Tcpflow – To Monitor, Capture & Dump Packets

Tcpflow is a TCP/IP demultiplexer. It is mainly used to record the traffic between two hosts, although it can track thousands of connections at once. Tcpflow differs from packet-oriented sniffers in that it reassembles the actual data carried by each connection and writes it to a file, so the content of a connection can be read as a continuous stream rather than as individual packets.

The saved streams can then be used for further analysis. Another advantage of tcpflow is that it reconstructs each data stream correctly regardless of retransmissions or out-of-order delivery. Tcpflow also accepts the same filter expressions as tcpdump, so the capture can be narrowed down in many different ways with very little effort.

Most sniffing attacks begin with ARP poisoning to redirect traffic through the attacker's machine. Tcpflow, by contrast, is purely passive: it captures whatever already reaches the capture interface (on a switched network, normally the host's own traffic plus broadcasts, or whatever a mirror/SPAN port feeds it) without poisoning the subnet or network.

Options

Syntax: tcpflow [options] [expression], where expression is a tcpdump-style (BPF) filter such as host 192.168.0.100
-b: max number of bytes per flow to save

-c: console print only (don't create files)

-C: console print only, but without the display of source/dest header

-d: debug level; default is 1

-e: output each flow in alternating colors (Blue = client to server; Red = server to client; Green = unknown)

-f: maximum number of file descriptors to use

-h: print this help message

-i: network interface on which to listen

-p: don't use promiscuous mode

-r: read packets from tcpdump output file

-s: strip non-printable characters (change to '.')

-v: verbose operation equivalent to -d 10

Source: https://github.com/simsong/tcpflow

Reference: http://forensicswiki.org/wiki/Tcpflow

Lab 1: Basics

This lab demonstrates basic console logging of data to and from a target host. Here the target IP is 192.168.0.100; a domain name or hostname is also acceptable in place of the IP.

Command: tcpflow -ce host 192.168.0.100   (substitute your target IP or hostname)

Note: if you are capturing on an interface other than the default one, add the -i option followed by the interface name.

[Screenshot: tcpflow starting capture]

Suppose we need all the HTTP traffic on the network:

command: tcpflow -ce port 80
[Screenshot: all HTTP traffic on the network, in alternating colors]

Logical operators can also be used in the filter expression. For example, to see all HTTP and HTTPS traffic to and from the host, we issue:

Command: tcpflow -ce 'host 192.168.0.100 and (port 80 or port 443)'   (substitute your target)

Here the expression selects the host "192.168.0.100" and ANDs it with the condition port 80 OR port 443, so only HTTP or HTTPS traffic to and from 192.168.0.100 is captured and displayed. The parentheses matter: the filter syntax is evaluated left to right, so host 192.168.0.100 and port 80 or port 443 without them means (host 192.168.0.100 and port 80) or port 443, which would also capture the port 443 traffic of every other host; the single quotes keep the shell from interpreting the parentheses. Remember that HTTP runs on port 80 and HTTPS on 443, and that the HTTPS payload is encrypted, so for port 443 tcpflow shows only TLS records rather than page contents.

[Screenshot: selecting all HTTP and HTTPS traffic to and from the specified host]

Lab 2: Dump Data to a Local Folder

This lab demonstrates dumping all the data exchanged with the target to disk. Tcpflow writes its files into the current working directory (run pwd to see which directory that is), so we first create a dedicated folder, change into it, and then run tcpflow.

Step 1: Create a new directory

Command: mkdir tcpflowdata   (use any folder name you like)

Step 2: Change to the new directory

Command: cd tcpflowdata   (the folder you just created)

Step 3: Execute tcpflow

Command: tcpflow host 192.168.0.103   (substitute your target)

[Screenshot: creating the directory for tcpflow output]

You can see each flow being written to its own file in the directory. Files are named after the flow's endpoints, source address and port followed by destination address and port, with octets and ports zero-padded (for example 192.168.000.103.00080-192.168.000.105.51234 holds the bytes sent from port 80 of the target to the client). Because every captured flow involves the host we filtered on, its address appears in every filename.

[Screenshot: capture files in the specified folder]
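A small triage helper for the output directory from Lab 2, written for this article as an added example (it is not part of tcpflow): it parses tcpflow's zero-padded flow file names back into endpoints and flags flows on ports whose protocols carry logins in clear text. The cleartext port list and the sample directory listing are constructed for the example.

```python
import re

# tcpflow names each flow file <src ip>.<src port>-<dst ip>.<dst port>, with
# octets padded to 3 digits and ports to 5, for example
#   192.168.000.105.51234-192.168.000.103.00080
# The file holds the bytes the first endpoint sent to the second.
FLOW_RE = re.compile(r"^(\d{3}(?:\.\d{3}){3})\.(\d{5})-(\d{3}(?:\.\d{3}){3})\.(\d{5})$")

# Services that carry logins or payload unencrypted (assumed list for this example).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}

# Constructed sample directory listing, as Lab 2 would produce it: (name, size).
SAMPLE_LISTING = [("192.168.000.105.51234-192.168.000.103.00080", 512),
                  ("192.168.000.103.00080-192.168.000.105.51234", 4096),
                  ("192.168.000.105.40000-192.168.000.103.00443", 900),
                  ("report.xml", 10)]

def _unpad(ip):
    """'192.168.000.100' -> '192.168.0.100'."""
    return ".".join(str(int(octet)) for octet in ip.split("."))

def parse_flow_name(name):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for files that are
    not flow dumps (tcpflow also writes report.xml into the output directory)."""
    m = FLOW_RE.match(name)
    if m is None:
        return None
    return _unpad(m.group(1)), int(m.group(2)), _unpad(m.group(3)), int(m.group(4))

def summarize(entries):
    """entries: iterable of (filename, size_in_bytes). Returns one row per flow
    file, tagged with the likely service port (the lower of the two) and the
    cleartext protocol name when that port is in CLEARTEXT_PORTS."""
    rows = []
    for name, size in entries:
        parsed = parse_flow_name(name)
        if parsed is None:
            continue
        src_ip, src_port, dst_ip, dst_port = parsed
        service_port = min(src_port, dst_port)
        rows.append({"src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}",
                     "service_port": service_port, "bytes": size,
                     "cleartext": CLEARTEXT_PORTS.get(service_port)})
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LISTING):
        flag = f"  <-- cleartext {row['cleartext']}" if row["cleartext"] else ""
        print(f"{row['src']:>21} -> {row['dst']:<21} {row['bytes']:6d} B{flag}")
```

To run it over a real tcpflowdata folder, feed summarize() the (name, size) pairs from os.scandir() on that directory instead of SAMPLE_LISTING.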

The advantage of this tool is that any clear-text data, such as an HTTP authentication, a telnet session or an SMB authentication exchange, becomes visible to you. Once you have dumped all the traffic, you can view and analyze it at a later point in time, or load the capture into Wireshark or a tool like Xplico for forensic analysis.

Try it yourself: start tcpflow, then open any plain-HTTP site (not Facebook or Twitter, which use HTTPS), for example your local router's login page. Enter the password and analyze the tcpflow output.


Ravi Sankar
