Provided by: tcptrack_1.4.2-2build3_amd64 
NAME
tcptrack - Monitor TCP connections on the network
SYNOPSIS
tcptrack [ -dfhvp ] [ -r seconds ] -i interface
[ filter expression ]
DESCRIPTION
tcptrack displays the status of TCP connections that it sees on a given network interface. tcptrack
monitors their state and displays information such as state, source/destination addresses and bandwidth
usage in a sorted, updated list very much like the top(1) command.
The filter expression is a standard pcap filter expression (identical to the expressions used by
tcpdump(8)) which can be used to filter down the characteristics of TCP connections that tcptrack will
see. See tcpdump(8) for more information about the syntax of this expression.
OPTIONS
-d Only track connections that were started after tcptrack was started. Do not try to detect existing
connections.
-f Enable fast average recalculation. TCPTrack will calculate the average speeds of connections by
using a running average. TCPTrack will use more memory and CPU time, but averages will seem closer
to real time and will be updated more than once per second and may be more accurate under heavy
load. The number of times per second that averages will be recalculated in fast mode is a
compile-time setting that defaults to 10 times per second.
-h Display command line help
-i [interface]
Sniff packets from the specified network interface.
-T [pcap file]
Read packets from the specified file instead of sniffing from the network. Useful for testing.
-p Do not put the interface being sniffed into promiscuous mode.
-r [seconds]
Wait this many seconds before removing a closed connection from the display. Defaults to 2
seconds. See also the pause interactive command (below).
-v Display tcptrack version
INTERACTIVE COMMANDS
The following keys may be pressed while tcptrack is running to change runtime options:
p - Pause/unpause display. No new connections will be added to the display, and all currently displayed
connections will remain in the display.
q - Quit tcptrack.
s - Cycle through the sorting options: unsorted, sorted by rate, sorted by total bytes.
The options for pausing and toggling sorting are useful if you're watching a very busy network and want
to look at the display without connections jumping around (due to sorting and new connections being
added) and disappearing (due to being closed for a certain time).
When paused (via the p command) no new connections will be displayed, however tcptrack will still monitor
and track all connections it sees as usual. This option affects the display only, not internals. When you
unpause, the display will be updated with all current information that tcptrack has been gathering all
along.
EXAMPLES
tcptrack requires only one parameter to run: the -i flag followed by an interface name that you want
tcptrack to monitor. This is the most basic way to run tcptrack:
# tcptrack -i eth0
tcptrack can also take a pcap filter expression as an argument. The format of this filter expression is
the same as that of tcpdump(8) and other libpcap-based sniffers. The following example will only show
connections from host 10.45.165.2:
# tcptrack -i eth0 src or dst 10.45.165.2
The next example will only show web traffic (ie, traffic on port 80):
# tcptrack -i eth0 port 80
SEE ALSO
tcpdump(8), pcap(3), http://www.rhythm.cx/~steve/devel/tcptrack
BUGS
When picking up a connection that was already running before tcptrack was started, there is no way
tcptrack can know for sure which end of the connection is the client (ie, which peer started the
connection) and which is the server (ie, which peer was listening). tcptrack makes a crude guess at which
is which by looking at the port numbers; whichever end has the lower port number is considered the server
side. This isn't always accurate of course, but future versions may have better heuristics to figure out
which end is which.
Currently the interface is not very flexible. Display timing settings (such as the refresh interval) can
only be changed by editing the source code (defs.h in particular). See the TODO file included with the
source distribution for further bugs.
tcptrack(1)