This package was last updated in 2004, since then it has changed maintainers
and looks quite different. An incomplete changelog is as follows:
Version 1.3.1 NOV ??
Complete rewrite of the TCP state machine, now handles flows larger
than 4GiB.
Version 1.3.0 SEP 30 2012
Release for end of FY2012, includes bug fixes, better support for
autoconf, DFXML standardizations, and the ability to compile under
mingw for Windows (that was a LOT of work).
Version 1.2.7 May 24 2012 (GIT)
Version 1.2.7 offers two significant features over previous versions
relating to the processing of the -r and the new -R options.
-r file1.pcap - This option specifies a pcap file to be read.
New with version 1.2.7, the -r flag may be
repeated any number of times.
-R file0.pcap - This option, new with version 1.2.7, allows a file
to be specified that was captured in time *before*
the file specified with -r. This option allows TCP
sessions that started in file0.pcap and which
continued into file1.pcap to be properly
started. This option is useful when some external
process makes packet capture files at regular
intervals and then the files are reassembled
later. Typically these files result from tcpdump run
with the -w or -C options.
Version 1.2 March 15 2012 (SVN )
Version 1.2 is the first to include post-processing of TCP connections
integrated directly into the tcpflow program itself. post-processing
is optional and is performed on a per-connection basis when the
connection is closed.
The following post-processing method methods are currently defined.
-FM - Compute the MD5 hash value of every stream on close. Currently
MD5 hashes are only computed for TCP streams that contain
packets transmitted contigiously. -FM processing can happen
even when output is suppressed. The MD5 is written into the
DFXML file.
-AH - Detect Email/HTTP responses and separate headers from
body. This requires that the output files be captured.
If the output file is
208.111.153.175.00080-192.168.001.064.37314,
Then the post-processing will create the files:
208.111.153.175.00080-192.168.001.064.37314-HTTP
208.111.153.175.00080-192.168.001.064.37314-HTTPBODY
If the HTTPBODY was compressed with GZIP, you may get a
third file as well:
208.111.153.175.00080-192.168.001.064.37314-HTTPBODY-GZIP
Additional information about these streams, such as their MD5
hash value, is also written to the DFXML file
Version 1.1.0 19 January 2012 (SVN 8118)
Version 1.1 represents a significant rewrite of tcpflow. All users are
encouraged to upgrade.
Significant changes include:
* Entire code base migrated to C++ ; code generally
improved. tcpflow's original hash table has been replaced with a
tr1::unordered_map which should offer significantly more
scalability.
* tcpflow now automatically expires out old connections. This finally
end the program's memory-hogging problem. (You can disable this
behavior with -P, which makes tcpflow run faster because it never
cleans up after itself. That's fine if you are working with less
than a million connections.)
* Multiple connections with the same (source/destination) are now
detected and stored in different files. This is significant, as the
previous implementation would make a single file 1-2GB in length if
you the same host/port pairs with two different flows. Additional
files have the same filename and a "c0001", "c0002" appended.
* Filenames may now be prefixed with either the ISO8601 time or a Unix
timestamp indicating the time that the connection was first seen.
* tcpflow will now save a DFXML file containing information for each
flow that it reconstructs.
* The following new options are now implemented:
-o outdir --- now works (previously was not implemented)
-X xmfile --- now reports execution results in a DFXML
file. (Version 1.1 will include complete notion in the
XML file of every TCP connection as a DFXML <fileobject>
-Fc --- Every file has the 'cXXXX' postfix, rather than just
the files with duplicate source/destination.
-Ft --- Every file has the <time_t>T prefix.
-FT --- Every file has an ISO8601 time prefix,
e.g. 2012-01-01T09:45:15Z
-mNNNN --- Specifies the minimum number of bytes that need to be
skipped in a TCP connection before a new
-Lname --- use the named semaphore 'name' to prevent multiple
tcpflow processes printing to standard output from
overprinting each other.
-P --- do not prune the tcp connection table.
Other improvements include:
* Support for IPv6
* Support for VLANs
* The default filter which was causing problems under MacOS has been
removed.
Version 1.0.4 November 24, 2011
* Default fitler changed to ""; previous default filter was causing
problems on macs.
Version 1.0.2 September 30, 2011
* IPv6 code added
Version 1.0.0 January 2011
* Updated to support VLANs. VLAN packets are marked by hex 0x8100
following the destination and source mac addresses, followed by the
16-bit VLAN address, followed by 0x0800 marking the beginning of the
traditional IP header.
Version 0.30 October 2007
* Simson Garfinkel <simsong@acm.org> is now the maintainer of this
package
* Modified to set the time of each tcpflow with the time of the first
packet.
* Created a regression test, so "make check" and "make distcheck" now
work.
* Updated to modern autoconf tools.
The patches are a modified version of some enhancements to tcpflow from Debian
Adds the following options:
-e When outputting to the console each flow will be output in alternating
colours.
-C Console print without the packet source and destination details being
printed. Print the contents of packets to stdout as they are received,
without storing any captured data to files (implies -s).
in host, not network format. At least, this is the case for NetBSD. I don't
know what systems out there exist where this is not the case, but Linux is
one possibility.