NAME
tcpick - tcp stream sniffer and connection tracker

SYNOPSIS
tcpick [ -a ] [ -C ] [ -h ] [ -n ] [ -p ] [ -s ] [ -S ] [ -t ] [ -td ] [ -v verbosity ] [ -e count ] [ -E number ] [ -Ef number ] [ -i interface | -r file ] [ -D number ] [ -T number ] [ -Tf number ] [ -X timeout ] [ -F1 | -F2 ] [ -yP | -yR | -yU | -yx | -yX | -yH ] [ -wR[C|S] | -wP[C|S] | -wU[C|S] | -wH[C|S] ] [ -bR[C|S] | -bP[C|S] | -bU[C|S] | -bx[C|S] | -bX[C|S] | -bH[C|S] ] [ -PC | -PS ] [ --version ] [ "filter" ]
DESCRIPTION
tcpick is a textmode, libpcap-based sniffer that can track tcp streams and either save the captured data to files, one for every connection, or display it in the terminal in different formats (hexdump, printable characters, raw...). It is useful for picking files out of traffic in a passive way and for keeping track of what the users of a network are doing, and it combines well with textmode tools like grep, sed and awk. Happy data hunting :-)
OPTIONS
- -i interface --interface interface
- Listen on the selected interface (e.g. ppp0 or eth0). If -i is omitted, tcpick selects the first interface it is able to open (usually an ethernet card).
- -r file --readfile file
- Read raw packets from a file written with tcpdump -w instead of from a network device.
- "filter"
- The filter for the capture engine, written with the same syntax as a tcpdump(1) filter. Read the tcpdump(1) manpage for the details.
- -n --names
- Display host names instead of ip addresses. Warning: a dns query is generated for every new ip seen, which is slow on high-traffic network devices and, since the lookups go out on the wire, tells the resolver which addresses you are looking at; the capture is no longer passive. Use it carefully!
- -C --colors
- Use terminal colors: very nice! They make the output of tcpick easier to read.
- -D number --dirs number
- Create directories to store the sniffed sessions. When a directory contains number sessions, a new one is created.
- -e count
- Exit after count packets have been sniffed.
- -E number
- Exit when number sniffed connections have been detected as "CLOSED".
- -Ef number
- Exit when the first number connections have been detected as "CLOSED".
- -F1 -F2 --filenaming 1|2
- Choose the filenaming scheme.
-F1 : tcpick_clientip_serverip.side.dat
(side means clnt, serv or both)
- -a --header
- Show source and destination ip and port, and the tcp flags.
- -h --help
- Display a short help summary.
- -p
- Don't put the network interface in promiscuous mode. Note that the interface might already be in promiscuous mode for some other reason (another sniffer, for instance), so this option does not guarantee that it is off.
- -S
- Suppress the "status of the connection" messages.
- -s --separator
- Add a separator between the payloads displayed.
- -t --timestamp
- Add a timestamp in hour:minutes:seconds:microseconds format.
- -td
- Like -t, with the date added to the timestamp.
- -T number
- Track at most number connections at a time. It can be very useful on a high-traffic network device. If number is not specified, it is set to 1.
- -Tf number
- Track only the first number connections; the following ones are discarded. If number is not specified, it is set to 1.
- -v verbosity
- Quite useless, yet. Set the verbosity level. There are not really many extra messages to display, so it is enabled by default (-v1). Set the level to 0 to suppress extra messages (-v0) except error messages, or to 5 to display debug messages (-v5). There are no other levels.
- -X timeout
- Connections are considered EXPIRED when there has been no traffic for at least timeout seconds. Default is 600.
- --version
- Display the tcpick version.
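The connection-tracking options above (-T, -Tf, -E, -Ef, -X) interact in ways the one-line descriptions do not make obvious. The following is an added example, not tcpick's own code: a minimal tracker fed with constructed TCP header events. Only the state names CLOSED and EXPIRED come from this manpage; the other state names (SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT), the rule that a flow is only picked up from its first SYN, the log line format and the sample addresses are assumptions made for the example.

```python
# Added example (not tcpick's own code): how -T/-Tf limits, -E/-Ef exit
# conditions and the -X idle timeout interact in a TCP connection tracker.
# State names other than CLOSED/EXPIRED, the SYN-only pickup rule and the
# sample trace are assumptions made for this example.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits
Endpoint = Tuple[str, int]


@dataclass
class Conn:
    client: Endpoint      # the side that sent the first SYN
    server: Endpoint
    state: str
    last_seen: float
    fins: int = 0         # a FIN from each side closes the connection


class Tracker:
    def __init__(self, timeout: float = 600.0, max_track: Optional[int] = None,
                 first_only: bool = False, exit_closed: Optional[int] = None):
        self.timeout = timeout          # -X timeout: idle seconds before a flow is EXPIRED
        self.max_track = max_track      # -T number: flows tracked at a time (None = unlimited)
        self.first_only = first_only    # -Tf: only the first max_track flows ever seen
        self.exit_closed = exit_closed  # -E/-Ef number: stop once this many flows are CLOSED
        self.conns: Dict[Tuple[Endpoint, Endpoint], Conn] = {}
        self.started = 0
        self.closed = 0
        self.stopped = False
        self.log: List[str] = []        # the "status of the connection" lines (-S would suppress)

    @staticmethod
    def _key(a: Endpoint, b: Endpoint) -> Tuple[Endpoint, Endpoint]:
        return (a, b) if a <= b else (b, a)     # same key for both directions of a flow

    def _status(self, now: float, c: Conn, state: str) -> None:
        c.state = state
        self.log.append(f"{now:.3f} {c.client[0]}:{c.client[1]} > "
                        f"{c.server[0]}:{c.server[1]} {state}")

    def _finish(self, now: float, key: Tuple[Endpoint, Endpoint], state: str) -> None:
        c = self.conns.pop(key)
        self._status(now, c, state)
        if state == "CLOSED":
            self.closed += 1
            if self.exit_closed is not None and self.closed >= self.exit_closed:
                self.stopped = True     # tcpick would exit here

    def expire(self, now: float) -> None:
        """Drop every flow idle for at least the -X timeout, logging it as EXPIRED."""
        for key, c in list(self.conns.items()):
            if now - c.last_seen >= self.timeout:
                self._finish(now, key, "EXPIRED")

    def packet(self, now: float, src: str, sport: int, dst: str, dport: int,
               flags: int) -> Optional[str]:
        """Feed one TCP header; return the flow state afterwards, or None if not tracked."""
        if self.stopped:
            return None
        self.expire(now)
        a, b = (src, sport), (dst, dport)
        key = self._key(a, b)
        c = self.conns.get(key)
        if c is None:
            if not (flags & SYN) or flags & ACK:
                return None             # assumption: flows are only picked up from their first SYN
            if self.max_track is not None:
                in_use = self.started if self.first_only else len(self.conns)
                if in_use >= self.max_track:
                    return None         # -Tf: discarded for good; -T: until a slot frees up
            self.started += 1
            c = self.conns[key] = Conn(a, b, "", now)
            self._status(now, c, "SYN-SENT")
            return c.state
        c.last_seen = now
        if flags & RST:
            self._finish(now, key, "CLOSED")
            return "CLOSED"
        if flags & FIN:
            c.fins += 1
            if c.fins >= 2:
                self._finish(now, key, "CLOSED")
                return "CLOSED"
            c.state = "FIN-WAIT"
        elif flags & SYN:
            c.state = "SYN-RECEIVED"    # the server's SYN/ACK
        elif flags & ACK and c.state in ("SYN-SENT", "SYN-RECEIVED"):
            c.state = "ESTABLISHED"
        return c.state


def demo() -> Tracker:
    """Constructed trace (like -E1): one full handshake and teardown plus a SYN never answered."""
    t = Tracker(timeout=600.0, exit_closed=1)
    c, s = ("10.0.0.5", 40001), ("10.0.0.9", 80)
    t.packet(0.000, *c, *s, SYN)
    t.packet(0.010, "10.0.0.5", 40002, "10.0.0.9", 80, SYN)   # second flow, left idle
    t.packet(0.020, *s, *c, SYN | ACK)
    t.packet(0.030, *c, *s, ACK)
    t.packet(0.500, *c, *s, ACK)                               # a data segment
    t.packet(1.000, *c, *s, FIN | ACK)
    t.packet(1.010, *s, *c, FIN | ACK)                         # second FIN: CLOSED, tracker stops
    return t


if __name__ == "__main__":
    print("\n".join(demo().log))
```

Run the file to see the status lines for the constructed trace. The idle second flow never shows up as EXPIRED in the demo because the tracker stops after the first CLOSED connection, exactly the behaviour -E1 (and the -PC/-PS aliases, via -Ef1) rely on.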
DISPLAY OPTIONS
These options are prefixed by -y and control how the content of the sniffed packets (the data, called payload) is displayed, as soon as it arrives at the listening interface. In this mode tcp duplicates are not discarded and packets are not reordered: they are displayed "as is", so what you see is what was on the wire, retransmissions included. If you want a fully acknowledged stream, see the -w set of options.
- -yH
- View data in hexadecimal-spaced mode (for a hexdump see the -yx and -yX options).
- -yP
- Show the data contained in the tcp packets. Non-printable characters are replaced by dots: ".". The newline character is preserved. This is, in my opinion, the best way to show data like HTTP requests, IRC communication, SMTP stuff and so on.
- -yR
- Display all kinds of characters, printable and non-printable. If something binary is transmitted, the effect will probably be like running cat on a gzipped file.
- -yx
- Show all data after the header as a hexadecimal dump, 16 bytes per line.
- -yX
- Show all data after the header as a hexadecimal and ascii dump, 16 bytes per line.
- -yU
- Show all data after the header, but unprintable characters are displayed as hexadecimal values between a "<" and a ">" symbol.
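To make the differences between the -y sub-options concrete, here is an added example, not tcpick's own code, that re-implements the six display modes in Python and runs them on a constructed payload. This manpage does not specify tcpick's output byte for byte, so the offset column, the column widths of the hexdump and the choice to keep newlines in -yU as well as -yP are assumptions of the example.

```python
# Added example (not tcpick's own code): the -y payload display modes
# (P, R, U, H, x, X) re-implemented so they can be compared on one payload.
# Offset column, hexdump widths and newline handling in -yU are assumptions.
from __future__ import annotations

BYTES_PER_LINE = 16   # -yx / -yX dump 16 bytes per line


def _is_printable(b: int, keep_newline: bool) -> bool:
    return 0x20 <= b < 0x7F or (keep_newline and b == 0x0A)


def render_printable(payload: bytes) -> str:
    """-yP: printable characters kept, newline preserved, anything else shown as a dot."""
    return "".join(chr(b) if _is_printable(b, True) else "." for b in payload)


def render_raw(payload: bytes) -> str:
    """-yR: every byte emitted as-is (binary goes straight to the terminal)."""
    return payload.decode("latin-1")


def render_unprintable_hex(payload: bytes) -> str:
    """-yU: like -yP, but unprintable bytes appear as <hh> instead of a dot."""
    return "".join(chr(b) if _is_printable(b, True) else f"<{b:02x}>" for b in payload)


def render_hex_spaced(payload: bytes) -> str:
    """-yH: the whole payload as space-separated hex pairs."""
    return " ".join(f"{b:02x}" for b in payload)


def render_hexdump(payload: bytes, with_ascii: bool = False) -> str:
    """-yx (with_ascii=False) / -yX (with_ascii=True): 16 bytes per line with an offset column."""
    lines = []
    for off in range(0, len(payload), BYTES_PER_LINE):
        chunk = payload[off:off + BYTES_PER_LINE]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        line = f"{off:08x}  {hexpart}"
        if with_ascii:
            text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
            line = f"{off:08x}  {hexpart:<{BYTES_PER_LINE * 3 - 1}}  |{text}|"
        lines.append(line)
    return "\n".join(lines)


MODES = {
    "P": render_printable,
    "R": render_raw,
    "U": render_unprintable_hex,
    "H": render_hex_spaced,
    "x": render_hexdump,
    "X": lambda p: render_hexdump(p, with_ascii=True),
}


def render(payload: bytes, mode: str) -> str:
    """Dispatch on the single letter that follows -y (P, R, U, H, x or X)."""
    try:
        return MODES[mode](payload)
    except KeyError:
        raise ValueError(f"unknown -y mode {mode!r}; expected one of {''.join(MODES)}") from None


# Constructed sample: an HTTP request followed by a few binary bytes.
SAMPLE = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n\x00\x01\xfe\xff"

if __name__ == "__main__":
    for m in "PUHxX":
        print(f"--- -y{m} ---")
        print(render(SAMPLE, m))
```

Running the file prints the same payload in each mode; notice that -yP silently turns the \r of every HTTP line ending into a dot, while -yU keeps that information as <0d>, which is why -yU is the safer choice when you need to see exactly what a client sent.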
WRITE OPTIONS
The prefix for these options is -w. The TCP stream sniffed with these options is written to a file named according to the filenaming scheme chosen with -F1/-F2 (see above), with side set to clnt or serv.
With the u flag of the -w option (i.e. -wRu) both client and server data are written to a single file (side both).
If you additionally use the b flag of the -w option (i.e. -wRub), a banner of the form
[client|server] offset before:offset after (length of rebuilt data)
is written into the file, to distinguish client data from server data.
The flow is rebuilt, reordered and the duplicates are dropped. In that way it is possible to sniff entire files transmitted via ftp without data corruption (you can check this with md5sum). If -w is given without argument, the data are written as with -wR.
You can write only client or only server data by appending the flag C (output only client data) or S (output only server data) to the option:
- -wR
- The preferred option: data are written without any changes. Useful for sniffing binary or compressed files.
(-wRC only the client, -wRS only the server)
- -wP
- Unprintable characters are written as dots.
(-wPC only the client, -wPS only the server)
- -wU
- Unprintable characters are written as hexadecimal values between a "<" and a ">" symbol.
(-wUC only the client, -wUS only the server)
- -wH
- The flow is written in hexadecimal-spaced mode.
(-wHC only the client, -wHS only the server)
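The rebuild step is what lets -wR recover a file with a matching md5sum: segments arrive out of order, some are retransmitted, and a missing segment must not be papered over with garbage. The following is an added example, not tcpick's own code, of such a rebuild for one direction of a stream, together with the -F1 file name from this manpage. The (seq, payload) segment format, the decision to stop writing at the first hole, and the sample segments (a 512-byte "file" whose sequence numbers cross the 32-bit wrap) are constructed for the example.

```python
# Added example (not tcpick's own code): the kind of stream rebuild the -w
# options describe, i.e. reorder segments, drop duplicates, ignore overlapping
# retransmissions and stop at the first hole so no corrupt bytes are written.
# Segment format, hole handling and the sample data are constructed here.
from __future__ import annotations
import hashlib
from typing import Dict, List, Tuple

SEQ_MOD = 1 << 32
SIDES = ("clnt", "serv", "both")   # the "side" field of the -F1 file name


def session_filename(client_ip: str, server_ip: str, side: str = "both") -> str:
    """-F1 naming scheme from the manpage: tcpick_clientip_serverip.side.dat"""
    if side not in SIDES:
        raise ValueError(f"side must be one of {SIDES}")
    return f"tcpick_{client_ip}_{server_ip}.{side}.dat"


def reassemble(isn: int, segments: List[Tuple[int, bytes]]) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Rebuild one direction of a TCP stream from (seq, payload) pairs captured in any order.

    isn is the sequence number of the first payload byte (SYN seq + 1). Offsets are
    taken modulo 2**32, so a stream crossing the sequence-number wrap is rebuilt
    correctly. Returns (contiguous_bytes, gaps): the bytes from offset 0 up to the
    first hole, plus the [start, end) offset ranges never captured after that hole.
    """
    seen: Dict[int, int] = {}
    for seq, data in segments:
        start = (seq - isn) % SEQ_MOD
        for i, b in enumerate(data):
            seen.setdefault(start + i, b)   # first copy wins: duplicates/overlaps add nothing

    out = bytearray()
    off = 0
    while off in seen:                      # walk the contiguous, fully acknowledged prefix
        out.append(seen[off])
        off += 1

    gaps: List[Tuple[int, int]] = []
    gap_start = off
    for k in sorted(k for k in seen if k > off):
        if k != gap_start:
            gaps.append((gap_start, k))
        gap_start = k + 1
    return bytes(out), gaps


# Constructed sample: a 512-byte "file" sent with an ISN close to 2**32 so offsets wrap.
ORIGINAL = bytes(range(256)) * 2
ISN = 0xFFFFFFA0


def _seg(start: int, end: int) -> Tuple[int, bytes]:
    return ((ISN + start) % SEQ_MOD, ORIGINAL[start:end])


# Out of order, one exact duplicate (100-200 twice) and one overlapping retransmission (250-350).
SAMPLE_SEGMENTS = [_seg(200, 300), _seg(0, 100), _seg(100, 200), _seg(100, 200),
                   _seg(400, 512), _seg(250, 350), _seg(300, 400)]


def demo() -> Tuple[str, List[Tuple[int, int]]]:
    """Rebuild the sample; return its MD5 (compare with md5sum of the original) and the gaps."""
    data, gaps = reassemble(ISN, SAMPLE_SEGMENTS)
    return hashlib.md5(data).hexdigest(), gaps


if __name__ == "__main__":
    digest, gaps = demo()
    print("rebuilt md5 :", digest)
    print("original md5:", hashlib.md5(ORIGINAL).hexdigest())
    print("gaps        :", gaps)
    print("file name   :", session_filename("10.0.0.5", "10.0.0.9", "serv"))
```

Drop the two segments covering offsets 250 to 400 from SAMPLE_SEGMENTS and the rebuild stops at offset 300 and reports the hole as (300, 400) instead of emitting zeroes in its place; that is the property that makes the md5sum check meaningful.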
PIPE OPTIONS
The prefix for these options is -b. This set of options is very useful when you want to redirect the sniffed flow to another program through a pipe, and there should be no data corruption. Of course the most useful is -bR, which outputs the data as they are (raw). A very useful feature is the flag C (output only client data) and S (output only server data). E.g. -bRC displays only the data from the client in raw mode; in that way you can put them in a file with a pipe redirection.
The sub-options are the same as for the -y set, so you have:
- -bH hex-spaced
- (-bHC only the client, -bHS only the server)
- -bP unprintable displayed as dots
- (-bPC only the client, -bPS only the server)
- -bR raw mode
- (-bRC only the client, -bRS only the server)
- -bU unprintable as <hex>
- (-bUC only the client, -bUS only the server)
- -bx hexdump
- (-bxC only the client, -bxS only the server)
- -bX hexdump + ascii
- (-bXC only the client, -bXS only the server)
- -PC --pipe client
- An alias for -bRC -S -v0 -Tf1 -Ef1. With this option only the first connection matched by tcpick is tracked (-Tf1) and its data are displayed raw; only data from the client are put on stdout. All messages and banners are suppressed except error messages (-S -v0), and tcpick exits when that connection is closed (-Ef1), so this option is particularly useful to download an entire, fully rebuilt and acknowledged connection.
- -PS --pipe server
- An alias for -bRS -S -v0 -Tf1 -Ef1: the same, for the server side of the connection.
EXAMPLES
- how to display the connection status:
- # tcpick -i eth0 -C
- display the payload and packet headers:
- # tcpick -i eth0 -C -yP -a
- display client data only of the first smtp connection:
- # tcpick -i eth0 -C -bUC -T1 "port 25"
- download a file passively:
- # tcpick -i eth0 -wR "port ftp-data"
- log http data in unique files (client and server mixed in the same file):
- # tcpick -i eth0 "port 80" -wRub
- redirect the first connection to another program:
- # tcpick -i eth0 --pipe client "port 80" | gzip > http_request.gz
- # tcpick -i eth0 --pipe server "port 25" | nc foobar.net
AUTHORS
If you have new ideas, patches, feature requests or simply need help, don't wait! I will be grateful if you send a message to the mailing list (even if you only want to say what you liked most about tcpick).
The tcpick website is at http://tcpick.sf.net
The project page is kindly hosted by sourceforge.
Please check the AUTHORS file.

BUGS
Tcpick is experimental software, and some known bugs are documented in the distribution.
On some versions of MacOSX a segmentation fault happens and connections are not tracked.
If you find any other bug, please write to the tcpick mailing list.

SEE ALSO
Other nice packet/data sniffers:
tcpdump, ngrep, tcptrack, ettercap, ethereal, snort
LICENSE
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.