tcpflow is a program that captures data transmitted as part of TCP connections and stores it in a form convenient for protocol analysis and debugging. Where tcpdump shows traffic packet by packet, tcpflow reassembles each side of a TCP connection into the byte stream the application actually sent, which makes it well suited to analyzing application-layer protocols and pulling transferred content out of a capture.
Key Features
- Stream Reconstruction – Reassemble TCP segments (handling ordering and retransmissions) into the complete stream for each direction of a connection
- HTTP Body Extraction – Write the bodies of HTTP responses out as separate files with the HTTP scanner (`-e http`)
- Per-Flow Files – Save each direction of each TCP connection to its own file
- Live Capture – Process traffic from an interface as it arrives
- PCAP Support – Read existing packet captures, so the same analysis works offline on evidence files
- HTTP Processing – Decompress gzip-encoded HTTP bodies so the extracted content is readable
Installation
# Debian/Ubuntu
sudo apt install tcpflow
# RHEL/CentOS/Fedora (on RHEL and CentOS the package comes from EPEL, so enable that repository first)
sudo dnf install tcpflow
# Arch Linux
sudo pacman -S tcpflow
Common Usage Examples
# Capture live traffic on eth0; flow files are written to the current directory
sudo tcpflow -i eth0
# Read from a pcap file instead of an interface (no root needed)
tcpflow -r capture.pcap
# Trailing arguments are a BPF filter, the same syntax as tcpdump: only port 80
sudo tcpflow -i eth0 port 80
# Only traffic to or from one host
sudo tcpflow -i eth0 host 192.168.1.100
# Write flow files to a dedicated directory (keeps the current directory clean)
sudo tcpflow -i eth0 -o /tmp/flows
# Run the HTTP scanner: decode and decompress HTTP and write response bodies next to the flow files
tcpflow -r capture.pcap -e http
# Verbose output: report each flow as it is opened and closed
tcpflow -v -r capture.pcap
Output Format
By default tcpflow names each file source_ip.source_port-dest_ip.dest_port, with every IPv4 octet zero-padded to three digits and the port to five, so a request from 192.168.1.100 to a web server on 10.0.0.5 lands in 192.168.001.100.45872-010.000.000.005.00080 and the reply in 010.000.000.005.00080-192.168.001.100.45872 (the padding keeps a plain sort of the directory listing in address order). Each file holds the complete data stream in one direction, so a full connection is a pair of files; a direction that never carried payload, such as a half-open connection or a scan, has no file. tcpflow also writes a DFXML summary of the run as report.xml in the output directory, which a script walking the directory has to skip.
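The following is an added example, not part of the original page or of tcpflow itself, showing how a triage script can consume that naming scheme: it parses the zero-padded file names, pairs the two directions of each connection, counts the bytes sent each way and picks out the HTTP request line when the client side begins with one. It assumes tcpflow's default file naming (the optional trailing cN that tcpflow appends when a 4-tuple is reused is accepted too) and uses a heuristic of its own, not something tcpflow defines, to decide which endpoint is the server: the one with the lower port number. The output directory it reads is constructed inline so the script runs without a capture.

```python
import os
import re
import tempfile
from collections import defaultdict

# Default tcpflow file name: src_ip.src_port-dst_ip.dst_port
# IPv4 octets are zero-padded to three digits and ports to five, e.g.
#   192.168.001.100.45872-010.000.000.005.00080
# tcpflow appends cN when the same 4-tuple is reused by a later connection.
FLOW_RE = re.compile(
    r"^(?P<src_ip>(?:\d{3}\.){3}\d{3})\.(?P<src_port>\d{5})"
    r"-(?P<dst_ip>(?:\d{3}\.){3}\d{3})\.(?P<dst_port>\d{5})(?:c(?P<n>\d+))?$"
)

# Request-line prefixes used to recognise an HTTP client stream (heuristic).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def _unpad_ip(padded):
    """'010.000.000.005' -> '10.0.0.5'"""
    return ".".join(str(int(octet)) for octet in padded.split("."))


def parse_flow_name(name):
    """Parse a tcpflow file name into ((src_ip, src_port), (dst_ip, dst_port), n).
    Returns None for anything that is not a flow file, such as report.xml."""
    m = FLOW_RE.match(name)
    if m is None:
        return None
    src = (_unpad_ip(m["src_ip"]), int(m["src_port"]))
    dst = (_unpad_ip(m["dst_ip"]), int(m["dst_port"]))
    return src, dst, int(m["n"] or 0)


def pair_flows(outdir):
    """Group per-direction files into connections.
    Key: (endpoint_a, endpoint_b, n) with the endpoints sorted, so both
    directions of one connection map to the same key."""
    conns = defaultdict(dict)
    for name in os.listdir(outdir):
        parsed = parse_flow_name(name)
        if parsed is None:
            continue                      # skip report.xml, HTTP bodies, etc.
        src, dst, n = parsed
        key = (*sorted([src, dst]), n)
        conns[key][src] = os.path.join(outdir, name)
    return dict(conns)


def summarize(outdir):
    """One record per connection: endpoints, bytes per direction, and the HTTP
    request line if the client's first line looks like one.
    Heuristic (assumption): the endpoint with the lower port is the server."""
    records = []
    for (a, b, _n), files in sorted(pair_flows(outdir).items()):
        server, client = (a, b) if a[1] < b[1] else (b, a)

        def read(endpoint):
            path = files.get(endpoint)   # one direction may have no file
            if path is None:
                return b""
            with open(path, "rb") as fh:
                return fh.read()

        to_server, to_client = read(client), read(server)
        first_line = to_server.split(b"\r\n", 1)[0]
        request = (first_line.decode("ascii", "replace")
                   if first_line.startswith(HTTP_METHODS) else None)
        records.append({
            "client": "%s:%d" % client,
            "server": "%s:%d" % server,
            "bytes_to_server": len(to_server),
            "bytes_to_client": len(to_client),
            "request": request,
        })
    return records


def build_sample_dir():
    """Constructed stand-in for a tcpflow output directory (not a real capture):
    one HTTP exchange, one connection with data in a single direction, report.xml."""
    d = tempfile.mkdtemp(prefix="tcpflow-demo-")
    sample = {
        "192.168.001.100.45872-010.000.000.005.00080":
            b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "010.000.000.005.00080-192.168.001.100.45872":
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
        # client-only data (constructed opaque bytes), no reply file at all
        "192.168.001.100.45873-010.000.000.005.00443": b"\x16\x03\x01\x00\x05ABCDE",
        "report.xml": b"<dfxml/>",
    }
    for name, data in sample.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for rec in summarize(build_sample_dir()):
        print(rec)
```

Point it at a real directory (`summarize("/tmp/flows")` after `tcpflow -r capture.pcap -o /tmp/flows`) and it gives a one-line-per-connection overview that is usually the first thing wanted in a capture triage; the lower-port heuristic is wrong for peer-to-peer or non-standard-port services, so treat the client/server labels as a starting point rather than a fact.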
Use Cases
tcpflow is invaluable for network forensics, malware analysis, debugging applications, extracting files from captures, and understanding application behavior.