tcpick

TCP stream sniffer and connection tracker that uses libpcap to track, reassemble, and reorder TCP streams. It can save captured flows to files or display them in the terminal with various modes like hexdump, ASCII, printable characters, raw, or colorized.

Description

tcpick is a libpcap-based text-mode sniffer designed for tracking and analyzing TCP connections on network interfaces. It reassembles TCP streams, reorders packets, and provides flexible output options for displaying or saving network traffic. It supports multiple network interface types, including Ethernet cards and PPP interfaces, making it versatile for different network environments.

Use cases include real-time monitoring of TCP flows, debugging network issues by inspecting stream contents, and capturing specific traffic matching filters. It displays streams in various formats such as hexdump + ASCII, only printable characters, raw mode, or colorized output, aiding in quick analysis without complex tools.

tcpick is lightweight with an installed size of 88 KB and depends on libc6, libpcap0.8t64, and tcpick packages. For detailed options, refer to the tcpick(1) manpage.

How It Works

tcpick leverages libpcap to capture packets from specified network interfaces. It tracks TCP connections, reassembles out-of-order streams, and reorders packets to reconstruct complete TCP flows. Captured data can be output in terminal display modes (hexdump, ASCII, printable, raw, colorized) or saved to files, with filtering support via libpcap syntax for targeting specific traffic.
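
The reordering step described above, shown as an added Python example. It is not tcpick's source code: the Stream class, the reassemble function and the sample segments are constructed for illustration, and it assumes the SYN of each flow direction is present in the capture.

```python
# Added illustration, not tcpick's source; all names here are hypothetical.
MOD = 2**32  # TCP sequence numbers wrap at 32 bits

class Stream:  # one direction of a TCP connection, rebuilt in sequence order
    def __init__(self, isn):
        self.next_seq = (isn + 1) % MOD  # the SYN consumes one sequence number
        self.pending = {}                # seq -> payload held until the gap fills
        self.data = bytearray()          # bytes delivered in order so far

    def add(self, seq, payload):
        off = (seq - self.next_seq) % MOD      # distance from next expected byte
        if off >= MOD // 2:                    # starts behind: retransmit or overlap
            payload = payload[MOD - off:]      # keep only bytes not yet delivered
            off = 0
        if not payload:
            return
        if off:                                # gap ahead: buffer, prefer longer copy
            if len(payload) > len(self.pending.get(seq, b"")):
                self.pending[seq] = payload
            return
        self.data += payload
        self.next_seq = (self.next_seq + len(payload)) % MOD
        for s in list(self.pending):           # release segments now reachable
            d = (s - self.next_seq) % MOD
            if d == 0 or d >= MOD // 2:
                self.add(s, self.pending.pop(s, b""))

def reassemble(segments):
    """segments: (src, sport, dst, dport, syn, seq, payload) in capture order."""
    flows = {}
    for src, sport, dst, dport, syn, seq, payload in segments:
        key = (src, sport, dst, dport)         # one key per direction
        if syn:
            flows[key] = Stream(seq)
        elif key in flows:                     # skip flows whose SYN was not seen
            flows[key].add(seq, payload)
    return {k: bytes(v.data) for k, v in flows.items()}

# Constructed sample: one request captured out of order, with a duplicate and an overlap.
C = ("10.0.0.5", 40000, "10.0.0.9", 80)
SAMPLE = [
    C + (True, 1000, b""),
    C + (False, 1015, b"\r\n"),        # arrives early, buffered
    C + (False, 1001, b"GET / "),
    C + (False, 1001, b"GET / "),      # retransmission, dropped
    C + (False, 1005, b"/ HTTP"),      # overlaps bytes already delivered
    C + (False, 1007, b"HTTP/1.1"),
    ("10.0.0.7", 5555, "10.0.0.9", 80, False, 42, b"orphan"),  # no SYN seen
]
```

Calling reassemble(SAMPLE) returns the request bytes in order for the one tracked flow; the segment from the flow with no SYN is ignored.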

Installation

sudo apt install tcpick

Flags

-a              Enable automatic mode (inferred from usage)
-n              Numeric output (inferred from usage)
-C              Colorized output mode
-i interface    Specify network interface
-yH             Hexdump display mode
-yP             Printable characters display mode
-yR             Raw display mode
-yU             Hexdump + ASCII display mode
-yx             Lowercase hex display mode
-yX             Uppercase hex display mode
-bH             Hexdump output to file
-bP             Printable to file
-bR             Raw to file
-bU             Hexdump + ASCII to file
-bx             Lowercase hex to file
-bX             Uppercase hex to file
-wH             Hexdump write mode
-wP             Printable write mode
-wR             Raw write mode
-wU             Hexdump + ASCII write mode
-v              Increase verbosity
-S              Separator option
-h              Display separator
--separator     Custom separator
"filter"        libpcap filter expression
-r file         Read from pcap file
--help          Show help
--version       Show version

Examples

Display full usage and options for tcpick:
    tcpick --help

Sniff TCP streams on the ppp0 interface, display printable characters in colorized mode with separator, excluding port 22:
    tcpick -i ppp0 -yP -C -h "not port 22"

Capture on eth0 and display streams in hexdump mode:
    tcpick -i eth0 -yH

Colorized output of reassembled streams in hexdump + ASCII mode:
    tcpick -C -yU

Display raw TCP streams filtered for port 80:
    tcpick -yR "port 80"

Save printable TCP streams from all interfaces to files:
    tcpick -i any -bP "tcp"

Process an offline pcap file and display printable streams:
    tcpick -r capture.pcap -yP

Updated 2026-04-16 | kali.org