
tcpflow

tcpflow is a sophisticated command-line tool that captures and reconstructs TCP flows from network traffic. Unlike packet-level tools, tcpflow operates at the flow level, automatically reassembling TCP segments into coherent data streams. This makes it ideal for network forensics, traffic analysis, and payload extraction during security assessments and incident response.

sudo apt-get update
sudo apt-get install tcpflow
brew install tcpflow
git clone https://github.com/simsong/tcpflow.git
cd tcpflow
./configure
make
sudo make install
tcpflow --version
tcpflow -h
| Command | Description |
| --- | --- |
| `tcpflow [options] [filter]` | Capture and reconstruct TCP flows |
| `tcpflow -i eth0` | Capture on specific interface |
| `tcpflow -r pcapfile` | Read from pcap file |
| `tcpflow -h` | Display help menu |
| `tcpflow -V` | Show version information |
tcpflow -i -h
# or
ifconfig
ip link show
tcpflow -i eth0
tcpflow -i wlan0
sudo tcpflow -i any
sudo tcpflow -i any
sudo tcpflow -i eth0 -d /tmp/flows &
| Option | Function |
| --- | --- |
| `-i interface` | Specify network interface |
| `-i any` | Capture on all interfaces (requires root) |
| `-B` | Run in background |
| `-d directory` | Write output to specific directory |
# Capture HTTP traffic only
sudo tcpflow -i eth0 'tcp port 80'

# Capture HTTPS traffic
sudo tcpflow -i eth0 'tcp port 443'

# Capture specific source IP
sudo tcpflow -i eth0 'src 192.168.1.100'
# Traffic between two hosts
sudo tcpflow -i eth0 'host 192.168.1.10 and host 192.168.1.20'

# Exclude specific traffic
sudo tcpflow -i eth0 'not port 53'

# Multiple ports
sudo tcpflow -i eth0 'tcp port 22 or tcp port 3389'

# Subnet-based filtering
sudo tcpflow -i eth0 'net 192.168.1.0/24'
# HTTP traffic from specific network
sudo tcpflow -i eth0 'tcp port 80 and src net 192.168.0.0/16'

# HTTPS to specific host
sudo tcpflow -i eth0 'tcp port 443 and dst 10.0.0.5'
| Filter Type | Example |
| --- | --- |
| `port N` | `tcp port 80` |
| `host IP` | `src 192.168.1.1` |
| `net CIDR` | `net 10.0.0.0/8` |
| `not filter` | `not port 53` |
| `and` / `or` | `port 80 and host 192.168.1.1` |
# Write flows to directory
sudo tcpflow -i eth0 -d /tmp/tcpflow_output

# Flows organized by IP:port pairs
ls /tmp/tcpflow_output/
# Console output (live)
sudo tcpflow -i eth0 -c

# Suppress console, only write to files
sudo tcpflow -i eth0 -q -d /tmp/flows

# Console and file output
sudo tcpflow -i eth0 -c -d /tmp/flows
# Generate JSON-formatted flow data
sudo tcpflow -i eth0 -F json -d /tmp/flows
# Default: source_ip.source_port-destination_ip.destination_port
# Example: 192.168.1.100.52341-172.217.14.206.80

# Custom separator
sudo tcpflow -i eth0 -c
| Option | Function |
| --- | --- |
| `-d dir` | Output directory |
| `-c` | Print to console |
| `-q` | Quiet mode (no console output) |
| `-F format` | Output format (json, ascii) |
| `-e` | Decode and display payloads |
# Analyze existing pcap file
tcpflow -r capture.pcap

# Extract flows to directory
tcpflow -r capture.pcap -d /tmp/flows

# Extract with output to console
tcpflow -r capture.pcap -c
# Process all pcap files in directory
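# Reconstruct flows from every pcap in the current directory, one output
# directory per capture (flows_<capture name>).
for file in *.pcap; do
  [[ -e "$file" ]] || continue   # no *.pcap present: skip the unexpanded pattern instead of handing it to tcpflow
  # -o selects the output directory in tcpflow 1.x (-d sets the debug level);
  # the target is quoted so a capture name containing spaces stays one argument.
  tcpflow -r "$file" -o "flows_${file%.pcap}"
done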
# Extract HTTP flows from pcap
tcpflow -r capture.pcap 'tcp port 80'

# Extract specific host traffic
tcpflow -r capture.pcap 'host 192.168.1.100' -d /tmp/flows

# Extract and save to file
tcpflow -r capture.pcap -c > analysis.txt
# List extracted flow files
ls -la 192.168.1.100.52341-172.217.14.206.80

# Display flow content
cat 192.168.1.100.52341-172.217.14.206.80

# View in hex
hexdump -C 192.168.1.100.52341-172.217.14.206.80
# Find specific strings in flows
grep -r "password" /tmp/flows/

# Search for HTTP requests
grep -r "GET\|POST" /tmp/flows/

# Find email addresses
grep -r "@" /tmp/flows/ | grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
# Count total flows
ls -1 | wc -l

# Sort by file size
ls -lSr

# Directory size
du -sh /tmp/flows/
| Command | Purpose |
| --- | --- |
| `cat file` | Display flow contents |
| `hexdump -C file` | Show hex/ASCII dump |
| `strings file` | Extract readable strings |
| `grep pattern *` | Search in flows |
# Detailed output
sudo tcpflow -i eth0 -v

# Very verbose
sudo tcpflow -i eth0 -vv

# Debug output
sudo tcpflow -i eth0 -d /tmp/flows -D
# Display reassembled payloads
sudo tcpflow -i eth0 -e

# Extract with directory output
sudo tcpflow -i eth0 -e -d /tmp/payloads

# Show only payloads, minimal headers
sudo tcpflow -i eth0 -e -q
# Capture established connections only
sudo tcpflow -i eth0

# Include all TCP states
sudo tcpflow -i eth0 -a
# Passive capture without disruption
sudo tcpflow -i eth0 -p

# Read from offline pcap
tcpflow -r capture.pcap -p
# Capture HTTP traffic
sudo tcpflow -i eth0 'tcp port 80' -d /tmp/http_flows

# Search for credentials or sensitive data
grep -r "password\|Authorization\|session" /tmp/http_flows/

# Extract URLs from GET requests
grep -r "GET\|POST" /tmp/http_flows/ | head -20
# Capture SMTP traffic
sudo tcpflow -i eth0 'tcp port 25' -d /tmp/smtp

# Capture POP3 traffic
sudo tcpflow -i eth0 'tcp port 110' -d /tmp/pop3

# Capture IMAP traffic
sudo tcpflow -i eth0 'tcp port 143' -d /tmp/imap
# Capture MySQL traffic
sudo tcpflow -i eth0 'tcp port 3306' -d /tmp/mysql_flows

# Capture MSSQL traffic
sudo tcpflow -i eth0 'tcp port 1433' -d /tmp/mssql_flows

# Analyze query patterns
grep -r "SELECT\|INSERT\|UPDATE" /tmp/mysql_flows/
# Capture all traffic during incident
sudo tcpflow -i eth0 -d /tmp/incident_capture -c

# Focus on external communications
sudo tcpflow -i eth0 'src net 192.168.0.0/16 and not dst net 192.168.0.0/16' -d /tmp/external

# Combine with pcap for complete record
sudo tcpdump -i eth0 -w incident.pcap &
sudo tcpflow -i eth0 -d /tmp/flows &
# Monitor primary interface
sudo tcpflow -i eth0 -d /tmp/eth0_flows &

# Monitor secondary interface
sudo tcpflow -i eth1 -d /tmp/eth1_flows &

# Monitor all simultaneously
sudo tcpflow -i any -d /tmp/all_flows &
source_ip.source_port-destination_ip.destination_port
192.168.1.100.52341-172.217.14.206.80
GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Connection: close

[Response content]
  • Request/Response Pairs: First direction is client->server, second is server->client
  • Multiple Flows: One file per TCP connection
  • Timing Information: Captured by tcpdump if used in parallel
# Capture pcap while analyzing flows
sudo tcpdump -i eth0 -w capture.pcap &
sudo tcpflow -i eth0 -c
# Create pcap from captured flows
# Then open in Wireshark for GUI analysis
tcpdump -r capture.pcap -w analyzed.pcap
wireshark analyzed.pcap
# Extract readable strings from all flows
strings /tmp/flows/* | grep -i "password\|credit\|api"

# Find suspicious patterns
grep -r "exec\|cmd\|shell" /tmp/flows/
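#!/bin/bash
# Start a quiet tcpflow capture on one interface and store the reconstructed
# flows in a dated directory under /var/log.
# Usage: <this script> [interface]   (default: eth0)
# Flow files contain reconstructed payloads (credentials, cookies, mail
# bodies), so the output directory is created owner-only (0700).
set -euo pipefail

#######################################
# Create the dated output directory and run the capture in the foreground.
# Arguments: $1 - interface to capture on (optional, default eth0)
# Outputs:   one "Capture started" line on stdout before tcpflow runs
# Returns:   tcpflow's exit status
#######################################
main() {
  local interface=${1:-eth0}
  local output_dir
  output_dir="/var/log/tcpflow_$(date +%Y%m%d)"

  # /var/log is normally writable only by root, so the directory is created
  # with the same privilege tcpflow runs under; -m 0700 keeps other users out.
  sudo mkdir -p -m 0700 -- "$output_dir"
  # Announce before the capture: tcpflow blocks until interrupted, so a
  # message printed after it would only appear once the capture has ended.
  printf 'Capture started: %s\n' "$output_dir"
  # -o selects the output directory in tcpflow 1.x (-d sets the debug level);
  # -q keeps the console quiet.
  sudo tcpflow -i "$interface" -o "$output_dir" -q
}

main "$@"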
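#!/bin/bash
# Reconstruct flows from every *.pcap in the current directory; each capture
# gets its own output directory, flows_<capture name>.
# Usage: <this script>   (run inside the directory holding the captures)
set -euo pipefail
shopt -s nullglob   # no *.pcap present: the loop runs zero times instead of on the literal "*.pcap"

#######################################
# Reconstruct one capture into flows_<capture name>.
# Arguments: $1 - pcap file
# Returns:   tcpflow's exit status
#######################################
extract_one() {
  local pcap=$1
  # -o selects the output directory in tcpflow 1.x (-d sets the debug level);
  # -q keeps the console quiet while extracting.
  tcpflow -r "$pcap" -o "flows_${pcap%.pcap}" -q
}

#######################################
# Process every *.pcap in the current directory, reporting each result.
# Outputs:   progress lines on stdout, failures on stderr
# Returns:   0 if every capture was processed, 1 if any extraction failed
#######################################
main() {
  local pcap failed=0
  for pcap in *.pcap; do
    printf 'Processing: %s\n' "$pcap"
    # tcpflow's exit status decides the message, so a failed extraction is
    # reported as such and the batch continues with the next capture.
    if extract_one "$pcap"; then
      printf 'Completed: %s\n' "$pcap"
    else
      printf 'Failed: %s\n' "$pcap" >&2
      failed=1
    fi
  done
  return "$failed"
}

main "$@"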
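#!/bin/bash
# Heuristic sweep of reconstructed flow files for strings commonly seen in
# SQL injection, cross-site scripting and path traversal attempts.
# Usage: <this script> [flows_dir]   (default: /tmp/flows)
# Flow files are raw payloads, so hits are reported as file names (grep -l)
# rather than as matching lines; inspect a listed file with strings/hexdump.
# Patterns are literal strings (grep -F): "\|" alternation is a GNU-only
# regex extension, and a path-traversal pattern written in double quotes
# ends in an escaped quote that leaves the whole line unterminated.
set -uo pipefail   # no -e: grep returns 1 when nothing matches, which is a normal result here

#######################################
# Search one directory for a family of literal patterns and report a hit.
# Arguments: $1 - directory to search
#            $2 - message printed when any pattern matches
#            $3.. - literal strings to look for
# Outputs:   names of matching files, then the message, on stdout
# Returns:   0 if at least one file matched, 1 otherwise
#######################################
report_hits() {
  local dir=$1 label=$2
  shift 2
  local -a pattern_args=()
  local p
  for p in "$@"; do
    pattern_args+=(-e "$p")
  done
  if grep -rlF "${pattern_args[@]}" -- "$dir"; then
    printf '%s\n' "$label"
    return 0
  fi
  return 1
}

#######################################
# Run the three pattern families against the flow directory.
# Arguments: $1 - flow directory (optional, default /tmp/flows)
# Returns:   0 after a completed scan (hits or not), 1 if the directory is missing
#######################################
main() {
  local flows_dir=${1:-/tmp/flows}
  if [[ ! -d "$flows_dir" ]]; then
    printf 'No such directory: %s\n' "$flows_dir" >&2
    return 1
  fi
  printf 'Searching for suspicious patterns...\n'
  report_hits "$flows_dir" "SQL Injection detected" 'DROP TABLE' '; DROP' 'xp_cmdshell'
  report_hits "$flows_dir" "XSS attempts detected" '<script' 'onclick' 'javascript:'
  report_hits "$flows_dir" "Path traversal detected" '../../' '..\..\'
  # A clean scan is a successful scan; only a missing directory is an error.
  return 0
}

main "$@"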
| Flag | Description |
| --- | --- |
| `-i interface` | Specify interface to capture on |
| `-r file` | Read from pcap file |
| `-d directory` | Output directory for flows |
| `-c` | Print to console |
| `-q` | Quiet mode |
| `-e` | Extract payloads |
| `-v` | Verbose output |
| `-F format` | Output format |
| `-p` | Passive mode |
| `-a` | All connections |
# Requires root/sudo for live capture
sudo tcpflow -i eth0

# Use pcap file (doesn't require sudo)
tcpflow -r existing_capture.pcap
# Verify interface exists
ip link show

# Check filter syntax
sudo tcpflow -i eth0 'port 80' -c

# Ensure traffic exists on interface
tcpdump -i eth0 -n
# Limit capture time
timeout 300 sudo tcpflow -i eth0 -d /tmp/flows

# Use filters to reduce data
sudo tcpflow -i eth0 'tcp port 80' -d /tmp/flows
# Verify pcap integrity
tcpdump -r capture.pcap -n | head

# Use verbose mode to diagnose
tcpflow -r capture.pcap -v -c | head
  • tcpdump — Packet capture and filtering
  • Wireshark — Interactive packet analyzer
  • tshark — Command-line Wireshark
  • ngrep — Network grep for pattern matching
  • Suricata — Network threat detection engine