Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  FLOWGREP (8)


flowgrep - TCP stream/UDP/IP payload ’grep’ utility


See Also


flowgrep [-ikVvx] [-a pattern] [-c pattern] [-D num] [-d device] [-E name] [-e string] [-F pattern_file] [-f pattern_file] [-l dir] [-r filename] [-s pattern] [-u username] [filter]


flowgrep is a small tool to look for arbitrary payload content in TCP streams or UDP packets. This search parameter is described as a regular expression using the format described in re_format(7). The -s flag indicates that the pattern should be looked for only in the server’s data stream (sent from the server to the client). These patterns can also be loaded from the pattern_file specified using the -F flag, with each pattern separated by a newline. Newlines are not considered part of a pattern. The -c flag indicates that the pattern should only match data sent by the client to the server. These patterns can also be loaded from the pattern_file specified using the -f flag, with each line containing one pattern to match. These newlines are not considered part of the pattern. The -a flag indicates any matching stream should be matched. For UDP and IP payloads these three flags are equivilent. Multiple expressions can be searched for by successive calls to the appropriate -a , -c or -s flag.

An optional pcap(3) filter can be specified to limit what data to monitor. TCP, UDP, and IP connections are evaluated. Fragments are reassembled according to their parent connection.

flowgrep drops privileges after initialization and runs as the user specified using the -u flag or the user ’nobody’ by default.

If -v is specified, the match is inverted and non-matching flows are logged or killed. The -i flag specifies a case insensitive search.

Packets are captured on the first appropriate device unless the -d flag is specified, in which case device is used to capture packets. The input can also be a filename if -r is used. The filename must be in pcap(3) format.

If the -k option is used, the matching TCP connection will be killed by flowgrep. This is done by sending TCP RST packets to the two participants. TCP connections can be both stored and killed.

If the -l option is given, matched flows will be logged relative to the dir argument. Matched flows or packets are stored in files as the complete payload or reassembled TCP stream payload. The filename is based on the stream data and is logged as ’time-source-sport-dest-dport-proto’, with time as a 32 bit integer for seconds since the UNIX epoch. For protocols other than TCP or UDP, the protocol is listed as ’protoN’ where ’N’ is the protocol number. See protocols(5) for more information about these numbers and name. If the -x argument is given, these filenames will be written to stdout(4) in a format suitable for use with xargs(1) (ie for processing the flows). Flows are written out to the filesystem upon the connection closure.

flowgrep can also use libdistance(3) for fuzzy string matching. Several algorithms are supported, including the Levenshtein algorithm, Damerau method, Hamming distance and the Jaccard distance. One or more strings may be given using the -e flag. If the distance calculated using the algorithms is below the value specified by -D a match has occured. Note that this approach is slow and not well tested at this time.

The -V flag causes flowgrep to print the version information and exit.


To capture all mail traffic over SMTP and log it relative to the local directory:

-i -c "^ *mail +from" -l . tcp port 25

To capture all non-mail traffic on TCP port 25 and log it into the directory suspicious:

-i -a "^ *mail +from" -v -l suspicious tcp port 25

To turn flowgrep into a simple TCP flow recorder:

-a "." -l flow tcp

To kill Blaster worm infection attempts:

-i -c "^ *tftp -i \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} GET msblast.exe" -k tcp port 4444

To stop successful web surfing on your segment:

-s "HTTP/1.1 200 OK" -k tcp port 80

To detect and stop SSH usage on non-SSH ports:

-i -a "ssh-" -k tcp not port 22

To detect non-HTTP use of port 80:

-i -c "^GET *.+HTTP/1.[01]" -c "^POST *.+HTTP/1.[01]"  -c "^PUT *.+HTTP/1.[01]" -l suspicious -v tcp port 80

Detect Viagra spam on TCP port 25:

-E levenshtein -D 5 -e Viagra -l spammers tcp port 25


pcap(3), libdistance(3), re_format(7), tcpkill(8), ngrep(8), tcpflow(8)


Jose Nazario (


Using flowgrep as a IPS to enforce policies against tunnelling (ie using TCP port 80 for SSH access) can be easily fooled if the tunnel wrapper adds basic protocol headers to the connections. Use flowgrep for this purpose with caution.
Search for    or go to Top of page |  Section 8 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.