Hacker Public Radio

HPR2882: ONICS Part 1: Basic Commands



Background
It's been about 6 years since I talked about my project ONICS in HPR 1350
ONICS stands for Open Network Inspection Command Suite
I created ONICS because I thought it would be neat to have a suite of tools that could manipulate packets on the command line in a way similar to how tools like sed, awk, grep, cut, and so forth manipulate text.
Installing
Not currently maintained in any package distributions
Maintainers who are interested in doing so are welcome
Install by source
$ git clone https://gitlab.com/catlib/catlib
$ cd catlib
$ make
$ cd ..
$ git clone https://gitlab.com/onics/onics
$ cd onics
$ ./configure
$ make
$ make test
$ sudo make install
$ make veryclean
Can always uninstall cleanly from the source directory
$ make uninstall
An alternative to installation is to stop at 'make test' and then add 'onics/bin' and 'onics/scripts' to your PATH.
Documentation
Manpages are available in onics/doc directory if you aren't installing locally. They are quite extensive.
If installed locally, starting with:
$ man onics
XPKT Format
PCAP format is outdated and not very extensible
I want to be able to annotate with interface IDs, flow IDs, packet numbers, classification info, header offsets, etc...
First and foremost, the global file header prevents simply cat-ing files together.
It also makes merging live streams more difficult.
pcapng improves things but still has global file header
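To make the file-header point concrete, here is an added Python example (not part of ONICS or the show notes) that builds two small pcap files from constructed frames, shows that a plain byte-level concatenation of them no longer parses, and merges them correctly by keeping only the first file's header. XPKT avoids the problem entirely because it has no file header.

```python
import struct

# Classic pcap layout: one 24-byte global header, then 16-byte record headers + frame bytes.
PCAP_MAGIC = 0xA1B2C3D4                 # little-endian magic, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(packets):
    """Constructed sample data: wrap raw frames in a pcap image (linktype 1 = Ethernet)."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += REC_HDR.pack(ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a pcap image into [(ts_sec, frame)]; raise ValueError on a malformed stream."""
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("bad pcap magic 0x%08x" % magic)
    off, frames = GLOBAL_HDR.size, []
    while off < len(data):
        ts, _, incl, _ = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if incl > snaplen or off + incl > len(data):
            raise ValueError("record at offset %d claims %d bytes" % (off - REC_HDR.size, incl))
        frames.append((ts, data[off:off + incl]))
        off += incl
    return frames

def merge_pcap(a, b):
    """Correct merge: keep a's global header, append only b's records (drop b's header)."""
    return a + b[GLOBAL_HDR.size:]

# Constructed captures: broadcast Ethernet frames with arbitrary payloads.
ETH = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00"
FILE1 = build_pcap([(1700000000, ETH + b"one"), (1700000001, ETH + b"two")])
FILE2 = build_pcap([(1700000002, ETH + b"three")])

def demo():
    """Return (timestamps of the proper merge, error text from parsing `cat file1 file2`)."""
    merged_ts = [ts for ts, _ in read_pcap(merge_pcap(FILE1, FILE2))]
    try:
        read_pcap(FILE1 + FILE2)      # what `cat file1.pcap file2.pcap` produces
        naive_err = None
    except ValueError as e:
        naive_err = str(e)            # b's header gets read as record headers and breaks parsing
    return merged_ts, naive_err

if __name__ == "__main__":
    print(demo())
```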
First Programs
Let's first capture in the traditional way
$ sudo tcpdump -i eth0 -c 5 -w file1.pcap
First program is to capture packets from the wire:
$ sudo pktin eth0 > file2.xpkt
If not running as root
$ sudo chown myname file1.pcap file2.xpkt
Let's dump them:
$ tcpdump -r file1.pcap
$ xpktdump file2.xpkt
Now let's convert the PCAP to XPKT
$ pc2xpkt file1.pcap file1.xpkt
or
$ pc2xpkt file1.pcap > file1.xpkt
or
$ pc2xpkt < file1.pcap > file1.xpkt
or
$ cat file1.pcap | pc2xpkt > file1.xpkt
Now we can dump file1 using xpktdump:
$ xpktdump file1.xpkt
Something we can't do w/ tcpdump
Let's now merge them one after another
$ cat file1.xpkt file2.xpkt > merged.xpkt
$ xpktdump merged.xpkt
Of course there's a simpler way
$ cat file1.xpkt file2.xpkt | xpktdump
Convert back to pcap:
Let's convert file2 to PCAP
$ xpkt2pc file2.xpkt file2.pcap
or
$ xpkt2pc < file2.xpkt > file2.pcap
or
$ xpkt2pc file2.xpkt > file2.pcap
or
$ cat file2.xpkt | xpkt2pc > file2.pcap
Let's look at the stream using tcpdump:
$ tcpdump -r file2.pcap
If we didn't want to actually store as a PCAP
$ xpkt2pc file2.xpkt | tcpdump -r -
Let's concatenate and dump using tcpdump
$ cat file1.xpkt file2.xpkt | xpkt2pc | tcpdump -r - | less
Sending packets:
$ sudo tcpdump -i eth0 # in one terminal
$ sudo pktout -i eth0 file1.xpkt
or
$ sudo