tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like ‘tcpdump’ shows a summary of packets seen on the wire, but usually doesn’t store the data that’s actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently does not understand IP fragments; flows containing IP fragments will not be recorded properly.
tcpflow is based on the LBL Packet Capture Library (available from LBL) and therefore supports the same rich filtering expressions that programs like ‘tcpdump’ support. It should compile under most popular versions of UNIX; see the INSTALL file for details.
tcpflow stores all captured data in files that have names of the form
Where the contents of the above file would be data transmitted from host 184.108.40.206 port 2345, to host 10.11.12.13 port 45103.
The only downside to this tool is that it’s not being actively maintained, the last version was released in 2003.
The upside is that the TCP protocol hasn’t changed, so the tool still work just fine.
Definitely extremely useful for network forensics, it’s one of the tools I use to demo network dissection in classes.
You can download it here:
Or read more here.
- HoneyDrive 3 Released – The Premier Honeypot Bundle Distro
- Sysdig – Linux System Troubleshooting Tool
- HoneyDrive Desktop v0.2 Released – Honeypot LiveCD
- Chaosreader – Trace TCP/UDP Sessions from tcpdump
- Fiddler – Web Debugging Proxy For HTTP(S)
- ODA – Online Web Based Disassembler
Most Read in Forensics:
- NetworkMiner – Passive Sniffer & Packet Analysis Tool for Windows - 65,702 views
- raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks - 29,954 views
- sslsniff v0.6 Released – SSL MITM Tool - 26,915 views