
Owl River Company


   http://www.owlriver.com/tips/tcpflow-tutorial/

tcpflow tutorial

The tcpflow tool is a powerful one for tracking down where a protocol conversation is falling apart. It is a set of 'training wheels' for tcpdump, which is the grand-daddy of the packet sniffers.

tcpflow has reasonable options 'out of the box', and is freely available, GPL'd software. A copy may be found at our FTP site, here (ftp://ftp.owlriver.com/pub/local/ORC/tcpflow/). As of late 2002, the reference site is: http://www.circlemud.org/~jelson/software/tcpflow

tcpflow allows us to log the two sides of an IP conversation into a pair of files, named so as to show the IPs and ports involved. We can either view the results in real time using 'tail -f' on the files, or study them afterwards. This permits us to document just where the conversation is falling apart, measured against the protocol's RFC.

There are options for increasing levels of detail (debug levels and so on), and an ability to post-process and parse a raw capture from tcpdump. This is possible because tcpdump and tcpflow may be set to passively and silently monitor and capture a raw conversation, without introducing secondary network traffic 'noise' (DNS queries, ARP traffic, and the like, which may affect response times) into the trace.

We will start with a healthy test connection to a POP server. This is a simplified example, where we have not specified a particular 'interface' for tcpflow to listen on, instead relying on the defaults. We have marked each item typed by the tester by following it with a bracketed red CAPITAL letter, which is referenced in the Commentary below.

Hint: If you are using a Unix or Open Source variant, you can also place a hub in-line between the host under test, and the remote server, and sample the packets without disrupting the 'conversation'. We keep a 'road kit' Toshiba Satellite 486/75 with 12 M of RAM and a 400M hard drive ($45 off Ebay), a PC Card NIC, and a slender install of Red Hat 7.1 (takes 283 M) and a utility hub, in the trunk of the car, for just this purpose when travelling to a customer's site.


    [herrold@oldnews herrold]$ host bo.epohi.com                          [ A ]
    bo.epohi.com is an alias for mail.epohi.com.
    mail.epohi.com has address 198.30.168.13
    [herrold@oldnews herrold]$ mkdir bo.epohi.com-trace                   [ B ]
    [herrold@oldnews herrold]$ cd bo.epohi.com-trace                      [ C ]
    [herrold@oldnews bo.epohi.com-trace]$ sudo tcpflow host bo.epohi.com  [ D ]
    Password:
    tcpflow[2233]: listening on eth0                                      [ E ]
    ^C
    tcpflow[2233]: terminating
    [herrold@oldnews bo.epohi.com-trace]$

Listing 1 -- the monitoring console


    [herrold@oldnews herrold]$ telnet bo.epohi.com 110                    [ F ]
    Trying 198.30.168.13...
    Connected to bo.epohi.com.
    Escape character is '^]'.
    +OK POP3 bo.epohi.com v2001.78rh server ready
    user herrold                                                          [ G ]
    +OK User name accepted, password please
    pass clear-text-password-removed                                      [ H ]
    +OK Mailbox open, 0 messages
    list                                                                  [ I ]
    +OK Mailbox scan listing follows
    .
    quit                                                                  [ J ]
    +OK Sayonara
    Connection closed by foreign host.
    [herrold@oldnews herrold]$

Listing 2 -- the conversation from the client side


    [herrold@oldnews herrold]$ cd bo.epohi.com-trace                      [ K ]
    [herrold@oldnews bo.epohi.com-trace]$ ls                              [ L ]
    010.001.002.099.32844-198.030.168.013.00110
    198.030.168.013.00110-010.001.002.099.32844
    [herrold@oldnews bo.epohi.com-trace]$ cat 010.001.002.099.32844-198.030.168.013.00110   [ M ]
    user herrold
    help
    pass clear-text-password-removed
    list
    quit
    [herrold@oldnews bo.epohi.com-trace]$

Listing 3 -- the conversation from the client side, as logged by tcpflow


    [herrold@oldnews bo.epohi.com-trace]$ cat 198.030.168.013.00110-010.001.002.099.32844   [ N ]
    +OK POP3 bo.epohi.com v2001.78rh server ready
    +OK User name accepted, password please
    +OK Mailbox open, 0 messages
    +OK Mailbox scan listing follows
    .
    +OK Sayonara
    [herrold@oldnews bo.epohi.com-trace]$

Listing 4 -- the conversation from the server side, as logged by tcpflow

Commentary

 Reference  Discussion
 A  Look up the IP of the remote host, so we can determine which logfile to examine later in the process
 B  Make a debugging directory, bearing the name of the host under test, to avoid leaving clutter in the home directory
 C  Move into that directory
 D  Using sudo and tcpflow, start the logging process
 E  Once we have authenticated to sudo, tcpflow emits a status message noting that it is listening on a particular interface, and goes to work. We end the process with a ctrl-C.

 F  In a second console, we simulate the dialog which the POP protocol uses to communicate. Absent some efficiency or cryptographic need, almost all IETF RFC protocols use plain old lower-128-character seven-bit ASCII. This makes it possible to readily see what is happening. Here, the remote server responds with the +OK greeting.
 G  Having opened a connection on port 110, we greet the remote server by offering a user value.
 H  The remote server responds with +OK, here indicating a valid user name was (or may have been) offered, and that it awaits a password. We offer a correct password -- changed in our example from the real one used.
 I  The remote server responds with +OK, here indicating a valid user authentication has occurred, and that it awaits a command. We ask it to enumerate any mail presently held by it, with the list command.
 J  Seeing that the server has shown it has no mail, we end the session with the quit command. The server says goodbye and the connection is broken.

 K  We can view the transaction by moving into the logging directory we set up in step "B".
 L  Then we ls the directory. It shows one transcript per direction: the conversation from port "32844" on the local workstation "010.001.002.099" toward port "110" on the remote server "198.030.168.013", and the return conversation from port "110" on the remote server back to port "32844" on the local workstation. Each file name is source address and port, a hyphen, then destination address and port, with the octets and ports zero-padded so the names sort cleanly.
 M  ... and cat the file starting "010.001.002.099" (which is the 'upstream' interface on the workstation the test was conducted from), toward the remote POP server on the POP port, 110.
 N  And of course the reciprocal server-side responses are shown when we cat the file starting "198.030.168.013".

And so, we see a healthy POP exchange.
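The following Python is an added example, not part of the original tutorial or of tcpflow itself: it parses tcpflow's zero-padded SRCIP.SRCPORT-DSTIP.DSTPORT file names, pairs the two one-directional files of a conversation, and redacts the argument of the POP3 PASS command so a client-side transcript like Listing 3 can be kept without the clear-text password it otherwise records. The file names and the sample client stream are constructed from the listings above; the "lower port is the server" rule is an assumption that holds for this POP exchange.

```python
import re
from collections import defaultdict

# tcpflow names each one-directional stream SRCIP.SRCPORT-DSTIP.DSTPORT,
# with three-digit zero-padded octets and five-digit zero-padded ports.
FLOW_NAME = re.compile(
    r"^(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})\.(\d{5})"
    r"-(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})\.(\d{5})$"
)

def parse_flow_name(name):
    """Return (src_ip, src_port, dst_ip, dst_port) with the zero padding
    stripped, or None if the name is not a tcpflow flow file."""
    m = FLOW_NAME.match(name)
    if not m:
        return None
    f = m.groups()
    src_ip = ".".join(str(int(o)) for o in f[0:4])
    dst_ip = ".".join(str(int(o)) for o in f[5:9])
    return src_ip, int(f[4]), dst_ip, int(f[9])

def pair_flows(names):
    """Group the two directions of each TCP conversation.  The key is the
    sorted endpoint pair; the value maps 'to_server' / 'from_server' to the
    file name.  Assumption: the side with the lower port is the server
    (port 110 for POP3 in the tutorial)."""
    conversations = defaultdict(dict)
    for name in names:
        parsed = parse_flow_name(name)
        if parsed is None:
            continue  # e.g. notes or report files living in the trace directory
        src_ip, src_port, dst_ip, dst_port = parsed
        key = tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))
        direction = "to_server" if dst_port < src_port else "from_server"
        conversations[key][direction] = name
    return dict(conversations)

# POP3 commands are case-insensitive; match only the PASS line, and stop
# before CR/LF so the line ending of the transcript is preserved.
POP_PASS = re.compile(r"^(pass[ \t]+)[^\r\n]+", re.IGNORECASE | re.MULTILINE)

def redact_pop_password(client_stream):
    """Replace the PASS argument in a client-side transcript with a marker,
    so the capture can be archived without the clear-text password."""
    return POP_PASS.sub(r"\1<redacted>", client_stream)
```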



We make this available for non-commercial and individual use. Please respect our copyright, and consider contacting us for all your Open Source and *nix design, architect / systems analysis, and administration needs.



See also: tcpdump techniques
rev 020919 RPH

© 2008 Owl River Company. All rights reserved.

Last modified: Sun, 22 Sep 2002 22:31:28 -0400