hpr2882 :: ONICS Part 1: Basic Commands
In this episode I review some basic commands for manipulating packet captures
Hosted by Gabriel Evenfire on Tuesday 2019-08-20 is flagged as Clean and is released under a CC-BY-SA license.
Tags: networking, command-line, tools.
Part of the series: Networking
This series will try and explain the basics of networking to the listener as well as introduce more detailed topics.
- It's been about 6 years since I talked about my project ONICS in HPR 1350
- ONICS stands for Open Network Inspection Command Suite
- I created ONICS because I thought it would be neat to have a suite of tools that could manipulate packets on the command line in a way similar to how tools like sed, awk, grep, cut, and so forth manipulate text.
- Not currently maintained in any package distributions
- Maintainers who are interested in doing so are welcome
- Install by source
$ git clone https://gitlab.com/catlib/catlib
$ cd catlib
$ make
$ cd ..
$ git clone https://gitlab.com/onics/onics
$ cd onics
$ ./configure
$ make
$ make test
$ sudo make install
$ make veryclean
- Can always uninstall cleanly from the source directory
$ make uninstall
- An alternative to installing is to stop after 'make test' and add 'onics/bin' and 'onics/scripts' to your PATH.
Manpages are available in onics/doc directory if you aren't installing locally. They are quite extensive.
If installed locally, starting with:
$ man onics
PCAP format is outdated and not very extensible
- I want to be able to annotate with interface IDs, flow IDs, packet numbers, classification info, header offsets, etc...
First and foremost, the global file header prevents simply cat-ing files together.
- it makes merging live streams more difficult
- pcapng improves things but still has global file header
- Let's first capture in the traditional way
$ sudo tcpdump -i eth0 -c 5 -w file1.pcap
- The first ONICS program, pktin, captures packets from the wire:
$ sudo pktin eth0 > file2.xpkt
- If you are not running as root, take ownership of the files:
$ sudo chown myname file1.pcap file2.xpkt
- Let's dump them:
$ tcpdump -r file1.pcap
$ xpktdump file2.xpkt
- Now let's convert the PCAP to XPKT
$ pc2xpkt file1.pcap file1.xpkt
  or
$ pc2xpkt file1.pcap > file1.xpkt
  or
$ pc2xpkt < file1.pcap > file1.xpkt
  or
$ cat file1.pcap | pc2xpkt > file1.xpkt
- Now we can dump file1 using xpktdump:
$ xpktdump file1.xpkt
Something we can't do with tcpdump
- Let's now merge them one after another
$ cat file1.xpkt file2.xpkt > merged.xpkt
$ xpktdump merged.xpkt
- Of course there's a simpler way
$ cat file1.xpkt file2.xpkt | xpktdump
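As an added illustration of the header problem described above (example code written for these notes, not part of ONICS), the following Python builds two tiny constructed PCAP files in memory, shows that naively cat-ing them yields an unparseable file because the second global header gets read as a packet record, and performs the header-aware merge that a single-header format forces on you:

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4                  # little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len

def make_pcap(frames, linktype=1):
    """Build a minimal PCAP file in memory from raw frame bytes (constructed test data)."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += REC_HDR.pack(1566259200 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Return the frames in a PCAP file; raise ValueError on a malformed record."""
    magic, _maj, _min, _tz, _sig, snaplen, _lt = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian PCAP file")
    off, frames = GLOBAL_HDR.size, []
    while off < len(data):
        _sec, _usec, incl, _orig = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if incl > snaplen or off + incl > len(data):
            raise ValueError(f"malformed record header at offset {off - REC_HDR.size}")
        frames.append(data[off:off + incl])
        off += incl
    return frames

def naive_cat_parses(*files):
    """True if `cat file1 file2 ...` would still yield a readable PCAP (it does not)."""
    try:
        parse_pcap(b"".join(files))
        return True
    except (ValueError, struct.error):
        return False

def merge_pcaps(files):
    """Header-aware merge: keep the first global header, drop the rest, check linktypes agree."""
    first_lt = GLOBAL_HDR.unpack_from(files[0], 0)[6]
    out = bytearray(files[0])
    for f in files[1:]:
        if GLOBAL_HDR.unpack_from(f, 0)[6] != first_lt:
            raise ValueError("cannot merge captures with different link types into one PCAP")
        out += f[GLOBAL_HDR.size:]   # a single linktype field cannot describe mixed captures
    return bytes(out)

# Constructed sample captures: a few dummy "frames", not real traffic.
FRAMES1 = [b"\xaa" * 60, b"\xbb" * 42]
FRAMES2 = [b"\xcc" * 64]
FILE1, FILE2 = make_pcap(FRAMES1), make_pcap(FRAMES2)
```

Because an XPKT stream has no such global header, the plain cat in the notes above is all the merge step needs.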
Convert back to pcap:
- Let's convert file2 to PCAP
$ xpkt2pc file2.xpkt file2.pcap
  or
$ xpkt2pc < file2.xpkt > file2.pcap
  or
$ xpkt2pc file2.xpkt > file2.pcap
  or
$ cat file2.xpkt | xpkt2pc > file2.pcap
- Let's look at the stream using tcpdump:
$ tcpdump -r file2.pcap
- If we didn't want to actually store as a PCAP
$ xpkt2pc file2.xpkt | tcpdump -r -
- Let's concatenate and dump using tcpdump
$ cat file1.xpkt file2.xpkt | xpkt2pc | tcpdump -r - | less
- Finally, let's replay a capture back onto the wire with pktout, watching it with tcpdump in another terminal:
$ sudo tcpdump -i eth0    # in one terminal
$ sudo pktout -i eth0 file1.xpkt
  or
$ sudo pktout -i eth0 < file1.xpkt
  or
$ cat file1.xpkt | sudo pktout -i eth0
- XPKT is a versatile, extensible, self-contained packet trace format
- ONICS' most basic tools are pktin, pktout, pc2xpkt and xpkt2pc
- We've demonstrated how the ONICS design supports leveraging the power of the UNIX command line for packets
- This is only the VERY beginning. ONICS has over 20 binaries and 30 scripts for manipulating packets.