Man Linux: Main Page and Category List


       tcpick - tcp stream sniffer and connection tracker


       tcpick [ -a ] [ -n ] [ -C ]
              [ -e count ]
              [ -i interface | -r  file ]
              [ -X timeout ]
              [ -D  ] [ -F1 | -F2 ]
              [ -yH | -yP | -yR | -yU | -yx | -yX ]
              [ -bH | -bP | -bR | -bU | -bx | -bX ]
              [ -wH[ub] | -wP[ub] | -wR[ub] | -wU[ub] ]
              [ -v  [ verbosity ]] [ -S ] [ -h ]
              [ --separator ]
              [ -T | -Tf  [ number ]]
              [ -E | -Ef  [ number ]]
              [ -Pc  |  -Ps ]
              [  "filter" ]
              [ --help ] [ --version ]


       tcpick  is  a textmode sniffer libpcap-based that can track tcp streams
       and saves  the  data  captured  in  different  files,  each  for  every
       connection,  or  displays  them  in  the  terminal in different formats
       (hexdump, printable charachters, raw...)  Useful for picking files in a
       passive way.  It is useful to keep track of what users of a network are
       doing, and is usable with textmode tools like grep,  sed,  awk.   Happy
       data hunting :-)


       -i --interface interface
              listen  on selected interface, (i.e. ppp0 or eth0). If option -i
              is omitted, tcpick is able to select the  first  open  interface
              (usually a ethernet card).

       -r --readfile
              reads raw packets from a file written with tcpdump -w instead of
              using a network device.

              This is the filter for the capturer engine. You can  set  it  in
              the  same  way of setting the tcpdump(1) filter. Read tcpdump(1)
              manpage for other explanations.

       -a     Displays host names instead of ip addresses. Warning: for  every
              new  ip  grabbed a dns query will be generated! Use it carefully
              on high-traffic network devices!

       -C --colors
              Uses terminal colors: very nice!  It should help you to read the
              output of tcpick

       -D number --dirs number
              Create  directories to store sniffed sessions.  When a directory
              contains number sessions, a new one will be created.

       -e count
              Exits when count packets have been sniffed

       -E number
              Exit when number sniffed connections are detected as "CLOSED"

       -Ef number
              Exit when the first number connections are detected as "CLOSED"

       -F1 -F2 --filenaming 1|2
              Choose the filenaming system.
               -F1 : tcpick_clientip_serverip.side.dat
              (side means clnt, serv or both)
               -F2 : tcpick_connectionnumber_clientip_serverip.side.dat

       -h     Shows source and destination ip and port;  shows  tcp  flags  as

       --help Displays a short help summary

       -p     Dont  put  the network interface in promiscuous mode. Note that
              the interface might be in  promiscuous  mode   for   some  other

       -S     Suppresses the "status of the connection" banner.

              Add a separator for the payloads displayed.

       -t     Adds timestamp in hour:minutes:seconds:microseconds format

       -td    Like -t with date timestamp in day-month-year format

       -T number
              Track  number  connections.  It  could be very useful on a high-
              traffic network device.  If number is not specified, it will  be
              set to 1.

       -Tf number
              Track  only  the first number connections; the following will be
              discarded. If number is not specified, it will be set to 1.

       -v verbosity
              Quite unuseful, yet. Set verbosity level. Actually there are not
              really  many extra messages to display, this means it is enabled
              by default (-v1).  Set verbosity level to 0  to  suppress  extra
              messages  (-v0) except error messages.  Set verbosity level to 5
              to display debug messages (-v5).  There are not other  verbosity

       -X timeout
              Connections  are considered EXPIRED when there is no traffic for
              at least timeout seconds. Default is 600.

              Displays the tcpick version


       These options are prefixed by -y and are useful to display  in  various
       ways the content of the packet sniffed (the data, called payload), once
       it arrives at the listening interface. In that way the  tcp  duplicates
       will  be  not  discarded  and  the  packets  will not be reordered, but
       displayed "as is". If you want a fully acknowledged stream, see the  -w
       and -b set of options.

       -yH    View  data  in  hexadecimal-spaced mode (for the hexdump see -yx
              and -yX options.

       -yP    Shows  data  contained  in  the   tcp   packets.   Non-printable
              charachters  are  transformed in dots: ".". Newline character is
              preserved.  This is the best way, in my  opinion  to  show  data
              like HTTP requests, IRC communication, SMTP stuff and so on.

       -yR    Displays  all  kind of charachters, printable and non printable.
              If something binary is transmitted, the effect will probably  be
              like watching with "cat" at a gzipped file.

       -yx    Shows  all data after the header in hexadecimal dump of 16 bytes
              per line.

       -yX    Shows all data after the header in hexadecimal  and  ascii  dump
              with 16 bytes per line.

       -yU    Shows all data after the header, but Unprintable charachters are
              displayed as hexadecimal values between a "<" and a ">"  symbol.


       The  prefix  for  these  options  is  -w.  The TCP stream that has been
       sniffed with these options will be written to file named:
       client_<ip_client>_<ip_server>_<port_server>.tcpick and
       With the u flag of the -w option (i.e. -wRu)  both  client  and  server
       data will be written to a unique file named in that way:
       If  you use the additional flag b of the -w option (i.e. -wPub), in the
       file will be written this banner:

       [client|server]  offset  before:offset  after  (lenght   of   rebuilded

       to distinguish between client and server data.
       The  flow  is  rebuilded,  reordered and the duplicates are dropped. In
       that way it is possible to  sniff  entire  files  transmitted  via  ftp
       without data corruption (you can see this with md5sum).  If no argument
       is given to -w the data will be written like  -wR  You  can  decide  to
       write only client or server data by setting the flag
        C  (output only client data) and S (output only server data) to the -w

       -wR    This is the preferred option: data will be written  without  any
              changes. Useful for sniffing binary or compressed files.
              (-wRC only the client, -wRS only the server)

       -wP    Unprintable charachters are written like dots.
              (-wPC only the client, -wPS only the server)

       -wU    Unprintable  charachters  are  displayed  as  hexadecimal values
              between a "<" and a ">" symbol.
              (-wPC only the client, -wPS only the server)

       -wH    The flow is written in hexadecimal-spaced mode.
              (-wHC only the client, -wHS only the server)


       The prefix for these options is -b.  This set of options is very useful
       if you want to redirect the sniffed flow to anoter program with a pipe,
       and there should be no data corruption.  Of course the most  useful  is
       -bR  to  show the data as they are (raw).  A very useful feature is the
       flag C (output only client data) and S (output only server data). I.e.:
       -bRC  will  display  only the data from the client in raw mode; in that
       way you can put them in a file with a pipe redirection.

       The sub-options are quite the same of the -y set, so you have:

        -bH  hex-spaced
              (-bHC only the client, -bHS only the server)

        -bP  unprintable displayed as dots
              (-bPC only the client, -bPS only the server)

        -bR  raw mode
              (-bRC only the client, -bRS only the server)

        -bU  unprintable as <hex>.
              (-bUC only the client, -bUS only the server)

        -bx  hexdump
              (-bxC only the client, -bxS only the server)

        -bU  hexdump + ascii
              (-bXC only the client, -bXS only the server)

        -PC --pipe client
              This is an alias for -bRC -S -v0 -Tf1 -Ef1.   With  this  option
              you are able to track only the first connection (-T1) matched by
              tcpick and data are displayed as raw. Only data from the  client
              are  put  on  stdout.  All  messages and banners are suppressed,
              except error messages (-S -v0), so this  option  is  particulary
              useful  to  download  an entire fully rebuilded and acknowledged

        -PS --pipe server
              This is an alias for -bRS -S -v0 -Tf1 -Ef1.


       how to display the connection status:
               # tcpick -i eth0 -C

       display the payload and packet headers:
               # tcpick -i eth0 -C -yP -h -a

       display client data only of the first smtp connection:
               # tcpick -i eth0 -C -bCU -T1 "port 25"

       download a file passively:
               # tcpick -i eth0 -wR "port ftp-data"

       log http data in unique files (client and server mixed together):
               # tcpick -i eth0 "port 80" -wRub

       redirect the first connection to a software:
               #  tcpick  -i  eth0  --pipe  client  "port   80"   |   gzip   >
               # tcpick -i eth0 --pipe server "port 25" | nc 25


       Address: <tcpick-project[a]>
       If you have new ideas, patches, feature requests or simply  need  help,
       don’t  wait!  I  will  be grateful if you send a message to the mailing
       list (even if you want to say what you liked most on tcpick).


       The tcpick website is at
       You       can       find       the       project       page       here: kindly hosted by the sourceforge


       Please check AUTHORS file.


       Tcpick is an experimental software, and maybe some bugs  are  described
       in the KNOWN-BUGS file.
       On  some  versions of MacOSX Segmentation Fault happens and connections
       aren’t tracked properly.
       If you find any other bug, please write to the tcpick mailing list.


       Other nice packet/data sniffers:
       tcpdump, ngrep, tcptrack, ettercap, ethereal, snort


       This program is free software; you can redistribute it and/or modify it
       under  the  terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or  (at  you
       option) any later version.

       This  program  is  distributed  in the hope that it will be useful, but
       WITHOUT  ANY  WARRANTY;  without   even   the   implied   warranty   of
       General Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       59 Temple Place - Suite 330, Boston, MA  02111, USA.