1108 views, 1 reply

[Help Request][CentOS] tcpflow man page

yueyehan (original poster), posted 2009-05-01
tcpflow

NAME
tcpflow - TCP flow recorder
SYNOPSIS
tcpflow [-chpsv] [-b max_bytes] [-d debug_level] [-f max_fds] [-i iface] [-r file] [expression]
DESCRIPTION

tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like tcpdump(4) shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.

tcpflow stores all captured data in files that have names of the form

192.168.101.102.02345-010.011.012.013.45103

where the contents of the above file would be data transmitted from host 192.168.101.102 port 2345, to host 10.11.12.13 port 45103.
OPTIONS

-b
    Max bytes per flow. Capture no more than max_bytes bytes per flow. Any data captured for a flow beyond max_bytes from the first byte captured will be discarded. The default is to store an unlimited number of bytes per flow.
-c
    Console print. Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s).
-d
    Debug level. Set the level of debugging messages printed to stderr to debug_level. Higher numbers produce more messages. -d 0 causes completely silent operation. -d 1, the default, produces minimal status messages. -d 10 produces verbose output equivalent to -v. Numbers higher than 10 can produce a large amount of debugging information useful only to developers.
-f
    Max file descriptors used. Limit the number of file descriptors used by tcpflow to max_fds. Higher numbers use more system resources, but usually perform better. If the underlying operating system supports the setrlimit() system call, the OS will be asked to enforce the requested limit. The default is for tcpflow to use the maximum number of file descriptors allowed by the OS. The -v option will report how many file descriptors tcpflow is using.
-h
    Help. Print usage information and exit.
-i
    Interface name. Capture packets from the network interface named iface. If no interface is specified with -i, a reasonable default will be used by libpcap automatically.
-p
    No promiscuous mode. Normally, tcpflow attempts to put the network interface into promiscuous mode before capturing packets. The -p option tells tcpflow not to put the interface into promiscuous mode. Note that it might already be in promiscuous mode for some other reason.
-r
    Read from file. Read packets from file, which was created using the -w option of tcpdump(1). Standard input is used if file is ``-''. Note that for this option to be useful, tcpdump's -s option should be used to set the snaplen to the MTU of the interface (e.g., 1500) while capturing packets.
-s
    Strip non-printables. Convert all non-printable characters to the "." character before printing packets to the console or storing them to a file.
-v
    Verbose operation. Verbosely describe tcpflow's operation. Equivalent to -d 10.


FILTERING EXPRESSIONS
The expression specified on the command-line specifies which packets should be captured. Because tcpflow uses the libpcap library, tcpflow has the same powerful filtering language available as programs such as tcpdump(1).

The following part of the man page is excerpted from the tcpdump man page.

expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:

type
    qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. E.g., `host foo', `net 128.3', `port 20'. If there is no type qualifier, host is assumed.
dir
    qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For `null' link layers (i.e. point to point protocols such as slip) the inbound and outbound qualifiers can be used to specify a desired direction.
proto
    qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.

[`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on the specified network interface.'' FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.]

In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.

More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.

Allowable primitives are:

dst host host
    True if the IP destination field of the packet is host, which may be either an address or a name.
src host host
    True if the IP source field of the packet is host.
host host
    True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords, ip, arp, or rarp as in:

    ip host host

    which is equivalent to:

    ether proto \ip and host host

    If host is a name with multiple IP addresses, each address will be checked for a match.
ether dst ehost
    True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for numeric format).
ether src ehost
    True if the ethernet source address is ehost.
ether host ehost
    True if either the ethernet source or destination address is ehost.
gateway host
    True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is

    ether host ehost and not host host

    which can be used with either names or numbers for host / ehost.)
dst net net
    True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(5) for details).
src net net
    True if the IP source address of the packet has a network number of net.
net net
    True if either the IP source or destination address of the packet has a network number of net.
net net mask mask
    True if the IP address matches net with the specific netmask. May be qualified with src or dst.
net net/len
    True if the IP address matches net a netmask len bits wide. May be qualified with src or dst.
dst port port
    True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).
src port port
    True if the packet has a source port value of port.
port port
    True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords, tcp or udp, as in:

    tcp src port port

    which matches only tcp packets whose source port is port.
less length
    True if the packet has a length less than or equal to length. This is equivalent to:

    len <= length

greater length
    True if the packet has a length greater than or equal to length. This is equivalent to:

    len >= length

ip proto protocol
    True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, igrp, udp, nd, or tcp. Note that the identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell.
ether broadcast
    True if the packet is an ethernet broadcast packet. The ether keyword is optional.
ip broadcast
    True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.
ether multicast
    True if the packet is an ethernet multicast packet. The ether keyword is optional. This is shorthand for `ether[0] & 1 != 0'.
ip multicast
    True if the packet is an IP multicast packet.
ether proto protocol
    True if the packet is of ether type protocol. Protocol can be a number or a name like ip, arp, or rarp. Note these identifiers are also keywords and must be escaped via backslash (\). [In the case of FDDI (e.g., `fddi protocol arp'), the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header. Tcpdump assumes, when filtering on the protocol identifier, that all FDDI packets include an LLC header, and that the LLC header is in so-called SNAP format.]
decnet src host
    True if the DECNET source address is host, which may be an address of the form ``10.123'', or a DECNET host name. [DECNET host name support is only available on Ultrix systems that are configured to run DECNET.]
decnet dst host
    True if the DECNET destination address is host.
decnet host host
    True if either the DECNET source or destination address is host.
ip, arp, rarp, decnet
    Abbreviations for:

    ether proto p

    where p is one of the above protocols.
lat, moprc, mopdl
    Abbreviations for:

    ether proto p

    where p is one of the above protocols. Note that tcpdump does not currently know how to parse these protocols.
tcp, udp, icmp
    Abbreviations for:

    ip proto p

    where p is one of the above protocols.
expr relop expr
    True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:

    proto [ expr : size ]

    Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.

    For example, `ether[0] & 1 != 0' catches all multicast traffic. The expression `ip[0] & 0xf != 5' catches all IP packets with options. The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and frag zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

Primitives may be combined using:

    A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped).
    Negation (`!' or `not').
    Concatenation (`&&' or `and').
    Alternation (`||' or `or').

Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit and tokens, not juxtaposition, are now required for concatenation.

If an identifier is given without a keyword, the most recent keyword is assumed. For example,

not host vs and ace

is short for

not host vs and host ace

which should not be confused with

not ( host vs or ace )

Expression arguments can be passed to tcpdump as either a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, it is easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being parsed.
EXAMPLES

The following part of the man page is excerpted from the tcpdump man page.

To record all packets arriving at or departing from sundown:

    tcpflow host sundown

To record traffic between helios and either hot or ace:

    tcpflow host helios and \( hot or ace \)

To record traffic between ace and any host except helios:

    tcpflow host ace and not helios

To record all traffic between local hosts and hosts at Berkeley:

    tcpflow net ucb-ether

To record all ftp traffic through internet gateway snup: (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

    tcpflow 'gateway snup and (port ftp or ftp-data)'


BUGS
Please send bug reports to jelson@circlemud.org.

tcpflow currently does not understand IP fragments. Flows containing IP fragments will not be recorded correctly.

tcpflow never frees state associated with flows that it records, so will grow large if used to capture a very large number of flows (e.g., on the order of 100,000 flows or more).

There appears to be a bug in the way that Linux delivers packets to libpcap when using the loopback interface ("localhost"). When listening to the Linux loopback interface, selective packet filtering is not possible; all TCP flows on the localhost interface will be recorded.

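The flow reconstruction and file naming that the DESCRIPTION and the -b option describe, as an added Python example. This is not part of the original post, the tcpflow man page or the tcpflow source; it models the documented behaviour (one file per direction named src.port-dst.port with zero-padded octets, sequence-number based placement of out-of-order and retransmitted data, a -b style byte cap). The Segment records are constructed test input standing in for decoded packets, and the names Segment, Flow, reassemble and the treatment of holes (zero-filled buffer, stream reported up to the first hole) are this example's own choices, not documented tcpflow behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32 bits wide and wrap around


@dataclass
class Segment:
    """One decoded TCP segment. Constructed test input here, not a parsed frame."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


@dataclass
class Flow:
    """Reassembly state for one direction of one connection (a tcpflow "flow")."""
    isn: int                                              # seq of the first byte captured
    buf: bytearray = field(default_factory=bytearray)     # reassembled bytes; holes are zero
    seen: bytearray = field(default_factory=bytearray)    # 1 where buf[i] was actually received

    def write(self, offset: int, data: bytes) -> None:
        end = offset + len(data)
        if end > len(self.buf):
            self.buf.extend(bytes(end - len(self.buf)))
            self.seen.extend(bytes(end - len(self.seen)))
        self.buf[offset:end] = data                       # retransmits overwrite identical bytes
        self.seen[offset:end] = b"\x01" * len(data)

    def contiguous(self) -> bytes:
        """Stream up to the first hole: a segment missing from the capture truncates it there."""
        hole = self.seen.find(b"\x00")
        return bytes(self.buf if hole < 0 else self.buf[:hole])


def flow_filename(src: str, sport: int, dst: str, dport: int) -> str:
    """tcpflow's zero-padded name, e.g. 192.168.101.102.02345-010.011.012.013.45103."""
    def pad(ip: str) -> str:
        return ".".join(f"{int(octet):03d}" for octet in ip.split("."))
    return f"{pad(src)}.{sport:05d}-{pad(dst)}.{dport:05d}"


def reassemble(segments: List[Segment], max_bytes: Optional[int] = None) -> Dict[str, bytes]:
    """Map each flow's tcpflow file name to its reassembled data.

    max_bytes models -b: data beyond max_bytes from the first byte captured is
    discarded. None is tcpflow's default of no limit.
    """
    flows: Dict[str, Flow] = {}
    for seg in segments:
        if not seg.payload:
            continue                                      # SYN/ACK-only segments carry no stream data
        name = flow_filename(seg.src, seg.sport, seg.dst, seg.dport)
        flow = flows.get(name)
        if flow is None:
            # The first data byte we *see* becomes offset 0, whether or not the SYN was captured.
            flow = flows[name] = Flow(isn=seg.seq)
        offset = (seg.seq - flow.isn) % SEQ_MOD           # modular arithmetic survives wrap
        if offset >= SEQ_MOD // 2:
            continue                                      # data from before the first captured byte
        data = seg.payload
        if max_bytes is not None:
            data = data[: max(0, max_bytes - offset)]
            if not data:
                continue                                  # whole segment lies past the -b cap
        flow.write(offset, data)
    return {name: flow.contiguous() for name, flow in flows.items()}


# Constructed capture: a request split over three segments, delivered out of
# order with one retransmission, and a reply whose sequence numbers wrap past 2**32.
CLIENT, SERVER = ("192.168.101.102", 2345), ("10.11.12.13", 45103)
SAMPLE_SEGMENTS = [
    Segment(*CLIENT, *SERVER, 1000, b"GET / HTTP/1.0\r\n"),         # offsets 0-15
    Segment(*CLIENT, *SERVER, 1031, b"\r\n"),                       # arrives early: offsets 31-32
    Segment(*CLIENT, *SERVER, 1016, b"Host: example\r\n"),          # fills the gap: offsets 16-30
    Segment(*CLIENT, *SERVER, 1000, b"GET / HTTP/1.0\r\n"),         # retransmission, no effect
    Segment(*SERVER, *CLIENT, 0xFFFFFFF8, b"HTTP/1.0"),             # isn 8 bytes below the wrap
    Segment(*SERVER, *CLIENT, 0, b" 200 OK\r\n\r\nhello"),          # seq wrapped to 0: offset 8
]

if __name__ == "__main__":
    for name, data in reassemble(SAMPLE_SEGMENTS).items():
        print(name, data)
```

Running it prints one line per direction, keyed by the file name tcpflow would use; passing max_bytes=20 to reassemble shows the -b truncation from the first captured byte rather than from the start of the connection.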
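The packet data accessor `proto [ expr : size ]` from the FILTERING EXPRESSIONS section, and the three example expressions given there, as an added Python example. This is not code from the original post, from tcpdump or from libpcap; it re-implements the documented semantics (offset relative to the named layer, size 1/2/4, and the fragment check `ip[6:2] & 0x1fff = 0` applied implicitly to tcp and udp accessors) so the reader can see why tcp[2:2] on a later fragment does not match. The frames are constructed with build_frame (checksums zero), and the names build_frame, Accessor and the four predicate functions are this example's own.

```python
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_frame(dst_mac: bytes, src_mac: bytes, sport: int, dport: int, ip_options: bytes = b"",
                frag_offset: int = 0, more_fragments: bool = False, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for this example; checksums are left zero.

    A 'later fragment' is modelled only by its fragment-offset field: the bytes after
    the IP header are still laid out like a TCP header, so the accessor has something
    it must refuse to interpret."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    frag_field = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 0x1234, frag_field,
                     64, IPPROTO_TCP, 0, bytes([192, 168, 101, 102]), bytes([10, 11, 12, 13]))
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip + ip_options + tcp


class Accessor:
    """proto[expr:size] as the filter language defines it: expr is a byte offset
    relative to the named layer, size is 1, 2 or 4, values are big-endian.
    For tcp/udp the check `ip[6:2] & 0x1fff = 0` is applied implicitly, so on a
    non-first fragment tcp[...] can never match (returned as None here)."""

    def __init__(self, frame: bytes) -> None:
        self.frame = frame
        self.base = {"ether": 0, "ip": None, "tcp": None, "udp": None}
        if struct.unpack_from("!H", frame, 12)[0] == ETH_P_IP:
            ip = self.base["ip"] = 14
            ihl = (frame[ip] & 0x0F) * 4                  # header length, options included
            proto = frame[ip + 9]
            frag = struct.unpack_from("!H", frame, ip + 6)[0] & 0x1FFF
            if frag == 0:                                 # only frag zero carries the transport header
                if proto == IPPROTO_TCP:
                    self.base["tcp"] = ip + ihl
                elif proto == IPPROTO_UDP:
                    self.base["udp"] = ip + ihl

    def __call__(self, proto: str, offset: int, size: int = 1):
        if size not in (1, 2, 4):
            raise ValueError("size must be 1, 2 or 4")
        base = self.base[proto]
        if base is None:                                  # layer absent, or tcp/udp on a later fragment
            return None
        start = base + offset
        if start + size > len(self.frame):                # out-of-range accessor: the primitive is false
            return None
        return int.from_bytes(self.frame[start:start + size], "big")


# The three example expressions from the man page, plus a port test that
# depends on the implicit fragment check.
def ether_multicast(frame: bytes) -> bool:      # `ether[0] & 1 != 0`
    v = Accessor(frame)("ether", 0)
    return v is not None and v & 1 != 0

def ip_has_options(frame: bytes) -> bool:       # `ip[0] & 0xf != 5`
    v = Accessor(frame)("ip", 0)
    return v is not None and v & 0xF != 5

def ip_first_fragment(frame: bytes) -> bool:    # `ip[6:2] & 0x1fff = 0`
    v = Accessor(frame)("ip", 6, 2)
    return v is not None and v & 0x1FFF == 0

def tcp_dst_port(frame: bytes):                 # `tcp[2:2]`; None when the implicit check fails
    return Accessor(frame)("tcp", 2, 2)


# Constructed sample frames.
SRC_MAC, UNICAST_MAC, BCAST_MAC = bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455"), b"\xff" * 6
PLAIN = build_frame(UNICAST_MAC, SRC_MAC, 2345, 45103)
BCAST = build_frame(BCAST_MAC, SRC_MAC, 2345, 45103)
WITH_OPTS = build_frame(UNICAST_MAC, SRC_MAC, 2345, 45103, ip_options=b"\x94\x04\x00\x00")  # Router Alert
LATER_FRAG = build_frame(UNICAST_MAC, SRC_MAC, 2345, 45103, frag_offset=185)

if __name__ == "__main__":
    for label, f in [("plain", PLAIN), ("bcast", BCAST), ("opts", WITH_OPTS), ("frag", LATER_FRAG)]:
        print(label, ether_multicast(f), ip_has_options(f), ip_first_fragment(f), tcp_dst_port(f))
```

The WITH_OPTS frame is the reason tcp[...] offsets are taken relative to the transport layer rather than to a fixed byte in the frame: with a 24-byte IP header the destination port sits four bytes later, and only the IHL-aware base finds it. The LATER_FRAG frame carries port-like bytes at that position, but the accessor returns None because the datagram is not frag zero, which is the behaviour the man page describes for tcp[0].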
eddyc, posted 2010-04-13
Re: [CentOS]
tcpflow, a tcpdump-like packet capture and analysis tool