Published on 2012-09-04 by John Collins.
Network trace tools like Wireshark are amazing for debugging request/response cycles between your clients and your web servers, allowing you to inspect each request and response in detail. However, in a production environment you will usually not have a windowing environment in which to run Wireshark; instead you will just have a command line interface. You can use tcpdump (which comes with most versions of Linux by default) to generate a .pcap file that you can then inspect offline with Wireshark on a machine that does have a windowing environment installed, but this process is not real-time and is a little cumbersome.
The tcpflow tool is usually not installed by default, but it should be available in most Linux repositories for easy installation. For example, on CentOS/RHEL/Fedora, the following command will install it for you:
root$ yum install tcpflow
If it is not available in a repository you have configured, you can download an .rpm file from here:
http://pkgs.repoforge.org/tcpflow/
For example, to install it on 64-bit CentOS 6 (note that --nogpgcheck skips the GPG signature check on the package):
root$ yum install --nogpgcheck http://pkgs.repoforge.org/tcpflow/tcpflow-0.21-1.2.el6.rf.x86_64.rpm
Once installed, you can run the following command to get a live trace tailed to your command line, replacing the list of HTTP verbs to suit your needs:
root$ tcpflow -p -c -i eth0 port 80 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'
If your network card is not named eth0, place the correct name after the -i flag instead.
Sample output:
root$ tcpflow -p -c -i eth0 port 80 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'
tcpflow[31437]: listening on eth0
GET / HTTP/1.1
Host: www.techleader.pro
GET //alpha/css/alpha.css HTTP/1.1
Host: www.techleader.pro
GET //config/css/overrides.css HTTP/1.1
Host: www.techleader.pro
GET /lib/luminous/style/luminous.css HTTP/1.1
Host: www.techleader.pro
GET /lib/luminous/style/luminous_light.css HTTP/1.1
Host: www.techleader.pro
GET //alpha/lib/jquery/jquery-1.5.1.min.js HTTP/1.1
Host: www.techleader.pro
GET /images/bookshelf.png HTTP/1.1
Host: www.techleader.pro
GET /alpha/images/icons/feed.png HTTP/1.1
Host: www.techleader.pro
GET /alpha/images/icons/twitter.png HTTP/1.1
Host: www.techleader.pro
GET /alpha/images/icons/page_go.png HTTP/1.1
Host: www.techleader.pro
GET /favicon.ico HTTP/1.1
Host: www.techleader.pro
GET /search/q/digest HTTP/1.1
Host: www.techleader.pro
GET /search/q/test HTTP/1.1
Host: www.techleader.pro
...
Once you are finished with the trace, press ctrl-c to exit.
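The grep output above puts each request line and its Host header on separate lines, which is hard to scan or count on a busy server. The following is an added example, not part of the original post: shell functions (the names pair_requests, summarize_requests and sample_trace are hypothetical) that join each request with its Host header into one tab-separated record and count repeats. The sample input is constructed.

```shell
#!/bin/sh
# Added example. Reads the request-line / Host-line output of the pipeline
# above on stdin and prints one tab-separated record per request:
#   METHOD <TAB> host <TAB> path
# Live use (assumes GNU grep; --line-buffered stops grep holding lines back
# when its output is a pipe rather than a terminal):
#   tcpflow -p -c -i eth0 port 80 \
#     | grep --line-buffered -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*' \
#     | pair_requests
pair_requests() {
    awk '
    BEGIN { OFS = "\t" }
    { sub(/\r$/, "") }    # "Host: .*" also captures the CR of the CRLF
    /^(GET|POST|HEAD) .* HTTP\/1\.[01]$/ {
        if (pending) print method, "-", path   # previous request had no Host
        method = $1
        # Path = text between the method and the 9-character " HTTP/1.x"
        path = substr($0, length($1) + 2, length($0) - length($1) - 10)
        pending = 1
        next
    }
    /^Host: / {
        if (pending) { print method, substr($0, 7), path; pending = 0 }
        next
    }
    END { if (pending) print method, "-", path }
    '
}

# For a finished capture (sort needs end of input): most frequent first.
summarize_requests() {
    pair_requests | sort | uniq -c | sort -rn
}

# Constructed sample of the grep output: Host lines keep the CR from the
# wire, and the last request is HTTP/1.0 with no Host header at all.
sample_trace() {
    printf 'GET / HTTP/1.1\nHost: www.techleader.pro\r\n'
    printf 'GET /search/q/test HTTP/1.1\nHost: www.techleader.pro\r\n'
    printf 'GET /search/q/test HTTP/1.1\nHost: www.techleader.pro\r\n'
    printf 'HEAD /favicon.ico HTTP/1.0\n'
}
```

Running sample_trace | summarize_requests shows the repeated /search/q/test request at the top with a count of 2; a "-" in the host column marks a request that arrived without a Host header.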
Updated 2022: note that the above post was originally published in 2012, but is left here for archival purposes. The steps above have not been tested recently, so they may be outdated.