{"id":13490750,"url":"https://github.com/simsong/tcpflow","last_synced_at":"2025-05-14T20:05:42.342Z","repository":{"id":2882766,"uuid":"3889407","full_name":"simsong/tcpflow","owner":"simsong","description":"TCP/IP packet demultiplexer. Download from:","archived":false,"fork":false,"pushed_at":"2024-09-19T01:40:48.000Z","size":52020,"stargazers_count":1680,"open_issues_count":71,"forks_count":237,"subscribers_count":79,"default_branch":"master","last_synced_at":"2024-10-29T15:00:03.133Z","etag":null,"topics":["digital-forensics","forensics","tcp-protocol","tcpip"],"latest_commit_sha":null,"homepage":"http://downloads.digitalcorpora.org/downloads/tcpflow/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/simsong.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2012-04-01T00:44:11.000Z","updated_at":"2024-10-18T20:49:00.000Z","dependencies_parsed_at":"2024-01-05T20:45:53.196Z","dependency_job_id":"5e6e5176-358d-4180-95f1-aa2b84dc7108","html_url":"https://github.com/simsong/tcpflow","commit_stats":{"total_commits":680,"total_committers":58,"mean_commits":"11.724137931034482","dds":"0.41764705882352937","last_synced_commit":"b1479db14b1604e00d35c2d39566c54e8b1785d0"},"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simsong%2Ftcpflow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simsong%2Ftcpflow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/simsong%2Ftcpflow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simsong%2Ftcpflow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/simsong","download_url":"https://codeload.github.com/simsong/tcpflow/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248202683,"owners_count":21064403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["digital-forensics","forensics","tcp-protocol","tcpip"],"created_at":"2024-07-31T19:00:50.634Z","updated_at":"2025-04-10T10:49:52.015Z","avatar_url":"https://github.com/simsong.png","language":"C++","readme":"TCPFLOW 1.5.0\n=============\nDownloads directory: http://digitalcorpora.org/downloads/tcpflow/\n\nInstallation\n------------\n\nMost common GNU/Linux distributions ship tcpflow in their repositories. So on Debian/Ubuntu/etc you can say\n\n    sudo apt-get install tcpflow\n\nand on Fedora/RedHat/CentOS/etc you can say\n\n    sudo dnf install tcpflow\n\nAnd that's it. If this isn't good enough for whatever reason, you can build from source:\n\nBuilding from source\n--------------------\n\nTo compile for Linux:\n\nBe sure you have the necessary prerequisites. 
There are files in the root directory that will install them for you, depending on your host operating system:\n\nCONFIGURE_ARCH_17_8.sh\nCONFIGURE_FEDORA_18.sh\nCONFIGURE_FEDORA_26.sh\nCONFIGURE_UBUNTU_16_04.sh\n\nDepending on your OS, just:\n\n    # sudo bash CONFIGURE_\u003cYOUROS\u003e.sh\n\nOnce you have configured your OS, compile and install with:\n\n    ./configure\n    make\n    sudo make install\n\nIf you want to download the development tree with git, be sure to do a *complete* checkout with `--recursive` (the tree includes submodules) and then run `bootstrap.sh`, `configure` and `make`:\n\n    git clone --recursive https://github.com/simsong/tcpflow.git\n    cd tcpflow\n    bash bootstrap.sh\n    ./configure\n    make\n    sudo make install\n\n\nTo download and compile for Amazon AMI (the same bootstrap/configure/make sequence as above, after installing the build dependencies with yum):\n\n    ssh ec2-user@\u003cyour ec2 instance\u003e\n    sudo yum -y install git make gcc-c++ automake autoconf boost-devel cairo-devel libpcap-devel openssl-devel zlib-devel\n    git clone --recursive https://github.com/simsong/tcpflow.git\n    cd tcpflow\n    sh bootstrap.sh\n    ./configure\n    make\n\n\nTo compile for Windows with mingw on Fedora Core:\n\n    yum -y install mingw64-gcc mingw64-gcc-c++ mingw64-boost mingw64-cairo mingw64-zlib\n    mingw64-configure\n    make\n\nTo use CMake, see the detailed instructions in [cmake/README.md](./cmake/README.md)\n\nBuild RPM\n---------\n\nFrom a clean repository as a normal user (not root):\n\n    ./bootstrap.sh     # Generates the file ./configure\n    ./configure        # Generates the file tcpflow.spec\n    rpmbuild -bb tcpflow.spec --build-in-place\n\nCheck the specfile and the resulting RPM:\n\n    rpmlint tcpflow.spec\n    rpmlint ~/rpmbuild/RPMS/x86_64/tcpflow-....rpm\n\nInstall:\n\n    sudo dnf install ~/rpmbuild/RPMS/x86_64/tcpflow-....rpm\n\n\nIntroduction To tcpflow\n=======================\n\ntcpflow is a program that captures data transmitted as part of TCP\nconnections (flows), and stores the data in a way that is convenient\nfor protocol analysis and debugging.  
Each TCP flow is stored in its\nown file. Thus, the typical TCP connection will be stored in two files, one\nfor each direction. tcpflow can also process stored packet captures\n(pcap files as written by 'tcpdump').\n\ntcpflow stores all captured data in files that have names of the form:\n\n       [timestampT]sourceip.sourceport-destip.destport[--VLAN][cNNNN]\n\nwhere:\n  timestamp is an optional Unix timestamp (seconds since the epoch) of the time that the first packet was seen\n  T is a delimiter that indicates a timestamp was provided\n  sourceip is the source IP address\n  sourceport is the source port\n  destip is the destination IP address\n  destport is the destination port\n  VLAN is the VLAN ID\n  c is a delimiter indicating that multiple connections are present\n  NNNN is a connection counter, used when there are multiple connections with\n      the same [time]/sourceip/sourceport/destip/destport combination.\n      Note that connection counting rarely happens when timestamp prefixing is performed.\n\nAddresses and ports are zero-padded to a fixed width, as in the examples below, so that filenames sort and align.\n\nHere are some examples:\n\n       128.129.130.131.02345-010.011.012.013.45103\n\n  The contents of the above file would be data transmitted from\n  host 128.129.130.131 port 2345, to host 10.11.12.13 port 45103.\n\n       128.129.130.131.02345-010.011.012.013.45103c0005\n\n  The sixth connection (counter values start at 0000) from 128.129.130.131 port 2345, to host 10.11.12.13 port 45103.\n\n       1325542703T128.129.130.131.02345-010.011.012.013.45103\n\n  A connection from 128.129.130.131 port 2345, to host 10.11.12.13 port 45103, that started\n  at 5:18pm (-0500) on January 2, 2012 (Unix time 1325542703).\n\n       128.129.130.131.02345-010.011.012.013.45103--3\n\n  A connection from 128.129.130.131 port 2345, to host 10.11.12.13\n  port 45103 that was seen on VLAN 3.\n\n\nYou can change the template that is used to create filenames with the\n-F and -T options.  
If a directory appears in the template, the directory will be created automatically.\n\nIf you use the -a option, tcpflow will automatically interpret HTTP responses and post-process each server-to-client stream.\n\n       If the output file is\n          208.111.153.175.00080-192.168.001.064.37314,\n\n       then the post-processing will create the files:\n          208.111.153.175.00080-192.168.001.064.37314-HTTP\n          208.111.153.175.00080-192.168.001.064.37314-HTTPBODY\n\n       If the HTTPBODY was compressed with GZIP, you may get a\n       third file as well:\n\n          208.111.153.175.00080-192.168.001.064.37314-HTTPBODY-GZIP\n\n       Additional information about these streams, such as their MD5\n       hash value, is also written to the DFXML report (see below).\n\n       Note that -a parses and decompresses content that came off the\n       wire. When processing captures from untrusted networks, treat it\n       like any other parser of attacker-controlled input and run it on\n       an isolated analysis host rather than a production system.\n\n\ntcpflow is similar to 'tcpdump', in that both process packets from the\nwire or from a stored file. But it's different in that it reconstructs\nthe actual data streams and stores each flow in a separate file for\nlater analysis.\n\ntcpflow understands sequence numbers and will correctly reconstruct\ndata streams regardless of retransmissions or out-of-order\ndelivery. However, tcpflow currently does not understand IP fragments; flows\ncontaining IP fragments will not be recorded properly.\n\ntcpflow can output a summary report file in DFXML format. This file\nincludes information about the system on which the tcpflow program was\ncompiled, where it was run, and every TCP flow, including source and\ndestination IP addresses and ports, number of bytes, number of\npackets, and (optionally) the MD5 hash of every bytestream. MD5 is\nadequate for matching flow files to the report and for de-duplication,\nbut it is not collision-resistant; where a digest must withstand\ndeliberate tampering, record a stronger hash alongside it.\n\ntcpflow uses the LBL Packet Capture Library, libpcap (originally at\nftp://ftp.ee.lbl.gov/libpcap.tar.Z, now maintained at https://www.tcpdump.org/),\nand therefore supports the same rich filtering expressions that programs\nlike 'tcpdump' support. It should compile under most popular versions\nof UNIX; see the INSTALL file for details.\n\nWhat use is it?\n---------------\n\ntcpflow is a useful tool for understanding network packet flows and\nperforming network forensics. 
Unlike programs such as Wireshark, which\nshow lots of packets or a single TCP connection, tcpflow can show\nhundreds, thousands, or hundreds of thousands of TCP connections in\ncontext.\n\nA common use of tcpflow is to reveal the contents of HTTP\nsessions. Using tcpflow you can reconstruct web pages downloaded over\nHTTP. You can even extract malware delivered as 'drive-by downloads.'\nTreat files recovered this way as live malware and handle them on an\nisolated analysis host.\n\nJeremy Elson originally wrote this program to capture the data being\nsent by various programs that use undocumented network protocols in an\nattempt to reverse engineer those protocols.  RealPlayer (and most\nother streaming media players), ICQ, and AOL IM are good examples of\nthis type of application.  It was later used for HTTP protocol\nanalysis.\n\nSimson Garfinkel founded Sandstorm Enterprises in 1998. Sandstorm\ncreated a program similar to tcpflow called TCPDEMUX and another\nversion of the program called NetIntercept. Those programs are\ncommercial. After Simson left Sandstorm he needed a TCP flow\nreassembly program. He found tcpflow and took over its maintenance.\n\nBugs\n----\n\nPlease enter bugs on the [github issue tracker](https://github.com/simsong/tcpflow/issues?state=open)\n\ntcpflow currently does not understand IP fragments.  Flows containing\nIP fragments will not be recorded correctly. IP fragmentation is\nincreasingly a rare event in normal traffic, so this does not seem to be a\nsignificant problem. Keep in mind, however, that deliberate fragmentation\nis a long-standing evasion technique against reassembly-based tools, so a\nflow that is missing or truncated in tcpflow's output is not evidence that\nno data was sent.\n\nRECOMMENDED CITATION\n====================\nIf you are writing an article about tcpflow, please cite our technical report:\n* Passive TCP Reconstruction and Forensic Analysis with tcpflow, Simson Garfinkel and Michael Shick, Naval Postgraduate School Technical Report NPS-CS-13-003, September 2013. https://calhoun.nps.edu/handle/10945/36026\n\nMAINTAINER\n==========\nSimson L. Garfinkel \u003csimsong@acm.org\u003e\n\nTCPFLOW 1.6 STATUS REPORT\n=========================\nI continue to port bulk_extractor, tcpflow, be13_api and dfxml to modern C++. 
After surveying the standards I’ve decided to go with C++17 and not C++14, as support for 17 is now widespread. (I probably don’t need 20). I am sticking with autotools, although there seems to be a strong reason to move to CMake. I am keeping be13_api and dfxml as modules that are included, python-style, rather than making them stand-alone libraries that are linked against. I’m not 100% sure that’s the correct decision, though.\n\nThe project is taking longer than anticipated because I am also doing a general code refactoring. The main thing that is taking time is figuring out how to detangle all of the C++ objects having to do with parser options and configuration.\n\nGiven that tcpflow and bulk_extractor both use be13_api, my attention has shifted to using tcpflow to get be13_api operational, as it is a simpler program. I’m about three quarters of the way through now. I anticipate having something finished before the end of 2020.\n\n--- Simson Garfinkel, October 18, 2020\n\nACKNOWLEDGEMENTS\n================\nThanks to:\n* Jeffrey Pang, for the radiotap implementation\n* Doug Madory, for the Wifi parser\n* Jeremy Elson, for the original idea and initial tcp/ip implementation\n","funding_links":[],"categories":["Network","C++","Browsing/sniffing \u0026\u0026 traffic interception \u0026\u0026 traffic analysis \u0026\u0026 man-in-the-middle","Multiplexer","C++ (225)"],"sub_categories":["Full Packet Capture / Forensic","Uncategorized-Network","Protocol Analyzers / Sniffers"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimsong%2Ftcpflow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsimsong%2Ftcpflow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimsong%2Ftcpflow/lists"}
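The README's filename template ([timestampT]sourceip.sourceport-destip.destport[--VLAN][cNNNN], with the -HTTP, -HTTPBODY and -HTTPBODY-GZIP suffixes that -a appends) and its note that each connection yields one file per direction make tcpflow output easy to process mechanically. The following is an added example, not part of tcpflow or its README: it parses the default template with Python, pairs the two direction files of each connection, and records an MD5 for each file so it can be compared with the digests in the DFXML report. It assumes the default template (no -F/-T customization), IPv4 addresses, and the constructed sample files embedded at the bottom.

```python
"""Parse tcpflow output filenames, pair flow directions, hash each file.

Added example (not tcpflow's own code). Handles the README's default
template  [timestampT]sourceip.sourceport-destip.destport[--VLAN][cNNNN]
plus the -HTTP / -HTTPBODY / -HTTPBODY-GZIP suffixes created by -a.
Assumes IPv4 and the default template; the sample files are constructed.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

_OCTETS = r"\d{3}\.\d{3}\.\d{3}\.\d{3}"          # tcpflow zero-pads each octet
_FLOW_RE = re.compile(
    r"^(?:(?P<ts>\d+)T)?"                         # optional epoch seconds + 'T'
    rf"(?P<src>{_OCTETS})\.(?P<sport>\d{{5}})"    # source ip . zero-padded port
    rf"-(?P<dst>{_OCTETS})\.(?P<dport>\d{{5}})"   # dest ip . zero-padded port
    r"(?:--(?P<vlan>\d+))?"                       # optional VLAN id
    r"(?:c(?P<conn>\d+))?"                        # optional connection counter
    r"(?P<suffix>-HTTP(?:BODY(?:-GZIP)?)?)?$"     # optional -a derived-file suffix
)


def _unpad(ip):
    """'010.011.012.013' -> '10.11.12.13' without ipaddress (it rejects leading zeros)."""
    return ".".join(str(int(o)) for o in ip.split("."))


def parse_flow_filename(name):
    """Return the fields of one tcpflow filename, or None if it is not one."""
    m = _FLOW_RE.match(os.path.basename(name))
    if not m:
        return None
    g = m.groupdict()
    return {
        "timestamp": int(g["ts"]) if g["ts"] else None,
        "src": _unpad(g["src"]), "sport": int(g["sport"]),
        "dst": _unpad(g["dst"]), "dport": int(g["dport"]),
        "vlan": int(g["vlan"]) if g["vlan"] else None,
        "connection": int(g["conn"]) if g["conn"] else None,
        "suffix": g["suffix"] or "",
    }


def conversation_key(flow):
    """Direction-independent key: a.b-c.d and c.d-a.b map to the same tuple."""
    ends = sorted([(flow["src"], flow["sport"]), (flow["dst"], flow["dport"])])
    return (flow["timestamp"], flow["vlan"], flow["connection"], ends[0], ends[1])


def group_conversations(names):
    """Group raw stream files (not the -HTTP* derived files) by connection."""
    groups = defaultdict(list)
    for n in names:
        f = parse_flow_filename(n)
        if f and not f["suffix"]:
            groups[conversation_key(f)].append(n)
    return dict(groups)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def md5_of(path):
    """MD5 of a file, read in chunks so large flow files are not slurped."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_conversations(outdir):
    """Walk a tcpflow output directory -> {conversation key: {filename: md5}}."""
    groups = group_conversations(os.listdir(outdir))
    return {k: {n: md5_of(os.path.join(outdir, n)) for n in v} for k, v in groups.items()}


# Constructed sample: both directions of one HTTP exchange plus one -a derived file.
SAMPLE_FILES = {
    "192.168.001.064.37314-208.111.153.175.00080": b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "208.111.153.175.00080-192.168.001.064.37314": b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok",
    "208.111.153.175.00080-192.168.001.064.37314-HTTP": b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\n",
}


def demo():
    """Write the sample files to a temp directory and hash them by conversation."""
    with tempfile.TemporaryDirectory() as d:
        for n, data in SAMPLE_FILES.items():
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(data)
        return hash_conversations(d)


if __name__ == "__main__":
    for key, files in demo().items():
        print(key)
        for n, digest in files.items():
            print("   ", n, digest)
```

Point the script at a real tcpflow output directory via hash_conversations() to pair each client-to-server file with its server-to-client counterpart; the per-file digests are what you would compare against the MD5 values in the DFXML report to confirm the files on disk are the ones the run produced.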
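What the -a option does to a server-to-client stream can be shown on a constructed response. The example below is added here and is not tcpflow's implementation: it splits the first HTTP response in a reconstructed flow into the header part and body part that the -HTTP and -HTTPBODY files hold, and inflates a gzip-encoded body (the -HTTPBODY-GZIP case), returning None for the decoded body when the gzip member is truncated rather than raising. It assumes a single response per stream with a Content-Length (or none, in which case the body runs to the end of the flow); chunked transfer coding is out of scope.

```python
"""Split a reconstructed server->client HTTP stream the way -a post-processing does.

Added example, not tcpflow's own code. Input is the bytes of one
server-to-client flow file; output is (headers, raw_body, decoded_body).
Assumes one response per stream and Content-Length framing; chunked
transfer coding is not handled. Sample data below is constructed.
"""
import gzip
import re
import zlib


def split_http_response(stream):
    """Return (headers, raw_body, decoded_body) for the first response in stream.

    headers      - status line and header block, up to and including CRLFCRLF
    raw_body     - the body bytes as they were on the wire
    decoded_body - gunzipped body when Content-Encoding is gzip, else raw_body;
                   None if the gzip data is truncated or corrupt
    Returns None when the stream does not start with an HTTP status line
    (for example a client-to-server file) or the header block never ends.
    """
    if not re.match(rb"HTTP/\d\.\d \d{3}", stream):
        return None
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return None                              # truncated inside the headers
    headers, rest = stream[:end + 4], stream[end + 4:]

    fields = {}
    for line in headers.split(b"\r\n")[1:]:      # skip the status line
        if b":" in line:
            k, v = line.split(b":", 1)
            fields[k.strip().lower()] = v.strip()

    body = rest                                  # no Content-Length: body runs to EOF
    try:
        body = rest[:int(fields[b"content-length"])]
    except (KeyError, ValueError):
        pass

    decoded = body
    if fields.get(b"content-encoding", b"").lower() == b"gzip":
        try:
            decoded = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):  # BadGzipFile, short read, bad deflate
            decoded = None
    return headers, body, decoded


# Constructed sample: a gzip-encoded HTML response as it would appear in a
# server->client flow file such as 208.111.153.175.00080-192.168.001.064.37314
PAGE = b"<html><body>constructed sample page</body></html>"
GZ_BODY = gzip.compress(PAGE)
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: " + str(len(GZ_BODY)).encode() + b"\r\n"
    b"\r\n"
) + GZ_BODY


def demo():
    """Split the complete sample response."""
    return split_http_response(SAMPLE_STREAM)


def demo_truncated():
    """Split the same response with the last 5 bytes missing (cut gzip trailer)."""
    return split_http_response(SAMPLE_STREAM[:-5])


if __name__ == "__main__":
    headers, body, decoded = demo()
    print(headers.decode(errors="replace"))
    print("wire body:", len(body), "bytes; decoded:", decoded)
    print("truncated decoded:", demo_truncated()[2])
```

The truncated case matters in practice: a flow captured mid-transfer or cut by packet loss yields an incomplete gzip member, and a post-processor that raises on it would lose the header and raw body files that are still usable.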