From ForensicsWiki
Revision as of 19:41, 13 September 2008 by .FUF (Talk | contribs) (Vulnerabilities)

Maintainer: Jeremy Elson
OS: Linux
Genre: Network forensics
License: GPL

tcpflow is a tool that captures data transmitted as part of TCP connections, and stores the data in a way that is convenient for protocol analysis, keyword searching, etc.


tcpflow stores all captured data in files that have names of the form

where the contents of the above file would be data transmitted from host port 2345, to host port 45103.


  • tcpflow does not understand IP fragments;
  • tcpflow does not understand 802.11 headers.


  • tcpflow uses TCP sequence numbers to size its output files, so reconstructing a session may create 600-megabyte files that are more or less empty.
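A minimal model of the failure mode above, added here as an example and not tcpflow's own code: each payload is written at the offset its sequence number implies, so one segment with a far-ahead sequence number makes the output file huge but nearly empty. The segments are constructed, and the `max_gap` check is an assumed mitigation for illustration, not a tcpflow option.

```python
import os
import tempfile

# Constructed sample (not real capture data): payloads of one direction of a
# TCP stream as (sequence number, payload). The last segment claims a
# sequence number 64 MiB ahead of the data actually seen; the 600 MB case
# described above is the same mechanism with a larger gap.
GAP = 64 * 1024 * 1024
SEGMENTS = [
    (1000, b"GET / HTTP/1.0\r\n"),
    (1016, b"Host: example.test\r\n"),
    (1000 + GAP, b"late\r\n"),
]

def write_flow(segments, path, max_gap=None):
    """Write each payload to `path` at offset (seq - initial_seq).

    Models the behaviour described above: the output file grows to cover
    the highest sequence number seen, however little real data arrived.
    With `max_gap` set, a segment whose offset lies more than `max_gap`
    bytes past the data written so far is skipped and its sequence number
    reported instead (a hypothetical mitigation, not a tcpflow option).
    Returns (apparent file size, bytes actually allocated, skipped seqs).
    """
    initial_seq = segments[0][0]
    written_end = 0
    skipped = []
    with open(path, "wb") as f:
        for seq, payload in segments:
            offset = seq - initial_seq
            if max_gap is not None and offset - written_end > max_gap:
                skipped.append(seq)
                continue
            f.seek(offset)  # seeking past EOF leaves a hole (sparse region)
            f.write(payload)
            written_end = max(written_end, offset + len(payload))
    st = os.stat(path)
    allocated = getattr(st, "st_blocks", 0) * 512  # 0 where unsupported
    return st.st_size, allocated, skipped

def demo(max_gap=None):
    """Run write_flow on the sample in a temporary directory and clean up."""
    with tempfile.TemporaryDirectory() as d:
        return write_flow(SEGMENTS, os.path.join(d, "flow"), max_gap)

if __name__ == "__main__":
    for max_gap in (None, 1024 * 1024):
        size, allocated, skipped = demo(max_gap)
        print(f"max_gap={max_gap}: apparent {size} bytes, "
              f"allocated {allocated} bytes, skipped {skipped}")
```

On a filesystem that supports sparse files the apparent size is 64 MiB plus six bytes while only a few blocks are allocated; with the gap check the file holds just the 36 bytes of real data.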