In this episode I review some basic commands for manipulating packet captures
Hosted by Gabriel Evenfire on 2019-08-20 is flagged as Clean and is released under a CC-BY-SA license.
Tags: networking, command-line, tools.
Listen in ogg,
mp3 format. | Comments (2)
This series will try and explain the basics of networking to the listener as well as introduce more detailed topics.
- It's been about 6 years since I talked about my project ONICS in HPR 1350
- ONICS stands for Open Network Inpection Command Suite
- I created ONICS as because I thought it would be neat to have a suite of tools that could manipulate packets on the command line in a way similar to how tools lik sed, awk, grep, cut, and so forth manipulate text.
- Not currently maintained in any package distributions
- Maintainers who are interested in doing so are welcome
- Install by source
$ git clone https://gitlab.com/catlib/catlib
$ cd catlib
$ cd ..
$ git clone https://gitlab.com/onics/onics
$ cd onics
$ make test
$ sudo make install
$ make veryclean
- Can always uninstall cleanly from the source directory
$ make uninstall
- Alternate to installation is to stop at 'make test' and then add to 'onics/bin' and 'onics/scripts' to your path.
Manpages are available in onics/doc directory if you aren't installing locally. They are quite extensive.
If installed locally, starting with:
$ man onics
PCAP format is outdated and not very extensible
- I want to be able to annotate with interface IDs, flow IDs, packet numbers, classification info, header offsets, etc...
First and foremost, the file header prevents just
cating files together.
- it makes merging live streams more difficult
- pcapng improves things but still has global file header
- Let's first capture in the traditional way
$ sudo tcpdump -i eth0 -c 5 -w file1.pcap
- First program is to capture packets from the wire:
$ sudo pktin eth0 > file2.xpkt
$ sudo chown myname file1.pcap file2.xpkt
$ tcpdump -r file1.pcap
$ xpktdump file2.xpkt
- Now lets convert the PCAP to XPKT
$ pc2xpkt file1.pcap file1.xpkt
$ pc2xpkt file1.pcap > file1.xpkt
$ pc2xpkt < file1.pcap > file1.xpkt
$ cat file1.pcap | pc2xpkt > file1.xpkt
- Now we can dump file1 using xpktdump:
$ xpktdump file1.xpkt
Something we can't do w/ tcpdump
- Lets now merge them one after another
$ cat file1.xpkt file2.xpkt > merged.xpkt
$ xpktdump merged.xpkt
- Of course there's a simpler way
$ cat file1.xpkt file2.xpkt | xpktdump
Convert back to pcap:
- Let's convert file2 to PCAP
$ xpkt2pc file2.xpkt file2.pcap
$ xpkt2pc < file2.xpkt > file2.pcap
$ xpkt2pc file2.xpkt > file2.pcap
$ cat file2.xpkt | xpkt2pc > file2.pcap
- Let's look at the stream using tcpdump:
$ tcpdump -r file2.pcap
- If we didn't want to actually store as a PCAP
$ xpkt2pc file2.xpkt | tcpdump -r -
- Let's concatenate and dump using tcpdump
$ cat file1.xpkt file2.xpkt | xpkt2pc | tcpdump -r | less
$ sudo tcpdump -i eth0 # in one terminal
$ sudo pktout -i eth0 file1.xpkt
$ sudo pktout -i eth0 < file1.xpkt
$ cat file1.xpkt | sudo pktout -i eth0
- XPKT is a versatile, extensible, self-contained packet trace format
- ONICS' most basic tools are pktin, pktout, pc2xpkt and xpkt2pc
- We've demonstrated how the ONICS design supports leveraging the power of the UNIX command line for packets
- This is only the VERY beginning. ONICS has over 20 binaries and 30 scripts for manipulating packets.
Comment #1 posted on 2019-08-22T13:56:32Z by Dave Morriss
Great project and excellent show
I installed ONICS after your first show about it but didn't use it much. I haven't had a great need to do network monitoring or troubleshooting in the interim.
I reinstalled after this show and followed along with your examples and found them very helpful. The capabilities of ONICS seem very impressive. I'm looking forward to hearing more!
Comment #2 posted on 2019-08-25T13:41:10Z by Gabriel Evenfire
Good to hear
Thanks for the feedback Dave, and glad that this installation went more smoothly than the last one. Next episode is in and I've scripted about half of the one to follow.
<< First, < Previous, Next >, Latest >>
Note to Verbose Commenters
If you can't fit everything you want to say in the comment below then you really should record a response show instead.
Note to Spammers
All comments are moderated. All links are checked by humans. We strip out all html. Feel free to record a show about yourself, or your industry, or any other topic we may find interesting. We also check shows for spam :).