tcptrack: Real-Time TCP Connection Monitoring for Network Engineers

In the world of network troubleshooting, visibility into TCP connections is non-negotiable. Whether you’re diagnosing slow web servers, hunting for bandwidth hogs, or investigating suspicious traffic, you need a tool that delivers real-time, actionable insights without overwhelming you with low-level details.

Enter tcptrack—a lightweight, command-line utility designed to display live TCP connection metadata (e.g., state, throughput, total data transferred) on a network interface. Unlike tcpdump (which dumps raw packets) or netstat (which provides static snapshots), tcptrack shines with its:

  • Interactive, sortable interface
  • Human-readable throughput metrics (e.g., KB/s, MB/s)
  • Low resource footprint
  • Integration with pcap filters (for targeted monitoring)

This post will teach you everything you need to master tcptrack: installation, basic and advanced usage, common use cases, best practices, and troubleshooting. By the end, you’ll be able to leverage tcptrack to solve real-world network problems in minutes.

Table of Contents#

  1. What Is tcptrack?
  2. Installing tcptrack
  3. Basic Usage: Getting Started
  4. Advanced Features
  5. Common Use Cases
  6. Best Practices
  7. Troubleshooting tcptrack
  8. Alternatives to tcptrack
  9. Conclusion
  10. References

1. What Is tcptrack?#

tcptrack is a passive TCP connection monitor that runs on Linux, macOS, and BSD systems. It uses the libpcap library (the same library powering tcpdump) to capture packets from a network interface, then parses them to extract TCP connection details.

Key Features#

  • Real-time updates: Connections are added, updated, and removed dynamically as packets flow.
  • Human-friendly metrics: Throughput is displayed in kilobytes/second (KB/s) or megabytes/second (MB/s), not raw bytes.
  • Interactive interface: Sort connections by source, destination, rate, or total data with a single keystroke.
  • Pcap filter support: Narrow down traffic to specific IPs, ports, or protocols (e.g., only HTTP traffic).
  • Lightweight: Uses minimal CPU/memory—ideal for production servers.

How It Works#

  1. tcptrack attaches to a network interface (e.g., eth0) using libpcap.
  2. It captures TCP packets and reconstructs connections using packet headers (source/destination IP/port, sequence numbers).
  3. For each connection, it calculates:
    • State: ESTABLISHED, SYN_SENT, FIN_WAIT, etc.
    • Throughput: Transmit (Tx) and receive (Rx) rates (per second).
    • Total data: Cumulative bytes sent/received.
  4. It displays this data in a sortable table that updates every second.
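To make the four steps above concrete, here is a small connection tracker written for this post (it is an added example, not tcptrack's own code). It takes already-decoded TCP header fields as constructed Python tuples instead of reading from libpcap, keys packets by a direction-independent 4-tuple so both halves of a flow land on one entry, drives a simplified RFC 793 state machine from the flag bits, and keeps per-second byte buckets so a "rate" can be shown the way a one-second display refresh would. The packet list, addresses and the `ConnTracker`/`Conn` names are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# TCP flag bits as they appear in the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Conn:
    client: tuple          # (ip, port) that sent the first packet we saw (normally the SYN)
    server: tuple
    state: str             # state as seen from the client side (simplified)
    tx_bytes: int = 0      # client -> server payload bytes
    rx_bytes: int = 0      # server -> client payload bytes
    # per-second buckets of [tx, rx] payload bytes, used for the rate column
    buckets: dict = field(default_factory=lambda: defaultdict(lambda: [0, 0]))

    def rate(self, now):
        """Bytes/s in the last whole second before `now`, like a 1 s display refresh."""
        tx, rx = self.buckets.get(int(now) - 1, [0, 0])
        return tx, rx


class ConnTracker:
    def __init__(self):
        self.conns = {}

    @staticmethod
    def _key(a, b):
        # Direction-independent key: (client, server) and (server, client) map to one entry.
        return (a, b) if a <= b else (b, a)

    def feed(self, ts, src, dst, flags, payload_len):
        k = self._key(src, dst)
        c = self.conns.get(k)
        if c is None:
            # A bare SYN starts a handshake; anything else is a flow we joined mid-way.
            state = "SYN_SENT" if (flags & SYN and not flags & ACK) else "ESTABLISHED"
            c = self.conns[k] = Conn(client=src, server=dst, state=state)
        from_client = (src == c.client)
        # State transitions driven by the flags we observe (simplified from RFC 793).
        if flags & RST:
            c.state = "CLOSED"
        elif flags & SYN and flags & ACK and c.state == "SYN_SENT":
            c.state = "SYN_RECV"
        elif flags & FIN:
            c.state = "FIN_WAIT" if from_client else "CLOSE_WAIT"
        elif flags & ACK and c.state == "SYN_RECV":
            c.state = "ESTABLISHED"
        # Account payload bytes per direction and per second.
        if from_client:
            c.tx_bytes += payload_len
            c.buckets[int(ts)][0] += payload_len
        else:
            c.rx_bytes += payload_len
            c.buckets[int(ts)][1] += payload_len
        return c

    def table(self, now, sort_by="rate"):
        """Rows of (state, client, server, tx_rate, rx_rate, tx_total, rx_total), sorted."""
        rows = []
        for c in self.conns.values():
            tx, rx = c.rate(now)
            rows.append((c.state, c.client, c.server, tx, rx, c.tx_bytes, c.rx_bytes))
        order = {"rate": lambda r: r[3] + r[4], "total": lambda r: r[5] + r[6]}[sort_by]
        return sorted(rows, key=order, reverse=True)


# Constructed packet trace: (timestamp_s, src, dst, flags, payload_len). Not real capture data.
CLIENT = ("192.168.1.50", 54321)
SERVER = ("104.21.8.172", 443)
PACKETS = [
    (0.10, CLIENT, SERVER, SYN, 0),
    (0.12, SERVER, CLIENT, SYN | ACK, 0),
    (0.13, CLIENT, SERVER, ACK, 0),
    (1.00, ("192.168.1.50", 54400), ("10.0.0.10", 80), SYN, 0),   # second, unanswered SYN
    (1.20, CLIENT, SERVER, ACK, 500),                              # request
    (1.40, SERVER, CLIENT, ACK, 1400),
    (1.60, SERVER, CLIENT, ACK, 1400),
    (2.05, SERVER, CLIENT, ACK, 700),
    (2.50, CLIENT, SERVER, FIN | ACK, 0),
]


def demo():
    t = ConnTracker()
    for pkt in PACKETS:
        t.feed(*pkt)
    return t


if __name__ == "__main__":
    for row in demo().table(now=2.0):
        print(row)
```

Feeding the trace and rendering the table at `now=2.0` shows the 443 connection in FIN_WAIT with a 500/2800 B/s rate for second 1 and 500/3500 bytes total, and the unanswered port-80 SYN stuck in SYN_SENT, which is the same information tcptrack's State, Rate and Total columns carry.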

2. Installing tcptrack#

tcptrack is available in most Linux package repositories. Below are instructions for popular OSes:

Debian/Ubuntu#

Use apt to install:

sudo apt update
sudo apt install tcptrack

RHEL/CentOS/Rocky Linux#

Enable the EPEL repository (required for tcptrack on RHEL-based systems):

sudo dnf install epel-release
sudo dnf install tcptrack

macOS#

Use Homebrew (the preferred package manager for macOS):

brew install tcptrack

Source Compilation (All OSes)#

If tcptrack isn’t in your package manager, compile it from source:

  1. Install dependencies:
    • Linux: sudo apt install libpcap-dev (Debian/Ubuntu) or sudo dnf install libpcap-devel (RHEL/CentOS).
    • macOS: Install Xcode Command Line Tools (xcode-select --install).
  2. Download the latest source tarball from SourceForge.
  3. Extract and compile:
    tar -xzf tcptrack-1.4.3.tar.gz
    cd tcptrack-1.4.3
    ./configure
    make
    sudo make install

3. Basic Usage: Getting Started#

The core tcptrack command is simple:

sudo tcptrack -i <interface>

Command Structure#

  • sudo: Required because packet capture requires root privileges.
  • -i <interface>: Specify the network interface to monitor (e.g., eth0, wlan0, en0).
  • Optional filters: Add a pcap filter (e.g., port 80) to narrow down traffic.

Example: Monitor All TCP Connections on eth0#

sudo tcptrack -i eth0

Interpreting the Output#

The output is a live table with 6 columns:

Column   Description
State    TCP connection state (e.g., ESTABLISHED, SYN_SENT, FIN_WAIT2).
Source   Source IP address and port (e.g., 192.168.1.50:54321).
Dest     Destination IP address and port (e.g., 10.0.0.10:80).
Rate     Transmit (Tx) / Receive (Rx) rate (e.g., 12.3k/45.6k = 12.3 KB/s Tx, 45.6 KB/s Rx).
Total    Cumulative Tx/Rx data (e.g., 1.2M/4.5M = 1.2 MB sent, 4.5 MB received).

Sample Output Line#

ESTABLISHED 192.168.1.50:54321 → 104.21.8.172:443  15.2k/67.8k  2.3M/8.9M

This means:

  • A connection is ESTABLISHED between 192.168.1.50:54321 (local laptop) and 104.21.8.172:443 (Cloudflare’s HTTPS server).
  • The laptop is sending data at 15.2 KB/s and receiving at 67.8 KB/s.
  • Total data transferred: 2.3 MB sent / 8.9 MB received.

4. Advanced Features#

tcptrack’s true power comes from its advanced options. Let’s explore them:

4.1 Using Pcap Filters#

Pcap filters let you focus on specific traffic (e.g., only HTTP, only traffic to a server). The syntax is identical to tcpdump.

Examples#

  • Monitor HTTP traffic (port 80):
    sudo tcptrack -i eth0 'port 80'
  • Monitor HTTPS traffic (port 443):
    sudo tcptrack -i eth0 'port 443'
  • Monitor traffic to/from a specific server (e.g., 192.168.1.100):
    sudo tcptrack -i eth0 'host 192.168.1.100'
  • Monitor SSH traffic from outside the local network (a CIDR range needs the net keyword in pcap filter syntax):
    sudo tcptrack -i eth0 'tcp and port 22 and not src net 192.168.1.0/24'
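Filters like the ones above are usually built up from a few pieces (protocol, hosts, ports, networks to exclude) and joined with and/or/not. The helper below, an added example written for this post and not part of tcptrack, composes such an expression and validates every address and CIDR with Python's ipaddress module, so a typo is caught before the capture starts rather than surfacing as a libpcap syntax error. The function names `build_filter` and `tcptrack_argv` are assumptions made for the example; the filter syntax it emits is the ordinary pcap syntax this section describes.

```python
import ipaddress


def build_filter(hosts=(), ports=(), exclude_src_nets=(), proto="tcp"):
    """Compose a pcap filter expression in the syntax tcptrack and tcpdump accept.

    hosts            -> host A, or (host A or host B) for several
    ports            -> port 80, or (port 80 or port 443) for several
    exclude_src_nets -> not src net 192.168.1.0/24 (one clause per network)
    All groups are joined with 'and'. Addresses and networks are validated
    with the ipaddress module so a typo fails here, before capture starts.
    """
    clauses = [proto] if proto else []
    if hosts:
        # ip_address() raises ValueError for anything that is not an IPv4/IPv6 address
        clauses.append(_any_of("host", [str(ipaddress.ip_address(h)) for h in hosts]))
    if ports:
        checked = []
        for p in ports:
            p = int(p)
            if not 0 < p < 65536:
                raise ValueError(f"port out of range: {p}")
            checked.append(str(p))
        clauses.append(_any_of("port", checked))
    for net in exclude_src_nets:
        # strict=True rejects 192.168.1.5/24 (host bits set), a common slip
        clauses.append(f"not src net {ipaddress.ip_network(net, strict=True)}")
    if not clauses:
        raise ValueError("empty filter: give a protocol, host, port or network")
    return " and ".join(clauses)


def _any_of(keyword, values):
    # One term needs no parentheses; several are OR-ed inside a group.
    terms = [f"{keyword} {v}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def tcptrack_argv(interface, **filter_kwargs):
    """argv for subprocess.run(): the whole expression is one argument, so no shell quoting."""
    return ["sudo", "tcptrack", "-i", interface, build_filter(**filter_kwargs)]


if __name__ == "__main__":
    print(build_filter(ports=[80]))
    print(build_filter(hosts=["192.168.1.100"], ports=[80, 443]))
    print(build_filter(ports=[22], exclude_src_nets=["192.168.1.0/24"]))
    print(tcptrack_argv("eth0", hosts=["192.168.1.100"], ports=[80]))
```

Passing the expression as a single argv element (rather than interpolating it into a shell string) is what makes it safe to take hosts and ports from a script's command line; the validation step rejects malformed addresses, out-of-range ports and CIDR blocks with host bits set before anything runs as root.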

4.2 Interactive Sorting#

While tcptrack is running, use these keys to sort the table:

  • s: Sort by source IP/port (ascending/descending).
  • d: Sort by destination IP/port.
  • r: Sort by combined throughput (Tx + Rx).
  • t: Sort by total data transferred (Tx + Rx).
  • q: Quit tcptrack.

Example Workflow#

  1. Run sudo tcptrack -i eth0.
  2. Press r to sort by throughput—this instantly shows you the top bandwidth consumers.
  3. Press r again to reverse the sort (descending → ascending).

4.3 Limiting Output#

Use the -l <number> option to limit the number of connections displayed. This is useful on busy interfaces to avoid clutter.

Example: Show Only the Top 10 Connections#

sudo tcptrack -i eth0 -l 10

4.4 Resolving Hostnames#

The -r option resolves IP addresses to hostnames (via DNS). Note: This may slow down output if DNS is unresponsive.

Example#

sudo tcptrack -i eth0 -r 'port 443'

Sample Output (with -r):

ESTABLISHED laptop.local:54321 → edge-star-mini-shv-01-lga3.facebook.com:443  12.3k/56.7k  1.2M/4.5M

4.5 Saving Output to a File#

tcptrack does not have a built-in option to write to a file. To save output, use shell redirection or tee:

Example: Save Output to a File#

sudo tcptrack -i eth0 'port 80' > tcptrack_log.txt

Example: Save Output and View Simultaneously with tee#

sudo tcptrack -i eth0 'port 80' | tee tcptrack_log.txt

Best Practice: Restrict file permissions to prevent unauthorized access (e.g., chmod 600 tcptrack_log.txt).

5. Common Use Cases#

Let’s apply tcptrack to real-world problems:

5.1 Troubleshooting Slow Network Performance#

A user reports slow internet. You suspect a bandwidth hog.

Command: Monitor all traffic except SSH (to avoid cluttering the output):

sudo tcptrack -i eth0 'tcp and not port 22'

Interpretation:

  • Sort by throughput (r) to find the top consumer.
  • Look for connections with high Rx rates (e.g., a device streaming 4K video at 50 Mbps).
  • Example Culprit: A connection to netflix.com:443 with a 45 Mbps Rx rate—ask the user to pause streaming.

5.2 Monitoring Web Server Traffic (HTTP/HTTPS)#

You run a web server at 192.168.1.100 and want to track incoming connections.

Command: Monitor traffic to ports 80 (HTTP) and 443 (HTTPS):

sudo tcptrack -i eth0 'host 192.168.1.100 and (port 80 or port 443)'

Interpretation:

  • Track the number of ESTABLISHED connections to gauge server load.
  • Look for unexpected sources (e.g., a botnet hitting your server with 100+ connections).
  • Example: If you see 50 connections from 1.2.3.4:xxxx to 192.168.1.100:80, you may have a DDoS attack.

5.3 Detecting Suspicious Activity#

You want to find unauthorized RDP connections (port 3389) to your network.

Command:

sudo tcptrack -i eth0 'tcp and port 3389'

Interpretation:

  • If you see a connection from 203.0.113.5:xxxx to 192.168.1.20:3389, this is suspicious (RDP from a public IP).
  • Take action: Block the IP in your firewall or enable two-factor authentication for RDP.
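The three interpretations in 5.1, 5.2 and 5.3 are each a small rule over the displayed connection rows: a receive rate above a threshold, one source holding many connections to a server port, and a connection to a sensitive port from outside the local address space. The script below, an added example written for this post rather than code from tcptrack, parses lines in the layout of the "Sample Output Line" shown in section 3 and applies those rules. The sample lines are constructed for the example, and the parser assumes that exact layout (state, source, arrow, destination, Tx/Rx rate, Tx/Rx total); the function names are assumptions as well.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the article's "Sample Output Line":
# state, source, arrow, destination, Tx/Rx rate, Tx/Rx total. Not real capture data.
SAMPLE_LINES = """\
ESTABLISHED 192.168.1.50:54321 → 104.21.8.172:443  15.2k/67.8k  2.3M/8.9M
ESTABLISHED 192.168.1.77:41002 → 198.51.100.9:443  1.1k/5.6M  0.2M/3.1G
ESTABLISHED 203.0.113.5:50111 → 192.168.1.20:3389  0.8k/1.2k  0.1M/0.3M
ESTABLISHED 192.168.1.30:49220 → 192.168.1.20:3389  2.0k/30.5k  1.0M/12.0M
SYN_SENT    1.2.3.4:40001 → 192.168.1.100:80  0/0  0/0
SYN_SENT    1.2.3.4:40002 → 192.168.1.100:80  0/0  0/0
SYN_SENT    1.2.3.4:40003 → 192.168.1.100:80  0/0  0/0
"""

LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)\s+"
    r"(?P<rate>\S+)\s+(?P<total>\S+)\s*$"
)
UNITS = {"": 1, "k": 1_000, "M": 1_000_000, "G": 1_000_000_000}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_size(token):
    """'67.8k' -> 67800.0; '2.3M' -> 2300000.0; '0' -> 0.0 (bytes, or bytes/s)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kMG]?)", token)
    if not m:
        raise ValueError(f"bad size token: {token!r}")
    return float(m.group(1)) * UNITS[m.group(2)]


def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_line(line):
    """One display line -> dict, or None for lines that do not match (headers, blanks)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tx_rate, rx_rate = (parse_size(t) for t in m["rate"].split("/"))
    tx_total, rx_total = (parse_size(t) for t in m["total"].split("/"))
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {"state": m["state"], "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
            "tx_rate": tx_rate, "rx_rate": rx_rate,
            "tx_total": tx_total, "rx_total": rx_total}


def parse_lines(text):
    return [c for c in map(parse_line, text.splitlines()) if c]


def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


# 5.1: receive rate above a threshold given in Mbit/s (display values are bytes/s).
def rx_over(conns, mbps):
    limit = mbps * 1_000_000 / 8
    return [c for c in conns if c["rx_rate"] > limit]


# 5.2: sources holding at least `threshold` connections to one server port.
def busy_sources(conns, dst_ip, dst_port, threshold):
    counts = Counter(c["src_ip"] for c in conns
                     if c["dst_ip"] == dst_ip and c["dst_port"] == dst_port)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# 5.3: connections to a port (RDP by default) whose source is outside RFC 1918 space.
# The article's 203.0.113.5 is a documentation address; this check treats it as
# "not local", exactly as it would treat a real public address.
def from_outside(conns, dst_port=3389):
    return [c for c in conns if c["dst_port"] == dst_port and not is_local(c["src_ip"])]


if __name__ == "__main__":
    conns = parse_lines(SAMPLE_LINES)
    print("rx over 40 Mbps:", [c["src_ip"] for c in rx_over(conns, 40)])
    print("busy sources on :80:", busy_sources(conns, "192.168.1.100", 80, 3))
    print("RDP from outside:", [c["src_ip"] for c in from_outside(conns)])
```

On the constructed sample this flags 192.168.1.77 (5.6 MB/s received is about 45 Mbit/s, the streaming case from 5.1), 1.2.3.4 with three half-open connections to 192.168.1.100:80 (5.2), and the 203.0.113.5 → 192.168.1.20:3389 session (5.3), while the RDP session from 192.168.1.30 on the local network is left alone.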

5.4 Verifying Firewall/Load Balancer Rules#

You just added a firewall rule to block HTTP traffic (port 80) to 192.168.1.100. Verify it works.

Command: Monitor HTTP traffic to the server:

sudo tcptrack -i eth0 'host 192.168.1.100 and port 80'

Interpretation:

  • If no connections appear, the firewall rule is working.
  • If connections still appear, you made a mistake (e.g., wrong IP/port, rule order).

6. Best Practices#

Follow these rules to use tcptrack effectively and safely:

  1. Use Filters Liberally: Avoid capturing all traffic on busy interfaces—this leads to cluttered output and missed packets.
  2. Run as Root (But Safely): tcptrack requires root for packet capture, but don’t leave it running unnecessarily.
  3. Avoid DNS Resolution on Busy Interfaces: The -r option can slow down tcptrack if DNS is slow. Use it only when needed.
  4. Combine with Other Tools: Use tcptrack for real-time monitoring, then tcpdump for deep packet analysis (e.g., tcpdump -i eth0 -w capture.pcap host 192.168.1.50; tcpdump options go before the filter expression).
  5. Secure Logs: If you save output to a file, restrict permissions (e.g., chmod 600) to prevent data leaks.
  6. Test on Non-Production First: Try tcptrack on a test server before using it on production to avoid surprises.

7. Troubleshooting tcptrack#

Common Issues & Solutions#

7.1 "No such device" Error#

Problem: You specified an invalid interface name.

Solution: List all interfaces with ip link show (Linux) or ifconfig (macOS) and use the correct name.

7.2 "Permission denied" Error#

Problem: You forgot to use sudo.

Solution: Run tcptrack with sudo.

7.3 "No packets captured"#

Problem:

  • The interface is idle (no traffic).
  • Your filter is too strict (e.g., port 9999 when no traffic uses that port).

Solution:

  • Test with a broader filter (e.g., tcp).
  • Verify the interface is active (e.g., ping 8.8.8.8).

7.4 High CPU Usage#

Problem: tcptrack is capturing too many packets (e.g., on a 10 Gbps interface).

Solution:

  • Use a more restrictive filter (e.g., host 192.168.1.100 instead of tcp).
  • Switch to a lower-level tool like tcpdump with a ring buffer (e.g., tcpdump -i eth0 -C 100 -W 5 -w capture.pcap).

7.5 Missing Connections#

Problem: tcptrack can’t keep up with high packet rates (user-space limitation).

Solution:

  • Use a more powerful filter.
  • Use a tool like iftop (which uses kernel-space filtering) for high-traffic interfaces.

8. Alternatives to tcptrack#

tcptrack is great, but here are other tools for specific use cases:

  • tcpdump
    Pros: Low-level packet capture, full control, works on all Unix systems.
    Cons: Steep learning curve, raw output (not user-friendly).
  • tshark
    Pros: Wireshark CLI, advanced analysis (e.g., HTTP headers, SSL decryption).
    Cons: Heavier than tcptrack, complex for real-time monitoring.
  • iftop
    Pros: Kernel-space filtering (faster on high-traffic interfaces), shows bandwidth by host.
    Cons: No TCP connection state, less granular than tcptrack.
  • netstat
    Pros: Built-in on most systems, shows static TCP/UDP connection summary.
    Cons: Not real-time, no throughput metrics.
  • ntopng
    Pros: Web-based interface, deep analytics (e.g., application-level traffic).
    Cons: Heavier (requires database), more complex to set up.

When to Use What:

  • Use tcptrack for quick, real-time TCP connection monitoring.
  • Use tcpdump/tshark for deep packet analysis.
  • Use iftop for high-traffic interfaces (kernel-space filtering).
  • Use ntopng for long-term network analytics.

9. Conclusion#

tcptrack is a Swiss Army knife for network engineers. Its combination of real-time updates, interactive sorting, and pcap filter support makes it ideal for:

  • Troubleshooting slow networks
  • Monitoring server traffic
  • Detecting security threats
  • Verifying firewall rules

Best of all, tcptrack is easy to learn—you can start using it effectively in 5 minutes. The next time you’re stuck with a network problem, give tcptrack a try—you’ll be surprised how much it simplifies your workflow.

10. References#

  1. tcptrack Official Source: SourceForge
  2. libpcap Documentation: tcpdump.org
  3. Debian Package Info: Debian tcptrack
  4. EPEL Repository: Fedora Project
  5. Homebrew: Homebrew tcptrack
  6. TCP State Diagram: RFC 793

Let me know in the comments if you have questions—happy monitoring!