Fetching latest commit…
Cannot retrieve the latest commit at this time
|Failed to load latest commit information.|
=== TCPFLOW 1.2 By Simson L. Garfinkel <firstname.lastname@example.org> originally by Jeremy Elson <email@example.com> For the latest information on tcpflow, please see: http://www.afflib.org/software/tcpflow/ == What is tcpflow? tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored 'tcpdump' packet flows. tcpflow stores all captured data in files that have names of the form: [timestampT]sourceip.sourceport-destip.destport[--VLAN][cNNNN] where: timestamp is an optional timestamp of the time that the first packet was seen T is a delimiter that indicates a timestamp was provided sourceip is the source IP address sourceport is the source port destip is the destination ip address destport is the destination port VLAN is the VLAN port c is a delimiter indicating that multiple connections are present NNNN is a connection counter, when there are multiple connections with the same [time]/sourceip/sourceport/destip/destport combination. Note that connection counting rarely happens when timestamp prefixing is performed. HERE are some examples: 188.8.131.52.02345-010.011.012.013.45103 The contents of the above file would be data transmitted from host 184.108.40.206 port 2345, to host 10.11.12.13 port 45103. 220.127.116.11.02345-010.011.012.013.45103c0005 The sixth connection from 18.104.22.168 port 2345, to host 10.11.12.13 port 45103. 1325542703T22.214.171.124.02345-010.011.012.013.45103 A connection from 126.96.36.199 port 2345, to host 10.11.12.13 port 45103, that started on at 5:19pm (-0500) on January 2, 2012 188.8.131.52.02345-010.011.012.013.45103--3 A connection from 184.108.40.206 port 2345, to host 10.11.12.13 port 45103 that was seen on VLAN port 3. You can change the template that is used to create filenames with the -F and -T options. If you use the -AH option, tcpflow will automatically interpert HTTP responses. If the output file is 220.127.116.11.00080-192.168.001.064.37314, Then the post-processing will create the files: 18.104.22.168.00080-192.168.001.064.37314-HTTP 22.214.171.124.00080-192.168.001.064.37314-HTTPBODY If the HTTPBODY was compressed with GZIP, you may get a third file as well: 126.96.36.199.00080-192.168.001.064.37314-HTTPBODY-GZIP Additional information about these streams, such as their MD5 hash value, is also written to the DFXML file tcpflow is similar to 'tcpdump', in that both process packets from the wire or from a stored file. But it's different in that it reconstructs the actual data streams and stores each flow in a separate file for later analysis. tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, tcpflow currently does not understand IP fragments; flows containing IP fragments will not be recorded properly. tcpflow can output a summary report file in DFXML format. This file includes information about the systme on which the tcpflow program was compiled, where it was run, and every TCP flow, including source and destination IP addresses and ports, number of bytes, number of packets, and (optionally) the MD5 hash of every bytestream. tcpflow uses the LBL Packet Capture Library (available at ftp://ftp.ee.lbl.gov/libpcap.tar.Z) and therefore supports the same rich filtering expressions that programs like 'tcpdump' support. It should compile under most popular versions of UNIX; see the INSTALL file for details. == What use is it? tcpflow is a useful tool for understanding network packet flows and performing network forensics. Unlike programs such as WireShark, which show lots of packets or a single TCP connection, tcpflow can show hundreds, thousands, or hundreds of thousands of TCP connections in context. A common use of tcpflow is to reveal the contents of HTTP sessions. Using tcpflow you can reconstruct web pages downloaded over HTTP. You can even extract malware delivered as 'drive-by downloads.' Jeremy Elson originally wrote this program to capture the data being sent by various programs that use undocumented network protocols in an attempt to reverse engineer those protocols. RealPlayer (and most other streaming media players), ICQ, and AOL IM are good examples of this type of application. It was later used for HTTP protocol analysis. Simson Garfinkel founded Sandstorm Enterprises in 1998. Sandstorm created a program similar to tcpflow called TCPDEMUX and another version of the program called NetIntercept. Those programs are commercial. After Simson left Sandstorm he had need for a tcp flow reassembling program. He found tcpflow and took over its maintenance. == Bugs Please send bug reports to firstname.lastname@example.org. tcpflow currently does not understand IP fragments. Flows containing IP fragments will not be recorded correctly. IP fragmentation is increasingly a rare event, so this does not seem to be a significant problem.