Tcpflow. Data capture.

  • Tcpflow is a utility that captures data transmitted as part of TCP connections (streams), while maintaining data convenient for protocol analysis and debugging.

    The main difference between tcpflow and other elements is the actual capture of real data and its subsequent output to a file. Then it can be used for other purposes of analysis. Another advantage of this program is the recovery of broken packages, which is important.

    In addition, tcpflow has many filter options:

    We can filter the capture in many different ways. Usually, arp poisoning as a first step is an exception. However, tcpflow captures almost all data without an active count or network.


    Utility Options:

    Syntax: tcpflow [options] [expression] [host]

    -b: max number of bytes per flow to save

    -c: console print only (don't create files)

    -C: console print only, but without the display of source / dest header

    -d: debug level; default is 1

    -e: output each flow in alternating colors (Blue = client to server; Red = server to client; Green = Unknown)

    -f: maximum number of file descriptors to use

    -h: print this help message

    -i: network interface on which to listen

    -p: don't use promiscuous mode

    -r: read packets from tcpdump output file

    -s: strip non-printable characters (change to '.')

    -v: verbose operation equivalent to -d 10

    Options Source:

    Lab 1: The Basics

    This lab demonstrates a basic console logging of data to and from the target computer.

    Here our target IP address is

    In addition, domain / hostnames are acceptable.

    command tcpflow -ce host <your target here>

    Note. If you are using any other interface, be sure to specify -i and the corresponding interface.


    Suppose we need all the HTTP traffic on the network,

    command: tcpflow -ce port 80


    We can also use logical comparisons during capture.

    For example, we want to see all the HTTP & https traffic from & to the host, we issue the following command:

    Command: tcpflow -ce host <your target> and port 80 or port 443.

    Here, the command selects the host “”, performs the operation “and” for the condition: port 80 “or” port 443.

    In particular, HTTP or https traffic from and to the host ( is captured and displayed.

    Remember that HTTP runs on port 80 and https on 443.

    Lab 2: Dump Data to a Local Folder

    This lab demonstrates resetting all data between an object.

    Tcpflow dumps all data into the current working directory (run the command: pwd to find out the current current working directory).

    So, let's create a folder to dump the data, and then do tcpflow.

    Step 1. Create a new directory

    Command: mkdir tcpflowdata <your name here>

    Step 2: moving to a new directory

    Command: cd tcpflowdata <yourname>

    Step 3: do tcpflow

    Command: tcpflow host <your target here>


    You can see all the files that were uploaded to the directory from the host, which we specified as the beginning of the file name.

    The advantage of this tool is that any clear text data, such as HTTP authentication or telnet connection or smb authentication, etc., will be visible to you.

    As soon as you dump all the traffic, you can view it later and analyze it at a later point in time and much more.

    You can upload it to Wireshark or any tool, for example xplico for forensics.

    Try it yourself, run tcpflow and go to any HTTP site (not facebook or twitter), possibly to your local router login page. Give a password and analyze the output of tcpflow.

    If you liked this article, like and subscribe to the group, as for us it is a strong support and motivation to continue to post educational and useful material. See you soon and thank you for your attention!)

  • Performing MITM attacks including ssl certificate

Log in to reply

Login in your account to Start Chat