Sniffing on IOU

Some of you might already know IOU: it’s Cisco IOS compiled on Unix. It allows emulating routers and switches.

One IOU process is one device. Communication between devices occurs through netio sockets, located in /tmp. Until now there wasn’t any tool for sniffing on these connections. Now there is one.


As I said, communication is done through sockets in /tmp.

IOU communication

Every IOU instance creates its socket and binds to it, so it can receive data on that socket. Any other IOU instance that wants to send data to it just sends to the corresponding socket using the sendto() syscall.

Man in the middle

Thanks to this architecture it’s possible to sit between IOU instances and do actual sniffing.

IOU sniffing


“100_real” is the original “100” socket, just renamed. In Unix one can rename a file that is open, and the process continues reading from and writing to it as if it had never been renamed. So receiving remains unaffected.

What happens with sending? Well, IOUsniffer creates a new socket for every IOU instance, with the same name as the original socket. Every other IOU instance still sends data to the 100, 101, … sockets. IOUsniffer then reads data from 100 and writes it to 100_real and to a PCAP file.

IOU doesn’t know about these socket games, so it doesn’t need to be modified.
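The rename-and-rebind trick described above can be reproduced with plain Unix datagram sockets. The following is an added example, not code from IOUsniffer: the temporary directory stands in for the netio directory in /tmp, the payload is a constructed sample, and an in-memory list stands in for the PCAP file.

```python
import os
import socket
import tempfile


def demo():
    """Interpose on a Unix datagram socket; returns (captured, delivered)."""
    workdir = tempfile.mkdtemp(prefix="netio_demo_")  # stand-in for the /tmp netio dir
    orig = os.path.join(workdir, "100")
    real = orig + "_real"

    # "IOU instance 100": binds its socket and waits for datagrams.
    receiver = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    receiver.bind(orig)
    receiver.settimeout(2)

    # Step 1: rename the bound socket file. The receiver's open descriptor
    # is untouched; only the path that senders resolve has changed.
    os.rename(orig, real)

    # Step 2: bind a new socket under the original name.
    tap = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    tap.bind(orig)
    tap.settimeout(2)

    # "IOU instance 101": sends to path "100" exactly as it always did.
    sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    frame = b"constructed-sample-frame"  # constructed payload, not a real netio frame
    sender.sendto(frame, orig)

    # Step 3: read from "100", record the datagram, forward it to "100_real".
    seen = tap.recv(65535)
    captured = [seen]  # a sniffer would append this to a PCAP file instead
    tap.sendto(seen, real)

    delivered = receiver.recv(65535)  # the receiver never noticed the rename

    for s in (receiver, tap, sender):
        s.close()
    for path in (orig, real):
        os.unlink(path)
    os.rmdir(workdir)
    return captured, delivered


if __name__ == "__main__":
    print(demo())
```

The same property is why the directory holding these sockets matters: whoever can rename and create files there can place themselves in the path between instances.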

IOU high-level


The project is hosted on GitHub. There is also a much more detailed README.

You are, of course, very welcome to use it or enhance it in any way you see fit!
