Site Map - skip to main content

Hacker Public Radio

Your ideas, projects, opinions - podcasted.

New episodes every weekday Monday through Friday.
This page was generated by The HPR Robot at

hpr2882 :: ONICS Part 1: Basic Commands

In this episode I review some basic commands for manipulating packet captures

<< First, < Previous, , Latest >>

Thumbnail of Gabriel Evenfire
Hosted by Gabriel Evenfire on 2019-08-20 is flagged as Clean and is released under a CC-BY-SA license.
networking, command-line, tools. 2.
The show is available on the Internet Archive at:

Listen in ogg, spx, or mp3 format. Play now:

Duration: 00:22:44


This series will try and explain the basics of networking to the listener as well as introduce more detailed topics.


  • It's been about 6 years since I talked about my project ONICS in HPR 1350
  • ONICS stands for Open Network Inpection Command Suite
  • I created ONICS as because I thought it would be neat to have a suite of tools that could manipulate packets on the command line in a way similar to how tools lik sed, awk, grep, cut, and so forth manipulate text.


  • Not currently maintained in any package distributions
  • Maintainers who are interested in doing so are welcome
  • Install by source
    $ git clone
    $ cd catlib
    $ make
    $ cd ..
    $ git clone
    $ cd onics
    $ ./configure
    $ make
    $ make test
    $ sudo make install
    $ make veryclean
  • Can always uninstall cleanly from the source directory
    $ make uninstall
  • Alternate to installation is to stop at 'make test' and then add to 'onics/bin' and 'onics/scripts' to your path.


  • Manpages are available in onics/doc directory if you aren't installing locally. They are quite extensive.

  • If installed locally, starting with:

    $ man onics

XPKT Format

  • PCAP format is outdated and not very extensible

    • I want to be able to annotate with interface IDs, flow IDs, packet numbers, classification info, header offsets, etc...
  • First and foremost, the file header prevents just cating files together.

    • it makes merging live streams more difficult
    • pcapng improves things but still has global file header

First Programs

  • Let's first capture in the traditional way
    $ sudo tcpdump -i eth0 -c 5 -w file1.pcap
  • First program is to capture packets from the wire:
    $ sudo pktin eth0 > file2.xpkt
  • If not running as root
    $ sudo chown myname file1.pcap file2.xpkt
  • Let's dump them:
    $ tcpdump -r file1.pcap
    $ xpktdump file2.xpkt
  • Now lets convert the PCAP to XPKT
    $ pc2xpkt file1.pcap file1.xpkt
    $ pc2xpkt file1.pcap > file1.xpkt
    $ pc2xpkt < file1.pcap > file1.xpkt
    $ cat file1.pcap | pc2xpkt > file1.xpkt
  • Now we can dump file1 using xpktdump:
    $ xpktdump file1.xpkt

Something we can't do w/ tcpdump

  • Lets now merge them one after another
    $ cat file1.xpkt file2.xpkt > merged.xpkt
    $ xpktdump merged.xpkt
  • Of course there's a simpler way
    $ cat file1.xpkt file2.xpkt | xpktdump

Convert back to pcap:

  • Let's convert file2 to PCAP
    $ xpkt2pc file2.xpkt file2.pcap
    $ xpkt2pc < file2.xpkt > file2.pcap
    $ xpkt2pc file2.xpkt > file2.pcap
    $ cat file2.xpkt | xpkt2pc > file2.pcap
  • Let's look at the stream using tcpdump:
    $ tcpdump -r file2.pcap
  • If we didn't want to actually store as a PCAP
    $ xpkt2pc file2.xpkt | tcpdump -r -
  • Let's concatenate and dump using tcpdump
    $ cat file1.xpkt file2.xpkt | xpkt2pc | tcpdump -r | less

Sending packets:

    $ sudo tcpdump -i eth0  # in one terminal
    $ sudo pktout -i eth0 file1.xpkt
    $ sudo pktout -i eth0 < file1.xpkt
    $ cat file1.xpkt | sudo pktout -i eth0


  • XPKT is a versatile, extensible, self-contained packet trace format
  • ONICS' most basic tools are pktin, pktout, pc2xpkt and xpkt2pc
  • We've demonstrated how the ONICS design supports leveraging the power of the UNIX command line for packets
  • This is only the VERY beginning. ONICS has over 20 binaries and 30 scripts for manipulating packets.


Subscribe to the comments RSS feed.

Comment #1 posted on 2019-08-22 13:56:32 by Dave Morriss

Great project and excellent show

I installed ONICS after your first show about it but didn't use it much. I haven't had a great need to do network monitoring or troubleshooting in the interim.

I reinstalled after this show and followed along with your examples and found them very helpful. The capabilities of ONICS seem very impressive. I'm looking forward to hearing more!


Comment #2 posted on 2019-08-25 13:41:10 by Gabriel Evenfire

Good to hear

Thanks for the feedback Dave, and glad that this installation went more smoothly than the last one. Next episode is in and I've scripted about half of the one to follow.

Leave Comment

Note to Verbose Commenters
If you can't fit everything you want to say in the comment below then you really should record a response show instead.

Note to Spammers
All comments are moderated. All links are checked by humans. We strip out all html. Feel free to record a show about yourself, or your industry, or any other topic we may find interesting. We also check shows for spam :).

Provide feedback
Your Name/Handle:
Anti Spam Question: What does the letter P in HPR stand for?
Are you a spammer?
What is the HOST_ID for the host of this show?
What does HPR mean to you?