Like tcpdump and tcptrack, tcpflow is a tool that helps administrators investigate or manage their network by capturing the data flowing over a TCP/IP network. Tcpflow can be installed on any flavour of Linux or on FreeBSD.
If you are using CentOS or RHEL you can install the package from an RPM (the RPM can be found here). Below I explain how to install from source. SSH into your server as root.
# cd /usr/src
# wget http://www.circlemud.org/pub/jelson/tcpflow/tcpflow-0.21.tar.gz
# tar zxvf tcpflow-0.21.tar.gz
# cd tcpflow-0.21
# ./configure && make && make install
If you get the error "Can't find the pcap library (libpcap.a); install the pcap library", make sure that the libpcap and libpcap-devel packages are installed on your system (tcpflow uses the pcap library to capture packets). After installing, run tcpflow -h to display the help.
Working with TcpFlow
Tcpflow is designed to run in the background, but with the -c option it prints to the console: you enter a command in the terminal window and the results appear in the same window. To start, use the following command to see all TCP data flowing over your eth0 interface.
# tcpflow -c -i eth0
To capture data only on a specific port (for example port 80), add a pcap/BPF filter expression after the interface:
# tcpflow -c -i eth0 tcp port 80
# tcpflow -c -i eth0 udp port <port>
Note that tcpflow only reassembles TCP streams, so a udp filter will not produce any flow output.
You can also redirect the output to a separate file for later analysis.
# tcpflow -c -i eth0 tcp port 80 > /root/data.txt
If you are using your system as a router and want to capture the data of a specific host, filter on the host name or IP address:
# tcpflow -c -i eth0 host host.hostname.com
# tcpflow -c -i eth0 host <ipaddress>
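When tcpflow is run without -c it does not print to the console but writes one file per direction of each TCP flow, named after the two endpoints. The script below is an added example (not from the original post or from the tcpflow project) that triages such an output directory; it assumes tcpflow's default file naming (src_ip.src_port-dst_ip.dst_port with zero-padded fields) and builds a constructed sample directory so it runs without tcpflow installed.

```shell
#!/bin/sh
# Added example, not from the original post: triage a directory of tcpflow output.
# Assumes tcpflow's default file naming when run WITHOUT -c: one file per direction
# of each TCP flow, named src_ip.src_port-dst_ip.dst_port with zero-padded fields,
# e.g. 192.168.001.010.54321-010.000.000.005.00080 (data sent from .10:54321 to .5:80).

# Parse one tcpflow file name into "src_ip src_port dst_ip dst_port" with padding
# removed. Returns 1 for anything that is not a flow file (e.g. report.xml).
# awk's %d converts "00080" as decimal, avoiding the shell's octal $((...)) trap.
parse_flow_name() {
    basename "$1" | awk -F'[.-]' '
        NF == 10 {
            for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/) exit 1
            printf "%d.%d.%d.%d %d %d.%d.%d.%d %d\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10
            exit 0
        }
        { exit 1 }'
}

# One line per flow file: src_ip src_port dst_ip dst_port bytes
list_flows() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        flow=$(parse_flow_name "$f") || continue
        printf '%s %s\n' "$flow" "$(wc -c < "$f" | tr -d ' ')"
    done
}

# Number of flow files per destination port, i.e. which services received data.
count_by_dst_port() {
    list_flows "$1" | awk '{ n[$4]++ } END { for (p in n) print p, n[p] }' | sort -n
}

# Constructed sample directory shaped like tcpflow output (so this runs without tcpflow).
make_sample_dir() {
    dir=$(mktemp -d)
    printf 'GET / HTTP/1.0\r\n\r\n'       > "$dir/192.168.001.010.54321-010.000.000.005.00080"
    printf 'HTTP/1.0 200 OK\r\n\r\nhello' > "$dir/010.000.000.005.00080-192.168.001.010.54321"
    printf 'SSH-2.0-OpenSSH\r\n'          > "$dir/192.168.001.011.40022-010.000.000.005.00022"
    : > "$dir/report.xml"   # newer tcpflow versions also write this; it must be skipped
    printf '%s\n' "$dir"
}

# Usage: sh tcpflow_summary.sh /path/to/tcpflow/output  (defaults to the sample above)
target=${1:-$(make_sample_dir)}
echo "flows in $target:";                list_flows "$target"
echo "flow files per destination port:"; count_by_dst_port "$target"
```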
Below I have attached sample screen captures taken while monitoring TCP port 80 traffic.