HPR2882: ONICS Part 1: Basic Commands

Background

• It's been about 6 years since I talked about my project ONICS in HPR 1350
• ONICS stands for Open Network Inpection Command Suite
• I created ONICS as because I thought it would be neat to have a suite of tools that could manipulate packets on the command line in a way similar to how tools lik sed, awk, grep, cut, and so forth manipulate text.

Installing

• Not currently maintained in any package distributions
• Maintainers who are interested in doing so are welcome
• Install by source

    $ git clone https://gitlab.com/catlib/catlib
    $ cd catlib
    $ make
    $ cd ..
    $ git clone https://gitlab.com/onics/onics
    $ cd onics
    $ ./configure
    $ make
    $ make test
    $ sudo make install
    $ make veryclean

• Can always uninstall cleanly from the source directory

    $ make uninstall

• Alternate to installation is to stop at 'make test' and then add to 'onics/bin' and 'onics/scripts' to your path.

Documentation

• Manpages are available in onics/doc directory if you aren't installing locally. They are quite extensive.

• If installed locally, starting with:

    $ man onics

XPKT Format

• PCAP format is outdated and not very extensible

  • I want to be able to annotate with interface IDs, flow IDs, packet numbers, classification info, header offsets, etc...

• First and foremost, the file header prevents just cating files together.

  • it makes merging live streams more difficult
  • pcapng improves things but still has global file header

First Programs

• Let's first capture in the traditional way

    $ sudo tcpdump -i eth0 -c 5 -w file1.pcap

• First program is to capture packets from the wire:

    $ sudo pktin eth0 > file2.xpkt

• If not running as root

    $ sudo chown myname file1.pcap file2.xpkt

• Let's dump them:

    $ tcpdump -r file1.pcap
    $ xpktdump file2.xpkt

• Now lets convert the PCAP to XPKT

    $ pc2xpkt file1.pcap file1.xpkt
      or
    $ pc2xpkt file1.pcap > file1.xpkt
      or
    $ pc2xpkt < file1.pcap > file1.xpkt
      or
    $ cat file1.pcap | pc2xpkt > file1.xpkt

• Now we can dump file1 using xpktdump:

    $ xpktdump file1.xpkt

Something we can't do w/ tcpdump

• Lets now merge them one after another

    $ cat file1.xpkt file2.xpkt > merged.xpkt
    $ xpktdump merged.xpkt

• Of course there's a simpler way

    $ cat file1.xpkt file2.xpkt | xpktdump

Convert back to pcap:

• Let's convert file2 to PCAP

    $ xpkt2pc file2.xpkt file2.pcap
      or
    $ xpkt2pc < file2.xpkt > file2.pcap
      or
    $ xpkt2pc file2.xpkt > file2.pcap
      or
    $ cat file2.xpkt | xpkt2pc > file2.pcap

• Let's look at the stream using tcpdump:

    $ tcpdump -r file2.pcap

• If we didn't want to actually store as a PCAP

    $ xpkt2pc file2.xpkt | tcpdump -r -

• Let's concatenate and dump using tcpdump

    $ cat file1.xpkt file2.xpkt | xpkt2pc | tcpdump -r | less

Sending packets:

    $ sudo tcpdump -i eth0  # in one terminal
    $ sudo pktout -i eth0 file1.xpkt
      or
    $ sudo pktout -i eth0 < file1.xpkt
      or
    $ cat file1.xpkt | sudo pktout -i eth0

Summary

• XPKT is a versatile, extensible, self-contained packet trace format
• ONICS' most basic tools are pktin, pktout, pc2xpkt and xpkt2pc
• We've demonstrated how the ONICS design supports leveraging the power of the UNIX command line for packets
• This is only the VERY beginning. ONICS has over 20 binaries and 30 scripts for manipulating packets.

Comments

More Information...