I have following information for each packet I want to generate via Scapy, it is tcpdump output:
1509472682.813373 MAC1 > MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 64271, offset 0, flags [DF], proto TCP (6), length 60)
IP1.port1 > IP2.port2: Flags [S], cksum 0x4a0b (incorrect -> 0xe5b4), seq 1763588570, win 65535, options [mss 1460,sackOK,TS val 1098453 ecr 0,nop,wscale 6], length 0
I have generated TCP packets as follow, but when I check them via wireshark it seems that the Timestamp option is not set at all and Sack is not set as I have expected.
for r in (("mss","MSS"), ("sackOK","SAck"), ("nop","NOP"), ("TS ", "Timestamps "), ("val", "TSval"), ("ecr", "TSecr"), ("wscale","WScale")):
opt = opt.replace(*r)
opt=opt.split(",")
for op in opt:
op = op.split()
if len(op) == 2:
options.append((op[0],int(op[1])))
elif op[0] == "Timestamps": ## Need some modification, so that Scapy do not ignore it.
options.append((op[0],(int(op[2]),int(op[4]))))
elif op[0] == "SAck": ## How to set SAck option to be SAck Permitted?
options.append((op[0], ''))
else: # NOP
options.append((op[0], ()))
ip = ether/IP(src=ipsrc, dst=ipdst, len=ipLen, tos=frameTos, ttl=frameTtl, offset=frameOffset, id=frameId, flags=frameFlags, proto=protocol.lower())
if ack_n is None:
pkt = ip / TCP(sport=srcport, dport=dstport , flags=frameFlag, seq=int(seq_n), chksum=cksum, window=win, options=options) / secrets.token_bytes(frameLen-54)
else:
pkt = ip / TCP(sport=srcport, dport=dstport , flags=frameFlag, seq=int(seq_n), ack=ack_n, chksum=cksum, window=win, options=options) / secrets.token_bytes(frameLen-54)
pkt.time = frametime
wrpcap(output, pkt, append=True)
Here is what is passed to options field for the packet I have provided its info at the beginning:
[('MSS', 1460), ('SAck', ''), ('Timestamps', (1098453, 0)), ('NOP', ()), ('WScale', 6)]
But when I check the packet via Wireshark the Timestamps option is not set, it seems that Scapy has ignored it, and the SAck option is not set as I have expected.
Here is how this packet options field looks like in Wireshark:
Here is what I have expected it to be:
So the question here are:
How to set timestamps, so that the Scapy does not ignore it?
How to set SAck, so that it is marked as permitted.
Edit 1:
I have solved the problem with SAck, I should pass it as ('SAckOK', '')
Finally I have find what I have set wrong:
As I mentioned in my first edit, to set Selective Acknowledgment Permitted, I should pass option a tuple as ('SAckOK', '').
To set timestamp I should pass option a tuple as ('Timestamp', (1098453, 0)) in the inner tuple the first argument is Val and the second one is Ecr.
Related
I am trying to generate pcap file from a tcpdump output, how can I generate those packets having sequence number as first:last?
Here is what my tcpdump input looks like:
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
1509471560.944080 MAC1 > MAC2, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 23237, offset 0, flags [DF], proto TCP (6), length 60)
IP1.port > IP2.port: Flags [S], cksum 0x6d2f (incorrect -> 0x0b4a), seq 1127096708, win 65535, options [mss 1460,sackOK,TS val 817985 ecr 0,nop,wscale 6], length 0
1509471561.042855 MAC2 > MAC1, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 64, id 3107, offset 0, flags [none], proto TCP (6), length 44)
IP2.port > IP1.port: Flags [S.], cksum 0x85d8 (correct), seq 449984001, ack 1127096709, win 65535, options [mss 1460], length 0
1509471561.044008 MAC1 > MAC2, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 23238, offset 0, flags [DF], proto TCP (6), length 40)
IP1.port > IP2.port: Flags [.], cksum 0x6d1b (incorrect -> 0x9d95), seq 1, ack 1, win 65535, length 0
1509471561.046607 MAC1 > MAC2, ethertype IPv4 (0x0800), length 191: (tos 0x0, ttl 64, id 23239, offset 0, flags [DF], proto TCP (6), length 177)
IP1.port > IP2.port: Flags [P.], cksum 0x6da4 (incorrect -> 0x98df), seq 1:138, ack 1, win 65535, length 137
1509471914.089046 MAC1 > MAC2, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 54304, offset 0, flags [DF], proto UDP (17), length 68)
Following is the code I have prepared to process the TCP packets:
from scapy.all import *
import secrets
def generatePcapfromText(inputtxt,output):
with open (inputtxt,encoding='cp850') as input:
framenum=0
for line in input:
if line[0].isdigit(): # line one
framenum += 1
frametime=float(line[:16])
srcmac= line[18:34]
dstmac= line[38:54]
ethertype = int(line[line.find('(')+1:line.find(')')], 16)
frameLen=int(line[line.find('length')+7:line.find(': (')])
frameTos=int(line[line.find('tos')+4:line.find(', ttl')],16)
frameTtl=int(line[line.find('ttl')+4:line.find(', id')])
frameId=int(line[line.find('id')+3:line.find(', offset')])
frameOffset=line[line.find('offset')+7:line.find(', flags')]
frameFlags=line[line.find('[')+1:line.find(']')]
protocol = line[line.find('proto')+6:line.rfind('(')-1]
ipLen = int(line[line.rfind('length')+6:line.rfind(')')])
if frameFlags == "none":
frameFlags = ""
ether = Ether(dst=dstmac, src=srcmac, type=ethertype)
elif len(line)>5:
if line[5].isdigit(): # line two
srcinfo = line[4:line.find ( '>' )]
dstinfo = line[line.find ( '>' ) + 2:line.find ( ':' )]
ipsrc = srcinfo[:srcinfo.rfind ( '.' )]
ipdst = dstinfo[:dstinfo.rfind ( '.' )]
srcport = int(srcinfo[srcinfo.rfind ( '.' ) + 1:])
dstport = int(dstinfo[dstinfo.rfind ( '.' ) + 1:])
ip = ether/IP(src=ipsrc, dst=ipdst, len=frameLen, tos=frameTos, ttl=frameTtl, id=frameId, flags=frameFlags, proto=protocol.lower())
if protocol == "TCP":
frameFlag = line[line.find ( '[' ) + 1:line.find ( ']' )]
frameFlag=frameFlag.replace(".","A")
cksum = int(line[line.find ( 'cksum' ) + 6:line.find ( '(' )],16)
if ", ack" in line:
seq_n = line[line.find ( ', seq' ) + 6:line.find ( ', ack' )]
ack_n = int(line[line.find ( 'ack' ) + 4:line.find ( ', win' )])
else:
seq_n = line[line.find ( ', seq' ) + 6:line.find ( ', win' )]
ack_n = 0
if "options" in line:
win = int(line[line.find ( 'win' ) + 4:line.find ( ', options' )])
options= line[line.find ( 'options' ) + 8:line.find ( ', length' )]
else:
win = int(line[line.find ( 'win' ) + 4:line.find ( ', length' )])
options="[]"
pktlen = int(line[line.find ( ', length' ) + 9:])
if ":" in seq_n:
# ???
else:
pkt = ip / TCP(sport=srcport, dport=dstport , flags=frameFlag, seq=int(seq_n), ack=ack_n, chksum=cksum, window=win) / secrets.token_hex(pktlen)
pkt.time = frametime
wrpcap(output, pkt, append=True)
As TCP in Scapy need an integer for the sequence number I cannot pass it first:last as the sequence number, so It needs some modification which I am not familiar with as It is my first time working with Scapy. I have mark where this modification should be done via #??? in the code above.
For my purpose it is important that the packets have the same timestamp as the tcpdump input, so I have set the packet timestamp via pkt.time=timestamp.
PS: You can find history behind this question here.
According to the tcpdump manpage
The notation is first:last which means sequence numbers first up to but not including last
The first:last notation doesn't actually exist within the packet, therefore Scapy won't understand it. Tcpdump gives you this additional information based on the analysis of the TCP stream (and possible regrouping of the packets)
You should also note that your sequence numbers are probably relative, which means they don't really mean anything else than the order.
Using the first part of the number as a sequence number will probably be enough for your needs:
seq = int(seq_n.split(":")[0])
I want to send packet over Modbus TCP. I want to use:
But I can not send this way how can I send this packet? (I don't know something will be)
req = struct.pack(
'Something', transaction, identifier, length, unitid, func_code, reg_addr
)
These are my variables:
transaction=0x01
identifier=0x00
length=[0x00,0x06]
unitid=0x01
func_code=0x03
reg_addr=[0x13,0x14,0x15]
At first you can use pymodbus library with very features.
Also struct.pack() not support a list as argument.
0001 0000 0006 11 03 006B 0003 is a standard example of Modbus-TCP packet which contained:
0001: Transaction Identifier
0000: Protocol Identifier
0006: Message Length (6 bytes to follow)
11: The Unit Identifier (17 = 11 hex)
03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108-40001 = 107 =6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
Reference
Thus, you can create a Modbus-TCP packet with the above example:
import struct
transaction = 0x0001
identifier = 0x0000
length = 0x0006
unitid = 0x11
fcode = 0x03 # Holding register fcode.
reg_addr = 0x006B # Register address.
count = 0x0003 # Read three register.
total_pack_string = '0x{:04x}{:04x}{:04x}{:02x}{:02x}{:04x}{:04x}'.format(
transaction, identifier, length, unitid, fcode, reg_addr, count
)
total_pack_hex = hex(int(total_pack_string, 16))
'''Or with using pack method.'''
pack_ = struct.pack(
'>HHHBBHH', transaction, identifier, length, unitid, fcode, reg_addr, count
)
# Then send the pack_ or total_pack_hex using a TCP-Socket.
[NOTE]:
transaction is 2Byte == Short == H
identifier is 2Byte == Short == H
length is 2Byte == Short == H
unitid is 1Byte == B
fcode is 1Byte == B
reg_addr is 2Byte == Short == H
count is 2Byte == Short == H
B is unsigned byte
H is unsigned short
Thus, the format will be like this >HHHBBHH
Using pymodbus equivalent:
from pymodbus.client.sync import ModbusTcpClient
unitid = 0x11
fcode = 0x03 # Holding register fcode.
reg_addr = 0x006B # Register address.
count = 0x0003 # Read three register.
cli = ModbusTcpClient('127.0.0.1', port=502)
if cli.connect():
res = cli.read_holding_registers(reg_addr, count=count, unit=unitid)
if not res.isError():
print(res.registers)
else:
print('There is an error.')
cli.close()
else:
print('Error in connection.')
I have an application which read live SIP Packets and decode information in real time.
when packet is small UDP/TCP is able to get the information, but when packet is large, it arrives in different segments:
The following is an extract from Wireshark:
3 Reassembled TCP Segments (3331 bytes): #1(1448), #3(1448), #5(435)
Frame: 1, payload: 0-1447 (1448 bytes)
Frame: 3, payload: 1448-2895 (1448 bytes)
Frame: 5, payload: 2896-3330 (435 bytes)
Segment count: 3
Reassembled TCP length: 3331
My application believes there is a new SIP Packet for each fragment and fails to decode info.
How can I do this? I need to read the packet, assemble all sip message if fragmented and pass the info to my control module. This is my current code:
s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003))
while (True):
packet = s.recvfrom(65565)
#packet string from tuple
packet = packet[0]
#parse ethernet header
eth_length = 14
eth_header = packet[:eth_length]
eth = unpack('!6s6sH' , eth_header)
eth_protocol = socket.ntohs(eth[2])
if eth_protocol == 8 :
#Parse IP header
#take first 20 characters for the ip header
ip_header = packet[eth_length:20+eth_length]
#now unpack them :)
iph = unpack('!BBHHHBBH4s4s' , ip_header)
version_ihl = iph[0]
version = version_ihl >> 4
ihl = version_ihl & 0xF
iph_length = ihl * 4
ttl = iph[5]
protocol = iph[6]
s_addr = socket.inet_ntoa(iph[8]);
d_addr = socket.inet_ntoa(iph[9]);
#TCP protocol
if protocol == 6 :
t = iph_length + eth_length
tcp_header = packet[t:t+20]
#now unpack them :)
tcph = unpack('!HHLLBBHHH' , tcp_header)
source_port = tcph[0]
dest_port = tcph[1]
sequence = tcph[2]
acknowledgement = tcph[3]
doff_reserved = tcph[4]
tcph_length = doff_reserved >> 4
if dest_port == sipLocatorConfig.SIP_PORT:
print
logging.info("------------------------------------------------------SIP Packet detected------------------------------------------------------")
h_size = eth_length + iph_length + tcph_length * 4
data_size = len(packet) - h_size
#get data from the packet
data = packet[h_size:]
ipInfo = {}
ipInfo['protocol'] = protocol
ipInfo['s_addr'] = str(s_addr)
ipInfo['source_port'] = source_port
ipInfo['d_addr'] = str(d_addr)
ipInfo['dest_port'] = dest_port
processSipPacket(data,ipInfo)
I believe this is what I wrote bufsock for:
http://stromberg.dnsalias.org/~strombrg/bufsock.html
It allows you to say "give me all the data until the next null" or "give me the next 64 bytes" and similar things. It deals intelligently with fragmented and aggregated packets.
Unlike many such tools, it does not require that you have bufsock at both the producer and the consumer - you can use it fine on one end and not the other. It is a little bit like stdio for sockets, in python.
It works on CPython 2.x, CPython 3.x, Pypy, Pypy3 (which is still beta at this time) and Jython.
i am using the following simple script:
from pysnmp.entity.rfc3413.oneliner import cmdgen
errorIndication, errorStatus, errorIndex, \
varBindTable = cmdgen.CommandGenerator().bulkCmd(
cmdgen.CommunityData('test-agent', 'public'),
cmdgen.UdpTransportTarget(('IP.IP.IP.IP', 161)),
0,
1,
(1,3,6,1,2,1,4,24,4,1,2,169,254)
)
if errorIndication:
print errorIndication
else:
if errorStatus:
print '%s at %s\n' % (
errorStatus.prettyPrint(),
errorIndex and varBindTable[-1][int(errorIndex)-1] or '?'
)
else:
for varBindTableRow in varBindTable:
for name, val in varBindTableRow:
print '%s = %s' % (name.prettyPrint(), val.prettyPrint())
Using snmpwalk from command line to this device returns expected result. But
script returns No SNMP response received before timeout. If i omit this OID then everything works fine.
So the problem is in this OID
Here tcpdump stats:
/usr/sbin/tcpdump -nn -vv -s0 -A host HOST and udp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:15:31.494920 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 77) IP.IP.IP.IP.47911 > IP.IP.IP.IP.161: [bad udp cksum 4b7d!] { SNMPv2c { GetBulk(34) R=8993731 N=0 M=1 .1.3.6.1.2.1.4.24.4.1.2.169.254 } }
E..M..#.#.I..]<..]</.'...9.S0/.....public."....;.......0.0...+..........).~..
12:15:31.495666 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 98) IP.IP.IP.IP.161 > IP.IP.IP.IP.47911: [udp sum ok] { SNMPv2c { GetResponse(55) R=8993731 .1.3.6.1.2.1.4.24.4.1.2.169.254.0.0.0.0.255.255.0.0.0.0.0=[inetaddr len!=4]0.0.255.255.0.0.0.0 } }
E..b..#.#.I..]</.]<....'.N.\0D.....public.7....;.......0)0'..+..........).~.............#.........
12:15:32.500226 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 77) IP.IP.IP.IP.47911 > IP.IP.IP.IP.161: [bad udp cksum 4b7d!] { SNMPv2c { GetBulk(34) R=8993731 N=0 M=1 .1.3.6.1.2.1.4.24.4.1.2.169.254 } }
E..M..#.#.I..]<..]</.'...9.S0/.....public."....;.......0.0...+..........).~..
12:15:32.500624 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 98) IP.IP.IP.IP.161 > IP.IP.IP.IP.47911: [udp sum ok] { SNMPv2c { GetResponse(55) R=8993731 .1.3.6.1.2.1.4.24.4.1.2.169.254.0.0.0.0.255.255.0.0.0.0.0=[inetaddr len!=4]0.0.255.255.0.0.0.0 } }
E..b..#.#.I..]</.]<....'.N.\0D.....public.7....;.......0)0'..+..........).~.............#.........
As we can see, device returns response .1.3.6.1.2.1.4.24.4.1.2.169.254.0.0.0.0.255.255.0.0.0.0.0=[inetaddr len!=4]0.0.255.255.0.0.0.0, but nothing happens and pysnmp just continue to try the value of this OID again and again.. snmpwalk recognizes this response as IP ADDRESS 0.0.255.255
Can you guys help me? Thanks in advance and sorry my english.
Your SNMP Agent seems to produce broken SNMP messages. While IPv4 address is four-octets long, your Agent reports eight-octets value.
As per SNMP RFCs, pysnmp drops malformed SNMP messages and retries original request a few times in hope to get correct response.
To make pysnmp working with specifically malformed IP address values you could patch its IpAddress class at runtime to make it taking just the four leading octets from a possibly longer initializer:
>>> def ipAddressPrettyIn(self, value):
... return origIpAddressPrettyIn(self, value[:4])
...
>>> origIpAddressPrettyIn = v2c.IpAddress.prettyIn
>>> v2c.IpAddress.prettyIn = ipAddressPrettyIn
>>>
>>> msg, rest = decoder.decode(wholeMsg, asn1Spec=v2c.Message())
>>> print msg.prettyPrint()
Message:
version='version-2'
community=public
data=PDUs:
response=ResponsePDU:
request-id=6564368
error-status='noError'
error-index=0
variable-bindings=VarBindList:
VarBind:
name=1.3.6.1.2.1.4.24.4.1.2.169.254.0.0.0.0.255.255.0.0.0.0.0
=_BindValue:
value=ObjectSyntax:
application-wide=ApplicationSyntax:
ipAddress-value=0.0.255.255
I'd like to make a very simple text (.txt) file. This python program needs to make a list of multiple ranges of IPs in a subnet, each taking up one line.
Example:
10.10.27.1
10.10.27.5
10.10.27.6
10.10.27.26
10.10.27.27
10.10.27.28
10.10.27.29
10.10.27.51
10.10.27.52
10.10.27.53
10.10.27.54
The subnet mask will essentially always be a /24, so providing mask input is not necessary. The program can even default to only supporting a standard class C.
Also, I'd like to support common ranges for devices that we use. A prompt for say, "Printers?" will include .26 - .30. "Servers?" will include .5 - .7. "DHCP?" prompt always will include .51 - .100 of the subnet. "Abnormal?" will include .100 - .254.
Subnet? 10.10.27.1
Servers? Y
Printers? Y
DHCP? Y
Abnormal? N
Output being:
10.10.27.1
10.10.27.5
10.10.27.6
10.10.27.7
10.10.27.26
10.10.27.27
10.10.27.28
10.10.27.29
10.10.27.30
10.10.27.51 (all the way to .100)
What is the best way to code this?
It looks like a few for loops are all you need:
network = '10.10.27'
for host in xrange(100, 255):
print("{network}.{host}".format(**locals()))
I would keep the script simple, just output all addresses as needed :)
def yesno(question):
output = input(question).lower()
if output == 'y':
return True
elif output == 'n':
return False
else:
print '%r is not a valid response, only "y" and "n" are allowed.' % output
return yesno(question)
addresses = []
subnet = input('Subnet? ')
# Remove the last digit and replace it with a %d for formatting later
subnet, address = subnet.rsplit('.', 1)
subnet += '%d'
addresses.append(int(address))
if yesno('Servers? '):
addresses += range(5, 8)
if yesno('Printers? '):
addresses += range(26, 31)
if yesno('DHCP? '):
addresses += range(51, 101)
if yesno('Abnormal? '):
addresses += range(100, 255)
for address in addresses:
print subnet % address
Here is a quick little script I threw together...
import socket
import sys
ranges = {'servers':(5, 8), 'printers':(26, 31), 'dhcp':(51, 101), 'abnormal':(101, 256)}
subnet = raw_input("Subnet? ")
try:
socket.inet_aton(subnet)
except socket.error:
print "Not a valid subnet"
sys.exit(1)
ip_parts = subnet.split(".")
if len(ip_parts) < 3:
print "Need at least three octets"
sys.exit(1)
ip_parts = ip_parts[:3]
ip = ".".join(ip_parts)
include_groups = []
last_octets = []
servers = raw_input("Servers? ")
printers = raw_input("Printers? ")
dhcp = raw_input("DHCP? ")
abnormal = raw_input("Abnormal? ")
if servers == "Y":
include_groups.append('servers')
if printers == "Y":
include_groups.append('printers')
if dhcp == "Y":
include_groups.append('dhcp')
if abnormal == "Y":
include_groups.append('abnormal')
for group in include_groups:
last_octets.extend([x for x in xrange(ranges[group][0], ranges[group][1])])
print "%s.1" %(ip)
for octet in last_octets:
print "%s.%s" %(ip, octet)