The analysis of network traffic becomes one of the most common and necessary administration tasks regardless of the type of organization since a bad TCP configuration will cause connection and management errors of all network packets..
The TCP (Transmission-Control-Protocol) protocol is one of the most used protocols in network environments since it facilitates the administration of data that comes or goes to IP addressing so that the entire process Network is completed correctly.
features
Some of the features of this protocol are:
- It facilitates the monitoring of the data flow avoiding network saturation
- Allows data to be formed in segments of varying length to deliver to the IP protocol
- It gives the possibility of multiplexing the data, that is, it makes the information whose origin is from different sources can circulate simultaneously.
Now, there are several options to analyze this network traffic and it is thanks to the TCPflow utility, TechnoWikis will explain how to install and use it in Linux environments..
What is TCPflow?
The tcpflow tool has been developed as a program that captures data transmitted through TCP connections and then stores this data for later protocol analysis and debugging.
Each TCP stream is stored in its respective file, so the typical TCP stream will be stored in two files, one for each managed address.
Its feature set includes an advanced add-on system which allows decompressing compressed HTTP connections , undo MIME encoding or invoke third-party programs for postprocessing and many more options.
TCPflow practical uses
Some of the practical uses where TCPflow is useful are:
- Understand network packet flows and perform forensic network analysis
- Reveal the content of HTTP sessions
- Rebuild downloaded web pages over HTTP
- Extract malware delivered with the drive-by downloads category
Now let's see how to use TCPflow
1. How to install TCPflow on Linux
Step 1
To install TCPflow we must execute one of the following commands according to the distribution used:
sudo apt install tcpflow (Debian / Ubuntu) sudo yum install tcpflow (CentOS / RHEL) sudo dnf install tcpflow (Fedora)
Enter the letter S to confirm the download and installation of the utility..
Step 2
After installing TCPflow, it will be possible to run it with superuser privileges or otherwise use the sudo command, TCPflow listens on the active network interface of the system.
sudo tcpflow
In this case we will see that the selected interface is enp0s3.
Step 3
By default, TCPflow stores all captured data in files that have names in the form with the following syntax:
sourceip.sourceport-destip.destport
Step 4
We can make a list of directories to check if the tcp flow has been captured in any available file, we execute:
ls -l
As mentioned before, each TCP stream is stored in its own file, there are different forms.
The first file 192.168.000.004.51548-040.112.187.188.05228 hosts the data transferred from the host on which it was executed through the selected port to the remote host through the indicated port.
2. How to check navigation details captured by TCPflow Linux
Step 1
To verify this, we can open another terminal and run a ping or browse the Internet, the navigation details that TCPflow is capturing will be reflected there, we execute the following:
sudo tcpflow -c
Step 2
TCPflow allows us to capture all traffic on a single port, such as port 80 (HTTP), for this case, you can see the HTTP headers followed by the content, we execute the following:
sudo tcpflow port 80
Step 3
We can capture packets from a specific network interface, with the -i parameter to specify the name of the interface like this:
sudo tcpflow -i enp0s3 port 80
It is also possible to indicate a destination host by taking its IP address or its URL:
sudo tcpflow -c host www.solvetic.com
Step 4
It will be possible to enable all scanner processes with the -a parameter:
sudo tcpflow -a
Step 5
We can specify a special scanner to be enabled, the available scanners include md5, http, netviz, tcpdemux and wifiviz, the options to use are:
sudo tcpflow -e http sudo tcpflow -e md5 sudo tcpflow -e netviz sudo tcpflow -e tcpdemux sudo tcpflow -e wifiviz
Step 5
If we want to enable verb mode we can execute any of the following options:
sudo tcpflow -d 10 sudo tcpflow -v
Finally, to access the help of the utility we execute:
man tcpflow
Thus, TCPflow allows us to have control over all TCP processes in Linux environments in a comprehensive and complete way.
