Office Mac Help Site

How to Install and Use TCPflow

TCPflow is a program that captures and stores or displays data transmitted on a TCP/IP network. Running a trace while you reproduce a mail problem gives you something specific to report when you ring the experts. In addition, I have found that sometimes just running TCPflow will clear up the problem I am experiencing.

How to use TCPflow:

  1. Download the Mac OS X version of tcpflow (freeware).
  2. When you install, you will not find a TCPflow window, nor an icon on your dock. tcpflow is designed to work in the background. You will enter a command in the terminal window and results will also show in the terminal window.
  3. To run the test for email, quit all other applications that might be connecting to the internet like your browser, ftp client, twitter client. Set Entourage to work offline.
  4. Copy and paste the command below into the Terminal, or use this script (place the script in ~/Library/Scripts; you might have to create the folder).
    1. sudo /usr/local/bin/tcpflow -i en0 -c
    2. If you have an Exchange account, use the Exchange command given further down this page instead.
  5. Hit Enter. It will ask for your local admin or root password; enter it and you will see that the trace has started ('listening on en0').
  6. In Entourage, select only one account at a time to test. You will have to select "Connect" to bypass the work offline.
    1. Try to reproduce the issue.
      1. If you are having problems sending, only send a message.
      2. If you are having problems receiving, only try to receive.
    2. Watch the traffic in the Terminal window as you send or receive in Entourage. You should see what is failing.
    3. See the example of traffic below.
  7. You can stop the trace in the Terminal with Control+C.
  8. Optional: save the trace as a text file (File : Save text as), give it a name, and save it on the Desktop. This can be sent to your ISP to help troubleshoot your problem. Note that it contains your passwords and other sensitive information, so review it before sharing.

If you have an Exchange account, use this command:

sudo /usr/local/bin/tcpflow -i en0 -c host servername

(Here 'servername' is the NetBIOS name of the Exchange server, the same name you use in Entourage's Exchange account settings under the 'Account Settings' tab. Keep in mind that it is better to connect to the back-end mailbox server: the 'Exchange' virtual directory on it does not require SSL, so the trace is readable. SSL-encrypted traffic shows up in tcpflow as unreadable ciphertext.)


Another application you might want to try is EavesDrop.

Learn more about using TCPflow here. Also see Marc Liyanage's short version on using TCPflow.


There are options you can use to get a better "signal to noise" ratio with these commands (people usually get completely lost in the amount of data they get back).

You can restrict the "sniffing" to a specific server or a specific protocol.

E.g., to get only the traffic for your mail.mac.com server through your Ethernet connection, use:

sudo tcpflow -c -i en0 host mail.mac.com

Similarly, this command captures all POP traffic (TCP port 110) over the Ethernet connection:

sudo tcpflow -c -i en0 tcp port 110

You can also redirect the result to a file:

sudo tcpflow -c -i en0 host mail.mac.com > ~/Desktop/tcpflow-result.txt


Example of traffic between Entourage and ISP

In this example, my account in Entourage was showing 54 messages but was stuck trying to download. The log from tcpflow indicated it was the first message. RETR 1 shows it was retrying to download message 1. I used my webmail to view and delete the oldest message then Entourage was able to download all messages on the server.

Last login: Fri Feb  2 16:56:27 on ttyp1
sudo /usr/local/bin/tcpflow -i en0 -c
Welcome to Darwin!
diane-ross-power-mac-g4:~ diane$ sudo /usr/local/bin/tcpflow -i en0 -c
/usr/local/bin/tcpflow[1979]: listening on en0
206.018.177.080.00110-192.168.001.103.59370: +OK (alnrpxc16) Maillennium POP3/PROXY server #47

192.168.001.103.59370-206.018.177.080.00110: USER diane

206.018.177.080.00110-192.168.001.103.59370: +OK

192.168.001.103.59370-206.018.177.080.00110: PASS xxxxxx

206.018.177.080.00110-192.168.001.103.59370: +OK ready

192.168.001.103.59370-206.018.177.080.00110: UIDL

206.018.177.080.00110-192.168.001.103.59370: +OK 54 messages (90334)

1   20070201030722a220048qhve000did
2   20070201092622a21006k3a7e000die
3   20070201095456r2400bv239e000dif
4   20070201111053r11005f68me000dig
edited for brevity
54   20070203002041r2400euc5re000dk2

192.168.001.103.59370-206.018.177.080.00110: LIST

206.018.177.080.00110-192.168.001.103.59370: +OK 54 messages (90334)

1 1437
2 2082
3 1510
4 2204
edited for brevity
54 2621

192.168.001.103.59370-206.018.177.080.00110: RETR 1


The following explains in more detail what you see in a TCPflow report:

192.168.001.104.49513-206.018.177.080.00110: RETR 455

Each line above starts with a pair of IP addresses and port numbers (source, then destination); at the end it lists the operation, e.g. RETR = message retrieval.

192.168.001.104 = Your IP (Entourage Client Machine), 49513 = The port being used by Entourage to talk to your POP Server

206.018.177.080 = The POP Server you are connecting to using your Entourage, 00110 = Port for POP protocol

RETR = retrieve (the POP3 command that downloads a message; the number after it is the message number from the LIST output)
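To tie the format explanation above to the earlier advice about saving the trace for your ISP (it contains your password) and about spotting where the download stalls (the RETR 1 at the end of the example), here is an added example script that is not part of the Office Mac Help page or of tcpflow itself. It parses the console lines tcpflow -c prints, works out which end is the POP server from port 110, masks the PASS argument so the saved text can be shared, and reports the last client command that never got a reply. The sample trace inside it is constructed, modelled on the page's log with a documentation IP address and a made-up password.

```python
import re

# tcpflow -c prefixes every chunk of data with the flow it belongs to, written
# as zero-padded "SRC_IP.SPORT-DST_IP.DPORT: " (the page's log shows e.g.
# "206.018.177.080.00110-192.168.001.103.59370: +OK").
FLOW_RE = re.compile(
    r"^(?P<src>\d{3}(?:\.\d{3}){3})\.(?P<sport>\d{5})-"
    r"(?P<dst>\d{3}(?:\.\d{3}){3})\.(?P<dport>\d{5}): ?(?P<data>.*)$"
)
POP3_PORT = 110  # plain (unencrypted) POP3, the port the page filters on


def unpad_ip(padded):
    """'206.018.177.080' -> '206.18.177.80' (tcpflow zero-pads each octet)."""
    return ".".join(str(int(octet)) for octet in padded.split("."))


def parse_line(line):
    """Describe one tcpflow console line, or return None for lines that carry
    no flow prefix (blank lines and the continuation lines of UIDL/LIST)."""
    m = FLOW_RE.match(line)
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if dport == POP3_PORT:
        direction = "client->server"   # Entourage talking to the POP server
    elif sport == POP3_PORT:
        direction = "server->client"   # the POP server answering
    else:
        direction = "unknown"          # some other protocol slipped through
    return {
        "src": unpad_ip(m["src"]), "sport": sport,
        "dst": unpad_ip(m["dst"]), "dport": dport,
        "direction": direction, "data": m["data"],
    }


def redact(line):
    """Mask the PASS argument so a saved trace can be handed to an ISP without
    leaking the mailbox password. Everything else is left untouched."""
    m = FLOW_RE.match(line)
    if m and int(m["dport"]) == POP3_PORT and m["data"].upper().startswith("PASS "):
        return line[: m.start("data")] + "PASS <redacted>"
    return line


def find_stall(lines):
    """Return the last client command that received no +OK/-ERR reply before
    the trace ended, or None if every command was answered. This is the
    'RETR 1 with nothing after it' symptom described on the page."""
    pending = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["direction"] == "client->server":
            pending = rec["data"].strip()
        elif rec["direction"] == "server->client" and rec["data"].startswith(("+OK", "-ERR")):
            pending = None
    return pending


# Constructed sample trace (not the page's real log): server 192.0.2.10 is a
# documentation address and the password is made up. Blank lines and the
# unprefixed LIST continuation lines mimic what tcpflow -c prints.
SAMPLE_TRACE = """\
192.000.002.010.00110-192.168.001.103.59370: +OK POP3 server ready

192.168.001.103.59370-192.000.002.010.00110: USER diane

192.000.002.010.00110-192.168.001.103.59370: +OK

192.168.001.103.59370-192.000.002.010.00110: PASS hunter2

192.000.002.010.00110-192.168.001.103.59370: +OK ready

192.168.001.103.59370-192.000.002.010.00110: LIST

192.000.002.010.00110-192.168.001.103.59370: +OK 2 messages (3519)
1 1437
2 2082

192.168.001.103.59370-192.000.002.010.00110: RETR 1
""".splitlines()


if __name__ == "__main__":
    for line in SAMPLE_TRACE:
        print(redact(line))
    print("Unanswered command at end of trace:", find_stall(SAMPLE_TRACE))
```

To use it on a real saved trace, read the file into a list of lines and pass that list instead of SAMPLE_TRACE; only lines that carry the tcpflow flow prefix are interpreted, so the message listings and blank lines are skipped rather than misread as commands.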