tcpick
Capture and display TCP stream data
TLDR
Capture traffic on a specific interface, port and host:
Capture traffic on port 80 (HTTP) of a specific host:
Display help:
SYNOPSIS
tcpick [options] [filter expression]
PARAMETERS
-i
Specify the network interface for live packet capture (e.g., eth0, wlan0).
-r
Read packets from a specified pcap-format dump file instead of live capture.
-C
Set the maximum capture size (in bytes) for each TCP stream before truncating.
-x
Display reassembled data in hexadecimal format (raw byte dump).
-d
Set the data display mode. Common modes include 'c' (client data), 's' (server data), 'b' (both), 'h' (hexadecimal, similar to -x).
-F
Output the reassembled session data to a specified file rather than standard output.
-E
Extract files (e.g., HTTP objects, FTP transfers) found within the TCP streams into the specified directory.
-A
Automatically detect and extract HTTP and FTP files found within sessions. This implies -E and uses a default directory if none is specified.
-a
Use absolute TCP sequence numbers in the output, which can be useful for debugging low-level TCP issues.
-v
Enable verbose output, displaying more details about packet processing and session state.
-h
Display the help message and exit.
DESCRIPTION
tcpick is a command-line tool designed for tracking and reassembling TCP streams from live network traffic or from pre-recorded pcap files. Unlike simpler packet sniffers, tcpick focuses on reconstructing the entire conversation between two endpoints, displaying the data exchanged by client and server in a human-readable format. It can show TCP flags, sequence numbers, and even automatically extract files (like HTTP objects or FTP transfers) from the captured sessions, making it invaluable for network debugging, security analysis, and forensic investigations where understanding application-layer data flow is crucial. It leverages the libpcap library for packet capture and filtering.
CAVEATS
tcpick requires root privileges or appropriate capabilities to capture packets live from network interfaces.
While effective for TCP stream reassembly, it is not as feature-rich or actively developed as general-purpose network analyzers like Wireshark/Tshark.
Reassembly can be incomplete if packets are lost or if the capture starts mid-session.
Performance can be an issue on high-traffic networks due to its in-memory reassembly.
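tcpick does this reassembly internally in C; as an added illustration of the behaviour described in DESCRIPTION and CAVEATS (this is not code from the tcpick project), the Python sketch below reassembles one direction of a TCP stream from constructed segments, discards retransmissions, and reports the holes left when a segment was lost or the capture started mid-session with no SYN seen.

```python
from typing import List, Optional, Tuple

# (absolute TCP sequence number, payload) for segments of ONE direction
Segment = Tuple[int, bytes]

def reassemble(segments: List[Segment], isn: Optional[int] = None):
    """Reassemble one direction of a TCP stream.

    Returns (data, gaps, note): payload bytes in stream order with missing
    ranges left out, the list of (start_seq, end_seq) ranges never captured,
    and None or a string explaining why the result may be incomplete.
    """
    if not segments:
        return b"", [], "no payload segments captured"
    ordered = sorted(segments, key=lambda s: s[0])
    note = None
    if isn is None:
        # No SYN in the capture (it started mid-session): the earliest byte
        # seen is the best available origin and anything before it is lost.
        expect = ordered[0][0]
        note = "no SYN observed; stream start unknown"
    else:
        expect = isn + 1  # the SYN itself consumes one sequence number
    out = bytearray()
    gaps: List[Tuple[int, int]] = []
    for seq, payload in ordered:
        end = seq + len(payload)
        if end <= expect:
            continue  # pure retransmission of bytes already reassembled
        if seq > expect:
            gaps.append((expect, seq))  # hole left by lost segment(s)
            expect = seq
        # partial overlap: keep only the bytes not seen yet
        out += payload[expect - seq:]
        expect = end
    return bytes(out), gaps, note

# Constructed example: client->server half of one HTTP request, captured out
# of order, with segment A retransmitted and the "Host:" header segment (C,
# seq 1027-1046) lost entirely.
ISN = 1000
CAPTURED: List[Segment] = [
    (1016, b" HTTP/1.1\r\n"),    # B
    (1047, b"\r\n"),             # D
    (1001, b"GET /index.html"),  # A
    (1001, b"GET /index.html"),  # A again (retransmission)
]
```

Calling `reassemble(CAPTURED, ISN)` yields the request text with the Host header missing and a single gap entry (1027, 1047), which is the kind of partial result the caveat about lost packets refers to.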
FILTERING EXPRESSIONS
tcpick supports the same powerful packet filtering syntax as tcpdump, based on the libpcap library. This allows users to narrow down the captured traffic to specific hosts, ports, protocols, or a combination (e.g., host 192.168.1.1 and port 80 or tcp port 22). Note that in this syntax "and" binds more tightly than "or", so the example above matches port 22 traffic from any host; use parentheses to group alternatives, and quote the whole expression so the shell does not interpret the parentheses. This is crucial for focusing analysis on relevant sessions.
LIVE VS. OFFLINE ANALYSIS
The command can operate in two primary modes:
1. Live Capture: Using the -i option to monitor network traffic in real-time.
2. Offline Analysis: Using the -r option to process packets from a previously saved pcap file. This allows for retrospective analysis without affecting network performance.
HISTORY
tcpick emerged as a specialized tool to complement basic packet capture utilities like tcpdump, focusing specifically on the complex task of TCP stream reassembly. Its development aimed to provide a deeper insight into the application-layer data exchanged within TCP sessions, which tcpdump did not natively offer in a user-friendly way. While its core functionality remains highly valuable for specific use cases, its active development might have slowed down compared to more comprehensive network analysis suites.