Saturday, February 2, 2013

Backtrack Forensics: tcpflow

Menu: Forensics -> Network Forensics
Directory: /usr/local/bin/tcpflow
Official Website:
License: GNU GLP v2+

"tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored 'tcpdump' packet flows."

In Backtrack 5 R3 the installed version is 1.2.7, and it has a bug, that will terminate the program as soon as it started, see details here:

So we need to upgrade it:
apt-get install tcpflow
at the time of this writing, the new version is 1.3.0. You can check it with:
tcpflow -V

Let's see an example:
tcpflow -p -i eth0 tcp port http
Here I filter the capture to HTTP ports (80) only, and set the interface not to be in promiscuous mode (-p). I visited "", and it created 6 flows, 3 pairs (1-1 for each direction). It supports the same filtering options as tcpdump.

The flow files actually contains the extracted data from the TCP sessions, so we won't see packet headers, etc...

We can read sessions from a pcap file (-r), specify output directory (-o) other than the default, which is the current, turn on verbose mode (-v), or print the output only to the console (-c) instead of files.
I think it does a pretty good job with extracting content from TCP flows.

The tool can't handle IP fragments, and in that case it happens the reconstruction of a flow will not be correct.

No comments: