FLOWGREP(8)		FreeBSD	System Manager's Manual		   FLOWGREP(8)

NAME
     flowgrep -- TCP stream/UDP/IP payload 'grep' utility

SYNOPSIS
     flowgrep [-ikVvx] [-a pattern] [-c pattern] [-D num] [-d device]
              [-E name] [-e string] [-F pattern_file] [-f pattern_file]
              [-l dir] [-r filename] [-s pattern] [-u username] [filter]

DESCRIPTION
     flowgrep is a small tool to look for arbitrary payload content in TCP
     streams or UDP packets. The search parameter is a regular expression in
     the format described in re_format(7).  The -s flag indicates that the
     pattern should be looked for only in the server's data stream (sent from
     the server to the client). These patterns can also be loaded from the
     pattern_file specified using the -F flag, with each pattern separated by
     a newline. Newlines are not considered part of a pattern. The -c flag
     indicates that the pattern should only match data sent by the client to
     the server. These patterns can also be loaded from the pattern_file
     specified using the -f flag, with each line containing one pattern to
     match. These newlines are not considered part of the pattern. The -a
     flag indicates that the pattern should be matched against data sent in
     either direction. For UDP and IP payloads these three flags are
     equivalent. Multiple expressions can be searched for by successive calls
     to the appropriate -a, -c or -s flag.

     An optional pcap(3) filter can be specified to limit what data to
     monitor. TCP, UDP, and IP connections are evaluated. Fragments are
     reassembled according to their parent connection.

     flowgrep drops privileges after initialization and runs as the user
     specified using the -u flag or the user 'nobody' by default.

     If -v is specified, the match is inverted and non-matching flows are
     logged or killed. The -i flag specifies a case insensitive search.
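     The direction flags, -i and -v combine into one decision per flow. The
     following Python model of that decision is an added illustration and is
     not flowgrep's own code; it assumes Python's re module as a stand-in
     for re_format(7) and evaluates each flow once over its reassembled
     client and server payloads (the sample flows are constructed). It also
     shows the gap the BUGS section describes: a tunnel that prefixes a
     plausible request line is not selected by the inverted HTTP patterns.

```python
"""Model of flowgrep's -c / -s / -a / -i / -v matching over a reassembled flow.

Added illustration, not flowgrep's own code. Assumptions: Python's re module
stands in for re_format(7), and a flow is evaluated once over its reassembled
client and server payloads.
"""
import re
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    """Reassembled payload of one connection, split by direction."""
    client_data: str   # data sent from client to server
    server_data: str   # data sent from server to client


class FlowMatcher:
    def __init__(self, client: Iterable[str] = (), server: Iterable[str] = (),
                 any_dir: Iterable[str] = (), ignore_case: bool = False,
                 invert: bool = False):
        flags = re.IGNORECASE if ignore_case else 0                # -i
        self.client = [re.compile(p, flags) for p in client]      # -c / -f
        self.server = [re.compile(p, flags) for p in server]      # -s / -F
        self.any_dir = [re.compile(p, flags) for p in any_dir]    # -a
        self.invert = invert                                      # -v

    def hit(self, flow: Flow) -> bool:
        """True if any pattern matches in the direction it was given for."""
        if any(p.search(flow.client_data) for p in self.client):
            return True
        if any(p.search(flow.server_data) for p in self.server):
            return True
        return any(p.search(flow.client_data) or p.search(flow.server_data)
                   for p in self.any_dir)

    def selected(self, flow: Flow) -> bool:
        """Whether the flow would be logged or killed; -v inverts the match."""
        return self.hit(flow) != self.invert


# Patterns from the man page's "non-HTTP use of port 80" example (-i, -c, -v).
NON_HTTP_ON_80 = FlowMatcher(
    client=[r"^GET *.+HTTP/1.[01]", r"^POST *.+HTTP/1.[01]",
            r"^PUT *.+HTTP/1.[01]"],
    ignore_case=True,
    invert=True,
)

# Pattern from the "stop successful web surfing" example (-s only).
SERVER_OK = FlowMatcher(server=[r"HTTP/1.1 200 OK"])

# Constructed sample flows, not captured traffic.
HTTP_FLOW = Flow(client_data="GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
                 server_data="HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
SSH_ON_80 = Flow(client_data="SSH-2.0-OpenSSH_9.6\r\n",
                 server_data="SSH-2.0-OpenSSH_9.6\r\n")
# A tunnel wrapper that prefixes a request line, as the BUGS section warns.
WRAPPED_SSH_ON_80 = Flow(client_data="GET / HTTP/1.1\r\n\r\nSSH-2.0-OpenSSH_9.6\r\n",
                         server_data="SSH-2.0-OpenSSH_9.6\r\n")
# The server pattern appearing only in client data must not count for -s.
ECHOED_OK = Flow(client_data="HTTP/1.1 200 OK", server_data="")


if __name__ == "__main__":
    for name, flow in [("http", HTTP_FLOW), ("ssh", SSH_ON_80),
                       ("wrapped ssh", WRAPPED_SSH_ON_80)]:
        print(f"{name:12s} non-HTTP-on-80 selected: {NON_HTTP_ON_80.selected(flow)}")
    print("server 200 OK on http flow:", SERVER_OK.selected(HTTP_FLOW))
    print("server 200 OK echoed by client:", SERVER_OK.selected(ECHOED_OK))
```

     Run stand-alone, the script reports that the plain HTTP flow is not
     selected, the bare SSH banner is, and the wrapped SSH flow slips
     through because its first bytes satisfy the client pattern.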

     Packets are captured on the first appropriate device unless the -d flag
     is specified, in which case device is used to capture packets. The input
     can also be a filename if -r is used. The filename must be in pcap(3)

     If the -k option is used, the matching TCP connection will be killed by
     flowgrep. This is done by sending TCP RST packets to the two
     participants. TCP connections can be both stored and killed.

     If the -l option is given, matched flows will be logged relative to the
     dir argument. Matched flows or packets are stored in files as the
     complete payload or reassembled TCP stream payload. The filename is
     based on the stream data and is logged as
     'time-source-sport-dest-dport-proto', with time as a 32 bit integer for
     seconds since the UNIX epoch. For protocols other than TCP or UDP, the
     protocol is listed as 'protoN' where 'N' is the protocol number. See
     protocols(5) for more information about these numbers and names. If the
     -x argument is given, these filenames will be written to stdout(4) in a
     format suitable for use with xargs(1) (i.e. for processing the flows).
     Flows are written out to the filesystem upon connection closure.
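     Whatever consumes the -x output or walks the -l directory has to take
     the 'time-source-sport-dest-dport-proto' names apart again. The
     following parser is an added example, not flowgrep's own code; the
     field order follows this page, the file names it processes are
     constructed, and the TCP/UDP protocol numbers come from protocols(5).

```python
"""Parse the file names flowgrep writes under the -l dir:
'time-source-sport-dest-dport-proto'.

Added illustration, not flowgrep's own code. Field order follows the man
page; the sample names below are constructed, not real captures.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Constructed sample names in the documented layout.
SAMPLE_NAMES = [
    "1102938475-192.0.2.10-51234-198.51.100.5-25-tcp",
    "1102938480-192.0.2.11-40001-198.51.100.5-25-tcp",
    "1102938481-192.0.2.12-5353-198.51.100.53-53-udp",
    "1102938490-192.0.2.13-0-198.51.100.9-0-proto47",   # GRE, no ports
    "README",                                            # not a flow file
]


class FlowRecord(NamedTuple):
    time: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # 'tcp', 'udp' or 'protoN' as written by flowgrep
    proto_number: int     # IP protocol number, see protocols(5)


# Addresses contain no '-', so each field is simply the text between dashes.
_NAME_RE = re.compile(
    r"^(?P<time>\d+)-(?P<src>[^-]+)-(?P<sport>\d+)-(?P<dst>[^-]+)-(?P<dport>\d+)-"
    r"(?P<proto>tcp|udp|proto(?P<num>\d+))$"
)

# Assigned numbers for the two protocols flowgrep names explicitly.
_KNOWN = {"tcp": 6, "udp": 17}


def parse_flow_name(name: str) -> Optional[FlowRecord]:
    """Return a FlowRecord for a flowgrep file name, or None if it is not one."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    proto = m.group("proto")
    number = _KNOWN.get(proto)
    if number is None:
        number = int(m.group("num"))      # the N of 'protoN'
    return FlowRecord(
        time=datetime.fromtimestamp(int(m.group("time")), tz=timezone.utc),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        proto=proto,
        proto_number=number,
    )


def parse_all(names: Iterable[str]) -> List[FlowRecord]:
    """Parse every name that fits the layout, skipping anything else."""
    return [r for r in map(parse_flow_name, names) if r is not None]


def flows_per_service(records: Iterable[FlowRecord]) -> Dict[Tuple[str, int, str], int]:
    """Count matched flows by (dest, dport, proto) for a quick triage view."""
    return dict(Counter((r.dst, r.dport, r.proto) for r in records))


if __name__ == "__main__":
    recs = parse_all(SAMPLE_NAMES)
    for r in recs:
        print(f"{r.time:%Y-%m-%d %H:%M:%S} {r.src}:{r.sport} -> {r.dst}:{r.dport} "
              f"{r.proto} (ip proto {r.proto_number})")
    for (dst, dport, proto), n in flows_per_service(recs).items():
        print(f"{n} flow(s) to {dst}:{dport}/{proto}")
```

     Fed the names from -x one per line, the same functions turn a directory
     of captured flows into a per-service count, which is usually the first
     question asked of a flowgrep log.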

     flowgrep can also use libdistance(3) for fuzzy string matching. Several
     algorithms are supported, including the Levenshtein algorithm, Damerau
     method, Hamming distance and the Jaccard distance. One or more strings
     may be given using the -e flag. If the distance calculated using the
     algorithms is below the value specified by -D a match has occurred. Note
     that this approach is slow and not well tested at this time.
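     To make the -D threshold concrete, the following is an added example
     and is neither libdistance(3) nor flowgrep code. It computes the
     Levenshtein distance between a -e string and the closest substring of a
     payload (Sellers' algorithm, the usual way to apply edit distance to a
     search) and applies this page's rule that a match occurs when the
     distance is below the -D value, read here as strictly less than, which
     is an assumption about flowgrep's comparison. The payloads are
     constructed. It also shows why the page calls the method not well
     tested: with a six-character string and -D 5, unrelated text is within
     range.

```python
"""Fuzzy payload matching in the style of flowgrep's -E levenshtein -e -D.

Added illustration, not libdistance(3) or flowgrep code. Sellers' algorithm
gives the Levenshtein distance from a string to the closest substring of a
payload; the match rule "distance below -D" is read as strictly less than.
"""
from typing import Iterable, Optional, Tuple


def closest_substring_distance(needle: str, haystack: str) -> int:
    """Minimum Levenshtein distance from needle to any substring of haystack.

    One dynamic-programming column per haystack character. Row 0 stays at
    zero so a match may start anywhere in the haystack; the answer is the
    smallest value ever seen in the last row.
    """
    n = len(needle)
    prev = list(range(n + 1))    # against the empty prefix: delete all of needle
    best = prev[n]
    for ch in haystack:
        cur = [0] * (n + 1)
        for i in range(1, n + 1):
            cost = 0 if needle[i - 1] == ch else 1
            cur[i] = min(prev[i] + 1,          # skip this haystack character
                         cur[i - 1] + 1,       # skip this needle character
                         prev[i - 1] + cost)   # match or substitute
        best = min(best, cur[n])
        prev = cur
    return best


def fuzzy_match(strings: Iterable[str], payload: str, max_distance: int,
                ignore_case: bool = False) -> Tuple[bool, Optional[int]]:
    """Apply the -e strings to one payload; return (matched, best distance)."""
    if ignore_case:                          # -i
        payload = payload.lower()
    best: Optional[int] = None
    for s in strings:
        if ignore_case:
            s = s.lower()
        d = closest_substring_distance(s, payload)
        best = d if best is None else min(best, d)
    matched = best is not None and best < max_distance   # assumption: strict
    return matched, best


# Constructed sample payloads, not captured mail.
SPAM_LINE = "Subject: Buy V1agra cheap"
ORDINARY_LINE = "Hello, meeting at noon"


if __name__ == "__main__":
    for threshold in (5, 2):
        for line in (SPAM_LINE, ORDINARY_LINE):
            matched, dist = fuzzy_match(["Viagra"], line, threshold, ignore_case=True)
            print(f"-D {threshold}: {line!r} -> distance {dist}, match={matched}")
```

     The obfuscated subject line sits at distance 1 and the unrelated line
     at distance 3, so the page's "-D 5" example selects both; only a
     tighter threshold such as -D 2 separates them. Lower -D, or longer -e
     strings, are what make the fuzzy mode usable.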

     The -V flag causes flowgrep to print the version information and exit.

EXAMPLES
     To capture all mail traffic over SMTP and log it relative to the local

           flowgrep -i -c "^ *mail +from" -l . tcp port 25

     To capture all non-mail traffic on TCP port 25 and log it into the
     directory suspicious:

           flowgrep -i -a "^ *mail +from" -v -l suspicious tcp port 25

     To turn flowgrep into a simple TCP flow recorder:

           flowgrep -a "." -l flow tcp

     To kill Blaster worm infection attempts:

           flowgrep -i -c "^ *tftp -i \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} GET
           msblast.exe" -k tcp port 4444

     To stop successful web surfing on your segment:

           flowgrep -s "HTTP/1.1 200 OK" -k tcp port 80

     To detect and stop SSH usage on non-SSH ports:

           flowgrep -i -a "ssh-" -k tcp not port 22

     To detect non-HTTP use of port 80:

           flowgrep -i -c "^GET *.+HTTP/1.[01]" -c "^POST *.+HTTP/1.[01]" -c
           "^PUT *.+HTTP/1.[01]" -l suspicious -v tcp port 80

     To detect Viagra spam on TCP port 25:

           flowgrep -E levenshtein -D 5 -e Viagra -l spammers tcp port 25

SEE ALSO
     pcap(3), libdistance(3), re_format(7), tcpkill(8), ngrep(8), tcpflow(8)

AUTHORS
     Jose Nazario (

BUGS
     Using flowgrep as an IPS to enforce policies against tunnelling (i.e.
     using TCP port 80 for SSH access) can be easily fooled if the tunnel
     wrapper adds basic protocol headers to the connections. Use flowgrep
     for this purpose with caution.

FreeBSD	13.0		       13 December, 2004		  FreeBSD 13.0