TCPflow command to analyze network traffic on Linux

in Linux / Unix by (551k points)

1 Answer

Best answer

1. How to install TCPflow on Linux
2. How to check navigation details captured by TCPflow Linux

The analysis of network traffic is one of the most common and necessary administration tasks regardless of the type of organization, since a bad TCP configuration will cause connection and management errors for all network packets.

The TCP (Transmission Control Protocol) protocol is one of the most used protocols in network environments, since it facilitates the administration of data that comes from or goes to IP addresses so that the entire network process is completed correctly.

Features
Some of the features of this protocol are:
  • It facilitates the monitoring of the data flow, avoiding network saturation
  • It allows data to be formed into segments of varying length to deliver to the IP protocol
  • It gives the possibility of multiplexing the data, that is, it lets information originating from different sources circulate simultaneously.

Now, there are several options to analyze this network traffic, and one of them is the TCPflow utility; TechnoWikis will explain how to install and use it in Linux environments.

What is TCPflow?
The tcpflow tool has been developed as a program that captures data transmitted through TCP connections and then stores this data for later protocol analysis and debugging.

Each TCP stream is stored in its respective file, so the typical TCP stream will be stored in two files, one for each managed address.

Its feature set includes an advanced plug-in system which allows decompressing compressed HTTP connections, undoing MIME encoding or invoking third-party programs for post-processing, and many more options.

TCPflow practical uses
Some of the practical uses where TCPflow is useful are:
  • Understand network packet flows and perform forensic network analysis
  • Reveal the content of HTTP sessions
  • Rebuild downloaded web pages over HTTP
  • Extract malware delivered via drive-by downloads

Now let's see how to use TCPflow.

1. How to install TCPflow on Linux

Step 1

To install TCPflow we must execute one of the following commands according to the distribution used:
 sudo apt install tcpflow    (Debian / Ubuntu)
 sudo yum install tcpflow    (CentOS / RHEL)
 sudo dnf install tcpflow    (Fedora)

Enter the letter S to confirm the download and installation of the utility.

Step 2

After installing TCPflow, it will be possible to run it with superuser privileges or otherwise with the sudo command; TCPflow listens on the active network interface of the system.
 sudo tcpflow 

In this case we will see that the selected interface is enp0s3.

Step 3

By default, TCPflow stores all captured data in files whose names have the following syntax:
 sourceip.sourceport-destip.destport 
Step 4

We can list the directory to check whether the TCP flow has been captured in any available file; we execute:
 ls -l 

As mentioned before, each TCP stream is stored in its own file, so there are different files.
The first file, 192.168.000.004.51548-040.112.187.188.05228, holds the data transferred from the host on which it was executed, through the selected port, to the remote host through the indicated port.


2. How to check navigation details captured by TCPflow Linux

Step 1

To verify this, we can open another terminal and run a ping or browse the Internet; the navigation details that TCPflow is capturing will be reflected there. We execute the following:
 sudo tcpflow -c 
Step 2

TCPflow allows us to capture all traffic on a single port, such as port 80 (HTTP); in this case you can see the HTTP headers followed by the content. We execute the following:
 sudo tcpflow port 80 
Step 3

We can capture packets from a specific network interface, using the -i parameter to specify the name of the interface, like this:
 sudo tcpflow -i enp0s3 port 80 
It is also possible to indicate a destination host by giving its IP address or its URL:
 sudo tcpflow -c host www.solvetic.com 
Step 4

It will be possible to enable all scanner processes with the -a parameter:
 sudo tcpflow -a 
Step 5

We can specify a particular scanner to enable; the available scanners include md5, http, netviz, tcpdemux and wifiviz, and the options to use are:
 sudo tcpflow -e http
 sudo tcpflow -e md5
 sudo tcpflow -e netviz
 sudo tcpflow -e tcpdemux
 sudo tcpflow -e wifiviz
Step 6

If we want to enable verbose mode, we can execute either of the following options:
 sudo tcpflow -d 10
 sudo tcpflow -v

Finally, to access the help of the utility we execute:

 man tcpflow 
Thus, TCPflow allows us to have comprehensive and complete control over all TCP processes in Linux environments.

by (3.5m points)
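As an added example that is not part of the answer above: once tcpflow has written its capture directory, the file names themselves (sourceip.sourceport-destip.destport, with zero-padded octets and ports, as in the answer) can be decoded and summarised without opening a single stream. The script below assumes that default naming only; the capture directory and file names it builds are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original answer: decode tcpflow's flow file names.
# Assumes the default scheme shown above: 3-digit octets, 5-digit ports.

# Strip zero padding from a dotted IP: 040.112.187.188 -> 40.112.187.188
unpad_ip() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d.%d.%d.%d\n", $1, $2, $3, $4 }'
}

# Strip leading zeros from a port; awk coerces as decimal, never octal: 05228 -> 5228
unpad_port() {
    printf '%s\n' "$1" | awk '{ print $1 + 0 }'
}

# Decode one flow file name into "src_ip:src_port -> dst_ip:dst_port".
# Returns 1 and prints nothing for names that do not match the pattern, so
# unrelated files in the capture directory (e.g. report.xml) are skipped.
decode_flow_name() {
    name=$(basename "$1")
    octet='[0-9][0-9][0-9]'
    port='[0-9][0-9][0-9][0-9][0-9]'
    ip="$octet.$octet.$octet.$octet"
    case "$name" in
        $ip.$port-$ip.$port) ;;
        *) return 1 ;;
    esac
    src=${name%%-*}
    dst=${name#*-}
    printf '%s:%s -> %s:%s\n' "$(unpad_ip "${src%.*}")" "$(unpad_port "${src##*.}")" \
        "$(unpad_ip "${dst%.*}")" "$(unpad_port "${dst##*.}")"
}

# Count captured flows per destination port: "port count", busiest port first.
flows_by_dst_port() {
    for f in "$1"/*; do
        decode_flow_name "$f" || continue
    done | awk '{ split($3, d, ":"); n[d[2]]++ } END { for (p in n) print p, n[p] }' \
         | sort -k2,2nr -k1,1n
}

# Constructed sample capture directory: empty files named like tcpflow output.
make_sample_capture() {
    dir=$(mktemp -d)
    for n in 192.168.000.004.51548-040.112.187.188.05228 \
             192.168.000.004.51550-093.184.216.034.00080 \
             192.168.000.004.51551-093.184.216.034.00080 \
             040.112.187.188.05228-192.168.000.004.51548 \
             report.xml; do
        : > "$dir/$n"
    done
    printf '%s\n' "$dir"
}
```

Run `flows_by_dst_port "$(make_sample_capture)"` to see the per-port summary; on a real capture directory the same function gives a quick view of which services the captured flows were talking to.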
