tcpick(8)                    System Manager's Manual                   tcpick(8)

NAME
       tcpick - tcp stream sniffer and connection tracker

SYNOPSIS
       tcpick [ -a ] [ -n ] [ -C ]
              [ -e count ]
              [ -i interface | -r file ]
              [ -X timeout ]
              [ -D ] [ -F1 | -F2 ]
              [ -yH | -yP | -yR | -yU | -yx | -yX ]
              [ -bH | -bP | -bR | -bU | -bx | -bX ]
              [ -wH[ub] | -wP[ub] | -wR[ub] | -wU[ub] ]
              [ -v [ verbosity ]] [ -S ] [ -h ]
              [ --separator ]
              [ -T | -Tf [ number ]]
              [ -E | -Ef [ number ]]
              [ -Pc | -Ps ]
              [ "filter" ]
              [ --help ] [ --version ]

DESCRIPTION
       tcpick is a libpcap-based textmode sniffer that can track tcp streams
       and either saves the captured data to files, one for each connection,
       or displays it in the terminal in different formats (hexdump,
       printable characters, raw...). It is useful for picking files in a
       passive way and for keeping track of what the users of a network are
       doing, and its output is usable with textmode tools like grep, sed
       and awk. Happy data hunting :-)

OPTIONS
       -i --interface interface
              Listen on the selected interface (e.g. ppp0 or eth0). If -i is
              omitted, tcpick selects the first open interface (usually an
              ethernet card).

       -r --readfile file
              Read raw packets from a file written with tcpdump -w instead of
              using a network device.

       "filter"
              This is the filter for the capture engine. It is set in the
              same way as a tcpdump(1) filter; read the tcpdump(1) manpage
              for further explanations.

       -a     Display host names instead of ip addresses. Warning: a dns
              query is generated for every new ip seen! Use it carefully on
              high-traffic network devices!

       -C --colors
              Use terminal colors: very nice! It should help you read the
              output of tcpick.

       -D number --dirs number
              Create directories to store the sniffed sessions. When a
              directory contains number sessions, a new one is created.

       -e count
              Exit when count packets have been sniffed.

       -E number
              Exit when number sniffed connections are detected as "CLOSED".

       -Ef number
              Exit when the first number connections are detected as
              "CLOSED".

       -F1 -F2 --filenaming 1|2
              Choose the file naming scheme:
              -F1 : tcpick_clientip_serverip.side.dat
                    (side is clnt, serv or both)
              -F2 : tcpick_connectionnumber_clientip_serverip.side.dat

       -h     Show source and destination ip and port; show tcp flags as
              letters.

       --help Display a short help summary.

       -p     Don't put the network interface in promiscuous mode. Note that
              the interface might be in promiscuous mode for some other
              reason.

       -S     Suppress the "status of the connection" banner.

       --separator
              Add a separator between the displayed payloads.

       -t     Add a timestamp in hour:minutes:seconds:microseconds format.

       -td    Like -t, with a date in day-month-year format.

       -T number
              Track at most number connections. It can be very useful on a
              high-traffic network device. If number is not specified, it is
              set to 1.

       -Tf number
              Track only the first number connections; the following ones
              are discarded. If number is not specified, it is set to 1.

       -v verbosity
              Not very useful yet. Set the verbosity level. At the moment
              there are not really many extra messages to display, so this
              is enabled by default (-v1). Set the verbosity level to 0 to
              suppress extra messages except error messages (-v0). Set it to
              5 to display debug messages (-v5). There are no other
              verbosity levels.

       -X timeout
              Connections are considered EXPIRED when there is no traffic
              for at least timeout seconds. Default is 600.

       --version
              Display the tcpick version.

       These options are prefixed by -y and display, in various ways, the
       content of the sniffed packets (the data, called payload) as it
       arrives at the listening interface. In this mode tcp duplicates are
       not discarded and packets are not reordered; they are displayed "as
       is". If you want a fully acknowledged stream, see the -w and -b sets
       of options.

       -yH    View data in hexadecimal-spaced mode (for a hexdump see the
              -yx and -yX options).

       -yP    Show the data contained in the tcp packets. Non-printable
              characters are transformed into dots: ".". The newline
              character is preserved. This is, in my opinion, the best way
              to show data like HTTP requests, IRC communication, SMTP stuff
              and so on.

       -yR    Display all kinds of characters, printable and non-printable.
              If something binary is transmitted, the effect will probably
              be like looking at a gzipped file with "cat".

       -yx    Show all data after the header as a hexadecimal dump with 16
              bytes per line.

       -yX    Show all data after the header as a hexadecimal and ascii dump
              with 16 bytes per line.

       -yU    Show all data after the header, but unprintable characters are
              displayed as hexadecimal values between a "<" and a ">"
              symbol.

       The prefix for these options is -w. The TCP stream sniffed with these
       options is written to files named:
              client_<ip_client>_<ip_server>_<port_server>.tcpick and
              server_<ip_client>_<ip_server>_<port_server>.tcpick
       With the u flag of the -w option (e.g. -wRu) both client and server
       data are written to a unique file named:
              <ip_client>_<ip_server>_<port_server>.tcpick
       If you also use the b flag of the -w option (e.g. -wPub), this banner
       is written into the file:

              [client|server] offset before:offset after (length of rebuilt
              segment)

       to distinguish between client and server data.
       The flow is rebuilt, reordered and the duplicates are dropped. In
       this way it is possible to sniff entire files transmitted via ftp
       without data corruption (you can verify this with md5sum). If no
       argument is given to -w the data is written as with -wR. You can
       decide to write only client or only server data by adding the flag C
       (output only client data) or S (output only server data) to the -w
       set.

       -wR    This is the preferred option: data is written without any
              changes. Useful for sniffing binary or compressed files.
              (-wRC only the client, -wRS only the server)

       -wP    Unprintable characters are written as dots.
              (-wPC only the client, -wPS only the server)

       -wU    Unprintable characters are written as hexadecimal values
              between a "<" and a ">" symbol.
              (-wUC only the client, -wUS only the server)

       -wH    The flow is written in hexadecimal-spaced mode.
              (-wHC only the client, -wHS only the server)

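       When sessions are logged with the u and b flags, the banners are what
       lets a reviewer split the mixed file back into its two directions and
       check that nothing is missing from the rebuilt stream. The following
       parser is an added illustration, not part of tcpick or this manual;
       it assumes each banner is rendered exactly as "[client] before:after
       (length)" followed by a newline, that the offsets count bytes within
       that side's stream, and that exactly length bytes of payload follow.
       The sample capture is constructed.

```python
import re
import sys

# Assumed banner layout written with the -w "ub" flags (assumption, see lead-in):
#   "[client] <offset before>:<offset after> (<length>)\n"
# followed by exactly <length> bytes of rebuilt payload for that side.
BANNER_RE = re.compile(rb"\[(client|server)\] (\d+):(\d+) \((\d+)\)\n")

def split_unique_file(data: bytes):
    """Split a mixed client/server file back into two streams.

    Returns ({"client": bytes, "server": bytes}, gaps), where gaps lists
    (side, expected offset, announced offset) for every segment that does
    not start where the previous segment of that side ended. Segments are
    sliced by the banner's length field, never by newlines, so raw binary
    payload written with -wRub is handled correctly."""
    streams = {"client": b"", "server": b""}
    expected = {"client": 0, "server": 0}
    gaps = []
    pos = 0
    while pos < len(data):
        m = BANNER_RE.match(data, pos)
        if m is None:
            raise ValueError(f"no banner at byte offset {pos}")
        side = m.group(1).decode()
        before, after, length = (int(m.group(i)) for i in (2, 3, 4))
        payload = data[m.end():m.end() + length]
        if len(payload) != length:
            raise ValueError(f"truncated segment at byte offset {m.end()}")
        if before != expected[side]:
            gaps.append((side, expected[side], before))
        expected[side] = after
        streams[side] += payload
        pos = m.end() + length
    return streams, gaps

# Constructed sample: server bytes 17-29 are missing, everything else is contiguous.
SAMPLE = (
    b"[client] 0:16 (16)\n" + b"GET / HTTP/1.0\r\n"
    + b"[server] 0:17 (17)\n" + b"HTTP/1.0 200 OK\r\n"
    + b"[client] 16:18 (2)\n" + b"\r\n"
    + b"[server] 30:35 (5)\n" + b"hello"
)

if __name__ == "__main__":
    # Pass a -wRub output file as the first argument; falls back to the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    streams, gaps = split_unique_file(raw)
    for side in ("client", "server"):
        print(f"{side}: {len(streams[side])} bytes")
    print("gaps:", gaps or "none")
```

       A non-empty gap list means the md5sum check described above cannot
       succeed for that side, because part of the rebuilt stream never
       reached the file.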
       The prefix for these options is -b. This set of options is very
       useful if you want to redirect the sniffed flow to another program
       through a pipe, and there should be no data corruption. Of course the
       most useful is -bR, which shows the data as it is (raw). A very
       useful feature is the flag C (output only client data) and S (output
       only server data). E.g. -bRC displays only the data from the client
       in raw mode; in this way you can put it in a file with a pipe
       redirection.

       The sub-options are much the same as the -y set, so you have:

       -bH    hex-spaced
              (-bHC only the client, -bHS only the server)

       -bP    unprintable displayed as dots
              (-bPC only the client, -bPS only the server)

       -bR    raw mode
              (-bRC only the client, -bRS only the server)

       -bU    unprintable as <hex>
              (-bUC only the client, -bUS only the server)

       -bx    hexdump
              (-bxC only the client, -bxS only the server)

       -bX    hexdump + ascii
              (-bXC only the client, -bXS only the server)

       -PC --pipe client
              This is an alias for -bRC -S -v0 -Tf1 -Ef1. With this option
              only the first connection matched by tcpick is tracked (-Tf1)
              and the data is displayed raw. Only data from the client is
              put on stdout. All messages and banners are suppressed except
              error messages (-S -v0), so this option is particularly useful
              to download an entire, fully rebuilt and acknowledged
              connection.

       -PS --pipe server
              This is an alias for -bRS -S -v0 -Tf1 -Ef1.

EXAMPLES
       how to display the connection status:
              # tcpick -i eth0 -C

       display the payload and packet headers:
              # tcpick -i eth0 -C -yP -h -a

       display client data only of the first smtp connection:
              # tcpick -i eth0 -C -bCU -T1 "port 25"

       download a file passively:
              # tcpick -i eth0 -wR "port ftp-data"

       log http data in unique files (client and server mixed together):
              # tcpick -i eth0 "port 80" -wRub

       redirect the first connection to a software:
              # tcpick -i eth0 --pipe client "port 80" | gzip > http_response.gz
              # tcpick -i eth0 --pipe server "port 25" | nc foobar.net 25

       Address: <tcpick-project[a]lists.sourceforge.net>
       Archive: http://sourceforge.net/mailarchive/forum.php?forum=tcpick-project
       Subscribe: http://lists.sourceforge.net/lists/listinfo/tcpick-project
       If you have new ideas, patches, feature requests or simply need help,
       don't wait! I will be grateful if you send a message to the mailing
       list (even if you only want to say what you liked most about tcpick).

       The tcpick website is at http://tcpick.sf.net.
       You can find the project page at http://sourceforge.net/projects/tcpick,
       kindly hosted by the sourceforge team.

AUTHORS
       Please check the AUTHORS file.

BUGS
       Tcpick is experimental software, and some bugs may be described in
       the KNOWN-BUGS file.
       On some versions of MacOSX a Segmentation Fault happens and
       connections aren't tracked properly.
       If you find any other bug, please write to the tcpick mailing list.

SEE ALSO
       Other nice packet/data sniffers:
       tcpdump, ngrep, tcptrack, ettercap, ethereal, snort

       This program is free software; you can redistribute it and/or modify
       it under the terms of the GNU General Public License as published by
       the Free Software Foundation; either version 2 of the License, or (at
       your option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License
       along with this program; if not, write to the Free Software
       Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.

                                                                     tcpick(8)