hpr2882 :: ONICS Part 1: Basic Commands
In this episode I review some basic commands for manipulating packet captures
Hosted by Gabriel Evenfire on Tuesday, 2019-08-20 is flagged as Clean and is released under a CC-BY-SA license.
networking, command-line, tools.
2.
The show is available on the Internet Archive at: https://archive.org/details/hpr2882
Listen in ogg,
spx,
or mp3 format. Play now:
Duration: 00:22:44
Networking.
This series will try and explain the basics of networking to the listener as well as introduce more detailed topics.
Background
- It's been about 6 years since I talked about my project ONICS in HPR 1350
- ONICS stands for Open Network Inpection Command Suite
- I created ONICS as because I thought it would be neat to have a suite of tools that could manipulate packets on the command line in a way similar to how tools lik sed, awk, grep, cut, and so forth manipulate text.
Installing
- Not currently maintained in any package distributions
- Maintainers who are interested in doing so are welcome
- Install by source
$ git clone https://gitlab.com/catlib/catlib
$ cd catlib
$ make
$ cd ..
$ git clone https://gitlab.com/onics/onics
$ cd onics
$ ./configure
$ make
$ make test
$ sudo make install
$ make veryclean
- Can always uninstall cleanly from the source directory
$ make uninstall
- Alternate to installation is to stop at 'make test' and then add to 'onics/bin' and 'onics/scripts' to your path.
Documentation
Manpages are available in onics/doc directory if you aren't installing locally. They are quite extensive.
If installed locally, starting with:
$ man onics
XPKT Format
PCAP format is outdated and not very extensible
- I want to be able to annotate with interface IDs, flow IDs, packet numbers, classification info, header offsets, etc...
First and foremost, the file header prevents just
cating files together.- it makes merging live streams more difficult
- pcapng improves things but still has global file header
First Programs
- Let's first capture in the traditional way
$ sudo tcpdump -i eth0 -c 5 -w file1.pcap
- First program is to capture packets from the wire:
$ sudo pktin eth0 > file2.xpkt
- If not running as root
$ sudo chown myname file1.pcap file2.xpkt
- Let's dump them:
$ tcpdump -r file1.pcap
$ xpktdump file2.xpkt
- Now lets convert the PCAP to XPKT
$ pc2xpkt file1.pcap file1.xpkt
or
$ pc2xpkt file1.pcap > file1.xpkt
or
$ pc2xpkt < file1.pcap > file1.xpkt
or
$ cat file1.pcap | pc2xpkt > file1.xpkt
- Now we can dump file1 using xpktdump:
$ xpktdump file1.xpkt
Something we can't do w/ tcpdump
- Lets now merge them one after another
$ cat file1.xpkt file2.xpkt > merged.xpkt
$ xpktdump merged.xpkt
- Of course there's a simpler way
$ cat file1.xpkt file2.xpkt | xpktdump
Convert back to pcap:
- Let's convert file2 to PCAP
$ xpkt2pc file2.xpkt file2.pcap
or
$ xpkt2pc < file2.xpkt > file2.pcap
or
$ xpkt2pc file2.xpkt > file2.pcap
or
$ cat file2.xpkt | xpkt2pc > file2.pcap
- Let's look at the stream using tcpdump:
$ tcpdump -r file2.pcap
- If we didn't want to actually store as a PCAP
$ xpkt2pc file2.xpkt | tcpdump -r -
- Let's concatenate and dump using tcpdump
$ cat file1.xpkt file2.xpkt | xpkt2pc | tcpdump -r | less
Sending packets:
$ sudo tcpdump -i eth0 # in one terminal
$ sudo pktout -i eth0 file1.xpkt
or
$ sudo pktout -i eth0 < file1.xpkt
or
$ cat file1.xpkt | sudo pktout -i eth0
Summary
- XPKT is a versatile, extensible, self-contained packet trace format
- ONICS' most basic tools are pktin, pktout, pc2xpkt and xpkt2pc
- We've demonstrated how the ONICS design supports leveraging the power of the UNIX command line for packets
- This is only the VERY beginning. ONICS has over 20 binaries and 30 scripts for manipulating packets.