XIP(8) XIP(8)
Friday 12, 1999
NAME
xip - displays ip packets using X window.
SYNOPSIS
xip [-cf xip_conf_file] [-i dev] [-s snaplen] [-p] [-t to_ms] [-O] [-r
tcpdump_fname] [-c count] [-n] [-B] [-F] [-h] [-v] [-dm] [-dmv]
expression
DESCRIPTION
Xip is a protocol analyzer and tester. It is a kind of graphical
tcpdump(8) with the possibility of changing packet values and resending
them. It could also be described by the term "human ip stack".
The graphical representation of a packet is intended to give a complete
view at a glance. Note that it is also customizable (e.g. ability to
change colors and fonts).
The GUI is composed of a big scrolled drawing area called the "packet box".
All packets captured with libpcap(3) are displayed here first using a
mini-representation (unless -B is activated). They can then be
magnified with mouse button 3.
Once a packet is magnified, you can perform actions by clicking on links
with mouse buttons 1 or 2. If you click with mouse button 2, a new window
is created as the result of the operation. These actions can be changing
field values, checksumming packets, extracting patterns, saving,
loading packets and so on. If you click with mouse button 3, it pops up a
contextual menu which operates on the pattern pointed to by the mouse.
By default, xip acts like tcpdump(8) (same options, etc.).
Options
The options to xip are:
-cf xip_conf_file
Defines configuration file. See detailed section.
-i dev Defines device (or interface) used to capture packets.
-s snaplen Defines snap length as in tcpdump(8).
-p Does not set interface dev in promiscuous mode.
-t to_ms See tcpdump(8).
-O Does not optimize bpf programs. See tcpdump(8).
-r tcpdump_fname
Reads a tcpdump(8) file (.dmp).
- 1 - Formatted: November 1, 2025
-c cnt Reads only cnt bytes from tcpdump_fname.
-n Does not convert addresses (for example, host addresses
and port numbers) to names. Note: This option is
limited to standard internet features.
-B Displays big packets.
-F Forces the pcap code to fork. This is intended for use on
systems which don't have a kernel bpf filter. Because
the pcap handler is called each time a packet arrives, it
overloads the X server. This solution works but only pushes
the problem away.
-h This option shows a short usage.
-v This option makes the program produce more output. This is a
debug option.
-dm This option causes all the memory allocations done by
the program to be registered and checked. This is a debug
option. Must be compiled with DEBUG_MALLOC.
-dmv This option causes all the memory allocations done by
the program to be printed to stderr. This must be combined
with -dm. This is a debug option. Must be compiled with
DEBUG_MALLOC.
expression is a bpf program. See tcpdump(8).
RESOURCES
binEditorPath is the path of a binary editor (e.g. emacs(1) or beav(1)).
Default value is emacs. Use M-x hexl-mode.
<pattern>Color defines color of <pattern>. There is one resource per
pattern.
defaultColorName
is default color used when no pattern specific color is
provided.
bodyColorName is color specified in BODY tag of each packet.
bodyBackgroundName
is the background (bit|pix)map used in the BODY tag of each
packet. It can be internal:xipicon.xbm,
internal:gray.xbm or any xbm or xpm file (if compiled
with libXpm(3)). Note that the extension of the file is
important for the resolver.
controlsColorName
is background color of the controls part of packet.
pktHelpOffset defines pixel offset of packet help.
pinMode if True, packet help is sticky.
helpMode if False, disables packet help.
scrollMode keeps the last packet always visible by scrolling the "packet
box".
smoothScrollMode
scrolls smoothScrollOffset pixels by smoothScrollOffset
pixels.
smoothScrollLimit
starts smooth-scrolling when scroll space is less than
this value. This allows scrolling to be fast if "packet
box" viewport has to move from top to bottom by
subsequently dividing scroll space by two and to be
smooth when we have reached this limit.
smoothScrollOffset
see smoothScrollMode.
ACTIONS
XipPopupPktMenu()
Pops up sub-pattern specific menus.
XipApplyMethodToPkt(new_window,xip_method)
Applies xip_method to packet. If new_window is "True",
then result of action is a new packet.
XIP_METHODS
delete() Deletes packet.
set(pattern[idx].field)|set(pattern[idx].field,value)
Sets the specified field to value or asks for a value.
extract(pattern[idx])|extract()
Extracts specified pattern or duplicates packet.
extract_to_pkt_box(pattern[idx])|extract_to_pkt_box()
Extracts specified pattern or duplicates packet to
"packet box".
trunc(pattern[idx])
Truncates packet to specified pattern.
save()|save(file)
Saves packet to file or asks for a file name.
load()|load(file)
Loads packet from file or asks for a file name.
sum() Checksums packet.
adapt_len() Adapts various length to current lengths.
cut(fine)|cut(fine,pattern[index])
Cuts packet to cut buffer. If fine, cuts without
sub-patterns.
paste(fine)|paste(fine,pattern[index])
Pastes cut buffer to packet. If fine, replaces pattern
by cut buffer.
edit() Calls an external editor (see binEditorPath resource).
reply() Makes a possible reply for packet. E.g. swaps ip.src and
ip.dst, increments ip.id, ...
custom(path,arg1,arg2,...,argn)
Calls an external binary which modifies packet. Note:
Xip launches the process with stdin and stdout reassigned to
packet input and packet output respectively, using the
".pkb" format.
opts()|opts(True|False)
Shows opts or switches them.
CONFIGURATION FILE
Syntax
The configuration file is a set of variable definitions of the form var =
value.
Spaces, tabs and returns are ignored but it is possible to backslash
them. It is also possible to specify a string containing spaces by
quoting it with the " character. The sequences \n, \r and \t are also
recognized.
Comments start with the traditional # and run to the end of the
line. Empty lines are also ignored.
Variables
tmpl_bufsiz = [0[xX]]nnnnn (number)
is size of buffer used to compute template strings.
Default value is 16 * BUFSIZ.
html_bufsiz = number
is size of final HTML buffer. Default value is 16 *
BUFSIZ.
htmlize_bufsiz = number
is size of buffer used to transform packet field values
to an HTML form. Default value is 16 * BUFSIZ.
pat_data_bytes_per_line = number
is number of bytes displayed per line by "data"
pattern.
pat_udp_perform_sum = [true|false]
tells udp pattern to perform checksum or not.
pat_udp_guess_mode = [true|false]
tells udp pattern to guess its sub-patterns according
to its source port or destination port.
pat_verb_level = [all|nbstuff|pkt]
is a debug feature. E.g. pat_msg and typ_msg print
messages relating to their respective classes.
ghost_ip = A.B.C.D
is default ip address of ip-stack. Packets are sent
using this address.
ghost_ether = xx[:-]xx[:-]xx[:-]xx[:-]xx[:-]xx
is default ethernet address of ip-stack used for arp
replies.
plugins = plugin_path1;plugin_path2;...;plugin_pathn
defines the paths of all the plugins.
pat_base = number
sets base used when printing numbers. Default is 10.
nbgethost_timeout = number
sets maximum timeout allowed when resolving hostnames
or ip addresses.
etheraddr_dec_walk = [true|false]
if true, prints ethernet addresses with a "-" instead
of a ":".
pat_pad_nbytes = number
defines number of bytes of pattern "pad". It is used
mainly as a debug feature to unalign packets (and test
implementations).
pat_pad_sub_pat = pat
defines the layer that pattern "pad" should serve.
Default is "ether".
xip_do_opts = [true|false]
tells xip to manage options. Note that it is also
configurable at packet level.
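Added example (not part of xip or this manual): a Python reader for the syntax described under "Syntax", which then checks a few values against the forms listed under "Variables" before a file is handed to xip. It assumes whitespace only separates tokens, "=" needs no surrounding spaces, backslash escapes also apply outside quotes, and "xx" in ghost_ether means two hex digits; all function names and the sample file are constructed.

```python
import re

ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}   # sequences the page names
EQ = object()                                  # an unquoted '=' token
TOKEN = re.compile(
    r'(?P<skip>\s+|#[^\n]*)'                   # whitespace or # comment
    r'|(?P<eq>=)'
    r'|(?P<word>(?:\\.|"(?:\\.|[^"\\])*"|[^\s="#\\])+)', re.S)

def unescape(m):
    # a bare quote is dropped; backslash-x becomes x (or newline, CR, tab)
    return ESCAPES.get(m[1], m[1]) if m[1] else ""

def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:                              # open quote or stray backslash
            raise ValueError(f"bad syntax at offset {pos}")
        if m.lastgroup == "eq":
            out.append(EQ)
        elif m.lastgroup == "word":
            out.append(re.sub(r'\\(.)|"', unescape, m[0], flags=re.S))
        pos = m.end()
    return out

def parse(text):
    """Read the token stream as repeated 'var = value' triples."""
    toks, conf = tokenize(text), {}
    for j in range(0, len(toks), 3):
        t = toks[j:j + 3]
        if len(t) != 3 or t[1] is not EQ or EQ in (t[0], t[2]):
            raise ValueError("expected var = value")
        conf[t[0]] = t[2]
    return conf

OCTET = r"(25[0-5]|2[0-4]\d|1?\d?\d)"
BOOL = re.compile(r"true|false").fullmatch
CHECKS = {"ghost_ip": re.compile(rf"{OCTET}(\.{OCTET}){{3}}").fullmatch,
          "ghost_ether": re.compile(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}").fullmatch,
          "pat_udp_perform_sum": BOOL, "xip_do_opts": BOOL}

def lint(conf):
    # names whose values do not match the documented form
    return sorted(k for k, v in conf.items() if k in CHECKS and not CHECKS[k](v))

SAMPLE = r'''# constructed sample, not a shipped .xiprc
ghost_ip = 10.0.0.300  ghost_ether=00-11-22-33-44-55
plugins = /opt/xip\ plugins/a.so;"/opt/b dir/b.so"
pat_udp_perform_sum = yes'''
```

lint(parse(SAMPLE)) reports ghost_ip and pat_udp_perform_sum; variables without an entry in CHECKS are parsed but not judged.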
ENVIRONMENT
The following variables affect the progress of the program. All of them are
debug variables.
XMG_VERB_LEVEL debugs Xmg part.
PAT_VERB_LEVEL debugs patterns part. See configuration variable
pat_verb_level.
XIP_VERB_LEVEL debugs xip part.
FILES
${HOME}/.xiprc is loaded and saved automatically.
Xip.ad or Xip is a resource file. Try xrdb -merge Xip.ad.
.pkt files describe packets in a portable and readable manner.
.pkc files describe packets collections.
.pkb files describe packets in a portable and binary manner (not
readable). This format is not mainly intended to be
used in files but mostly in network or pipe streams.
.dmp files are tcpdump files.
SIGNALS
SIGINT Controls flow from the controlling terminal.
Sometimes, the flow of packets is so fast we can't do
anything on the GUI as XWindow is busy. In such cases we
use SIGINT as an emergency option.
STATUS
A value of 0 means that everything was all right. A value of 1 means
that there was an error.
SEE ALSO
libpcap(3), tcpdump(8).
AUTHOR
Martin Gall (mgall@capmedia.fr)