tcpflow

This is just a quick little post on tcpflow.

I’ve been using graphite as a a graphing solution for system statistics. I’ve also been using carbon-relay-ng to relay packets from different OpenStack projects to a central graphite server.

However, I’ve been having an issue (and am still having an issue actually) with concatenated packets arriving at the graphite server, despite the fact that the clients aren’t sending them.

In order to troubleshoot this I eventually started running tcpflow because it gave me cleaner output than tcpdump did…at least by default anyways. I’m sure that tcpdump can give me pretty much any output I need, but I liked the symplicity of tcpflow, for example:

[root@stats ~]# tcpflow -c port 2003
tcpflow[11791]: listening on eth0
010.000.000.001.39216-010.000.000.006.02003: debbuild.cputotals.user 0 1360364000
010.000.000.001.39216-010.000.000.006.02003: debbuild.cputotals.nice 0 1360364000
010.000.000.001.39216-010.000.000.006.02003: debbuild.cputotals.sys 0 1360364000
010.000.000.001.39216-010.000.000.006.02003: debbuild.cputotals.wait 0 1360364000
010.000.000.001.39216-010.000.000.006.02003: debbuild.cputotals.idle 99 1360364000
010.000.000.001.39216-010.000.000.006.02003: debbuild.cputotals.irq 0 1360364000
010.000.000.001.39216-010.000.000.006.02003: debbuild.cputotals.soft 0 1360364000
010.000.000.001.39216-010.000.000.006.02003: debbuild.cputotals.steal 0 1360364000
SNIP!

vs.

[root@stats ~]# tcpdump -nnvvXSs 1514 -i eth0 port 2003
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
22:59:32.650673 IP (tos 0x0, ttl 64, id 41032, offset 0, flags [DF], 
proto TCP (6), length 103)
    10.0.0.1.39216 > 10.0.0.6.2003: Flags [P.], cksum 0xab18 (correct), 
    seq 1882211360:1882211411, ack 2847074948, win 115, options 
    [nop,nop,TS val 804219404 ecr 2428141312], length 51
	0x0000:  4500 0067 a048 4000 4006 8642 0a00 0001  E..g.H`.`..B....
	0x0010:  0a00 0006 9930 07d3 7030 4420 a9b2 ea84  .....0..p0D.....
	0x0020:  8018 0073 ab18 0000 0101 080a 2fef 6a0c  ...s......../.j.
	0x0030:  90ba 7f00 636f 6c6c 6563 7464 3031 2d63  ....collectd01-c
	0x0040:  6c69 656e 742d 7465 7374 2e74 6573 742e  lient-test.test.
	0x0050:  6669 7273 7420 2033 3530 3420 3133 3630  first..3504.1360
	0x0060:  3336 3433 3733 0a                        364373.
22:59:32.650750 IP (tos 0x0, ttl 64, id 53955, offset 0, flags [DF], 
proto TCP (6), length 52)
    10.0.0.6.2003 > 10.0.0.1.39216: Flags [.], cksum 0xc56c (correct), 
    seq 2847074948, ack 1882211411, win 501, options [nop,nop,TS val 
    2428143328 ecr 804219404], length 0
	0x0000:  4500 0034 d2c3 4000 4006 53fa 0a00 0006  E..4..`.`.S.....
	0x0010:  0a00 0001 07d3 9930 a9b2 ea84 7030 4453  .......0....p0DS
	0x0020:  8010 01f5 c56c 0000 0101 080a 90ba 86e0  .....l..........
	0x0030:  2fef 6a0c                                /.j.
SNIP!

One thing to note is the -c switch on tcpflow, it means print to the console instead of files in the local directory.

I would love to hear about other uses of tcpflow or ways to alter the output of tcpdump, so please let me know of anything interesting by commenting. :)