March 21, 2007

tcpflow for MacIntel

I often need to know what requests/responses web and network-aware applications are sending back and forth. For example, is a custom 404 page properly returned with a 404 response code, is a video mime type properly configured, or, just what is that cookie, header, GET or POST value, anyway?

There are lots of tools that can provide this information (for complex web apps, you might want to check out Paros Proxy), but for quick and dirty checks, my longtime fave is tcpflow.

tcpflow is a free Unix command-line application, written by Jeremy Elson and released under the terms of the GPL, that captures TCP/IP traffic flowing to and from your computer. You can monitor Ethernet, Airport, modem/PPPoE and localhost traffic, restrict stream recording to specific ports, machines or protocols, and have the output printed to your Terminal window or written to a file for analysis.

Over the years it has helped diagnose many sticky issues, and I desperately missed it when I moved up to a MacBook Pro. Where previously I had used Mark Liyanage's PPC-only binaries, I couldn't find MacIntel versions elsewhere, and until quite recently hadn't the spare cycles to compile from the source myself (once I got around to it, btw, MacPorts made it fairly pain-free).

I suspect there are others looking for a MacIntel binary, so, in the spirit of Mr. Liyanage, I'm posting my tcpflow .021 installer for MacIntel systems.

This version is strictly for Macs with Intel processors; the installer will refuse to run on anything else. If you are using a PPC Mac and I've managed to pique your interest, Mark Liyanage's tcpflow .021 binaries for OS X.2 and X.3 are still available. IIRC, the Panther version also worked on Tiger.

Mark also has a very helpful tcpflow overview which will explain much to the uninitiated. An online version of the tcpflow man page at the tcpflow author's site lists the nitty-gritty.

Usage is described in the man page; basic operation for tracing http traffic is:

- Ethernet connectivity
sudo /usr/local/bin/tcpflow -c -i en0 port 80

- Airport connectivity
sudo /usr/local/bin/tcpflow -c -i en1 port 80

- Modem/PPPoE connectivity (not tested)
sudo /usr/local/bin/tcpflow -c -i ppp0 port 80

- Localhost (doesn't seem to work -- see comments)
sudo /usr/local/bin/tcpflow -c -i lo0 port 80

CTRL-C terminates the app and returns you to the shell.
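For the quick checks mentioned at the top (status code, MIME type), the raw stream can be reduced to one line per HTTP response. The filter below is an added example, not part of the original post or of tcpflow. It assumes that `tcpflow -c` starts each captured segment with the flow name (`srcip.port-dstip.port: `); the names `http_summary` and `sample_capture` and the capture text are constructed for illustration.

```shell
# Added example: summarise HTTP responses seen in `tcpflow -c` output.
# Assumption: every segment starts with "srcip.srcport-dstip.dstport: ".
http_summary() {
    awk '
    function emit() {                # one line per completed response
        if (status != "")
            print status, (ctype == "" ? "-" : ctype), ((rflow in req) ? req[rflow] : "?")
        status = ""; ctype = ""
    }
    {
        sub(/\r$/, "")                              # HTTP lines end in CRLF
        if (match($0, /^[0-9.]+-[0-9.]+: /)) {      # new segment: note its flow
            flow = substr($0, 1, RLENGTH - 2)
            $0 = substr($0, RLENGTH + 1)
        }
        if ($0 ~ /^(GET|HEAD|POST|PUT|DELETE|OPTIONS) /) {
            req[flow] = $1 " " $2                   # remember the request per flow
        } else if ($0 ~ /^HTTP\/1\.[01] [0-9][0-9][0-9]/) {
            emit(); status = $2; inhdr = 1
            split(flow, ends, "-")                  # a response travels on the reversed flow
            rflow = ends[2] "-" ends[1]
        } else if (inhdr && tolower($0) ~ /^content-type:/) {
            ctype = $0; sub(/^[^:]*:[ \t]*/, "", ctype); sub(/;.*/, "", ctype)
        } else if (inhdr && $0 == "") {
            inhdr = 0; emit()                       # blank line ends the headers
        }
    }
    END { emit() }
    '
}

# Constructed sample: a custom 404 page sent as 200, and a video sent as text/plain.
sample_capture() {
    cat <<'EOF'
192.168.001.010.49152-192.000.002.080.00080: GET /no-such-page HTTP/1.1
Host: www.example.com

192.000.002.080.00080-192.168.001.010.49152: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

<html>Sorry, not found.</html>
192.168.001.010.49153-192.000.002.080.00080: GET /clip.mov HTTP/1.1

192.000.002.080.00080-192.168.001.010.49153: HTTP/1.1 200 OK
Content-Type: text/plain

EOF
}
sample_capture | http_summary
```

For live traffic, pipe any of the tcpflow commands above into `http_summary`; each output line reads status, content type, then the request that triggered it.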

Tip: Add /usr/local/bin to your $PATH to run tcpflow from any location. I elected not to attempt to have the installer do this as many of you may not be using the default shell.

Hope some find this useful. You can leave questions or report installer problems in this entry's comments.

Posted by Lewis Francis at March 21, 2007 8:37 PM

Hi, thanks for making this utility -- I've needed this for months!

The localhost feature does not seem to work though. I think there's some kind of loopback interface software that needs to be installed, but I don't know how that stuff works.

-i en1 port 80 works great for external site
-i lo0 port80 shows no output for http hits to localhost

Posted by: Grant at June 29, 2007 6:43 PM

Hmm, have to admit I never tried the localhost or the modem options. Looking around I see that this is a known bug with tcpflow .021 on the FreeBSD platform and assume that we have the same with the OS X port. Angst.

However, this post suggests that Mark Liyanage's PPC port did work. More angst.

If anyone has a modem, I'd appreciate hearing back if -c -i ppp0 port 80 works.

Posted by: Lewis Francis at June 29, 2007 11:15 PM

Works in Leopard the same way it does in Tiger (with same localhost issue) but it appears that we no longer need to use sudo.

Posted by: Lewis Francis at October 28, 2007 2:14 PM

bless you .. thanks .. so much

Posted by: zolo at September 25, 2008 10:29 AM

Looks like Leopard users can use the following to accomplish the same tcp stream analysis:

sudo tcpdump -s 0 -A -i en0 port 80

Switching en0 to lo0 gives you localhost streams.

Posted by: Lewis Francis at September 29, 2008 4:20 PM