Skip to main content
Version: Next


Loads bytes from a TCP or TLS connection.



tcp [-c|--connect] [-o|--listen-once]
[--tls] [--certfile] [--keyfile] <endpoint>


tcp [-l|--listen] [-o|--listen-once]
[--tls] [--certfile] [--keyfile] <endpoint>


The tcp connector supports TCP or TLS connections. The loader reads blocks of bytes from the socket, and the saver writes them to the socket.

The loader defaults to creating a socket in listening mode. Use --connect if the loader should initiate the connection instead. The saver defaults to creating a socket in connect mode. Use --listen if the saver should instead listen on a socket.

When you have a socket in listening mode, use to accept connections on all interfaces. Both saver and loader also have a --listen-once option that will stop the pipeline after the first connection terminated. The nics operator lists all all available interfaces.

One connection at at time

A single pipeline can accept at most one TCP connection at a time. If another client attempts to connect to the same listening socket, it will time out. The reason for this behavior is that the downstream operator (typically a parser) may exhibit undefined behavior if it receives data from multiple sockets.


The address of the remote endpoint to connect to when using --connect, and the bind address when using --listen.

-c,--connect (Loader)

Connect to <endpoint> instead of listening at it.

-l,--listen (Saver)

Listen at <endpoint> instead of connecting to it.


When listening to a socket, only process a single connection instead of looping over all connecting clients forever.

Requires a loader or saver with --listen.


Wrap the connection into a TLS secured stream.


Path to a .pem file containing the TLS certificate for the server.

Ignored unless --tls is also specified.


Path to a .pem file containing the private key for the certificate.

Ignored unless --tls is also specified.


Read raw bytes by connecting to a TCP endpoint:

load tcp://

Test this locally by spinning up a local server with socat:

echo foo | socat TCP-LISTEN:8000 stdout

Listen on localhost and wait for incoming TLS connections:

load tcp:// --tls --certfile key_and_cert.pem --keyfile key_and_cert.pem -k

The above example uses a self-signed certificate that can be generated like this:

openssl req -x509 -newkey rsa:2048 -keyout key_and_cert.pem -out key_and_cert.pem -days 365 -nodes

Test the endpoint locally by issuing a TLS connection:

openssl s_client