oracular (8) tcpick.8.gz

Provided by: tcpick_0.2.1-11build2_amd64 bug

NAME

       tcpick - tcp stream sniffer and connection tracker

SYNOPSIS

       tcpick [ -a ] [ -n ] [ -C ]
              [ -e count ]
              [ -i interface | -r  file ]
              [ -X timeout ]
              [ -D  ] [ -F1 | -F2 ]
              [ -yH | -yP | -yR | -yU | -yx | -yX ]
              [ -bH | -bP | -bR | -bU | -bx | -bX ]
              [ -wH[ub] | -wP[ub] | -wR[ub] | -wU[ub] ]
              [ -v  [ verbosity ]] [ -S ] [ -h ]
              [ --separator ]
              [ -T | -Tf  [ number ]]
              [ -E | -Ef  [ number ]]
              [ -Pc  |  -Ps ]
              [  "filter" ]
              [ --help ] [ --version ]

DESCRIPTION

       tcpick  is  a textmode sniffer libpcap-based that can track tcp streams and saves the data
       captured in different files, each for every connection, or displays them in  the  terminal
       in  different formats (hexdump, printable characters, raw...)  Useful for picking files in
       a passive way.  It is useful to keep track of what users of a network are  doing,  and  is
       usable with textmode tools like grep, sed, awk.  Happy data hunting :-)

BASE OPTIONS

       -i --interface interface
              listen  on selected interface, (i.e. ppp0 or eth0). If option -i is omitted, tcpick
              is able to select the first open interface (usually a ethernet card).

       -r --readfile
              reads raw packets from a file written with tcpdump -w instead of  using  a  network
              device.

        "filter"
              This  is  the  filter  for  the  capturer engine. You can set it in the same way of
              setting the tcpdump(1) filter. Read tcpdump(1) manpage for other explanations.

       -a     Displays host names instead of ip addresses. Warning: for every new  ip  grabbed  a
              dns query will be generated! Use it carefully on high-traffic network devices!

       -C --colors
              Uses terminal colors: very nice!  It should help you to read the output of tcpick

       -D number --dirs number
              Create  directories  to  store  sniffed sessions.  When a directory contains number
              sessions, a new one will be created.

       -e count
              Exits when count packets have been sniffed

       -E number
              Exit when number sniffed connections are detected as "CLOSED"

       -Ef number
              Exit when the first number connections are detected as "CLOSED"

       -F1 -F2 --filenaming 1|2
              Choose the filenaming system.
               -F1 : tcpick_clientip_serverip.side.dat
              (side means clnt, serv or both)
               -F2 : tcpick_connectionnumber_clientip_serverip.side.dat

       -h     Shows source and destination ip and port; shows tcp flags as letters.

       --help Displays a short help summary

       -p     Don't put the network interface in promiscuous mode. Note that the interface  might
              be in  promiscuous  mode  for  some other  reason.

       -S     Suppresses the "status of the connection" banner.

       --separator
              Add a separator for the payloads displayed.

       -t     Adds timestamp in hour:minutes:seconds:microseconds format

       -td    Like -t with date timestamp in day-month-year format

       -T number
              Track number connections. It could be very useful on a high-traffic network device.
              If number is not specified, it will be set to 1.

       -Tf number
              Track only the first number connections; the following will be discarded. If number
              is not specified, it will be set to 1.

       -v verbosity
              Quite  useless,  yet. Set verbosity level. Actually there are not really many extra
              messages to display, this means it is enabled  by  default  (-v1).   Set  verbosity
              level  to  0 to suppress extra messages (-v0) except error messages.  Set verbosity
              level to 5 to display debug messages (-v5).  There are not other verbosity levels.

       -X timeout
              Connections are considered EXPIRED when there is no traffic for  at  least  timeout
              seconds. Default is 600.

       --version
              Displays the tcpick version

DISPLAY THE DATA IN THE TCP PACKETS

       These  options are prefixed by -y and are useful to display in various ways the content of
       the packet sniffed (the data, called payload), once it arrives at the listening interface.
       In  that  way  the  tcp  duplicates  will  be  not  discarded  and the packets will not be
       reordered, but displayed "as is". If you want a fully acknowledged stream, see the -w  and
       -b set of options.

       -yH    View data in hexadecimal-spaced mode (for the hexdump see -yx and -yX options.

       -yP    Shows  data  contained in the tcp packets. Non-printable characters are transformed
              in dots: ".". Newline character is preserved.  This is the best way, in my  opinion
              to show data like HTTP requests, IRC communication, SMTP stuff and so on.

       -yR    Displays  all  kind of characters, printable and non printable. If something binary
              is transmitted, the effect will probably be like watching with "cat" at  a  gzipped
              file.

       -yx    Shows all data after the header in hexadecimal dump of 16 bytes per line.

       -yX    Shows  all  data  after  the header in hexadecimal and ascii dump with 16 bytes per
              line.

       -yU    Shows all data after the  header,  but  Unprintable  characters  are  displayed  as
              hexadecimal values between a "<" and a ">" symbol.

REBUILD AND WRITE THE TCP STREAM TO FILE

       The  prefix  for  these  options  is  -w.  The TCP stream that has been sniffed with these
       options will be written to file named:
       client_<ip_client>_<ip_server>_<port_server>.tcpick and
       server_<ip_client>_<ip_server>_<port_server>.tcpick
       With the u flag of the -w option (i.e. -wRu) both client and server data will  be  written
       to a unique file named in that way:
       <ip_client>_<ip_server>_<port_server>.tcpick
       If  you  use  the  additional  flag  b  of the -w option (i.e. -wPub), in the file will be
       written this banner:

       [client|server] offset before:offset after (length of rebuilded segment)

       to distinguish between client and server data.
       The flow is rebuilded, reordered and the  duplicates  are  dropped.  In  that  way  it  is
       possible  to  sniff  entire files transmitted via ftp without data corruption (you can see
       this with md5sum).  If no argument is given to -w the data will be written  like  -wR  You
       can decide to write only client or server data by setting the flag
        C (output only client data) and S (output only server data) to the -w set.

       -wR    This  is the preferred option: data will be written without any changes. Useful for
              sniffing binary or compressed files.
              (-wRC only the client, -wRS only the server)

       -wP    Unprintable characters are written like dots.
              (-wPC only the client, -wPS only the server)

       -wU    Unprintable characters are displayed as hexadecimal values between a "<" and a  ">"
              symbol.
              (-wPC only the client, -wPS only the server)

       -wH    The flow is written in hexadecimal-spaced mode.
              (-wHC only the client, -wHS only the server)

DISPLAY THE REBUILDED TCP STREAM

       The  prefix  for  these  options is -b.  This set of options is very useful if you want to
       redirect the sniffed flow to anoter program with a pipe,  and  there  should  be  no  data
       corruption.   Of course the most useful is -bR to show the data as they are (raw).  A very
       useful feature is the flag C (output only client data) and S (output  only  server  data).
       I.e.: -bRC will display only the data from the client in raw mode; in that way you can put
       them in a file with a pipe redirection.

       The sub-options are quite the same of the -y set, so you have:

        -bH  hex-spaced
              (-bHC only the client, -bHS only the server)

        -bP  unprintable displayed as dots
              (-bPC only the client, -bPS only the server)

        -bR  raw mode
              (-bRC only the client, -bRS only the server)

        -bU  unprintable as <hex>.
              (-bUC only the client, -bUS only the server)

        -bx  hexdump
              (-bxC only the client, -bxS only the server)

        -bU  hexdump + ascii
              (-bXC only the client, -bXS only the server)

        -PC --pipe client
              This is an alias for -bRC -S -v0 -Tf1 -Ef1.  With this option you are able to track
              only  the  first  connection (-T1) matched by tcpick and data are displayed as raw.
              Only data from the  client  are  put  on  stdout.  All  messages  and  banners  are
              suppressed,  except  error messages (-S -v0), so this option is particularly useful
              to download an entire fully rebuilded and acknowledged connection.

        -PS --pipe server
              This is an alias for -bRS -S -v0 -Tf1 -Ef1.

EXAMPLES

       how to display the connection status:
               # tcpick -i eth0 -C

       display the payload and packet headers:
               # tcpick -i eth0 -C -yP -h -a

       display client data only of the first smtp connection:
               # tcpick -i eth0 -C -bCU -T1 "port 25"

       download a file passively:
               # tcpick -i eth0 -wR "port ftp-data"

       log http data in unique files (client and server mixed together):
               # tcpick -i eth0 "port 80" -wRub

       redirect the first connection to a software:
               # tcpick -i eth0 --pipe client "port 80" | gzip > http_response.gz
               # tcpick -i eth0 --pipe server "port 25" | nc foobar.net 25

MAILING-LIST

       Address: <tcpick-project[a]lists.sourceforge.net>
       Archive: http://sourceforge.net/mailarchive/forum.php?forum=tcpick-project
       Subscribe: http://lists.sourceforge.net/lists/listinfo/tcpick-project
       If you have new ideas, patches, feature requests or simply need help, don't wait!  I  will
       be  grateful  if  you send a message to the mailing list (even if you want to say what you
       liked most on tcpick).

TCPICK WEBSITE

       The tcpick website is at http://tcpick.sf.net.
       You can find the project page here: http://sourceforge.net/projects/tcpick  kindly  hosted
       by the sourceforge team.

AUTHORS

       Please check AUTHORS file.

BUGS

       Tcpick  is  an  experimental software, and maybe some bugs are described in the KNOWN-BUGS
       file.
       On some versions of MacOSX Segmentation  Fault  happens  and  connections  aren't  tracked
       properly.
       If you find any other bug, please write to the tcpick mailing list.

SEE ALSO

       Other nice packet/data sniffers:
       tcpdump, ngrep, tcptrack, ettercap, ethereal, snort

LICENSE

       This program is free software; you can redistribute it and/or modify it under the terms of
       the GNU General Public License as  published  by  the  Free  Software  Foundation;  either
       version 2 of the License, or (at you option) any later version.

       This program is distributed in the hope that it will be useful, but  WITHOUT ANY WARRANTY;
       without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR  PURPOSE.
       See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program;
       if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,  Boston,
       MA  02111, USA.

                                                                                        tcpick(8)