# yum install `curl -s http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/|grep -o '"tcpflow[^"]*'|sed 's|"|http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/|'` Dependencies Resolved ====================================================================================================================================== Package Arch Version Repository Size ====================================================================================================================================== Installing: tcpflow x86_64 0.21-1.2.el7.rf /tcpflow-0.21-1.2.el7.rf.x86_64 61 k Transaction Summary ====================================================================================================================================== Install 1 Package Is this ok [y/d/N]: y Downloading packages: Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : tcpflow-0.21-1.2.el7.rf.x86_64 1/1 Verifying : tcpflow-0.21-1.2.el7.rf.x86_64 1/1 Installed: tcpflow.x86_64 0:0.21-1.2.el7.rf Complete!
# tcpflow -cs -i eth0 port 80 tcpflow: listening on eth0 010.000.012.250.26633-010.000.022.012.00080: GET / HTTP/1.1 host: 10.0.22.12 User-Agent: ELB-HealthChecker/1.0 Accept: */* Connection: keep-alive 010.000.022.012.00080-010.000.012.250.26633: HTTP/1.1 200 OK Date: Mon, 08 Feb 2016 03:34:19 GMT Server: Apache Content-Type: text/plain;charset=ISO-8859-1 Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive
# man tcpflow tcpflow(1) NAME tcpflow - TCP flow recorder SYNOPSIS tcpflow [-chpsv] [-b max_bytes] [-d debug_level] [-f max_fds] [-i iface] [-r file] [expression] DESCRIPTION tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like tcpdump(4) shows a summary of pack‐ ets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. tcpflow stores all captured data in files that have names of the form 192.168.101.102.02345-010.011.012.013.45103 where the contents of the above file would be data transmitted from host 192.168.101.102 port 2345, to host 10.11.12.13 port 45103. OPTIONS -b Max bytes per flow. Capture no more than max_bytes bytes per flow. Any data captured for a flow beyond max_bytes from the first byte captured will be discarded. The default is to store an unlimited number of bytes per flow. -c Console print. Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s ). -d Debug level. Set the level of debugging messages printed to stderr to debug_level. Higher numbers produce more messages. -d 0 causes completely silent operation. -d 1 , the default, produces minimal status mes‐ sages. -d 10 produces verbose output equivalent to -v . Numbers higher than 10 can produce a large amount of debugging information useful only to developers. -f Max file descriptors used. Limit the number of file descriptors used by tcpflow to max_fds. Higher numbers use more system resources, but usually perform better. If the underlying operating system supports the setrlimit() system call, the OS will be asked to enforce the requested limit. The default is for tcpflow to use the maximum number of file descriptors allowed by the OS. The -v option will report how many file descriptors tcpflow is using. -h Help. Print usage information and exit. -i Interface name. Capture packets from the network interface named iface. If no interface is specified with -i , a reasonable default will be used by libpcap automatically. -p No promiscuous mode. Normally, tcpflow attempts to put the network interface into promiscuous mode before capturing packets. The -p option tells tcpflow not to put the interface into promiscuous mode. Note that it might already be in promiscuous mode for some other reason. -r Read from file. Read packets from file, which was created using the -w option of tcpdump(1). Standard input is used if file is ``-''. Note that for this option to be useful, tcpdump's -s option should be used to set the snaplen to the MTU of the interface (e.g., 1500) while capturing packets. -s Strip non-printables. Convert all non-printable characters to the "." character before printing packets to the console or storing them to a file. -v Verbose operation. Verbosely describe tcpflow's operation. Equivalent to -d 10 .