lunar (1) tcptrack.1.gz

Provided by: tcptrack_1.4.3-1_amd64 bug

NAME

       tcptrack - Monitor TCP connections on the network

SYNOPSIS

       tcptrack [ -dfhvp ] [ -r seconds ] -i interface
        [ filter expression ]

DESCRIPTION

       tcptrack displays the status of TCP connections that it sees on a given network interface.
       tcptrack monitors their state and displays information such as  state,  source/destination
       addresses and bandwidth usage in a sorted, updated list very much like the top(1) command.

       The  filter  expression is a standard pcap filter expression (identical to the expressions
       used by tcpdump(8))  which  can  be  used  to  filter  down  the  characteristics  of  TCP
       connections  that  tcptrack will see. See tcpdump(8) for more information about the syntax
       of this expression.

OPTIONS

       -d     Only track connections that were started after tcptrack was started. Do not try  to
              detect existing connections.

       -f     Enable  fast  average  recalculation. TCPTrack will calculate the average speeds of
              connections by using a running average. TCPTrack will use more memory and CPU time,
              but  averages  will seem closer to real time and will be updated more than once per
              second and may be more accurate under heavy load.  The number of times  per  second
              that  averages  will  be  recalculated  in fast mode is a compile-time setting that
              defaults to 10 times per second.

       -h     Display command line help

       -i [interface]
              Sniff packets from the specified network interface.

       -T [pcap file]
              Read packets from the specified file instead of sniffing from the network.   Useful
              for testing.

       -p     Do not put the interface being sniffed into promiscuous mode.

       -r [seconds]
              Wait  this  many  seconds  before  removing  a  closed connection from the display.
              Defaults to 2 seconds. See also the pause interactive command (below).

       -v     Display tcptrack version

INTERACTIVE COMMANDS

       The following keys may be pressed while tcptrack is running to change runtime options:

       p - Pause/unpause display. No new connections will  be  added  to  the  display,  and  all
       currently displayed connections will remain in the display.

       q - Quit tcptrack.

       s - Cycle through the sorting options: unsorted, sorted by rate, sorted by total bytes.

       The  options  for  pausing  and toggling sorting are useful if you're watching a very busy
       network and want to look at the display without connections jumping around (due to sorting
       and  new  connections  being  added)  and  disappearing (due to being closed for a certain
       time).

       When paused (via the p command) no new connections will  be  displayed,  however  tcptrack
       will  still  monitor  and  track all connections it sees as usual. This option affects the
       display only, not internals. When you unpause,  the  display  will  be  updated  with  all
       current information that tcptrack has been gathering all along.

EXAMPLES

       tcptrack  requires  only  one  parameter to run: the -i flag followed by an interface name
       that you want tcptrack to monitor. This is the most basic way to run tcptrack:

       # tcptrack -i eth0

       tcptrack can also take a pcap filter expression as an argument. The format of this  filter
       expression  is  the  same  as  that  of  tcpdump(8)  and other libpcap-based sniffers. The
       following example will only show connections from host 10.45.165.2:

       # tcptrack -i eth0 src or dst 10.45.165.2

       The next example will only show web traffic (ie, traffic on port 80):

       # tcptrack -i eth0 port 80

SEE ALSO

       tcpdump(8), pcap(3), http://www.rhythm.cx/~steve/devel/tcptrack

BUGS

       When picking up a connection that was already running before tcptrack was  started,  there
       is  no way tcptrack can know for sure which end of the connection is the client (ie, which
       peer started the connection) and which is the  server  (ie,  which  peer  was  listening).
       tcptrack  makes  a crude guess at which is which by looking at the port numbers; whichever
       end has the lower port number is considered the server side. This isn't always accurate of
       course, but future versions may have better heuristics to figure out which end is which.

       Currently the interface is not very flexible. Display timing settings (such as the refresh
       interval) can only be changed by editing the source code (defs.h in particular).  See  the
       TODO file included with the source distribution for further bugs.

                                                                                      tcptrack(1)