usage: tcpflow [-achpsv] [-b max_bytes] [-d debug_level] [-f max_fds]
[-i iface] [-L semlock] [-r file] [-R file] [-o outdir] [-X xmlfile]
[-m min_bytes] [-F[ct]] [expression]
-a: do ALL processing (http expansion, create report.xml, etc.)
-b: max number of bytes per flow to save
-B: force binary output to console, even with -c or -C
-c: console print only (don't create files)
-C: console print only, but without the display of source/dest header
-d: debug level; default is 1
-e: output each flow in alternating colors
-f: maximum number of file descriptors to use
-h: print this help message
-i: network interface on which to listen
(type "ifconfig -a" for a list of interfaces)
-L semlock - specifies that writes are locked using a named semaphore
-p: don't use promiscuous mode
-P: don't purge tcp connections on FIN
-r: read packets from tcpdump pcap file (may be repeated)
-R: read packets from tcpdump pcap file TO FINISH CONNECTIONS
-s: strip non-printable characters (change to '.')
-v: verbose operation equivalent to -d 10
-V: print version number and exit
-o outdir : specify output directory (default '.')
-X filename : DFXML output to filename
-m bytes : specifies the minimum number of bytes that a stream may
skip before starting a new stream (default 1000000).
-AH : extract HTTP objects and unzip GZIP-compressed HTTP messages
-Fc : append the connection counter to ALL filenames
-Ft : prepend the time_t timestamp to ALL filenames
-FT : prepend the ISO8601 timestamp to ALL filenames
-FX : Do not output any files (other than report files)
-FM : Calculate the MD5 for every flow
-T<template> : specify an arbitrary filename template (default %A.%a-%B.%b%V%v%C%c)
expression: tcpdump-like filtering expression
Filename template format:
%A - source IP address
%a - source IP port
%B - dest IP address
%b - dest IP port
%T - Timestamp in ISO8601 format
%t - Unix time_t
%V - '--' if VLAN is present
%v - VLAN number if VLAN is present
%C - 'c' if connection_count >0
%c - connection_count if connection_count >0
%# - always output connection count
%% - Output a '%'
Default filename template is %A.%a-%B.%b%V%v%C%c
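As an added illustration (not tcpflow's own code), the template rules listed above can be expressed as a small expander: the Flow class, expand_template() and the sample flows are names and values chosen here, and the example does not reproduce tcpflow's own zero-padding of address octets and ports.

```python
# Added example, not tcpflow source: expands a tcpflow-style filename
# template following the field list in the help text above.
# Flow and expand_template are names chosen for this illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

DEFAULT_TEMPLATE = "%A.%a-%B.%b%V%v%C%c"


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    start_time: int                  # Unix time_t of the first packet
    vlan: Optional[int] = None       # None when no VLAN tag was seen
    connection_count: int = 0        # >0 once the same 4-tuple reappears


def expand_template(template: str, flow: Flow) -> str:
    """Return the filename for `flow`; conditional fields expand to ''."""
    has_vlan = flow.vlan is not None
    has_count = flow.connection_count > 0
    fields = {
        "A": lambda: flow.src_ip,
        "a": lambda: str(flow.src_port),
        "B": lambda: flow.dst_ip,
        "b": lambda: str(flow.dst_port),
        "T": lambda: datetime.fromtimestamp(flow.start_time, timezone.utc)
                             .strftime("%Y-%m-%dT%H:%M:%SZ"),
        "t": lambda: str(flow.start_time),
        "V": lambda: "--" if has_vlan else "",
        "v": lambda: str(flow.vlan) if has_vlan else "",
        "C": lambda: "c" if has_count else "",
        "c": lambda: str(flow.connection_count) if has_count else "",
        "#": lambda: str(flow.connection_count),   # always emitted
        "%": lambda: "%",
    }
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        i += 1
        if ch != "%":
            out.append(ch)
            continue
        if i == len(template):
            raise ValueError("template ends with a bare '%'")
        code = template[i]
        i += 1
        if code not in fields:
            raise ValueError(f"unknown template field %{code}")
        out.append(fields[code]())
    return "".join(out)
```

With the default template a plain flow yields a name like 10.0.0.5.51234-192.0.2.10.80, and the same flow on VLAN 100 seen a third time yields 10.0.0.5.51234-192.0.2.10.80--100c2.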