TCPflow: Analyze and Debug Network Traffic in Linux
Last Updated :
04 Dec, 2022
TCPflow is a free and open-source tool for analyzing network traffic on Linux and Unix systems. The data transferred during each connection is stored by TCPflow in a separate file, in a systematic format, for later study. TCPflow is similar to its counterparts such as Wireshark and tcpdump, but the main difference is TCPflow's ability to reconstruct thousands of packets at once into the flows they belong to. This saves a lot of time and helps in the quick analysis of data. TCPflow was developed by Jeremy Elson in 1998, but maintenance stopped in 2003. Simson Garfinkel took over maintenance in 2006 and added new features such as:
- Support for IPv6 and VLANs.
- Added C++ STL for fast operations.
- Added support for continuous operations.
- Created a plug-in architecture.
TCPflow has a variety of features that make it one of the best network analyzers on the market. Some of these features are discussed below.
Features of TCPflow:
- Completely free, open-source, and a very powerful network traffic analyzer.
- Supports powerful filtering expressions.
- Stores each flow in its own file, in a systematic order.
- Helpful in performing network forensics and in reconstructing HTTP sessions.
- Capable of invoking third-party programs for enhanced processing.
- Contains an advanced plugin system for the decompression of HTTP connections.
- Capable of undoing MIME encoding.
- Because connections are stored in an orderly way, debugging is also easy.
The Linux OS used in this article is Ubuntu; you can use any distro of your choice.
Steps to get started with TCPflow
Step 1: Downloading and installing TCPflow
Install TCPflow from the official repository using the command below:
sudo apt install tcpflow
Step 2: Running TCPflow
After installing TCPflow, run it with the command below; TCPflow listens on the active network interface.
sudo tcpflow
Step 3: Listing the files and analyzing them using TCPflow
The default format in which TCPflow stores the captured data files is:
<ip_of_source>.<source_port>-<ip_of_destination>.<destination_port>
Let us list all the files and see the results and the TCP transcript files generated:
ls -l
The TCP output can be seen clearly if we take the first file in the list, 010.000.002.015.35576-018.066.030.094.00443. Following the naming format above, this file holds the data exchanged between the local host on which TCPflow was running (10.0.2.15, port 35576) and the remote host (18.66.30.94, port 443).
Along with the above files, a separate XML file is also generated which records how the program was compiled, the host it was run on, and all the TCP connections.
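As an added example (not code from the original article or from the tcpflow project), the POSIX shell script below parses the transcript file names in a tcpflow output directory, strips the zero padding, and summarizes which destination ports a capture talked to. It assumes only the default naming layout shown above; the sample directory it builds is constructed for the demonstration and is not real capture data.

```shell
#!/bin/sh
# Added example (not part of the original article or the tcpflow project):
# parse tcpflow's default transcript file names and summarize a capture
# directory. Assumes the default name layout
#   <src_ip>.<src_port>-<dst_ip>.<dst_port>
# with zero-padded octets and ports, e.g. 010.000.002.015.35576-018.066.030.094.00443

# Turn one transcript file name into "src_ip:src_port -> dst_ip:dst_port".
# awk's %d conversion drops the zero padding (and any trailing connection
# counter such as "c1" that tcpflow appends when the same 4-tuple is reused).
flow_from_name() {
    printf '%s\n' "$1" | awk -F'[.-]' 'NF == 10 {
        printf "%d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n",
               $1, $2, $3, $4, $5, $6, $7, $8, $9, $10
    }'
}

# List every transcript in a tcpflow output directory as
# "<bytes> <src>:<port> -> <dst>:<port>", skipping report.xml and other files.
list_flows() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            *.*.*.*.*-*.*.*.*.*) ;;   # looks like a transcript name
            *) continue ;;
        esac
        bytes=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s\n' "$bytes" "$(flow_from_name "$name")"
    done
}

# Count transcripts per destination port, most common port first: a quick way
# to see which services a capture actually talked to.
flows_per_dst_port() {
    list_flows "$1" | awk '{ n = split($4, p, ":"); c[p[n]]++ }
                           END { for (k in c) printf "%d port %s\n", c[k], k }' | sort -rn
}

# Constructed sample directory (not real capture data) so the script runs
# stand-alone without a live capture.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n' \
        > "$d/010.000.002.015.35576-018.066.030.094.00080"
    printf 'GET /favicon.ico HTTP/1.1\r\nHost: example.test\r\n\r\n' \
        > "$d/010.000.002.015.35578-018.066.030.094.00080"
    printf 'HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n' \
        > "$d/018.066.030.094.00080-010.000.002.015.35576"
    printf 'SSH-2.0-OpenSSH_client\r\n' \
        > "$d/010.000.002.015.40000-010.000.002.001.00022"
    printf '<dfxml/>\n' > "$d/report.xml"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "Flows in $sample:"
list_flows "$sample"
echo "Flows per destination port:"
flows_per_dst_port "$sample"
rm -rf "$sample"
```

Run it as-is to see the summary over the constructed files, or call list_flows and flows_per_dst_port on a real tcpflow output directory such as the tcpflow_files directory created in the next step.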
Step 4: Finding the location of the transcript files
TCPflow by default stores the transcript files in the present working directory. With the -o flag we can specify the directory where these files will be written, using the commands below:
sudo tcpflow -o tcpflow_files
sudo ls -l tcpflow_files

The XML file can also be seen in this listing.
Step 5: Printing the Contents of Packets and capturing traffic
With the command below, the user can print the content of packets to the screen as they arrive; in this mode no transcript files are written to disk. The -c flag is used:
sudo tcpflow -c
To capture the traffic on a specific port (e.g. 22), use the command below:
sudo tcpflow port 22
Step 6: Capturing packets from a specific interface and host
The -i flag can be used to capture packets from a specific network interface:
sudo tcpflow -i enp0s3 port 80
A specific target host can also be specified. The target can be given as an IP address, a hostname, or a domain name.
sudo tcpflow -c host 10.0.2.15
or
sudo tcpflow -c host www.facebook.com
Step 7: Using the -a or -e flags
The -e and -a flags have similar functions: with their help the user can enable processing with all the scanners.
sudo tcpflow -a
OR
sudo tcpflow -e all
Specific scanners can also be activated individually; use the command below for a single scanner:
sudo tcpflow -e http
To disable a particular scanner, use the -x flag:
sudo tcpflow -a -x http
Now all the scanners except HTTP are enabled.
Step 8: Enabling the verbose mode
To enable the verbose mode use the below command:
sudo tcpflow -v
OR
sudo tcpflow -d 10
Step 9: Preventing TCPflow from entering promiscuous mode
By default, TCPflow tries to put the network interface into promiscuous mode, in which the interface hands every frame it sees on the segment to the capture rather than only the frames addressed to it. This can be prevented with the -p flag:
sudo tcpflow -p -i enp0s3
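As an added example (not from the original article or the tcpflow project), the following POSIX shell snippet lets you confirm that an interface really stayed out of promiscuous mode, for instance after a capture run with -p. It relies on Linux exposing the interface flags in /sys/class/net/<iface>/flags as a hex value, where the IFF_PROMISC bit is 0x100, and on the PROMISC keyword in "ip link show" output; the two ip-link lines embedded below are constructed samples, not output from a real host.

```shell
#!/bin/sh
# Added example (not part of the original article or the tcpflow project):
# verify whether a Linux interface is in promiscuous mode. Assumes
# /sys/class/net/<iface>/flags holds the interface flags as hex and that
# IFF_PROMISC is bit 0x100.

# True when the IFF_PROMISC bit is set in a flags value such as 0x1103.
promisc_bit_set() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Check a live interface. Exit status: 0 = promiscuous, 1 = not, 2 = no such interface.
iface_is_promisc() {
    flags=$(cat "/sys/class/net/$1/flags" 2>/dev/null) || return 2
    promisc_bit_set "$flags"
}

# The same decision from one line of "ip -o link show" output, for the case
# where you only have a saved command transcript rather than sysfs access.
ipline_is_promisc() {
    printf '%s\n' "$1" | grep -q '[<,]PROMISC[,>]'
}

# Constructed sample lines (not captured from a real host) for the stand-alone run.
SAMPLE_UP='2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
SAMPLE_PROMISC='2: enp0s3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'

for line in "$SAMPLE_UP" "$SAMPLE_PROMISC"; do
    if ipline_is_promisc "$line"; then
        echo "promiscuous: $line"
    else
        echo "normal:      $line"
    fi
done

# Report any local interface currently in promiscuous mode (nothing printed if none).
for path in /sys/class/net/*; do
    iface=${path##*/}
    if iface_is_promisc "$iface"; then
        echo "$iface is in promiscuous mode"
    fi
done
```

Running this after "sudo tcpflow -p -i enp0s3" has finished should list no interface; running it while a capture without -p is active on enp0s3 should report that interface.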
More information about TCPflow can be found on TCPflow's man page:
man tcpflow
Conclusion
In this article, we saw various functions and uses of this very useful and powerful tool. Every tool has its pros and cons. TCPflow has one minor flaw: it does not properly understand IP fragments, so transmitted data that arrives as IP fragments might not be captured. This limitation might be removed in the future. Apart from this limitation, TCPflow is a very powerful tool that can help you carry out network forensics and give you a better understanding of network packets. Make sure to check out this tool and learn something new.