Running a network trace on the command line using tcpflow

 
Published on 2012-09-04 by John Collins.

Network trace tools like Wireshark are amazing for debugging request/response cycles between your clients and your web servers, allowing you to inspect each request and response in detail. However, usually in a production environment you will not have a window environment to run Wireshark, instead you will just have a command line interface. You can use tcpdump (which comes with most versions of Linux by default) to generate a .pcap file that you can then inspect offline with Wireshark on a machine that does have a window environment installed on, however this process is not real-time and is a little cumbersome.

The tcpflow tool is usually not installed by default, however it should be available in most Linux repositories for easy install. For example on CentOS/RHEL/Fedora, the following command will install it for you:

root$ yum install tcpflow

If it is not available in a repository you have configured, you can download an .rpn file from here:

http://pkgs.repoforge.org/tcpflow/

For example to install it on 64bit CentOS 6:

root$ yum install --nogpgcheck http://pkgs.repoforge.org/tcpflow/tcpflow-0.21-1.2.el6.rf.x86_64.rpm

Once installed, you can then run the following command to get a live trace tailed to your command line, replacing the list of HTTP verns to suit your needs:

root$ tcpflow -p -c -i eth0 port 80 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'

You will also need to ensure that if your network card is not named eth0, then place the correct name after the -i flag instead.

Sample output:

root$ tcpflow -p -c -i eth0 port 80 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'
tcpflow[31437]: listening on eth0
GET / HTTP/1.1
Host: www.techleader.pro
GET //alpha/css/alpha.css HTTP/1.1
Host: www.techleader.pro
GET //config/css/overrides.css HTTP/1.1
Host: www.techleader.pro
GET /lib/luminous/style/luminous.css HTTP/1.1
Host: www.techleader.pro
GET /lib/luminous/style/luminous_light.css HTTP/1.1
Host: www.techleader.pro
GET //alpha/lib/jquery/jquery-1.5.1.min.js HTTP/1.1
Host: www.techleader.pro
GET /images/bookshelf.png HTTP/1.1
Host: www.techleader.pro
GET /alpha/images/icons/feed.png HTTP/1.1
Host: www.techleader.pro
GET /alpha/images/icons/twitter.png HTTP/1.1
Host: www.techleader.pro
GET /alpha/images/icons/page_go.png HTTP/1.1
Host: www.techleader.pro
GET /favicon.ico HTTP/1.1
Host: www.techleader.pro
GET /search/q/digest HTTP/1.1
Host: www.techleader.pro
GET /search/q/test HTTP/1.1
Host: www.techleader.pro
...

Once you are finished with the trace, press ctrl-c to exit.


Updated 2022 : note that the above post was originally published in 2012, but is left here for archival purposes. The steps above have not been tested recently, so may be outdated.