Category: Sniffing & Spoofing. Tags: tcpflow, capture, reconstruction, protocol analysis, debugging, pcap

tcpflow

tcpflow captures TCP connection data streams and stores them in separate files for protocol analysis or debugging. Unlike tcpdump, which shows packet summaries, tcpflow reconstructs the actual data flows.

Description

tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently does not understand IP fragments; flows containing IP fragments will not be recorded properly.

tcpflow is based on the LBL Packet Capture Library (libpcap) and therefore supports the same rich filtering expressions that programs like 'tcpdump' support. tcpflow can also rebuild flows offline from a capture file written with 'tcpdump -w' (the file is read with -r).

How It Works

tcpflow captures TCP flows using the LBL Packet Capture Library (libpcap), so it accepts tcpdump-like filter expressions. It reconstructs each data stream from the TCP sequence numbers, so retransmissions and out-of-order delivery are handled correctly: every segment is written at the position its sequence number dictates. Each direction of each flow is stored in a separate file named after the endpoints (source address and port, then destination address and port). IP fragments are not reassembled, so a flow carried in fragmented datagrams is recorded incompletely. tcpflow can process live captures or files written with tcpdump -w.
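The reassembly described above, as an added example that is not tcpflow's own code: a small Python reassembler that builds a constructed pcap in memory (the addresses, ports and HTTP payload are made up for the example), then rebuilds each direction's byte stream from sequence numbers. The sample capture deliberately delivers the request out of order, retransmits one segment and includes an IP fragment, so it shows the two behaviours the description promises (correct ordering, duplicates collapsed) and the one it warns about (fragments dropped). The file-name format mirrors tcpflow's default output naming; the strip_nonprint helper does what -s does on console output.

```python
"""TCP flow reassembly in the style of tcpflow (added example, not tcpflow's code).

Builds a constructed pcap in memory (Ethernet/IPv4/TCP, checksums left at zero),
then rebuilds each direction's byte stream from sequence numbers so that
out-of-order delivery and retransmissions disappear, and skips IP fragments,
which tcpflow does not handle either."""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08


def tcp_segment(src, dst, sport, dport, seq, payload=b"", flags=PSH | ACK, fragment=False):
    """One Ethernet+IPv4+TCP frame; fragment=True sets the IP More-Fragments bit."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x2000 if fragment else 0,
                     64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    assert struct.unpack_from("<I", data)[0] == 0xA1B2C3D4, "not a little-endian pcap"
    off = 24
    while off < len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen


def parse_frame(frame):
    """(src, dst, sport, dport, seq, flags, payload) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:
        return None
    if struct.unpack_from("!H", ip, 6)[0] & 0x3FFF:  # MF bit or fragment offset set
        return None  # fragments are dropped, as tcpflow's documentation warns
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total]
    sport, dport, seq = struct.unpack_from("!HHI", tcp)
    doff = (tcp[12] >> 4) * 4
    return (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
            sport, dport, seq, tcp[13], tcp[doff:])


def flow_name(src, sport, dst, dport):
    """tcpflow's default file name: zero-padded octets and ports, source side first."""
    def side(ip, port):
        return ".".join(f"{int(o):03d}" for o in ip.split(".")) + f".{port:05d}"
    return f"{side(src, sport)}-{side(dst, dport)}"


def reassemble(pcap_bytes):
    """Map flow name -> reassembled payload, one entry per direction.
    The SYN fixes the ISN; each data segment is written at seq - ISN - 1, so a
    retransmission overwrites identical bytes and an early segment waits in place."""
    flows = {}
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, seq, flags, payload = parsed
        name = flow_name(src, sport, dst, dport)
        if flags & SYN:
            flows[name] = {"isn": seq, "buf": bytearray()}  # SYN consumes one sequence number
            continue
        if not payload:
            continue
        flow = flows.setdefault(name, {"isn": (seq - 1) & 0xFFFFFFFF, "buf": bytearray()})
        off = (seq - flow["isn"] - 1) & 0xFFFFFFFF
        if off >= 1 << 31:  # sequence number before the ISN: stale, drop it
            continue
        buf, end = flow["buf"], off + len(payload)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))  # unfilled holes stay as zero bytes
        buf[off:end] = payload
    return {name: bytes(f["buf"]) for name, f in flows.items()}


def strip_nonprint(data):
    """What -s does for console output: non-printable bytes become '.', line breaks stay."""
    return bytes(b if 32 <= b < 127 or b in (9, 10, 13) else 0x2E for b in data)


def sample_pcap():
    """Constructed capture: handshake, a request split in two and delivered out of
    order with one retransmission, a fragment that must be skipped, then the reply."""
    c, s, req1, req2 = "10.0.0.1", "10.0.0.2", b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n\r\n"
    return build_pcap([
        tcp_segment(c, s, 40000, 80, 1000, flags=SYN),
        tcp_segment(s, c, 80, 40000, 5000, flags=SYN | ACK),
        tcp_segment(c, s, 40000, 80, 1001 + len(req1), req2),  # second half arrives first
        tcp_segment(c, s, 40000, 80, 1001, req1),
        tcp_segment(c, s, 40000, 80, 1001, req1),  # retransmission of the same bytes
        tcp_segment(c, s, 40000, 80, 1001 + len(req1) + len(req2), b"DROPPED", fragment=True),
        tcp_segment(s, c, 80, 40000, 5001, b"HTTP/1.1 200 OK\r\n\r\nhello\x00\x01"),
    ])


if __name__ == "__main__":
    for name, data in reassemble(sample_pcap()).items():
        print(f"== {name} ==\n{strip_nonprint(data).decode()}")
```

Run it and the two flows print in the same shape `tcpflow -c -s` would give on the console; the client stream reads as one clean request even though its halves arrived reversed and one was sent twice, and the fragment never appears. Real tcpflow also keys flows on the connection's start time and handles sequence wraparound and the VLAN and IPv6 cases that this sketch leaves out.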

Installation

```bash
sudo apt install tcpflow
```

Flags

-a              do ALL post-processing.
-b max_bytes    max number of bytes per flow to save
-d debug_level  debug level; default is 1
-f              maximum number of file descriptors to use
-h              print this help message (-hh for more help)
-H              print detailed information about each scanner
-i iface        network interface on which to listen
-I              write for each flow another file *.findx to provide byte-indexed timestamps
-U user         relinquish privileges and become user (if running as root)
-z dir          chroot to dir (requires that -U be used)
-B              binary output, even with -c or -C (normally -c or -C turn it off)
-c              console print only (don't create files)
-C              console print only, but without the display of source/dest header
-s              strip non-printable characters (change to '.')
-J              output json format.
-D              output in hex (useful to combine with -c or -C)

Examples

Prints the help message for tcpflow (-hh prints the longer form)
tcpflow -h
Captures TCP flows with all post-processing enabled
tcpflow -a
Captures TCP flows, saving at most 1,000,000 bytes (about 1 MB) of each flow
tcpflow -b 1000000
Listens on network interface eth0 for TCP flows
tcpflow -i eth0
Prints captured TCP flow data to the console only; no files are created
tcpflow -c
Console print without source/destination headers
tcpflow -C
Strips non-printable characters (replaced with '.') while printing to the console; -s is a console-output option, so it is combined with -c
tcpflow -c -s
Captures TCP flows on port 80; the trailing argument is a tcpdump-like filter expression
tcpflow port 80
Updated 2026-04-16. Source: kali.org