Overview
tcpflow is a sophisticated command-line tool that captures and reconstructs TCP flows from network traffic. Unlike packet-level tools, tcpflow operates at the flow level, automatically reassembling TCP segments into coherent data streams. This makes it ideal for network forensics, traffic analysis, and payload extraction during security assessments and incident response.
Installation
Debian/Ubuntu
sudo apt-get update
sudo apt-get install tcpflow
macOS
brew install tcpflow
From Source
git clone https://github.com/simsong/tcpflow.git
cd tcpflow
./configure
make
sudo make install
Verify Installation
tcpflow -V
tcpflow -h
Basic Syntax
| Command | Description |
|---|---|
| tcpflow [options] [filter] | Capture and reconstruct TCP flows |
| tcpflow -i eth0 | Capture on specific interface |
| tcpflow -r pcapfile | Read from pcap file |
| tcpflow -h | Display help menu (-hh for the full option list) |
| tcpflow -V | Show version information |
Interface Capture
List Available Interfaces
ip link show
# or
ifconfig
Capture on Specific Interface
tcpflow -i eth0
tcpflow -i wlan0
Capture All Interfaces
sudo tcpflow -i any
Background Capture
sudo tcpflow -i eth0 -o /tmp/flows &
| Option | Function |
|---|---|
| -i interface | Specify network interface |
| -i any | Capture on all interfaces (Linux pseudo-interface, requires root) |
| command & | Run in background (shell job control; tcpflow has no background flag) |
| -o directory | Write output to specific directory |
Packet Filtering
Basic TCP Filtering
# Capture HTTP traffic only
sudo tcpflow -i eth0 'tcp port 80'
# Capture HTTPS traffic
sudo tcpflow -i eth0 'tcp port 443'
# Capture specific source IP
sudo tcpflow -i eth0 'src 192.168.1.100'
Complex Filters
# Traffic between two hosts
sudo tcpflow -i eth0 'host 192.168.1.10 and host 192.168.1.20'
# Exclude specific traffic
sudo tcpflow -i eth0 'not port 53'
# Multiple ports
sudo tcpflow -i eth0 'tcp port 22 or tcp port 3389'
# Subnet-based filtering
sudo tcpflow -i eth0 'net 192.168.1.0/24'
Combined Filters
# HTTP traffic from specific network
sudo tcpflow -i eth0 'tcp port 80 and src net 192.168.0.0/16'
# HTTPS to specific host
sudo tcpflow -i eth0 'tcp port 443 and dst 10.0.0.5'
| Filter Type | Example |
|---|---|
| port N | tcp port 80 |
| host IP | src 192.168.1.1 |
| net CIDR | net 10.0.0.0/8 |
| not filter | not port 53 |
| and/or | port 80 and host 192.168.1.1 |
Output Options
Specify Output Directory
# Write flows to directory (-o; note that -d sets the debug level, not a directory)
sudo tcpflow -i eth0 -o /tmp/tcpflow_output
# Flows organized by IP:port pairs, one file per direction
ls /tmp/tcpflow_output/
# Console output (live): -c prints flows to stdout and does not create files
sudo tcpflow -i eth0 -c
# Suppress warnings, only write to files
sudo tcpflow -i eth0 -q -o /tmp/flows
# Console output in hex (-D); console and file output cannot be combined, -c disables files
sudo tcpflow -i eth0 -c -D
Machine-Readable Report (DFXML)
# tcpflow writes a DFXML report (report.xml) into the output directory by default; -X chooses the path
sudo tcpflow -i eth0 -o /tmp/flows -X /tmp/flows/report.xml
Flow Naming
# Default template: %A.%a-%B.%b (src_ip.src_port-dst_ip.dst_port), octets and ports zero-padded
# Example: 192.168.001.100.52341-172.217.014.206.00080
# Custom filename template (-T); tcpflow -hh lists the format codes
sudo tcpflow -i eth0 -o /tmp/flows -T '%A.%a-%B.%b'
| Option | Function |
|---|---|
| -o dir | Output directory (default: current directory) |
| -c | Print flows to console only (no files written) |
| -q | Quiet mode (suppress warnings) |
| -T template | Filename template (see -hh) |
| -X file | Write the DFXML report to file |
| -e scanner | Enable a post-processing scanner (e.g. -e http) |
Reading Pcap Files
Basic Pcap Analysis
# Analyze existing pcap file
tcpflow -r capture.pcap
# Extract flows to directory
tcpflow -r capture.pcap -o /tmp/flows
# Extract with output to console
tcpflow -r capture.pcap -c
Processing Multiple Pcap Files
# Process all pcap files in directory
for file in *.pcap; do
  tcpflow -r "$file" -o "flows_${file%.pcap}"
done
Pcap with Filtering
# Extract HTTP flows from pcap
tcpflow -r capture.pcap 'tcp port 80'
# Extract specific host traffic
tcpflow -r capture.pcap -o /tmp/flows 'host 192.168.1.100'
# Extract and save to file
tcpflow -r capture.pcap -c > analysis.txt
Flow Analysis
# List an extracted flow file (names are zero-padded: ip.port-ip.port)
ls -la 192.168.001.100.52341-172.217.014.206.00080
# Display flow content
cat 192.168.001.100.52341-172.217.014.206.00080
# View in hex
hexdump -C 192.168.001.100.52341-172.217.014.206.00080
Search in Flows
# Find specific strings in flows
grep -r "password" /tmp/flows/
# Search for HTTP requests
grep -r "GET\|POST" /tmp/flows/
# Find email addresses
grep -r "@" /tmp/flows/ | grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}'
Flow Statistics
# Count flow files (tcpflow also writes report.xml into the output directory)
ls -1 /tmp/flows/ | grep -vc '^report\.xml$'
# Sort by file size
ls -lSr /tmp/flows/
# Directory size
du -sh /tmp/flows/
| Command | Purpose |
|---|---|
| cat file | Display flow contents |
| hexdump -C file | Show hex/ASCII dump |
| strings file | Extract readable strings |
| grep pattern * | Search in flows |
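Beyond counting files and sorting by size, the question in triage is usually "which services did the traffic go to, and how much data went each way?". The following script is an added example, not part of this page or of tcpflow: it tallies flow files per destination port from the default zero-padded file names (template %A.%a-%B.%b, IPv4 only, optional cN repeat-counter suffix) and skips tcpflow's report.xml. The sample directory it builds is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not tcpflow's own code): summarize a tcpflow output directory by
# destination port. Assumes default IPv4 file names (%A.%a-%B.%b, zero-padded),
# optionally ending in tcpflow's "cN" repeat counter; report.xml is skipped.

# summarize_flows DIR -> lines of "port flows bytes", sorted by port
summarize_flows() {
    find "$1" -maxdepth 1 -type f -name '[0-9]*-[0-9]*' -exec wc -c {} + |
    awk '
        $2 == "total" { next }                 # wc adds a total line for many files
        {
            n = split($2, parts, "/"); f = parts[n]       # base name of the flow file
            sub(/c[0-9]+$/, "", f)                         # drop the repeat counter
            split(f, fld, /[.-]/)                          # 4 octets, port, 4 octets, port
            port = fld[10] + 0                             # "00080" -> 80
            flows[port]++
            bytes[port] += $1
        }
        END { for (p in flows) printf "%d %d %d\n", p, flows[p], bytes[p] }
    ' | sort -n
}

# Constructed sample directory standing in for a real capture.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%100s' '' > "$d/192.168.001.100.52341-172.217.014.206.00080"     # client -> :80, 100 B
    printf '%500s' '' > "$d/172.217.014.206.00080-192.168.001.100.52341"     # :80 -> client, 500 B
    printf '%50s'  '' > "$d/192.168.001.100.52342-172.217.014.206.00080c1"   # second connection, 50 B
    printf '<dfxml/>' > "$d/report.xml"                                      # tcpflow's report, not a flow
    printf '%s\n' "$d"
}

# Stand-alone demo: prints "80 2 150" and "52341 1 500"
sample=$(make_sample_dir)
summarize_flows "$sample"
rm -rf "$sample"
```

On a real output directory, run `summarize_flows /tmp/flows`. Because each direction of a connection is its own file, the client ports show up as destinations too; the server->client rows (large byte counts on high, ephemeral ports) are usually the downloads worth opening first.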
Advanced Options
Verbose Output
# Detailed output (-v is equivalent to -d 10)
sudo tcpflow -i eth0 -v
# Explicit debug level (-d takes a number, not a directory)
sudo tcpflow -i eth0 -d 5
# Debug output while writing flows to a directory
sudo tcpflow -i eth0 -o /tmp/flows -d 10
# Enable the HTTP scanner: decodes responses (gzip, chunked) and writes the bodies
sudo tcpflow -i eth0 -e http
# Extract with directory output
sudo tcpflow -i eth0 -e http -o /tmp/payloads
# Same, with warnings suppressed
sudo tcpflow -i eth0 -e http -o /tmp/payloads -q
Post-Processing Control
# Default: reassemble flows only, no scanner post-processing
sudo tcpflow -i eth0
# Run all post-processing scanners (-a)
sudo tcpflow -i eth0 -a
Promiscuous Mode
# -p turns promiscuous mode off: only traffic addressed to this host is captured
sudo tcpflow -i eth0 -p
# Offline pcaps are not affected by promiscuous mode
tcpflow -r capture.pcap
Practical Workflow Examples
HTTP Traffic Analysis
# Capture HTTP traffic
sudo tcpflow -i eth0 -o /tmp/http_flows 'tcp port 80'
# Search for credentials or sensitive data
grep -r "password\|Authorization\|session" /tmp/http_flows/
# Extract URLs from GET requests
grep -r "GET\|POST" /tmp/http_flows/ | head -20
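The grep above shows matching lines but not which host each request went to. The following is an added example, not from this page or from tcpflow: it pairs each request line with the Host header that follows it and prints one absolute URL per request, which is what an analyst wants to diff against proxy logs or a blocklist. It assumes cleartext HTTP/1.x flow files (client->server direction); the sample flow is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the page or tcpflow): turn the request lines and Host
# headers in client->server flow files into one "METHOD URL" line per request.
# Assumes HTTP/1.x in the clear (port 80 flows), CRLF or LF line endings.

# list_http_requests [FILE...]: reads the given flow files (or stdin)
list_http_requests() {
    awk '
        # Request line: remember method and target, wait for the Host header
        /^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) [^ ]+ HTTP\/1\.[01]\r?$/ {
            method = $1; target = $2; next
        }
        # Host header of the pending request: emit the absolute URL
        method != "" && tolower($1) == "host:" {
            host = $2; sub(/\r$/, "", host)
            printf "%s http://%s%s\n", method, host, target
            method = ""
        }
    ' "$@"
}

# Constructed client->server flow content (not a real capture).
sample_http_flow() {
    printf 'GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n'
    printf 'POST /login HTTP/1.1\r\nHost: app.example.com\r\nContent-Length: 0\r\n\r\n'
}

# Stand-alone demo. On a real directory, select the client->server files by their
# destination port suffix:  list_http_requests /tmp/http_flows/*-*.00080*
sample_http_flow | list_http_requests
```

The glob `*-*.00080*` picks the files whose second address ends in port 80, i.e. the client->server direction, so responses are never mistaken for requests.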
Email Protocol Analysis
# Capture SMTP traffic
sudo tcpflow -i eth0 -o /tmp/smtp 'tcp port 25'
# Capture POP3 traffic
sudo tcpflow -i eth0 -o /tmp/pop3 'tcp port 110'
# Capture IMAP traffic
sudo tcpflow -i eth0 -o /tmp/imap 'tcp port 143'
Database Connection Forensics
# Capture MySQL traffic
sudo tcpflow -i eth0 -o /tmp/mysql_flows 'tcp port 3306'
# Capture MSSQL traffic
sudo tcpflow -i eth0 -o /tmp/mssql_flows 'tcp port 1433'
# Analyze query patterns
grep -r "SELECT\|INSERT\|UPDATE" /tmp/mysql_flows/
Incident Response Analysis
# Capture all traffic during incident (-c would disable file output, so it is omitted here)
sudo tcpflow -i eth0 -o /tmp/incident_capture
# Focus on external communications
sudo tcpflow -i eth0 -o /tmp/external 'src net 192.168.0.0/16 and not dst net 192.168.0.0/16'
# Combine with pcap for complete record
sudo tcpdump -i eth0 -w incident.pcap &
sudo tcpflow -i eth0 -o /tmp/flows &
Multi-Interface Monitoring
# Monitor primary interface
sudo tcpflow -i eth0 -o /tmp/eth0_flows &
# Monitor secondary interface
sudo tcpflow -i eth1 -o /tmp/eth1_flows &
# Monitor all simultaneously
sudo tcpflow -i any -o /tmp/all_flows &
Output Interpretation
source_ip.source_port-destination_ip.destination_port (octets and ports zero-padded)
192.168.001.100.52341-172.217.014.206.00080
HTTP Flow Content
GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Connection: close
[Response content]
Session Reconstruction
- Request/Response Pairs: the file named client.port-server.port holds the client->server data; the file with the two endpoints swapped holds the server->client data
- Multiple Flows: two files per TCP connection, one per direction
- Timing Information: not stored in the flow files; run tcpdump in parallel if packet timestamps are needed
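Because every connection is split across two files whose names are the mirror image of each other, reading a session means locating the partner file and decoding the zero-padded name. The script below is an added example, not part of this page or of tcpflow. It assumes the default file-name template (%A.%a-%B.%b%V%v%C%c) with IPv4 addresses, where a trailing cN is tcpflow's repeat-connection counter; VLAN-tagged names are not handled.

```shell
#!/bin/sh
# Added example (not part of tcpflow): decode tcpflow's default flow file names.
# Assumes the default template %A.%a-%B.%b%V%v%C%c with IPv4 addresses, where
# octets and ports are zero-padded and a trailing "cN" marks the N-th repeat of
# the same 4-tuple. VLAN-tagged names (%V%v) are not handled here.

# Print a zero-padded decimal field as a plain number ("00080" -> 80).
unpad_num() {
    awk -v n="$1" 'BEGIN { printf "%d\n", n }'
}

# Print a zero-padded dotted IPv4 address in its usual form.
unpad_ip() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d.%d.%d.%d\n", $1, $2, $3, $4 }'
}

# parse_flow_name NAME -> "SRC:PORT -> DST:PORT" (plus the repeat counter if any)
parse_flow_name() {
    name=$(basename "$1")
    case "$name" in
        *c[0-9]*) counter=${name##*c}; core=${name%c*} ;;
        *)        counter=0;           core=$name ;;
    esac
    src=${core%-*}           # e.g. 192.168.001.100.52341
    dst=${core#*-}           # e.g. 172.217.014.206.00080
    sip=$(unpad_ip "${src%.*}");  sport=$(unpad_num "${src##*.}")
    dip=$(unpad_ip "${dst%.*}");  dport=$(unpad_num "${dst##*.}")
    printf '%s:%s -> %s:%s' "$sip" "$sport" "$dip" "$dport"
    if [ "$counter" -gt 0 ]; then printf ' (connection #%s)' "$counter"; fi
    printf '\n'
}

# reverse_flow_name NAME -> file name of the opposite direction of the same connection
reverse_flow_name() {
    name=$(basename "$1")
    case "$name" in
        *c[0-9]*) suffix=c${name##*c}; core=${name%c*} ;;
        *)        suffix="";           core=$name ;;
    esac
    printf '%s-%s%s\n' "${core#*-}" "${core%-*}" "$suffix"
}

# show_session FILE: print both directions of the connection FILE belongs to.
show_session() {
    dir=$(dirname "$1")
    echo "== $(parse_flow_name "$1") =="
    cat "$1"
    other="$dir/$(reverse_flow_name "$1")"
    if [ -f "$other" ]; then
        echo "== $(parse_flow_name "$other") =="
        cat "$other"
    fi
}

# Demo on a constructed file name (no capture needed):
parse_flow_name "192.168.001.100.52341-172.217.014.206.00080"
```

`show_session /tmp/flows/192.168.001.100.52341-172.217.014.206.00080` prints the request file followed by its response file; a missing partner file is itself a finding (one-sided capture, or a connection that never got a reply).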
With tcpdump
# Capture pcap while analyzing flows
sudo tcpdump -i eth0 -w capture.pcap &
sudo tcpflow -i eth0 -c
With Wireshark
# Pre-filter the pcap with tcpdump, then open the result in Wireshark for GUI analysis
tcpdump -r capture.pcap -w http_only.pcap 'tcp port 80'
wireshark http_only.pcap
With Strings and Grep
# Extract readable strings from all flows
strings /tmp/flows/* | grep -i "password\|credit\|api"
# Find suspicious patterns
grep -r "exec\|cmd\|shell" /tmp/flows/
Automation Scripts
Continuous Monitoring
#!/bin/bash
INTERFACE="eth0"
OUTPUT_DIR="/var/log/tcpflow_$(date +%Y%m%d)"
mkdir -p "$OUTPUT_DIR"
sudo tcpflow -i "$INTERFACE" -o "$OUTPUT_DIR" -q
echo "Capture started: $OUTPUT_DIR"
Batch Pcap Processing
#!/bin/bash
for pcap in *.pcap; do
echo "Processing: $pcap"
  tcpflow -r "$pcap" -o "flows_${pcap%.pcap}" -q
echo "Completed: $pcap"
done
Threat Pattern Detection
#!/bin/bash
FLOWS_DIR="/tmp/flows"
echo "Searching for suspicious patterns..."
# -l lists matching files, -F matches the patterns as literal strings (so "../../" is not a regex)
grep -rlF -e 'DROP TABLE' -e '; DROP' -e 'xp_cmdshell' "$FLOWS_DIR" && echo "SQL Injection detected"
grep -rlF -e '<script' -e 'onclick' -e 'javascript:' "$FLOWS_DIR" && echo "XSS attempts detected"
grep -rlF -e '../../' -e '..\..\' "$FLOWS_DIR" && echo "Path traversal detected"
Common Flags Reference
| Flag | Description |
|---|---|
| -i interface | Specify interface to capture on |
| -r file | Read from pcap file |
| -o directory | Output directory for flows |
| -c | Print flows to console only (no files) |
| -q | Quiet mode (suppress warnings) |
| -e scanner | Enable a post-processing scanner (e.g. http) |
| -v | Verbose output (same as -d 10) |
| -d level | Debug level |
| -p | Do not use promiscuous mode |
| -a | Run all post-processing scanners |
Troubleshooting
Permission Denied
# Requires root/sudo for live capture
sudo tcpflow -i eth0
# Use pcap file (doesn't require sudo)
tcpflow -r existing_capture.pcap
No Flows Captured
# Verify interface exists
ip link show
# Check filter syntax
sudo tcpflow -i eth0 'port 80' -c
# Ensure traffic exists on interface (stop after 10 packets)
sudo tcpdump -i eth0 -n -c 10
Large Output Files
# Limit capture time
timeout 300 sudo tcpflow -i eth0 -o /tmp/flows
# Use filters to reduce data
sudo tcpflow -i eth0 -o /tmp/flows 'tcp port 80'
Reassembly Issues
# Verify pcap integrity
tcpdump -r capture.pcap -n | head
# Use verbose mode to diagnose
tcpflow -r capture.pcap -v -c | head
- tcpdump — Packet capture and filtering
- Wireshark — Interactive packet analyzer
- tshark — Command-line Wireshark
- ngrep — Network grep for pattern matching
- Suricata — Network threat detection engine