wiki.ipfire.org

The community-maintained documentation platform of IPFire


Tcpick

Stop! Since tcpick is not maintained upstream any more, IPFire drops this addon with Core Update 112.

Tcpick is a libpcap-based text-mode sniffer. With it, it is possible to track, reassemble and also to reorder TCP streams. Different display methods are available, e.g. hexdump or hexdump+ASCII and some others, and a colour mode gives a better overview of the displayed streams. Tcpick can be used on the console but can also save the captured flows to a file. Additionally, Tcpick's output can be processed further with tools like grep, awk or sed.

Warning: Packet sniffers must parse many types of packets and usually require root privileges to run. This means they tend to be complex and have a large attack surface. "tcpick" has not been updated since 2005, so many years have passed since it was last patched. It may be vulnerable to denial of service attacks or worse, arbitrary code execution on your IPFire system. At least one unpatched vulnerability is known.

Installation

You can install this addon like any other with Pakfire or by using the shell with:

pakfire install tcpick

How does it work

Tcpick can display the connection state (SYN-SENT, SYN-RECEIVED and so on). With the option "-i" Tcpick can listen on different interfaces, so it is possible to use the well known IPFire names for the interfaces like "green0", "red0" et cetera. It is also possible to display the payload and/or the header information and more. Some examples can be found below under "Additional links" on the Tcpick homepage.

Examples

For a simplified output use the following command on the console of IPFire or over an SSH connection for a remote shell:

Connection status

tcpick -i red0 -C

and a browser request to IPFire's forum should give back a similar output:

Starting tcpick 0.2.1 at 2012-07-06 12:58 CEST
Timeout for connections is 600
tcpick: listening on red0
1      SYN-SENT       192.168.98.2:48430 > 178.63.73.246:http
1      SYN-RECEIVED   192.168.98.2:48430 > 178.63.73.246:http
1      ESTABLISHED    192.168.98.2:48430 > 178.63.73.246:http
2      SYN-SENT       192.168.98.2:48431 > 178.63.73.246:http
3      SYN-SENT       192.168.98.2:48432 > 178.63.73.246:http
2      SYN-RECEIVED   192.168.98.2:48431 > 178.63.73.246:http
2      ESTABLISHED    192.168.98.2:48431 > 178.63.73.246:http
3      SYN-RECEIVED   192.168.98.2:48432 > 178.63.73.246:http
3      ESTABLISHED    192.168.98.2:48432 > 178.63.73.246:http
3      FIN-WAIT-1     192.168.98.2:48432 > 178.63.73.246:http
1      FIN-WAIT-1     192.168.98.2:48430 > 178.63.73.246:http
2      FIN-WAIT-1     192.168.98.2:48431 > 178.63.73.246:http
3      TIME-WAIT      192.168.98.2:48432 > 178.63.73.246:http
1      TIME-WAIT      192.168.98.2:48430 > 178.63.73.246:http
2      TIME-WAIT      192.168.98.2:48431 > 178.63.73.246:http
3      CLOSED         192.168.98.2:48432 > 178.63.73.246:http
1      CLOSED         192.168.98.2:48430 > 178.63.73.246:http
2      CLOSED         192.168.98.2:48431 > 178.63.73.246:http

This shows the current connection status, whereby

  • -i = Defines the interface tcpick should listen on; IPFire-specific interface names are possible.
  • -C = Shows the output in color.

Search for keywords

As briefly explained above, you can also use grep, awk or sed to extract specific information from the stream. An example with grep could look like this:

tcpick -i green0 -C -a | grep 'ESTABLISHED'

Example output:

1      ESTABLISHED    192.168.7.2:57915 > ipfire-server.local:snpp
2      ESTABLISHED    192.168.7.2:57916 > ipfire-server.local:snpp

This command uses grep to show only 'ESTABLISHED' connections.

Or if you are interested in the 'GET' output you can use the same as above, but with the appropriate search word:

tcpick -i red0 -yP | grep GET

and so on. Example output:

GET /firewall/ipfw-1.html HTTP/1.1
GET /rsc/maceis.css HTTP/1.1
GET /rsc/images/ipfwerror.png HTTP/1.1
GET /rsc/images/bg/bg.gif HTTP/1.1
GET /rsc/images/bg/maceis.gif HTTP/1.1
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
GET / HTTP/1.1
Access-Control-Allow-Methods: GET
GET / HTTP/1.1
Access-Control-Allow-Methods: GET
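Grep only picks out single lines. As an added example (not code from the IPFire wiki or the tcpick project), the shell functions below pipe tcpick's connection-status output through awk to keep the latest state per connection, count connections per state and list the destinations of connections that are still open. The sample lines are a constructed copy of the "-C" output shown above, with one extra connection added; the preamble lines ("Starting tcpick ...", "Timeout for connections ...") are skipped because their first field is not a connection number.

```shell
#!/bin/sh
# Added example, not part of the IPFire wiki page or of tcpick itself:
# post-process tcpick's connection-status lines with awk.

# Constructed sample of tcpick connection-status output (modelled on the
# "tcpick -i red0 -C" output shown on this page; the third connection is invented).
TCPICK_SAMPLE='Starting tcpick 0.2.1 at 2012-07-06 12:58 CEST
Timeout for connections is 600
tcpick: listening on red0
1      SYN-SENT       192.168.98.2:48430 > 178.63.73.246:http
1      SYN-RECEIVED   192.168.98.2:48430 > 178.63.73.246:http
1      ESTABLISHED    192.168.98.2:48430 > 178.63.73.246:http
2      SYN-SENT       192.168.98.2:48431 > 178.63.73.246:http
3      SYN-SENT       192.168.98.2:48432 > 10.0.0.5:ssh
2      ESTABLISHED    192.168.98.2:48431 > 178.63.73.246:http
3      FIN-WAIT-1     192.168.98.2:48432 > 10.0.0.5:ssh
1      CLOSED         192.168.98.2:48430 > 178.63.73.246:http'

# last_state: print "<id> <last state> <src> <dst>" for every connection id,
# keeping only the most recent state tcpick reported for it.
# Only lines shaped like "<number> <STATE> <src> > <dst>" are considered.
last_state() {
    awk '$1 ~ /^[0-9]+$/ && NF == 5 && $4 == ">" {
            state[$1] = $2; src[$1] = $3; dst[$1] = $5
         }
         END {
            for (id in state) print id, state[id], src[id], dst[id]
         }' | sort -n
}

# count_by_state: how many connections currently sit in each state.
count_by_state() {
    last_state | awk '{ n[$2]++ } END { for (s in n) print s, n[s] }' | sort
}

# open_destinations: distinct destination host:port of connections that
# have not reached CLOSED yet, one per line.
open_destinations() {
    last_state | awk '$2 != "CLOSED" { print $4 }' | sort -u
}

# Live usage on the IPFire console (root is required, as the warning above says):
#   tcpick -i red0 | count_by_state
# Offline, against the constructed sample:
printf '%s\n' "$TCPICK_SAMPLE" | last_state
printf '%s\n' "$TCPICK_SAMPLE" | count_by_state
printf '%s\n' "$TCPICK_SAMPLE" | open_destinations
```

When piping into these functions, leave out -C: colour escape sequences, if tcpick emits them into a pipe, would end up inside the fields awk splits on. If you would rather not run the unmaintained sniffer against the live interface, the same functions work on the output of "tcpick -r capture.pcap" (the -r option from the option list below), so the capture itself can be taken with tcpdump.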

Search for specified ports

If you want to filter for a specific port, let's say TCP 222 on the green0 interface, the following command can serve as an example:

tcpick -i green0 -C "port 222"

which could give a similar output to this:

-> tcpick -i green0 -C "port 222"
Starting tcpick 0.2.1 at 2015-08-31 13:03 CEST
Timeout for connections is 600
tcpick: listening on green0
setting filter: "port 222"
1      SYN-SENT       192.168.7.2:58034 > 192.168.7.8:rsh-spx
1      SYN-RECEIVED   192.168.7.2:58034 > 192.168.7.8:rsh-spx
1      ESTABLISHED    192.168.7.2:58034 > 192.168.7.8:rsh-spx

Investigate the payload and packet headers

To bring up the payload and the packet headers, the following command may serve as an example:

tcpick -i red0 -C -yP -h -a

this could deliver an output like this (example with a Git connection):

'......"3.....curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1.../ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519...lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com...lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1....none,zlib@openssh.com....none,zlib@openssh.com.................
git.ipfire.org:ssh A > 192.168.123.20:43612 (0)
192.168.123.20:43612 AP > git.ipfire.org:ssh (48)
...,..... 

whereby:

  • -i = Defines the listening interface.
  • -C = With color for a better overview.
  • -yP = Activates the 'printable payload' output.
  • -h = Activates the 'header' output.
  • -a = Activates name resolution.

Unprintable characters are shown here as dots.
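The "-h" header lines carry the direction, the TCP flags as letters and the payload length in parentheses, which is enough to account for how much data each side of a connection sent. The following shell functions are an added example, not code from the IPFire wiki or from tcpick; they assume every header line has the shape shown above, "<src> <flags> > <dst> (<payload bytes>)", and the sample lines are constructed around the git.ipfire.org exchange on this page.

```shell
#!/bin/sh
# Added example, not part of the IPFire wiki page or of tcpick itself:
# account for payload bytes per direction from tcpick "-h" header lines.

# Constructed sample of "-h" header lines (same line shape as on this page;
# the flag letters and byte counts are invented for the example).
HEADER_SAMPLE='Starting tcpick 0.2.1 at 2015-08-31 13:03 CEST
192.168.123.20:43612 S > git.ipfire.org:ssh (0)
git.ipfire.org:ssh SA > 192.168.123.20:43612 (0)
192.168.123.20:43612 A > git.ipfire.org:ssh (0)
192.168.123.20:43612 AP > git.ipfire.org:ssh (48)
git.ipfire.org:ssh AP > 192.168.123.20:43612 (1024)
192.168.123.20:43612 AP > git.ipfire.org:ssh (16)
git.ipfire.org:ssh FA > 192.168.123.20:43612 (0)'

# bytes_per_direction: one line "<src> -> <dst> <bytes> <segments>" per
# direction seen. A line counts only if field 2 is made of flag letters,
# field 3 is the ">" arrow and field 5 is a parenthesised byte count.
bytes_per_direction() {
    awk '$2 ~ /^[SAPFRU]+$/ && $3 == ">" && $5 ~ /^\([0-9]+\)$/ {
            key = $1 " -> " $4
            len = substr($5, 2, length($5) - 2)   # strip the parentheses
            bytes[key] += len; segs[key]++
         }
         END { for (k in bytes) print k, bytes[k], segs[k] }' | sort
}

# initiators: endpoints that sent a bare SYN, i.e. opened a connection.
# Useful to see which side of a sniffed flow started it.
initiators() {
    awk '$2 == "S" && $3 == ">" { print $1 }' | sort -u
}

# Live usage on IPFire (root required): tcpick -i red0 -h | bytes_per_direction
# Offline, against the constructed sample:
printf '%s\n' "$HEADER_SAMPLE" | bytes_per_direction
printf '%s\n' "$HEADER_SAMPLE" | initiators
```

Without -yP the payload itself is not printed, so this accounting is possible on encrypted traffic such as the SSH session above, where the content is unreadable anyway but the volume and direction of data are still informative.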

Search for a specific host

If you want to search for a specific host, this command example may give you an idea:

tcpick -i green0 -yP "host 192.168.7.2"

which can give an output similar to this:

-> tcpick -i green0 -yP "host 192.168.7.2"
Starting tcpick 0.2.1 at 2015-08-31 13:21 CEST
Timeout for connections is 600
tcpick: listening on green0
setting filter: "host 192.168.7.2"
...@S.#U	....Q..Oy..s.U.....R..G....&4.....l.7.O,..{...%9...e,.Y....}4.FK...
...`.F.........v.\|....[............/z|....ohQ.2..e.B...'..t.O.H`%H.W...#...-j.2....``......G.t......kw..E^.
.....Lf.,..j.N.t..T....w.5/.@...~.`.........,g.udj]#...I....(..".Jg....G'.....!.{
.'...$.'d.....2......yj0.m.....	*?.o.\........R>..ft.d....
..........jn.... .s.a....~.... w.p..f....y....a..dO.....|.\K2._V...W.uw.=...P.(B	........A`&..?o:..;.R.O.D......q..".%..w..w..
....E.o.uDI.zw.gxAl....Y.O....9d
.T.....C....
......_l.2.?N..z.$.A.....]._.$^...Z......D
...H..y....Y....7.. M3X..VD.R.*.J./.)FD....R*...^&.@?.j/;...E..9'...X]1A.V..........@.......M..t........@..~=...tn........d>..X..	....w...Kb..J5C...H,....a...t..
. m@....O.y......P@<.B$;_......C"=S.I..o.d....F..-.......l...........v..e.......RA....dU.=J+....xQ.._.?^%.s...#x.u.>N3.}).k.gi;X....aW.....G......}e	 b.......:.....B`~.p].........)...&....w...m.<..D#..
.s......Uz......U^hS...".My/L.q.;H..y{.6...z..xL..&g...._DS.....O[e1.G.du.v..jB.zp... ....>....e1..[\PJ.8.P...h..Q..t.;..7...[x+.
... .....`....%`..iA.bSSD.*...i......}eG...0MM...t....-}....[B...X...Z...l.6,-}.Pt>..\B........K....y.[w......=`..J`49.....rI..Hr..IiQ.~2.Eg.7...;...v0...,.._.P..A.C......,m..nC,.mK.3l..N......7AX32..m_.e.w.0.....Mf5~30_.C.V....2.p.'$....^^..A.A.5K....p..\-..........M.....o.1.>.........=E.B.o.U@.Y..
...@...3Q.....[......6&$NX...!Oy.2...L..	E(.....KBQ.y.k..g......e...K.R.]m	..O..K]8C...kY..u..*.&L....k.m...Q..	...H...{zf.....W.y>..r#.+.R*E.E'..:..!H..\...?..1.....A.@A.}.}`..q.0.s..f.....r.[.|.....<I*.".......U....e...a.<...b...7tt..._S=...3...O..^..... 	.O.\9..zAV....cY.[..-`.Z..f.:)...c...mr...s./.................k.....
GET http://www.noah.org/wiki/Packet_sniffing HTTP/1.1
Host: www.noah.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Authorization: Basic dW1tZFVnZ5U6bmViZWxlYmVu
DNT: 1
Connection: keep-alive
 
...`g.....4..Y..NN..@.H......KSp.s.)..}.r...w..]#l...g.W".........^_.....>'..	.<.......X.Y.b
|.).....*M%3..~.%...^.lfS...~OR..!F...C..238R.u.z..M.?...D.......<Gg.x.~`.J.{E...$rs..Qg.....2.ES.+.k.w.......xWx.[6...Do.L[..ZM...i....,....w..r..])
W....k*_.sx .n.F.E.U..m9..K.,2m.4.7|.!`'...-U[.{E5<.M.$/..`..i...V.6<..A..T	........Gz........?..J..fu....X.zC_...q...e..
... [.H.BI.dNJ.R..	.vjJ....=..9!..h..y{Z..I...7...E<.<..n...a.L....k.........X.....4Z..%<..]/.DQ.4V..^..)_.<...&V..r.tbZ...V....S.Ah..........D..I..D{..H.0..I*.G .>|.......B..6>....s..z.+.....E...........hR.Y..T&Fro.....<..j.qa.n..Mq..&E.6..!W.....Gdm.{E :o...t.:|Z.vg...Wa..8.....R....%;;.v$.MLG!...>..N..V^yVok..ou...:.3....../........?..F........w.}.P....0p....sU......X..@.'...G%...".%..q..mk.....t..W.#/..7..jP....77..m..: @.C.-. !.*..uk..u.%.c..e......H	..=...|....-..C...a...]s....A}([oQ.Jek..{W.#...4...gD..b..../.(L1#.(...
....WV..R6..U..(..k..'....X<;....7;8(.'....b....7m<..`Y..*.v.yV....fK.C.|....{Q......?..:.....,.8...w.+.x...c8..b..%.........:.....vg-.Z[tWoc\Qt...O.............N-.....TD..4n..7.......v...~ ...F.24...,3..........^...X/.SZ.Z.5.../.J:t0)
^C
38 packets captured
0 tcp sessions detected

Command options

This section gives a (possibly incomplete) overview of Tcpick's command options.

Each entry lists the option, its action and, where one exists, the long command form.

Basic options

  • -i [interface] = Activates Tcpick on the defined interface (IPFire interface names are possible). Long form: --interface
  • -C = Activates color output for a better overview. Long form: --colors
  • -t = Shows the timestamp in human readable format (hour:minutes:seconds:microseconds).
  • -td = Like '-t' but with day-month-year format.
  • -T [number] = Tracks only the defined number of connections. If no number is set, Tcpick uses 1.
  • "filter" = Syntax to filter for specific results. Usage is the same as in tcpdump.
  • -r [file] = Reads raw packets from a file, e.g. one written by tcpdump. Long form: --readfile
  • -a = Resolves host names instead of showing IP addresses. Every new IP causes a DNS query (attention: this can produce a high amount of traffic).
  • -e [count] = Tcpick quits after the defined number of packets has been sniffed.
  • -E [number] = Tcpick quits after the defined number of connections has been detected as 'CLOSED'.
  • -Ef [number] = Tcpick quits once the first defined number of connections are detected as 'CLOSED'.
  • -p = Prevents promiscuous mode.
  • -h = Displays source, destination, IP and port and shows the TCP flags as letters.

Data collection

  • -yH = Delivers the sniffed data in hexadecimal-spaced mode (for a hexdump see -yx and -yX).
  • -yP = Displays the TCP packet data. Non-printable data is shown as dots '.'. A good way to check HTTP requests, mail or IRC communication.
  • -yR = Shows all kinds of characters. Like watching 'cat' on a gzipped file ;-) .
  • -yx = Collects all data after the header as a hexadecimal dump of 16 bytes per line.
  • -yX = Like '-yx' but additionally with an ASCII dump.
  • -yU = Like '-yx(X)' but unprintable characters are printed in hexadecimal between "<" and ">".

There are many more useful options; some of them are described on Tcpick's homepage.


addons/tcpick/start.txt · Last modified: 2018/10/07 03:05 by Jon