Building Tcpick

The WebTap application relies on a customized variant of the tcpick packet sniffer. In this section I will give detailed instruction on how to build the modified tcpick. If you cannot follow the instructions or you think that anything needs to be pointed out more clearly, then please give me a hint: chris (at) jwall . org.


In order to build tcpick, you need to get the source and have a development environment installed (that is c-compiler, libc-headers, etc.). Most important you need to have the libpcap library and its headers available on your systems.

  1. Preparing your environment
    As tcpick relies on the packet-capture library libpcap you need to have this available on your systems. As you are going to compile tcpick we also need to have the library's header files available. On Debian or Ubuntu systems, these can quickly by installed using apt-get:
      sudo apt-get install libpcap0.7 libpcap0.7-dev
    This will install the library itself (libpcap0.7) as well as the header files (libpcap0.7-dev).
  2. Getting the Source

    The source of tcpick is available from its sourceforge site. For the impatient, I have a direct link available:

    Simple download the source using your favorite leecher:

  3. Patching the Source

    Before tcpick can be built, we need to apply the patch, that is required for use with WebTap. The patch is available here: tcpick.patch.gz. Simple right-click-and-safe the URL or again use your leecher:


    Now we are ready to untar the source and apply the patch. In case you downloaded all the stuff into your current working directory, you can simply get along by issuing

             gunzip tcpick.patch.gz
             tar xzvf tcpick-0.2.1.tar.gz
             cd tcpick-0.2.1
             patch -p1 < ../tcpick.patch
  4. Configuring and Compiling Tcpick
    The last step is to run the configure script and compile tcpick using make:
          make install    # optional
    As for the last make install: this is optional, though recommended. You don't need to install tcpick right now. For trying out the WebTap you may simply start tcpick from its source-directory.

Running tcpick

The patched tcpick now allows for a new sub-option "B" to be issued. For more details on the patch and this option, see the Tcpick Patch page. After you got tcpick build, you can start the WebTap by starting tcpick and piping its output to the tap (all in one line):

    tcpick -i eth0 -n -h -bBR "tcp port 80" | java -jar org.jwall.web.tap-0.4.6.jar \
        -o /path/to/audit-directory