tcpflow — A TCP Flow Recorder
Downloads and Documentation
The most recent version of tcpflow is v1.1, released 28 Jan 2012. You can also see the history of previous releases.
tcpflow is free software, distributed under the GNU General Public License (GPL); see the file COPYING (in the distribution) for details.
Sources and “Official” Builds
Contributed Builds and Packages (off-site)
- Packages for Slackware contributed by Kanedaaa
- Debian package by Robert McQueen
- Fedora Package by Terje Røsten
- FreeBSD Port by Jose M. Alcaide
- OpenBSD Package(it’s in there somewhere)
- Solaris 8 SPARC Binary for v0.12 from SunFreeware.com
- Mac OS X package by Marc Liyanage
What is tcpflow?
tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored ‘tcpdump’ packet flows.
tcpflow is similar to ‘tcpdump’, in that both process packets from the wire or from a stored file. But it’s different in that it reconstructs the actual data streams and stores each flow in a separate file for later analysis.
tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. Version 1.0 adds support for VLAN demultiplexing. However, tcpflow currently does not understand IP fragments; flows containing IP fragments will not be recorded properly.
tcpflow is based on the LBL Packet Capture Library (available from LBL) and therefore supports the same rich filtering expressions that programs like ‘tcpdump’ support. It should compile under most popular versions of UNIX; see the INSTALL file for details.
tcpflow stores all captured data in files that have names of the form:
128.129.130.131.02345-010.011.012.013.45103[VLAN]
where the contents of the above file would be data transmitted from host 128.129.131.131 port 2345, to host 10.11.12.13 port 45103. VLAN information, if provided is stored in brackets.
What use is it?
Simson Garfinkel uses tcpflow to analyze IP packets that were captured by packet sniffers or that were left in memory of computer systems under analysis. Jeremy Elson originally wrote this program to capture the data being sent by various programs that use undocumented network protocols in an attempt to reverse engineer those protocols. RealPlayer (and most other streaming media players), ICQ, and AOL IM are good examples of this type of application. It was later used for HTTP protocol analysis.
Bugs and Limitations
Please send bug reports to simsong@acm.org.
tcpflow currently does not understand IP fragments. Flows containing IP fragments will not be recorded correctly.
Release History
You can read the more detailed ChangeLog if you like.
- Version 1.1.0 (January 29, 2012)
- C++ rewrite; improved performance; DFXML output
- Version 1.0.0 (September 25, 2011)
- Applied patches from Debian repository.
- VLAN support added
- IPv6 support added
- Autoconf script created
- Now compiles on modern Linux and MacOS.
- Version 0.21 (August 7, 2003)
- Security fix (format string attack, reported by David Goldsmith
from atstake.com) - PPP interfaces supported
- Version 0.20 (Feburary 26, 2001)
- Graceful termination (does not leave interface in promisc mode)
- Can read from a tcpdump capture file in addition to a live
interface - Fixed broken use of fgetpos/fsetpos
- Now distributed in RPM form
- Version 0.12 (April 20, 1999)
- Now compiles under IRIX, and using non-GCC compilers.
- Workaround for the Linux/libpcap bug that prevented tcpflow from listening to packets on the Linux loopback interface. It’s not perfect — it appears impossible to install a libpcap filtering expression when listening to the Linux loopback interface. Thus, *all* flows on that interface are recorded. Someday I may try to fix either libpcap or the Linux kernel so that this workaround is not necessary.
- Version 0.11 (April 13, 1999)
- Support for older (libc5) Linux systems (submitted by Johnny Tevessen).
- Some minor fixes.
- Version 0.10 (April 12, 1999)
- First public release.