-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME.txt
361 lines (232 loc) · 11.2 KB
/
README.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
INTRODUCTION
============
ONICS is a command line tool suite along with the code building blocks
for those tools to capture, dissect, manipulate and send network data.
The intent of these tools is to make it possible to manipulate packets
on the command line in a UNIX-shell like fashion the same way one can
manipulate text with programs like sed, awk, cat, tr, etc. In fact,
many of said command line tools and be used with the ONICS tool suite if
done properly. There are currently 22 binary tools and 30 Bourne shell
scripts in the repository.
This tool suite comes with regression tests, examples, complete manpages
and extended libraries to improve programmabilitiy. All binaries are
written in pure ANSI-89 C code. Most have no external dependencies
outside of libc and catlib (see below). The few that do will not be
compiled or installed if their dependencies are not detected. It is
also simple to add support for new protocols and have all the tools in
the suite automatically updated. All scripts are written in pure Bourne
Shell.
See LICENSE.txt for the free/libre open source licensing of this suite.
QUICK START
===========
1) First download both Catlib and ONICS and put the distributions in
the same top level directory. You can find catlib at:
** https://github.com/ctelfer/catlib
** https://gitlab.com/catlib/catlib
Similarly, one can find ONICS at:
** https://github.com/ctelfer/onics
** https://gitlab.com/onics/onics
2) Change to the catlib directory and type:
make
3) Change to the onics directory and type:
./configure
make
make test
4) (optional) To install type:
sudo make install
This will:
* build catlib
* build the tools
* build test programs (under tests/bin)
* run regression tests
* optionally install the programs and manpages in /usr/local
EXAMPLES
========
# Create a TCP packet to go to 10.0.0.1 and send it out on eth0
mktcp "ip.daddr = 10.0.0.1" | pktout eth0
# Capture packets from eth0 and dump them in annotated hex form
pktin eth0 | x2hpkt | less
# Convert a pcap file to xpkt format
pc2xpkt in.pcap out.xpkt
# Extract the packets 3 through 10 from a packet stream
pxtr 3,10 file.xpkt
# Read from an interface using libpcap and dump to an xpkt file
pktin eth0 out.xpkt
# Join two xpkt files into one. (note: you can't do this with pcap
# files, but can with xpkt)
cat XPFILE1 XPFILE2 > XPFILE3
# Send an xpkt file to tcpdump for dissecting (why? to demonstrate tool
# integration)
xpkt2pc XPKTFILE | tcpdump -vvvvs 0 -r -
# Full pipeline of translations:
# pcap -> xpkt -> hexpkt -> xpkt -> pcap -> tcpdump output -> less
pc2xpkt in.pcap | x2hpkt -x | h2xpkt | xpkt2pc | tcpdump -nvXs 0 -r - | less
# Create a packet layer by layer and send out eth0
echo "hello world" | rawpkt | tcpwrap | ipwrap | ethwrap | pktout eth0
#
# Now for some cooler stuff
#
# Read all packets from one interface, toggle their DF bits and send
# them out a different interface.
pktin eth2 |
pml -e '?- ip -? { ip.df = ip.df ^ 1 ; fix_csums(0); }' |
pktout eth3
# Read in the first 5 TCP packets to port 80, drop the rest and
# fragment the ones that get through at an MTU of 777
cat > x.pml <<EOF
var n = 0;
?- not tcp or tcp.dport != 80 or n >= 5 -? { drop; }
{ n = n + 1; }
EOF
pml -f x.pml in.xpkt | ipfrag -m 777 > out.xpkt
# Print an error for every TCP packet that has evil in it.
pcapin -i IFACE1 |
pml -e '
int n = 0;
{ n = n + 1; }
?- tcp and tcp.payload =~ `[eE][vV][iI][lL]` -? {
print "Packet ", n, " is evil\n";
}' >/dev/null
LIST OF TOOLS
=============
Below is a list of the current binary tools in the suite.
* pml - an AWK-like program for packet streams
* pdiff - compares packet streams and print the differences
* nftrk - tracks individual flows in a stream of packets
* pspilt - split a packet stream to multiple streams
* psort - sort the packets in a stream
* ipfrag - fragments IP/IPv6 packets
* ipreasm - reassemble IP/IPv6 packets
* pktin - reads packets from a network interface
* pktout - write packets to a network interface
* x2hpkt - converts XPKTs to “hex packet” format
* h2xpkt - converts “hex packet” packets to XPKT format
* pcapin - reads in pcap files or interfaces through libpcap
* pcapout - dumps packets to a pcap file or to an interface vi libpcap
* nvmas - an assembler for the NetVM that underlies pml and nvmpf
* nvmpf - a pure NetVM packet filter program
* pc2xpkt - convert PCAP files to XPKT without libpcap
* pmerge - interleave packets from a set of streams into one stream
* pktmux - a program to multiplex packets from multiple input streams
* pktdemux - a program to demultiplex packets to different output streams
* pktrel - release packets according to a traffic specification
* rawpkt - convert a file into a packet with no datalink types
* xpkt2pc - convert XPKT files to PCAP without libpcap
There are also various scripts built on the binary tools. All of these
scripts should be in strictly compliant Bourne shell. So they should
work just about everywhere.
* ethwrap - wrap packets in an ethernet frame header
* gre-decap - decapsulate [NV]GRE+IP+Etherent packets
* gre-encap - encapsulate packets in [NV]GRE+IP+Etherent headers
* ipwrap - wrap packets in an IPv4 header
* ip6wrap - wrap packets in an IPv6 header
* icmpwrap - wrap packets in an ICMP header
* icmp6wrap - wrap packets in an ICMPv6 header
* mkarp - create an ARP packet
* mkicmp - create an ICMP packet
* mkicmp6 - create an ICMPv6 packet
* mktcp - create a TCP packet
* mktcp6 - create a TCP in IPv6 packet
* mkudp - create a UDP packet
* mkudp6 - create a UDP in IPv6 packet
* pcount - count the packets in a stream
* peseq - embed a sequence number into various fields in a packet stream
* pflt - select packets from a stream that match a pattern
* phead - extract the first N packets from a packet stream
* ppop - pop the outermost protocol(s) from each packet in a packet stream
* preverse - reverse the packets in a stream
* ptail - extract the last N packets from a packet stream
* pxseq - extract a sequence number from embedded fields in a packet stream
* pxtr - extract a range of packets from a stream
* tcpsess - generate a partial or complete TCP stream from data files
* tcpwrap - wrap packets in a TCP header
* udpwrap - wrap packets in a UDP header
* vxlan-decap - decapsulate VXLAN+UDP+IP+Etherent packets
* vxlan-encap - encapsulate packets in VXLAN+UDP+IP+Etherent headers
* xpktdump - dump a stream of packets in readable format with pagination
* xtsscale - scale the timestamps for a stream of packets
PHILOSOPHY
==========
The tools in the suite and their underlying components were designed
with several principles in mind.
* Self-contained -- The intent is to ultimately have these tools only
require a compliant C compiler to build.
* Pluggable -- One should be able to plug new tools in without changing
the existing ones.
* Protocol agnostic -- The tools should be able to adapt to
new protocols without changing the main tool code.
* Simple -- Each tool should do a few things well and no more.
* Small, bounded resource footprint -- Each tool should be able to
function well in low memory/CPU environments.
DIRECTORIES
===========
* bin/ - target directory where the binaries get built
* doc/ - contains the documentation (man pages)
* lemon/ - contains the public-domain lemon parser generator
* lib/ - contains libraries to be installed in the system
* scripts/ - contains Bourne shell scripts for the tool suite
* src/ - source code for all binaries
* tests/ - contains various unit tests for the tools
ADVANCED BUILDING
=================
The configure script has a few options that you can pass it. These
include:
--debug Build using debug flags. Useful if you want to run
under GDB for example.
--dlsym Build so that the ONICS tools will search
$INSTALL_PREFIX/lib/onics/protocols for protocol
libraries to load dynamically at runtime.
--no-dlsym Ensure that the tools will NOT be compiled with
dynamic protocol loading as per (--dlsym). This
is the default.
--catlib=/path/to/catlib
Provide the path to the catlib root directory
explicitly.
When running 'make', the Makefiles will use the environment or make
variable 'INSTALL_PREFIX' for the root of the tree where ONICS files
will go when installed in the system. This defaults to /usr/local.
COMPONENTS
==========
There are several notable pieces of infrastructure that the ONICS tools
tend to rely on.
* XPKT -- an external packet format. This is a PCAP replacement that
offers extensibility and the easy ability to cut and paste
packets from a stream of XPKT-formatted packets.
* NetVM -- a 64-bit stack based virtual machine augmented for packet
processing. This VM uses segmented memory regions and a
read-only code store. In certain configurations programs can be
verified to have bounded runtime and stack space requirements.
* PML -- Packet Manipulation Language. An langauge in the flavor of
AWK for manipulating packets in a pattern/action style. The
language is not as powerful as, say, Python, Ruby or even Lua.
But it does operate with fixed memory requirements and treats
packets as first-class data objects making manipulating them and
their protocols intuitive.
* ProtoParse -- a protocol-neutral set API for creating network
protocol disectors and namespaces. These APIs allow the tools
in the suite to function without specific understanding of the
protocols they interpret.
CATLIB
======
One quick note about Catlib. Catlib is a library of useful (to me
anyways) C code for various common and not-so-common data structures and
algorithms. I built it up over the years, tore it apart, rebuilt it,
used it for my thesis, and reworked it as my programming tastes changed.
Its current incarnation focuses heavily on making individual modules as
independent of one another (and external APIs) as possible. So one
could, for example, extract only one or two files to get a functioning
AVL tree implementation that works without the rest of the library or
even a functioning Standard C library. I freely confess that some of
the code in that library I wrote simply to prove that I could implement
it myself without needing someone else's code.
One last quick note about "lemon". The lemon parser generator is a
public domain parser generator that D. Richard Hipp wrote as part of
sqlite. I like it better than bison for a variety of reasons and use it
to generate the PML parser. It is self-contained (two C files) and,
being public domain, it can go directly in this project. But I am by no
means claiming credit for writing this code: that accolade goes to Dr.
Hipp and if he is reading this: you have my many thanks!
MORE SAMPLES
============
See tests/data/pml/*.pml for more PML code examples.
There are also examples in the manpages for the above programs and scripts.