In this episode we'll talk about filtering and dissecting packet traces and streams and introduce diffing. Remember that most tools have very flexible options for a variety of use cases. So check their manpages. Each man page also has multiple examples of how to use each tool.
$ mkdir /tmp/packets
$ cd /tmp/packets
$ cp /path/to/onics/tests/data/packets/sample.xpkt .
$ pcount sample.xpkt
90 total packets and 19082 total bytes.
Well, let's look at the connections, or "flows", in the trace. We'll do this with the 'nftrk' command, the "network flow tracker".
Like 'pcount' (and many, or most, ONICS utilities), this program can run on a live stream or a trace file. We'll run:
$ nftrk -dt sample.xpkt | grep END
and get:
|FLOW END|IP:ca=192.168.0.43,sa=224.0.0.251,proto=2|Start=1565446184.543,End=1565446184.544,Dur=0.001|SENT:1,60|
...
|FLOW END|IP:ca=192.168.0.7,sa=192.168.0.255,proto=17,cpt=631,spt=631|Start=1565446184.543,End=1565446184.544,Dur=0.001|SENT:3,660|
'nftrk' tracks flows giving events like the start and end of each flow or connection. We just want a summary of all the connections so we just grep for 'END' (all caps).
We could just as easily have grepped for START, but this way we get the final number of packets sent and received on each connection. If we just want a count of the connections we can do:
$ nftrk -dt sample.xpkt | grep START | wc -l
and that tells us that there are 10 flows in the trace.
$ pflt tcp sample.xpkt tcponly.xpkt
$ pcount tcponly.xpkt
73 total packets and 17184 total bytes.
$ nftrk -dt tcponly.xpkt | grep END | wc -l
2
$ pflt tcp sample.xpkt |
pcount -p |
nftrk -t 2>/tmp/flows > tcponly.xpkt &&
echo -n "Number of flows " &&
grep END /tmp/flows | wc -l &&
rm -f /tmp/flows
$ nftrk -dt tcponly.xpkt | grep END
|FLOW END|IP:ca=192.168.0.4,sa=192.168.0.7,proto=6,cpt=38859,spt=22|Start=1566073862.612,End=1566073862.613,Dur=0.000|C2S:25,4561|S2C:30,5124|
|FLOW END|IP:ca=192.168.0.4,sa=64.233.169.147,proto=6,cpt=35071,spt=80|Start=1566073862.613,End=1566073862.613,Dur=0.000|C2S:9,704|S2C:9,6795|
This shows that the server ports are 22 and 80 for the two connections: SSH and HTTP.
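As an added example (not part of the ONICS project or this episode), here is a small POSIX shell script that parses the 'FLOW END' records nftrk prints using only grep, awk, sort and friends, so it runs without ONICS installed, on a constructed sample of events shaped like the ones above. It turns the grep-and-wc counting into a per-flow summary (protocol, server port, packets and bytes in each direction), which is what you actually want when checking which services a capture talked to. The field layout (SENT for one-way flows, C2S/S2C for TCP flows) and the shape of the START record are assumed from the output shown here; the function names are mine. The earlier pipeline captured the events in a fixed /tmp/flows, a predictable name on a shared host, so the comment in the script shows the same capture through mktemp instead.

```shell
#!/bin/sh
# Added example, not ONICS code. Summarise nftrk "FLOW END" events read on
# stdin. Output, one line per flow:
#   proto server_port client_pkts client_bytes server_pkts server_bytes
# Assumed from the records shown in the episode: fields are '|'-separated,
# one-way flows carry "SENT:pkts,bytes", TCP flows "C2S:pkts,bytes|S2C:pkts,bytes".
flow_summary() {
    grep '^|FLOW END|' | awk -F'|' '
    {
        # $3 is the key list, e.g. IP:ca=192.168.0.4,sa=192.168.0.7,proto=6,cpt=38859,spt=22
        sub(/^IP:/, "", $3)
        n = split($3, kv, ",")
        proto = "?"; spt = "-"
        for (i = 1; i <= n; i++) {
            split(kv[i], p, "=")
            if (p[1] == "proto") proto = p[2]
            if (p[1] == "spt")   spt = p[2]
        }
        # Counters: treat SENT (one-way) like client-to-server.
        c2s_p = 0; c2s_b = 0; s2c_p = 0; s2c_b = 0
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^(SENT|C2S):/) {
                split(substr($i, index($i, ":") + 1), c, ",")
                c2s_p = c[1]; c2s_b = c[2]
            }
            if ($i ~ /^S2C:/) {
                split(substr($i, 5), s, ",")
                s2c_p = s[1]; s2c_b = s[2]
            }
        }
        print proto, spt, c2s_p, c2s_b, s2c_p, s2c_b
    }'
}

# Number of flows: the count of END events, what "grep END | wc -l" gave.
flow_count() {
    flow_summary | wc -l | tr -d ' '
}

# Distinct server ports of TCP flows (proto 6), sorted, space separated;
# for the trace above this is what tells you "22 and 80", i.e. SSH and HTTP.
tcp_server_ports() {
    flow_summary | awk '$1 == "6" { print $2 }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample events (not a real capture), one record per line, in the
# layout nftrk printed above. The START record shape is an assumption.
sample_events() {
cat <<'EOF'
|FLOW START|IP:ca=192.168.0.4,sa=192.168.0.7,proto=6,cpt=38859,spt=22|Start=1566073862.612|
|FLOW END|IP:ca=192.168.0.43,sa=224.0.0.251,proto=2|Start=1565446184.543,End=1565446184.544,Dur=0.001|SENT:1,60|
|FLOW END|IP:ca=192.168.0.4,sa=192.168.0.7,proto=6,cpt=38859,spt=22|Start=1566073862.612,End=1566073862.613,Dur=0.000|C2S:25,4561|S2C:30,5124|
|FLOW END|IP:ca=192.168.0.4,sa=64.233.169.147,proto=6,cpt=35071,spt=80|Start=1566073862.613,End=1566073862.613,Dur=0.000|C2S:9,704|S2C:9,6795|
EOF
}

# On a real trace, feed nftrk's event stream in instead of the sample, using a
# private temp file rather than the fixed /tmp/flows (assumed ONICS invocation,
# same flags as the pipeline in the episode):
#   flows=$(mktemp) && pflt tcp sample.xpkt | nftrk -t 2>"$flows" >tcponly.xpkt \
#       && flow_summary <"$flows"; rm -f "$flows"

# Stand-alone demo: ./flows.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_events | flow_summary
    printf 'flows: %s\ntcp server ports: %s\n' \
        "$(sample_events | flow_count)" "$(sample_events | tcp_server_ports)"
fi
```

Run it with --demo to see the three constructed flows summarised, or source it and pipe `nftrk -dt sample.xpkt` into flow_summary. Because the script keys on the literal '|FLOW END|' prefix rather than the bare word END, a START record that happened to contain "END" elsewhere would not be miscounted.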
The patterns we can use to filter packets are pretty standard across most of the ONICS tools.
We'll discuss this in more detail in a future podcast. But if you want to see the kinds of fields you can match on, run
$ man onics_proto
$ pxtr 3,6 sample.xpkt pkts-3-to-6.xpkt
$ pxtr "7,{tcp}" sample.xpkt | xpktdump
$ pxtr 1,4 sample.xpkt > not-5-to-10.xpkt
$ pxtr 11,NONE sample.xpkt >> not-5-to-10.xpkt
$ pdiff sample.xpkt not-5-to-10.xpkt | less
$ pdiff -v not-5-to-10.xpkt sample.xpkt | less
This describes sample.xpkt from the perspective of starting with not-5-to-10.xpkt and inserting a run of packets into the middle.
Unless otherwise stated, our shows are released under a Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.
The HPR Website Design is released to the Public Domain.