From charlesreid1

Overview

What is it?

tcpkill is a command line utility installed as part of the Dsniff suite.

tcpkill kills TCP connections by forging TCP reset (RST) packets, which interferes with the connection.

To a victim, the end result is an infuriating mix of a network connection that appears connected and working when diagnosed, but that cannot keep any TCP connections alive.

How to use it?

To run tcpkill, you need a network card that can be operated in promiscuous mode (i.e., not Mac or Windows).

You provide three arguments:

  • the network interface to listen on
  • the degree of brute force to use in killing a connection (1-9, default is 3), passed as a flag such as -9. Use higher numbers for faster connections, to inject more forged RST packets and get the timing right
  • a tcpdump filter expression to select connections to kill
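Because several forged RSTs are injected per connection, a capture taken on the affected host shows them as a tight burst. The following is an added example, not code from the original page or from the dsniff project: a heuristic that flags such bursts in `tcpdump -tt -n -S` text output. The sample lines, the thresholds and the assumption that each forged RST in a burst carries a different sequence number are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Matches `tcpdump -tt -n -S` text output for TCP segments over IPv4.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)"
)

def find_rst_bursts(lines, min_rsts=3, window=0.05):
    """Return {(src, dst): burst_size} for flows where at least `min_rsts`
    RSTs with distinct sequence numbers arrive within `window` seconds.
    Both thresholds are assumed tuning values, not taken from tcpkill."""
    rsts = defaultdict(list)  # (src, dst) -> [(timestamp, seq), ...]
    for line in lines:
        m = LINE.match(line.strip())
        if m and "R" in m["flags"]:
            rsts[(m["src"], m["dst"])].append((float(m["ts"]), int(m["seq"])))

    bursts = {}
    for flow, events in rsts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({seq for _, seq in events[start:end + 1]})
            if distinct >= min_rsts:
                bursts[flow] = max(bursts.get(flow, 0), distinct)
    return bursts

# Constructed sample capture (not real traffic): one data segment followed by
# a burst of three RSTs, then an unrelated single RST on another flow.
SAMPLE = """\
1700000000.100000 IP 192.168.0.101.51000 > 203.0.113.10.80: Flags [P.], seq 1000:1100, ack 5000, win 502, length 100
1700000000.101200 IP 203.0.113.10.80 > 192.168.0.101.51000: Flags [R], seq 5000, win 0, length 0
1700000000.101300 IP 203.0.113.10.80 > 192.168.0.101.51000: Flags [R], seq 5502, win 0, length 0
1700000000.101400 IP 203.0.113.10.80 > 192.168.0.101.51000: Flags [R], seq 6004, win 0, length 0
1700000003.500000 IP 192.168.0.202.40000 > 203.0.113.20.443: Flags [R.], seq 777, ack 888, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    for (src, dst), size in find_rst_bursts(SAMPLE).items():
        print(f"possible injected RST burst: {src} -> {dst} ({size} RSTs)")
```

A single RST on a flow is normal TCP behaviour and is not flagged; only repeated RSTs inside the window are reported, so the thresholds need tuning against the network's own baseline.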

Examples

A few examples of tcpdump filter expressions that are useful:

  • Blocking all traffic from/to a particular website (host), such as example.com
  • Blocking all traffic from/to a particular IP address on the network, such as 192.168.0.101
  • Blocking traffic on a particular port, like 8000

To block all traffic to/from a particular website (using the -9 hammer):

tcpkill -i eth0 -9 host example.com or host example2.com

To block all network traffic to a local IP address 192.168.0.101 (using the -9 hammer):

tcpkill -i eth0 -9 192.168.0.101

To block all network traffic on a particular port:

tcpkill -9 port 6346

To block all traffic going to/from 192.168.0.101 except traffic coming from 192.168.0.202:

tcpkill ip host 192.168.0.101 and not 192.168.0.202

Links

Code

Official version: https://monkey.org/~dugsong/dsniff/

Patched C version: https://github.com/chartbeat/tcpkill

Python version: https://github.com/Kkevsterrr/tcpkiller

  • ethernet only, no 802.11 headers