Develop Reference

Values ​assigned in the Scapy parameters

How can I find out what number is assigned to a specific value in any parameter in the IP Protocol or any other Protocol?
If I set a value:
a=IP(proto=73)
I get:
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
**proto= rspf**
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
\options\
If I set another value:
a=IP(proto=12)
I get:
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= pup
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
\options\
and so on.
Some number is assigned to a value in some parameter of the package. At the moment, I'm listing every number from 1 to 100 to see what's hidden there, but it's a very long and painful process.
How to see which numbers are assigned to values?
Thanks.

scapy loads the protocol list from your system
definition of the proto field in scapy:
https://github.com/secdev/scapy/blob/master/scapy/layers/inet.py#L466
it is define as:
ByteEnumField("proto", 0, IP_PROTOS),
definition of IP_PROTOS:
https://github.com/secdev/scapy/blob/bfd9c52af61978ac872d3c0bf5eef81168d88ca9/scapy/data.py#L476
for win:
IP_PROTOS = load_protocols(os.environ["SystemRoot"] + "\\system32\\drivers\\etc\\protocol") # noqa: E501
for linux:
IP_PROTOS = load_protocols("/etc/protocols")
now, I have linux system, so for me it looks like that:
cat /etc/protocols
# Internet (IP) protocols
#
# Updated from http://www.iana.org/assignments/protocol-numbers and other
# sources.
# New protocols will be added on request if they have been officially
# assigned by IANA and are not historical.
# If you need a huge list of used numbers please install the nmap package.
ip 0 IP # internet protocol, pseudo protocol number
hopopt 0 HOPOPT # IPv6 Hop-by-Hop Option [RFC1883]
icmp 1 ICMP # internet control message protocol
igmp 2 IGMP # Internet Group Management
ggp 3 GGP # gateway-gateway protocol
ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')
st 5 ST # ST datagram mode
tcp 6 TCP # transmission control protocol
egp 8 EGP # exterior gateway protocol
igp 9 IGP # any private interior gateway (Cisco)
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # user datagram protocol
hmp 20 HMP # host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
iso-tp4 29 ISO-TP4 # ISO Transport Protocol class 4 [RFC905]
dccp 33 DCCP # Datagram Congestion Control Prot. [RFC4340]
xtp 36 XTP # Xpress Transfer Protocol
ddp 37 DDP # Datagram Delivery Protocol
idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport
ipv6 41 IPv6 # Internet Protocol, version 6
ipv6-route 43 IPv6-Route # Routing Header for IPv6
ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
idrp 45 IDRP # Inter-Domain Routing Protocol
rsvp 46 RSVP # Reservation Protocol
gre 47 GRE # General Routing Encapsulation
esp 50 IPSEC-ESP # Encap Security Payload [RFC2406]
ah 51 IPSEC-AH # Authentication Header [RFC2402]
skip 57 SKIP # SKIP
ipv6-icmp 58 IPv6-ICMP # ICMP for IPv6
ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6
ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
rspf 73 RSPF CPHB # Radio Shortest Path First (officially CPHB)
vmtp 81 VMTP # Versatile Message Transport
eigrp 88 EIGRP # Enhanced Interior Routing Protocol (Cisco)
ospf 89 OSPFIGP # Open Shortest Path First IGP
ax.25 93 AX.25 # AX.25 frames
ipip 94 IPIP # IP-within-IP Encapsulation Protocol
etherip 97 ETHERIP # Ethernet-within-IP Encapsulation [RFC3378]
encap 98 ENCAP # Yet Another IP encapsulation [RFC1241]
# 99 # any private encryption scheme
pim 103 PIM # Protocol Independent Multicast
ipcomp 108 IPCOMP # IP Payload Compression Protocol
vrrp 112 VRRP # Virtual Router Redundancy Protocol [RFC5798]
l2tp 115 L2TP # Layer Two Tunneling Protocol [RFC2661]
isis 124 ISIS # IS-IS over IPv4
sctp 132 SCTP # Stream Control Transmission Protocol
fc 133 FC # Fibre Channel
mobility-header 135 Mobility-Header # Mobility Support for IPv6 [RFC3775]
udplite 136 UDPLite # UDP-Lite [RFC3828]
mpls-in-ip 137 MPLS-in-IP # MPLS-in-IP [RFC4023]
manet 138 # MANET Protocols [RFC5498]
hip 139 HIP # Host Identity Protocol
shim6 140 Shim6 # Shim6 Protocol [RFC5533]
wesp 141 WESP # Wrapped Encapsulating Security Payload
rohc 142 ROHC # Robust Header Compression
Those protocol are well defined and standard, I am expecting a windows system to have very similar list.
that somewhat matches that one: https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

Setting up BGP Layer Using Scapy

I am trying to use Scapy to send packets that have a BGP layer
I am currently stuck on a rudimentary part of this problem because I am unable to set up the BGP layer. I followed the instructions to set up the regular IP and TCP Layer.
Eg:
>>a=IP(src="192.168.1.1",dst="192.168.1.2")/TCP(sport=179,dport=50)
But the problem arises when I do this:
>>a=a/BGP()
NameError: name BGP is not defined
I have seen the BGP implementations in the contrib file from Scapy Github (https://github.com/secdev/scapy/blob/9201f1cf1318edd5768d7e2ee968b7fba0a24c5e/scapy/contrib/bgp.py) so I think Scapy does support BGP implementations
I am new to networking so I was wondering if you could help me set up the BGP layer
Thanks for taking the time to read this!

We want a BGP Layer using scapy. As BGP travels over TCP. So we must have a established (3 way handshake) tcp socket. And TCP travels over IP. Thus we can represent full packet in the below format.
packet = IP Layer / TCP Layer / BGP Layer
But BGP itself is divided in two parts, BGP Header and BGP Payload (EG: OPEN, UPDATE, etc ). So the above layer is represented as given below.
packet = IP Layer / TCP Layer / BGP Header / BGP payload
Here BGP Header specifies authentication, length and type of BGP Payload.To represent whole thing in scapy, we can do the following excercise. (I am assuming here that you have an established TCP socket.)
from scapy.layers.inet import IP, TCP
from scapy.contrib.bgp import BGPHeader, BGPUpdate, BGPPathAttr, BGPNLRI_IPv4, BGPPALocalPref
base = IP(src=src_ipv4_addr, dst=dst_ipv4_addr, proto=6, ttl=255) # proto=6 represents that, TCP will be travelling above this layer. This is simple IPV4 communication.
tcp = TCP(sport=established_port, dport=179, seq=current_seq_num, ack=expected_seq_num, flags='PA') # dport=179 means, we are communicating with bgp port of the destination router/ host. sport is a random port over which tcp is established. seq and ack are the sequence number and acknowledgement numbers. flags = PA are the PUSH and ACK flags.
hdr = BGPHeader(type=2, marker=0xffffffffffffffffffffffffffffffff) # type=2 means UPDATE packet will be the BGP Payload, marker field is for authentication. max hex int (all f) are used for no auth.
up = BGPUpdate(path_attr=[BGPPathAttr(type_flags=64, type_code=5, attribute=BGPPALocalPref(local_pref=100))], nlri=BGPNLRI_IPv4(prefix=NLRI_PREFIX)) # update packet consist of path attributes and NLRI (Network layer reachability information), type_code in path attributes is for which type of path attribute it is. [more][3]
packet = base / tcp / hdr / up
packet.show2()
Using the following variable values (for example purpose).
src_ipv4_addr = '10.110.99.2' # eth0
dst_ipv4_addr = '10.110.99.50'
established_port = 1223
expected_seq_num=1000 # ack
current_seq_num=1500 # seq
NLRI_PREFIX = '10.110.99.0/24'
Output will be following.
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 74
id = 1
flags =
frag = 0
ttl = 255
proto = tcp
chksum = 0xe09c
src = 10.110.99.2
dst = 10.110.99.50
\options \
###[ TCP ]###
sport = 1223
dport = bgp
seq = 1500
ack = 1000
dataofs = 5
reserved = 0
flags = PA
window = 8192
chksum = 0x102d
urgptr = 0
options = []
###[ HEADER ]###
marker = 0xffffffffffffffffffffffffffffffff
len = 34
type = UPDATE
###[ UPDATE ]###
withdrawn_routes_len= 0
\withdrawn_routes\
path_attr_len= 7
\path_attr \
|###[ BGPPathAttr ]###
| type_flags= Transitive
| type_code = LOCAL_PREF
| attr_len = 4
| \attribute \
| |###[ LOCAL_PREF ]###
| | local_pref= 100
\nlri \
|###[ IPv4 NLRI ]###
| prefix = 10.110.99.0/24

Just going to try and help here. I have zero experience with BGP type packets, but... I copied the bgp.py file from the link you provided into scapy/layers. Using ls() I found the following:
BGPAuthenticationData : BGP Authentication Data
BGPErrorSubcodes : BGP Error Subcodes
BGPHeader : BGP header
BGPNotification : BGP Notification fields
BGPOpen : BGP Open Header
BGPOptionalParameter : BGP Optional Parameters
BGPPathAttribute : BGP Attribute fields
BGPUpdate : BGP Update fields
I could then use say ls(BGPUpdate) to show this:
withdrawn_len : ShortField = (None)
withdrawn : FieldListField = ([])
tp_len : ShortField = (None)
total_path : PacketListField = ([])
nlri : FieldListField = ([])
and was able to create this packet:
pkt = pkt = IP()/TCP()/BGPUpdate()
pkt.show()
###[ IP ]###
version = 4
ihl = None
tos = 0x0
len = None
id = 1
flags =
frag = 0
ttl = 64
proto = tcp
chksum = None
src = 127.0.0.1
dst = 127.0.0.1
\options \
###[ TCP ]###
sport = ftp_data
dport = http
seq = 0
ack = 0
dataofs = None
reserved = 0
flags = S
window = 8192
chksum = None
urgptr = 0
options = {}
###[ BGP Update fields ]###
withdrawn_len= None
withdrawn = []
tp_len = None
\total_path\
nlri = []
I'm not sure what all of the different types of BGP layers/packets are used for or where the Communities Number would be set. Possibly in BGPPathAttribute(type=x). Type 5 is "LOCAL_PREF" which may correspond to Community Values. Try this Link.
pkt = BGPPathAttribute(type=5)
pkt.show()
###[ BGP Attribute fields ]###
flags = Transitive
type = LOCAL_PREF
attr_len = None
value = ''
Anyway, hope that helps a little.
Edit:
Forgot. I also added "bgp" to the load_layers section of scapy/config.py. Line 373. Like this:
load_layers = ["l2", "inet", "dhcp", "dns", "dot11", "gprs", "hsrp", "inet6", "ir", "isakmp", "l2tp",
"mgcp", "mobileip", "netbios", "netflow", "ntp", "ppp", "radius", "rip", "rtp",
"sebek", "skinny", "smb", "snmp", "tftp", "x509", "bluetooth", "dhcp6", "llmnr", "sctp", "vrrp",
"ipsec","bgp"]

scapy 3-way hand shake not work

I want to use scapy to do tcp 3-way hand shake, my code is below:
from scapy.all import *
# VARIABLES
src = sys.argv[1]
dst = sys.argv[2]
sport = random.randint(20000,65535)
dport = int(sys.argv[3])
print src
print dst
print sport
print dport
# SYN
ip=IP(src=src,dst=dst)
SYN=TCP(sport=sport,dport=dport,flags='S',seq=1000)
SYNACK=sr1(ip/SYN)
SYN.show()
SYNACK.show()
# ACK
seq=SYNACK.ack + 1
ack=SYNACK.seq + 1
print seq
print ack
ACK=TCP(sport=sport, dport=dport, flags='A', seq=seq, ack=ack)
sr1(ip/ACK)
ACK.show()
exec command:
python 3WSK.py 10.16.11.21 10.11.157.130 26789
And the SYNACK result is below:
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = 44
id = 0
flags = DF
frag = 0L
ttl = 60
proto = tcp
chksum = 0x821a
src = 10.11.157.130
dst = 10.16.11.21
\options \
###[ TCP ]###
sport = 26789
dport = 35067
seq = 1918207620
ack = 1001
dataofs = 6L
reserved = 0L
flags = SA
window = 5840
chksum = 0xd630
urgptr = 0
options = [('MSS', 1460)]
###[ Padding ]###
load = '\x00\x00'
but my tcp server not log any thing.
for test:
I use telnet 10.11.157.130 26789 to connect my tcp server, then my tcp server can log something like: "INFO l.t.TcpServer - in, /10.16.11.21:34906"
So, I`m not sure my scapy code is connect successful or not, I also want to know
how to validate whether tcp connect is work or not. thanks

Check if you see a RST being sent from your os when the SYN+ACK arrives. If so have a look at this answer and drop the RST with iptables:
iptables -A OUTPUT -p tcp --tcp-flags RST RST -s <your_ip> -j DROP
If thats not the case have a look at this gist which works fine for me.

Parse and print from related group of data

Within a file (example data below) there are groups of similar output in which we search for specific text in a line. Within each group of text, if the issuerID and subjectID are both present, print those two items along with the sourceIP and destIP. If not, skip and move on to the next. The code below works, but I am looking to add logic to only print the desired information if the issuerID and subjectID are a match.
Here is the current iteration of the script.
#!/usr/bin/python
import re
sourceIP = 'Source IP:'
destIP = 'Destination IP:'
issuerID = 'Issuer ID:'
subjectID = 'Subject ID:'
for line in open('data.txt', 'r'):
line = line.strip()
if line.startswith(sourceIP):
sourceIPline = line
elif line.startswith(destIP):
destIPline = line
elif line and line.startswith(issuerID):
issuerDomain = re.search("www[\w.com]+", line)
elif line and line.startswith(subjectID):
subjectDomain = re.search("www[\w.net]+", line)
print (sourceIPline)
print (destIPline)
print issuerDomain.group()
print subjectDomain.group()
print
If I run the code with the data-set below which a value doesn't meet meet the criteria, I get an error. I would prefer this group is ignored and move on.
$ ./dparser.py
Source IP: 10.0.0.126
Destination IP: 8.8.8.8
www.domain.com
www.domain.net
Source IP: 10.0.0.126
Destination IP: 8.8.4.4
www.domain2.com
Traceback (most recent call last):
File "./dparser.py", line 22, in <module>
print subjectDomain.group()
AttributeError: 'NoneType' object has no attribute 'group'
Here is a sample data-set with two groups.
-------------------------------
Template ID is 45841
Application Label: 443
Source IP: 10.0.0.126
Destination IP: 8.8.8.8
Source Port: 38946
Dest Port: 443
flowStartTime: 2013-12-30 20:20:21
flowEndTime: 2013-12-30 20:21:37
flowEndReason: 3
Protocol: 6
Octet Total Count: 8497
Rev Octet count: 28802
Packet Total Count: 30
Rev Packet Total Count: 32
TCP Sequence Number: 561150853
Initial TCP Flags: S
Union TCP Flags: APF
Reverse TCP Sequence Number: 4118697381
Reverse Initial TCP Flags: AS
Reverse Union TCP Flags: APF
SSL Server Cipher: 49171
-- X.509 Cert 0 (v.2) ---
Issuer ID: 3 Val: www.domain.com
Subject ID: 3 Val: www.domain.net
Valid Not Before: 131015000000Z
Not Valid After: 140211235959Z
Public Key Length: 0
--- End of Cert 0 ---
-------------------------------
Template ID is 45841
Application Label: 443
Source IP: 10.0.0.126
Destination IP: 8.8.4.4
Source Port: 42529
Dest Port: 443
flowStartTime: 2013-12-30 20:20:22
flowEndTime: 2013-12-30 20:21:37
flowEndReason: 3
Protocol: 6
Octet Total Count: 8341
Rev Octet count: 26678
Packet Total Count: 27
Rev Packet Total Count: 30
TCP Sequence Number: 3052048930
Initial TCP Flags: S
Union TCP Flags: APF
Reverse TCP Sequence Number: 101975511
Reverse Initial TCP Flags: AS
Reverse Union TCP Flags: APF
SSL Server Cipher: 49171
-- X.509 Cert 0 (v.2) ---
Issuer ID: 3 Val: www.domain2.com
Subject ID: 3 Val: Some Subject
Valid Not Before: 130727000000Z
Not Valid After: 140118000000Z
Public Key Length: 0
--- End of Cert 0 ---

You need to validate your regex found something. In this case the second data set does not have a domain but instead says "Some Subject".
You want something like:
if subjectDomain:
print subjectDomain.group()
else:
print line # whatever you want here...
Also, your regex is not defined correctly anyways. The [] symbols make a group of things to check. You really want r'www.\w+.com' otherwise you are allowing 'wwwww' and 'www.w.w'.

increase tcp receive window on linux

Similar to Setting TCP receive window in C and working with tcpdump in Linux and Why changing value of SO_RCVBUF doesn't work?, I'm a unable to increase the initial tcp receive window greater than 5888 on ubuntu linux 2.6.32-45
#!/usr/bin/python
from socket import socket, SOL_SOCKET, SO_RCVBUF, TCP_WINDOW_CLAMP
sock = socket()
sock.setsockopt(SOL_SOCKET, SO_RCVBUF, 65536)
sock.setsockopt(SOL_SOCKET, TCP_WINDOW_CLAMP, 32768)
sock.connect(('google.com', 80))
tcpdump says:
me > google: Flags [S], seq 3758517838, win 5840, options [mss 1460,sackOK,TS val 879735044 ecr 0,nop,wscale 6], length 0
google > me: Flags [S.], seq 597037042, ack 3758517839, win 62392, options [mss 1430,sackOK,TS val 541301157 ecr 879735044,nop,wscale 6], length 0
me > google: Flags [.], ack 1, win 92, options [nop,nop,TS val 879735051 ecr 541301157], length 0
sysctl -a | grep net.*mem says:
net.core.wmem_max = 131071
net.core.rmem_max = 131071
net.core.wmem_default = 112640
net.core.rmem_default = 112640
net.core.optmem_max = 10240
net.ipv4.igmp_max_memberships = 20
net.ipv4.tcp_mem = 77376 103168 154752
net.ipv4.tcp_wmem = 4096 16384 3301376
net.ipv4.tcp_rmem = 4096 87380 3301376
net.ipv4.udp_mem = 77376 103168 154752
net.ipv4.udp_rmem_min = 4096
net.ipv4.udp_wmem_min = 4096
Could there be something else putting a receive window limit on my connection?

That looks like the effects of TCP slow-start. This kernel thread from 2008 offers up a good explanation (I've linked to the last response in the thread):
SO_RCVBUF doesn't change receiver advertised window
If you keep watching the stream, the window size should increase, up to the maximum you set.