Sniffing on IOU

Some of you might already know IOU, it’s Cisco IOS compiled on Unix. It allows emulating routers and switches.

One IOU process is one device. Communication between devices occurs through netio sockets, located in /tmp. Until now there wasn’t any tool for sniffing on these connections. Now there is one.


As I said, communication is done through sockets in /tmp.

IOU communication

Every IOU instance creates it’s socket and binds on it, then it can receive data on that socket. Every other IOU which wants to send data to other instance just sends it to corresponding socket using sendto() syscall.

Man in the middle

Thanks to this architecture it’s possible to attach between IOU instances and do actual sniffing.

IOU sniffing


“100_real” is original “100″ socket, just renamed. In Unix one can rename a file which is opened and process continues reading/writing from/to it as if it was never renamed. So receiving remains unaffected.

What happened with sending? Well, IOUsniffer creates a new socket for every IOU instance, named like original socket. Every other IOU instance always sends data to 100, 101, … sockets. Then IOUsniffer reads data from 100 and writes it to 100_real and to PCAP file.

IOU doesn’t know about these socket games, so it doesn’t need to be modified.

IOU high-level


Project is hosted on github. There is also a much detailed README.

You are, of course, very welcome to use it or enhance it in any way you see fit!

13 thoughts on “Sniffing on IOU

  1. Pingback: Sniffing on Cisco IOS on Unix (IOU) Emulator — EtherealMind

  2. Pingback: Sniffing on IOU | Cisco Learning |

  3. I tried to use this one, but every time it stops with the error “instance_add generic error”. And also what does “@temp1″ in NETMAP file mean?

  4. Hi, “@test1″ is name of your machine. Could you please post your entire NETMAP file?

  5. There was only one problem. It’s a hostname. I’ve fixed NETMAP with correct hostname and everything looks Ok.
    Maybe should you describe the “@test1″ value on wiki?

  6. Yes, thank you. In the mean time I fixed it, I assumed you’re using NETMAP without hostnames. If you pull right now it should work even without hostnames.

    • Hi Rodolfo,

      just pull it from git and do a make. You need to have libpcap libraries and headers installed.

      Let me know if this helps, if not then post more detailed description.

  7. Pingback: IOU Web Interface 1.2.2-7 | Route Reflector

  8. Hi,

    I learned about your program, very useful. I also modified it this way :
    – Only sniff packet on link where a DLT is found in the NETMAP
    – format the pcap file as iou_id1-if_major1-if_minor1_iou_id2-if_major2-if_minor2.pcap
    – dynamically check for new DLT in the NETMAP to add sniffer and for deleted DTL to delete sniffer.

    If you are interested in my modification, I provide it to you.

    • Hi Maxime,

      good job, I would be glad if you send it to me. You can send it to my mail ( or just do a pull request on github.


  9. Martin, I’m trying to run it over ubuntu and I’m getting this error, any hint?

    root@ubuntu:/opt/iou/bin# ./iousniff -ddd -n /tmp/iou/lab_1/NETMAP
    NETMAP: /tmp/iou/lab_1/NETMAP
    Netio directory: /tmp/netio0
    Sniffing to: /tmp/iousnVln1Z5
    Flush at write: no
    Debug level: 3
    parser read line: 10:0/0 14:0/0
    parser read line: 11:0/0 14:0/1
    ./iousniff: symbol lookup error: ./iousniff: undefined symbol: pcap_open_dead

  10. Hello, what libpcap version are you using? I have it working with libpcap0.8. Also make sure you have installed libpcap0.8, libpcap0.8-dev and libpcap-dev and I’m using ubuntu too…

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>