tcpick(8)                   System Manager's Manual                  tcpick(8)

NAME

       tcpick - tcp stream sniffer and connection tracker

SYNOPSIS

       tcpick [ -a ] [ -n ] [ -C ]
              [ -e count ]
              [ -i interface | -r file ]
              [ -X timeout ]
              [ -D ] [ -F1 | -F2 ]
              [ -yH | -yP | -yR | -yU | -yx | -yX ]
              [ -bH | -bP | -bR | -bU | -bx | -bX ]
              [ -wH[ub] | -wP[ub] | -wR[ub] | -wU[ub] ]
              [ -v [ verbosity ]] [ -S ] [ -h ]
              [ --separator ]
              [ -T | -Tf [ number ]]
              [ -E | -Ef [ number ]]
              [ -Pc | -Ps ]
              [ "filter" ]
              [ --help ] [ --version ]


DESCRIPTION

       tcpick is a libpcap-based text-mode sniffer that can track tcp streams
       and save the captured data to separate files, one for each connection,
       or display it in the terminal in different formats (hexdump, printable
       characters, raw...). It is useful for picking up files in a passive way
       and for keeping track of what the users of a network are doing, and its
       output works with text-mode tools such as grep, sed and awk. Happy data
       hunting :-)


BASE OPTIONS

       -i --interface interface
              Listen on the selected interface (e.g. ppp0 or eth0). If option
              -i is omitted, tcpick selects the first open interface (usually
              an ethernet card).

       -r --readfile file
              Read raw packets from a file written with tcpdump -w instead of
              from a network device.

       "filter"
              This is the filter for the capture engine. You set it the same
              way as a tcpdump(1) filter; read the tcpdump(1) manpage for the
              filter syntax.

       -a     Display host names instead of ip addresses. Warning: for every
              new ip grabbed a dns query will be generated! Use it carefully
              on high-traffic network devices!

       -C --colors
              Use terminal colors: very nice! It should help you read the
              output of tcpick.

       -D number --dirs number
              Create directories to store sniffed sessions. When a directory
              contains number sessions, a new one will be created.

       -e count
              Exit when count packets have been sniffed.

       -E number
              Exit when number sniffed connections have been detected as
              "CLOSED".

       -Ef number
              Exit when the first number connections have been detected as
              "CLOSED".

       -F1 -F2 --filenaming 1|2
              Choose the file naming scheme.
               -F1 : tcpick_clientip_serverip.side.dat
              (side means clnt, serv or both)
               -F2 : tcpick_connectionnumber_clientip_serverip.side.dat

       -h     Show source and destination ip and port; show tcp flags as
              letters.

       --help Display a short help summary.

       -p     Don't put the network interface in promiscuous mode. Note that
              the interface might be in promiscuous mode for some other
              reason.

       -S     Suppress the "status of the connection" banner.

       --separator
              Add a separator between the payloads displayed.

       -t     Add a timestamp in hour:minutes:seconds:microseconds format.

       -td    Like -t, with a date timestamp in day-month-year format.

       -T number
              Track number connections. This can be very useful on a
              high-traffic network device. If number is not specified, it
              will be set to 1.

       -Tf number
              Track only the first number connections; the following ones will
              be discarded. If number is not specified, it will be set to 1.

       -v verbosity
              Not very useful yet. Set the verbosity level. Actually there are
              not really many extra messages to display, so this is enabled
              by default (-v1). Set the verbosity level to 0 to suppress all
              extra messages except error messages (-v0). Set the verbosity
              level to 5 to display debug messages (-v5). There are no other
              verbosity levels.

       -X timeout
              Connections are considered EXPIRED when there is no traffic for
              at least timeout seconds. Default is 600.

       --version
              Display the tcpick version.


DISPLAY THE DATA IN THE TCP PACKETS

       These options are prefixed by -y and display in various ways the
       content of the sniffed packets (the data, called payload) as it arrives
       at the listening interface. In this mode tcp duplicates are not
       discarded and packets are not reordered: they are displayed "as is". If
       you want a fully acknowledged stream, see the -w and -b sets of options.

       -yH    View data in hexadecimal-spaced mode (for the hexdump see the -yx
              and -yX options).

       -yP    Show the data contained in the tcp packets. Non-printable
              characters are transformed into dots: ".". The newline character
              is preserved. This is the best way, in my opinion, to show data
              like HTTP requests, IRC communication, SMTP stuff and so on.

       -yR    Display all kinds of characters, printable and non-printable.
              If something binary is transmitted, the effect will probably be
              like looking at a gzipped file with "cat".

       -yx    Show all data after the header as a hexadecimal dump of 16 bytes
              per line.

       -yX    Show all data after the header as a hexadecimal and ascii dump
              with 16 bytes per line.

       -yU    Show all data after the header, but unprintable characters are
              displayed as hexadecimal values between a "<" and a ">" symbol.


REBUILD AND WRITE THE TCP STREAM TO FILE

       The prefix for these options is -w. The TCP stream sniffed with these
       options will be written to files named:
       client_<ip_client>_<ip_server>_<port_server>.tcpick and
       server_<ip_client>_<ip_server>_<port_server>.tcpick
       With the u flag of the -w option (i.e. -wRu) both client and server
       data will be written to a single file named:
       <ip_client>_<ip_server>_<port_server>.tcpick
       If you use the additional flag b of the -w option (i.e. -wPub), this
       banner will be written to the file:

       [client|server] offset before:offset after (length of rebuilt segment)

       to distinguish between client and server data.
       The flow is rebuilt, reordered and the duplicates are dropped. In this
       way it is possible to sniff entire files transmitted via ftp without
       data corruption (you can verify this with md5sum). If no argument is
       given to -w, the data will be written as with -wR. You can decide to
       write only client or server data by adding the flag C (output only
       client data) or S (output only server data) to the -w set.

       -wR    This is the preferred option: data will be written without any
              changes. Useful for sniffing binary or compressed files.
              (-wRC only the client, -wRS only the server)

       -wP    Unprintable characters are written as dots.
              (-wPC only the client, -wPS only the server)

       -wU    Unprintable characters are written as hexadecimal values
              between a "<" and a ">" symbol.
              (-wUC only the client, -wUS only the server)

       -wH    The flow is written in hexadecimal-spaced mode.
              (-wHC only the client, -wHS only the server)

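       The per-connection files described above can be inventoried after a
       capture with the following shell script. It is an added example, not
       part of the tcpick man page or the tcpick sources; it assumes only the
       file naming scheme stated in this section (the client_ and server_
       prefixes and the combined file produced by the u flag), and the demo
       files and addresses it creates are constructed, not from a real
       capture. It records size and checksum per file so a passively rebuilt
       file can be compared with the original, the check the text suggests
       doing with md5sum (cksum is used here because it is POSIX).

```shell
#!/bin/sh
# Added example, not part of the tcpick man page or sources: inventory the
# per-connection files that "tcpick -w..." (or -w..u) leaves behind, using the
# naming scheme documented in the man page (assumed, not verified here):
#   client_<ip_client>_<ip_server>_<port_server>.tcpick
#   server_<ip_client>_<ip_server>_<port_server>.tcpick
#   <ip_client>_<ip_server>_<port_server>.tcpick      (the combined -w..u file)
# Only POSIX sh and POSIX utilities are used (cksum instead of md5sum).

# parse_tcpick_name NAME  ->  "SIDE CLIENT_IP SERVER_IP SERVER_PORT"
# SIDE is client, server, or both (for the combined file). IPv4 addresses
# contain no underscore, so the fields can be split on "_" from the right.
parse_tcpick_name() {
    base=${1##*/}                       # drop any directory prefix
    base=${base%.tcpick}                # drop the .tcpick suffix
    case "$base" in
        client_*) side=client; base=${base#client_} ;;
        server_*) side=server; base=${base#server_} ;;
        *)        side=both ;;
    esac
    port=${base##*_};   base=${base%_*}
    server=${base##*_}; client=${base%_*}
    printf '%s %s %s %s\n' "$side" "$client" "$server" "$port"
}

# tcpick_session_report DIR  ->  one line per .tcpick file in DIR:
# "SIDE CLIENT_IP SERVER_IP SERVER_PORT BYTES CKSUM"
# BYTES and CKSUM let you compare a passively rebuilt file with the original.
tcpick_session_report() {
    dir=${1:-.}
    for f in "$dir"/*.tcpick; do
        [ -f "$f" ] || continue         # unmatched glob stays literal; skip it
        set -- $(parse_tcpick_name "$f")
        bytes=$(wc -c < "$f" | tr -d ' ')
        sum=$(cksum < "$f" | cut -d' ' -f1)
        printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$bytes" "$sum"
    done
}

# Demo on constructed files with hypothetical addresses (no capture involved).
demo() {
    d=$(mktemp -d) || return 1
    printf 'USER anonymous\r\n' > "$d/client_10.0.0.5_10.0.0.80_21.tcpick"
    printf '220 ftp ready\r\n'  > "$d/server_10.0.0.5_10.0.0.80_21.tcpick"
    printf 'binary payload'      > "$d/10.0.0.5_10.0.0.80_20.tcpick"
    tcpick_session_report "$d"
    rm -rf "$d"
}

demo
```

       Run it from the directory where tcpick was started, or pass each
       directory created with -D as the argument, to get one line per rebuilt
       stream; the BYTES and CKSUM columns are what you compare against the
       original file when checking the rebuilt stream for corruption.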

DISPLAY THE REBUILT TCP STREAM

       The prefix for these options is -b. This set of options is very useful
       if you want to redirect the sniffed flow to another program with a
       pipe, as there should be no data corruption. Of course the most useful
       is -bR, which shows the data as they are (raw). A very useful feature
       is the flag C (output only client data) and S (output only server
       data). E.g. -bRC will display only the data from the client in raw
       mode; in this way you can put them in a file with a pipe redirection.

       The sub-options are much the same as the -y set, so you have:

        -bH  hex-spaced
              (-bHC only the client, -bHS only the server)

        -bP  unprintable displayed as dots
              (-bPC only the client, -bPS only the server)

        -bR  raw mode
              (-bRC only the client, -bRS only the server)

        -bU  unprintable as <hex>
              (-bUC only the client, -bUS only the server)

        -bx  hexdump
              (-bxC only the client, -bxS only the server)

        -bX  hexdump + ascii
              (-bXC only the client, -bXS only the server)

        -PC --pipe client
              This is an alias for -bRC -S -v0 -Tf1 -Ef1. With this option
              you track only the first connection (-T1) matched by tcpick,
              and the data are displayed raw. Only data from the client are
              put on stdout. All messages and banners are suppressed, except
              error messages (-S -v0), so this option is particularly useful
              to download an entire fully rebuilt and acknowledged connection.

        -PS --pipe server
              This is an alias for -bRS -S -v0 -Tf1 -Ef1.


EXAMPLES

       how to display the connection status:
               # tcpick -i eth0 -C

       display the payload and packet headers:
               # tcpick -i eth0 -C -yP -h -a

       display client data only of the first smtp connection:
               # tcpick -i eth0 -C -bCU -T1 "port 25"

       download a file passively:
               # tcpick -i eth0 -wR "port ftp-data"

       log http data in unique files (client and server mixed together):
               # tcpick -i eth0 "port 80" -wRub

       redirect the first connection to another program:
               # tcpick -i eth0 --pipe client "port 80" | gzip > http_response.gz
               # tcpick -i eth0 --pipe server "port 25" | nc foobar.net 25


MAILING-LIST

       Address: <tcpick-project[a]lists.sourceforge.net>
       Archive: http://sourceforge.net/mailarchive/forum.php?forum=tcpick-project
       Subscribe: http://lists.sourceforge.net/lists/listinfo/tcpick-project
       If you have new ideas, patches, feature requests or simply need help,
       don't wait! I will be grateful if you send a message to the mailing
       list (even if you just want to say what you liked most about tcpick).


TCPICK WEBSITE

       The tcpick website is at http://tcpick.sf.net.
       You can find the project page here: http://sourceforge.net/projects/tcpick
       kindly hosted by the sourceforge team.


AUTHORS

       Please check the AUTHORS file.


BUGS

       Tcpick is experimental software, and some bugs may be described in the
       KNOWN-BUGS file.
       On some versions of MacOSX a Segmentation Fault happens and connections
       aren't tracked properly.
       If you find any other bug, please write to the tcpick mailing list.


SEE ALSO

       Other nice packet/data sniffers:
       tcpdump, ngrep, tcptrack, ettercap, ethereal, snort


LICENSE

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
       Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       59 Temple Place - Suite 330, Boston, MA  02111, USA.


                                                                     tcpick(8)