I have achieved sniffing IP packets. I use the following code.
def print_summary(pkt):
print("SRC:", pkt[scapy.IP].src, "\t\tDEST:", pkt[scapy.IP].dst)
scapy.sniff( iface=interface, filter="ip", prn=print_summary)
If I try to ping a domain name say 'youtube.com' or open it using a web browser, how can I show the domain name using the above print_summary function. I have tried searching for what filters to use for dns but found nothing.
Okay, I get it now. What I did was to remove the filter argument altogether from the sniff() method.
scapy.sniff( iface=interface, prn=print_summary)
Then in the print_summary() function, I filtered according to the layer each packet had (IP or DNS).
def print_summary(pkt):
if scapy.IP in pkt:
print("SRC:", pkt[scapy.IP].src, "\t\tDEST:", pkt[scapy.IP].dst)
if scapy.DNS in pkt:
print("Domain:", pkt.[scapy.DNS].qd.qname.decode("utf-8"))
decode("utf-8") because the qname is a utf encoded byte string.
Related
I am using Scapy sniff function to track incoming traffic on local interface. I would like to isolate and print just specific packets. In order to do so, I have to match values in specific fields of TCP/UDP/IP headers. Is there detailed document that explains usage of Scapy sniff filters? How can I set filter to refer to some packet filed value?
For example, I would need filter that shows just and only SYN+ACK packets. For some reason this is not working as expected:
sniff(iface="Intel(R) Ethernet Connection (4) I219-LM",
filter="ip src x.x.x.x and tcp-syn !=0 and tcp-rst !=1",
prn=lambda x: x.summary)
The filter is written in standard BPF syntax, as documented here https://www.wireshark.org/docs/man-pages/pcap-filter.html
For your use case (only SYN-ACK packets), I think it would be something like this:
filter = "host x.x.x.x and (tcp[tcpflags] & (tcp-syn|tcp-ack)) == (tcp-syn|tcp-ack)"
sniff(iface="Intel(R) Ethernet Connection (4) I219-LM",
filter=filter, prn=lambda x: x.summary)
I am trying to filter packets of a particular website in Python (using Scapy). I have a list of possible IPs (used for load balancing) of the website. I want to filter packets for all those IPs. How can I do that?
For a single IP, I am using the following code:
bpf_filter = "ip and host " + addr
sniff(timeout=10, prn=pkt_callback, store=0)
Since you're using cBPF (classic BPF), the only way to filter a set of IP addresses is to list them all:
bpf_filter = "ip and ("
for addr in addresses[:-1]:
bpf_filter = "%shost %s or " % (bpf_filter, addr)
bpf_filter = "%shost %s)" % (bpf_filter, addresses[-1])
Which, for a set of IP addresses [10.0.0.1, 10.0.0.2, 10.0.0.3], will return:
ip and (host 10.0.0.1 or host 10.0.0.2 or host 10.0.0.3)
Note: You need at least one IP address in your set for the above to work.
Why is this a limitation of cBPF?
The filter expression you give Scapy is then compiled to BPF bytecode. BPF bytecode disallows backward jumps (and therefore loops). This restriction is a simple way to ensure the filter will eventually halt when executed in the kernel.
If backward jumps were allowed, you could write some smarter lookup through your set of IP addresses. You could for example store them in a hash table and check the packet against the hash table in O(1). This is actually possible with eBPF, which, as far as I know, isn't supported by Scapy yet.
I'm working on python, how can I receive a website address? I have tried but it doesn't work.
I have this:
import socket
socket.gethostbyname(name)
but nothing happens.
The gethostbyname(hostname) method translates a host name to an IPv4 address format. The IPv4 address is returned as a string.
So the argument for this method has to be a host name like "www.python.org". Assign a hostname for the 'name' variable in string format in your code.
Ex. name = "www.python.org"
Hope this helps!
I've been trying to figure out how to add an alias and IP address with a port as a response to a DNS query with the alias. I am running a simple DNS server written in Python, specifically https://gist.github.com/andreif/6069838
I've read that the alias and IP are normally pulled from the records or zone files but this server doesn't have any so I am unclear as to where they would be added were I to manually specify the alias and IP with a port. I've tried to manually write my DNS response only to realize that I am not sure where the alias and IP are being retrieved from. Also I'm not sure why but when I query the server with nslookup the server seems to also not pass the alias query because the qn variable seems to only hold the string 'server' and nothing else. The qn variable part is in the example below.
def dns_response(data):
request = DNSRecord.parse(data)
print request
reply = DNSRecord(DNSHeader(id=request.header.id, qr=1, aa=1, ra=1), q=request.q)
qname = request.q.qname
qn = str(qname)
qtype = request.q.qtype
qt = QTYPE[qtype]
TL;DR How do I add an alias and ip address with a port as a reply to an alias DNS query?
Edit: I've fixed the simple DNS program for Python 2.7.12, if you have a problem with it not receiving the QName remove the .strip() on the UDP request. Also make sure your domain name ends with '.' as in test.com. otherwise it will not find a match since it will be comparing "test.com" to "test.com.". Also change all of the reply.add_ns with reply.add_answer since the first function does not exist. If you are not receiving an A as a response for your query add reply.add_answer(RR(rname=qname, rtype=1,rclass=1, ttl=TTL, rdata=rdata)) the key change here is the Response type, rtype=1 indicates that it is an A response as opposed to a SOA or NS response. See www.zytrax.com/books/dns/ch15 for a detailed brake down of the DNS packet.
You can't - a standard DNS A or AAAA record doesn't contain a port number.
I have been toying with a few ideas and would like to use Netbios to do some checks on the network. So after some research decided pysmb's nmb.Netbios was a good place to start.
I have constructed a simple queryName function that I was hoping would return an ip address. But it seems after checking some wireshark pcap dumps it isnt even broadcasting.
Ive found an example in the pysmb docs but that doesnt seem to broadcast either. Below is my test function, any pointers would be appreciated.
from nmb.NetBIOS import NetBIOS
def queryNam(name):
n = NetBIOS(broadcast=True, listen_port=0)
ip = n.queryName(name, timeout=30)
return ip
name = "Computer-Name"
ip = queryNam(name)
print ip
I worked out the issue myself. Initially I wasnt using the correct computername as NetBios Broadcasts seem to broadcast the name in uppercase. I was presenting a lowercase so the system was not responding.
So supplying the value in uppercase resolved the problem. (Even though a hostname check on the client showed an Uppercase followed by lowercase characters.