a0-i<\/code>\u00a0flag to specify the interface name.<\/p>\n
$ sudo tcpflow -i eth0 port 80\r\n<\/pre>\n
You can also specify a target host (accepted values are IP address, hostname or domains), as shown.<\/p>\n
$ sudo tcpflow -c host 192.68.43.1\r\nOR\r\n$ sudo tcpflow -c host www.google.com \r\n<\/pre>\n
You can enable all processing using all scanners with the\u00a0-a<\/code>\u00a0flag, this is equivalent to the\u00a0-e<\/code>\u00a0all switch.<\/p>\n
$ sudo tcpflow -a  \r\nOR\r\n$ sudo tcpflow -e all\r\n<\/pre>\n
A specific scanner can also be activated; the available scanners include md5, http, netviz, tcpdemux and wifiviz (run\u00a0tcpflow -H<\/strong>\u00a0to view detailed information about each scanner).<\/p>\n
$ sudo tcpflow -e http\r\nOR\r\n$ sudo tcpflow -e md5\r\nOR\r\n$ sudo tcpflow -e netviz\r\nOR\r\n$ sudo tcpflow -e tcpdemux\r\nOR\r\n$ sudo tcpflow -e wifiviz\r\n<\/pre>\n
The following example show how to enable all scanners except tcpdemux.<\/p>\n
$ sudo tcpflow -a -x tcpdemux \r\n<\/pre>\n
TCPflow usually tries to put the network interface into promiscuous mode before capturing packets. You can prevent this using the\u00a0-p<\/code>\u00a0flag as shown.<\/p>\n
$ sudo tcpflow -p -i eth0\r\n<\/pre>\n
To read packets from a tcpdump pcap file, use the\u00a0-r<\/code>\u00a0flag.<\/p>\n
$ sudo tcpflow -f file.pcap\r\n<\/pre>\n
You can enable verbose mode using the\u00a0-v<\/code>\u00a0or\u00a0-d 10<\/code>\u00a0options.<\/p>\n
$ sudo tcpflow -v\r\nOR\r\n$ sudo tcpflow -d 10\r\n<\/pre>\n
Important<\/strong>: One limitation of\u00a0tcpflow<\/strong>\u00a0is that, at the present time it does not understand IP fragments, thus data transmitted as part of TCP connections containing IP fragments will not be properly captured.<\/p>\n
For more information and usage options, see the\u00a0tcpflow<\/strong>\u00a0man page.<\/p>\n
$ man tcpflow \r\n<\/pre>\n
TCPflow Github repository<\/strong>:\u00a0https:\/\/github.com\/simsong\/tcpflow<\/a><\/p>\n
That\u2019s all for now!\u00a0TCPflow<\/strong>\u00a0is a powerful TCP flow recorder which is useful for understanding network packet flows and performing network forensics, and so much more. Try it out and share your thoughts about it with us in the comments.<\/p>\n
Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
TCPflow\u00a0is a free, open source, powerful command line based tool for analyzing network traffic on Unix-like systems such as Linux. It captures data received or transferred over TCP connections, and stores it in a file for later analysis, in a useful format that allows for protocol analysis and debugging. Read Also:\u00a016 Best Bandwidth Monitoring Tools … <\/p>\n
Continue reading “TCPflow \u2013 Analyze and Debug Network Traffic in Linux”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11541","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=11541"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11541\/revisions"}],"predecessor-version":[{"id":11542,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11541\/revisions\/11542"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=11541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=11541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=11541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}