tcpflow — A TCP Flow Recorder
tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like tcpdump(4) shows a summary of packets seen on the wire, but usually doesn’t store the data that’s actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. tcpflow understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.
tcpflow stores all captured data in files that have names of the form:
192.168.101.102.02345-010.011.012.013.45103
where the contents of the above file would be data transmitted from host 192.168.101.102 port 2345, to host 10.11.12.13 port 45103.
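As an added example (not part of tcpflow or its documentation), the following Python parser maps a flow file name of this form back to its endpoints and derives the name of the file holding the opposite direction of the same connection; it assumes the zero-padded IPv4 naming shown above, and the function names are its own.

```python
"""Parse tcpflow output file names back into connection endpoints.

Added example, not tcpflow's own code. Assumes the file-name form
"SRCIP.SRCPORT-DSTIP.DSTPORT" with zero-padded dotted-quad IPv4
addresses and five-digit ports, as described above.
"""
import re
from typing import NamedTuple

FLOW_NAME = re.compile(
    r"^(?P<sip>\d{3}(?:\.\d{3}){3})\.(?P<sport>\d{5})"
    r"-(?P<dip>\d{3}(?:\.\d{3}){3})\.(?P<dport>\d{5})$"
)


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _unpad_ip(padded: str) -> str:
    """'010.011.012.013' -> '10.11.12.13'; rejects octets above 255."""
    octets = [int(o) for o in padded.split(".")]
    if any(o > 255 for o in octets):
        raise ValueError(f"invalid octet in {padded}")
    return ".".join(str(o) for o in octets)


def _pad_ip(ip: str) -> str:
    """'10.11.12.13' -> '010.011.012.013' (tcpflow's zero-padded form)."""
    return ".".join(f"{int(o):03d}" for o in ip.split("."))


def parse_flow_name(name: str) -> Flow:
    """Return the endpoints encoded in a tcpflow file name, or raise ValueError."""
    m = FLOW_NAME.match(name)
    if m is None:
        raise ValueError(f"not a tcpflow flow file name: {name!r}")
    sport, dport = int(m["sport"]), int(m["dport"])
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ValueError(f"port out of range in {name!r}")
    return Flow(_unpad_ip(m["sip"]), sport, _unpad_ip(m["dip"]), dport)


def reverse_flow_name(name: str) -> str:
    """File name holding the other direction of the same TCP connection."""
    f = parse_flow_name(name)
    return f"{_pad_ip(f.dst_ip)}.{f.dst_port:05d}-{_pad_ip(f.src_ip)}.{f.src_port:05d}"


if __name__ == "__main__":
    # Constructed sample name, built from the naming scheme shown above.
    print(parse_flow_name("192.168.101.102.02345-010.011.012.013.45103"))
```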
To watch tcpflow's activity live as it stores the data streams of TCP connections, type tcpflow -v on the console.
Other tcpflow options:
To record all packets arriving at or departing from a particular host (e.g. host1):
tcpflow host host1
To record traffic between host1 and either host2 or host3:
tcpflow host host1 and \( host2 or host3 \)
To record traffic between host1 and any host except host3:
tcpflow host host1 and not host3
For more options, see the man page: http://www.circlemud.org/~jelson/software/tcpflow/tcpflow.1.html
Project Website: http://www.circlemud.org/~jelson/software/tcpflow/