SYNOPSIS
tcptrack [ -dfhvp ] [ -r seconds ] -i interface
[ filter expression ]
DESCRIPTION
tcptrack displays the status of TCP connections that it
sees on a given network interface. tcptrack monitors their
state and displays information such as state,
source/destination addresses and bandwidth usage in a sorted,
updated list very much like the top(1) command.
The filter expression is a standard pcap filter expression
(identical to the expressions used by tcpdump(8)) which
can be used to filter down the characteristics of TCP
connections that tcptrack will see. See tcpdump(8) for more
information about the syntax of this expression.
OPTIONS
-d Only track connections that were started after
tcptrack was started. Do not try to detect existing
connections.
-f Enable fast average recalculation. TCPTrack will
calculate the average speeds of connections by
using a running average. TCPTrack will use more
memory and CPU time, but averages will seem closer
to real time and will be updated more than once per
second and may be more accurate under heavy load.
The number of times per second that averages will
be recalculated in fast mode is a compile-time
setting that defaults to 10 times per second.
-h Display command line help
-i [interface]
Sniff packets from the specified network interface.
-p Do not put the interface being sniffed into
promiscuous mode.
-r [seconds]
Wait this many seconds before removing a closed
connection from the display. Defaults to 2 seconds.
See also the pause interactive command
(below).
-v Display tcptrack version
INTERACTIVE COMMANDS
The following keys may be pressed while tcptrack is
running to change runtime options:
When paused (via the p command) no new connections will be
displayed, however tcptrack will still monitor and track
all connections it sees as usual. This option affects the
display only, not internals. When you unpause, the display
will be updated with all current information that tcptrack
has been gathering all along.
EXAMPLES
tcptrack requires only one parameter to run: the -i flag
followed by an interface name that you want tcptrack to
monitor. This is the most basic way to run tcptrack:
# tcptrack -i eth0
tcptrack can also take a pcap filter expression as an
argument. The format of this filter expression is the same
as that of tcpdump(8) and other libpcap-based sniffers.
The following example will only show connections to or
from host 10.45.165.2:
# tcptrack -i eth0 src or dst 10.45.165.2
The next example will only show web traffic (i.e., traffic
on port 80):
# tcptrack -i eth0 port 80
SEE ALSO
tcpdump(8), pcap(3),
http://www.rhythm.cx/~steve/devel/tcptrack
BUGS
When picking up a connection that was already running
before tcptrack was started, there is no way tcptrack can
know for sure which end of the connection is the client
(i.e., which peer started the connection) and which is the
server (i.e., which peer was listening). tcptrack makes a
crude guess at which is which by looking at the port
numbers; whichever end has the lower port number is
considered the server side. This isn't always accurate of
course, but future versions may have better heuristics to
figure out which end is which.
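The following is an added example, not code from tcptrack's source, showing why the lower-port guess can mislabel a connection picked up mid-stream. The struct and function names are hypothetical, and the SYN-based branches are ordinary TCP handshake reasoning assumed here for contrast, not taken from tcptrack.

```c
#include <stdint.h>
#include <stdio.h>

#define TH_SYN 0x02  /* TCP SYN flag bit */
#define TH_ACK 0x10  /* TCP ACK flag bit */

/* One observed TCP segment: sender port, receiver port, TCP flags. */
struct segment { uint16_t sport, dport; uint8_t flags; };

/* Which port is believed to be server/client, and whether that is a guess. */
struct role { uint16_t server_port, client_port; int guessed; };

/*
 * Classify roles from the first segment seen for a connection.
 * SYN without ACK: the sender opened the connection, so it is the client.
 * SYN+ACK: the sender is answering an open, so it is the server.
 * Anything else: the handshake was missed; fall back to the lower-port
 * guess described in BUGS and mark the result as a guess.
 */
struct role classify(struct segment s)
{
    struct role r;
    r.guessed = 0;
    if ((s.flags & TH_SYN) && !(s.flags & TH_ACK)) {
        r.client_port = s.sport; r.server_port = s.dport;
    } else if ((s.flags & TH_SYN) && (s.flags & TH_ACK)) {
        r.server_port = s.sport; r.client_port = s.dport;
    } else {
        r.guessed = 1;
        if (s.sport < s.dport) { r.server_port = s.sport; r.client_port = s.dport; }
        else                   { r.server_port = s.dport; r.client_port = s.sport; }
    }
    return r;
}

int main(void)
{
    /* Constructed samples: a client on port 40000, a server on port 50000. */
    struct segment syn = { 40000, 50000, TH_SYN };
    struct segment mid = { 50000, 40000, TH_ACK };  /* mid-stream ACK */
    struct role a = classify(syn), b = classify(mid);
    printf("handshake seen: server=%u guessed=%d\n", (unsigned)a.server_port, a.guessed);
    printf("mid-stream:     server=%u guessed=%d\n", (unsigned)b.server_port, b.guessed);
    return 0;
}
```

When reading tcptrack output for connections that predate the capture, treat the client/server columns as unreliable for services listening on high ports.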
Currently the interface is not very flexible. Display
timing settings (such as the refresh interval) can only be
changed by editing the source code (defs.h in particular).
See the TODO file included with the source distribution
for further bugs.