Develop Reference

Pyshark - Determine protocol from IPV6

I am trying to obtain the protocol number from an IPV6 packet. Which one fo these fields do I have to use in order to achieve this.
print(cap[36].ipv6.field_names)
['version', 'ip_version', 'tclass', 'tclass_dscp', 'tclass_ecn', 'flow', 'plen', 'nxt', 'hlim', 'src', 'addr', 'src_host', 'host', 'dst', 'dst_host']

I'm unsure if this is the correct answer for your question. If it isn't please let me know and I will rework my answer.
capture = pyshark.FileCapture(pcap_file)
for packet in capture:
if hasattr(packet, 'ipv6') and hasattr(packet, 'tcp'):
source_address = packet.ipv6.src
source_port = packet[packet.transport_layer].srcport
print(f'TCP packet -- Source Address: {source_address} -- Source Port: {source_port}')
destination_address = packet.ipv6.dst
destination_port = packet[packet.transport_layer].dstport
print(f'TCP packet -- Destination Address: {destination_address } -- Destination Port: {destination_port }')
elif hasattr(packet, 'ipv6') and hasattr(packet, 'udp'):
source_address = packet.ipv6.src
source_port = packet[packet.transport_layer].srcport
print(f'UDP packet -- Source Address: {source_address} -- Source Port: {source_port}')
destination_address = packet.ipv6.dst
destination_port = packet[packet.transport_layer].dstport
print(f'UDP packet -- Destination Address: {destination_address} -- Destination Port: {destination_port}')
UPDATE:
I apologize for the delay in my response. Here is an updated answer, which hopefully solves the issue raised by Ron Maupin.
capture = pyshark.FileCapture(pcap_file)
for packet in capture:
if "IPV6" in str(packet.layers):
next_header_info = regex.findall(r'(Next Header:)\s(\w.+)\s(\W\d{0,3}\W)', str(packet.layers[1]))
print(next_header_info)
# Output
[('Next Header:', 'ICMPv6', '(58)')]
[('Next Header:', 'ICMPv6', '(58)')]
[('Next Header:', 'ICMPv6', '(58)')]
[('Next Header:', 'IPv6 Hop-by-Hop Option', '(0)'), ('Next Header:', 'ICMPv6', '(58)')]
[('Next Header:', 'ICMPv6', '(58)')]
[('Next Header:', 'UDP', '(17)')]
...truncated

How to parse DNS Question field with python raw sockets?

I'm trying to parse question field in a DNS packet where I can read domain and DNS response from a DNS server. I can extract a DNS header, but I'm having trouble to parse the question field because the size of the data is unknown.
I follow this example, but the part of extracting the question field is not working.
What I need is someone to show me the way to do it properly.
I have this code where everything is right...
This is my code:
#!/usr/bin/env python3
from socket import *
import struct
import binascii
def ethernet_frame(raw_data):
mac_dest, mac_src, protocol = struct.unpack('! 6s 6s H',
raw_data[:14])
return byte_to_hex_mac(mac_dest), byte_to_hex_mac(mac_src),
htons(protocol), raw_data[14:]
def byte_to_hex_mac(mac_bytes):
addr = binascii.hexlify(mac_bytes).decode("ascii")
return ":".join([addr[i:i+2] for i in range(0,12,2)])
def data_packet_udp(data):
tuple_data_udp = struct.unpack('! H H H H', data[:8])
port_src = tuple_data_udp[0]
port_dest = tuple_data_udp[1]
udp_len = tuple_data_udp[2]
udp_checksum = tuple_data_udp[3]
return port_src, port_dest, udp_len, udp_checksum, data[8:]
def data_packet_ipv4(data):
tuple_data_ipv4 = struct.unpack("!BBHHHBBH4s4s", data[:20])
version = tuple_data_ipv4[0]
header_len = version >> 4
type_service = tuple_data_ipv4[1]
length_total = tuple_data_ipv4[2]
identification = tuple_data_ipv4[3]
offset_fragment = tuple_data_ipv4[4]
ttl = tuple_data_ipv4[5]
protocols = tuple_data_ipv4[6]
checksum_header = tuple_data_ipv4[7]
ip_src = inet_ntoa(tuple_data_ipv4[8])
ip_dest = inet_ntoa(tuple_data_ipv4[9])
length_header_bytes = (version & 15) * 4
return version, header_len, type_service, + \
length_total, identification, offset_fragment, + \
ttl, protocols, checksum_header, ip_src, ip_dest,
data[length_header_bytes:]
def data_packet_dns(data):
tuple_data_dns = struct.unpack('!HHHHHH', data[:12])
identification = tuple_data_dns[0]
flags = tuple_data_dns[1]
number_queries = tuple_data_dns[2]
number_response = tuple_data_dns[3]
number_authority = tuple_data_dns[4]
number_additional = tuple_data_dns[5]
qr = (flags & 32768) != 0
opcode = (flags & 30720 ) >> 11
aa = (flags & 1024) != 0
tc = (flags & 512) != 0
rd = (flags & 256) != 0
ra = (flags & 128) != 0
z = (flags & 112) >> 4
rcode = flags & 15
return identification, flags, number_queries, number_response, + \
number_authority, number_additional, qr, opcode, aa, tc, + \
rd, ra, z, rcode
sock = socket(AF_PACKET, SOCK_RAW, ntohs(0x0003))
while True:
raw_dados, addr = sock.recvfrom(65536)
mac_dest, mac_src, protocol, payload = ethernet_frame(raw_dados)
if protocol == 8:
( version, header_len, type_service,
length_total, identification, offset_fragment,
ttl, protocols, checksum_header,
ip_src, ip_dest, data ) = data_packet_ipv4(payload)
if protocols == 17:
port_src, port_dest, udp_len, udp_checksum, data =
data_packet_udp(data)
print("--------- HEADER UDP ----------")
print("Port Source : {}".format(port_src))
print("Port Dest : {}".format(port_dest))
print("UDP Length : {}".format(udp_len))
print("UDP Checksum : {}\n".format(udp_checksum))
if port_src == 53 or port_dest == 53:
(identification, flags, number_queries, \
number_response,number_authority,number_additional, \
qr, opcode, aa, tc, rd, ra, z, rcode) = data_packet_dns(data)
print("\t--------- HEADER DNS ----------")
print("\tidentification : {}".format(identification))
print("\tFlags : {}".format(flags))
print("\tnumber_queries : {}".format(number_queries))
print("\tnumber_response : {}".format(number_response))
print("\tnumber_authority : {}".format(number_authority))
print("\tnumber_additional : {}".format(number_additional))
print("\tQr : {}".format(qr))
print("\tOpcode : {}".format(opcode))
print("\tAA : {}".format(aa))
print("\tTC : {}".format(tc))
print("\tRD : {}".format(rd))
print("\tRA : {}".format(ra))
print("\tZ : {}".format(z))
print("\tRCODE : {}".format(rcode))

struct.unpack changes program and distorts output?

I've written a function for scapy which helps dissecting a packet. The function receives a raw packet and returns the class needed to dissect the contained data. The function should work, yet it somehow returns the wrong classes. Now I tested something. I just added the line
struct.unpack("!B", packet)
at the beginning of the function, which actually does nothing, but - and that's what's strange to me - somehow this makes the function do what it's supposed to. How can this be? I've tested it multiple times. Without this one line at the beginning of the function it does not work properly, with this line, however, it behaves like it should, although the output seems a bit distorted and I don't know why either.
Output with the line. It's distorted, some lines are at the wrong place and some are even duplicated.
###[ Ethernet ]###
src = 00:30:de:09:c7:76
dst = ff:ff:ff:ff:ff:ff
type = 0x800
src = 00:30:de:09:c7:83
###[ IP ]###
type = 0x800 version = 4L
ihl = 5L
###[ IP ]###
tos = 0x0
version = 4L
len = 52
ihl = 5L
id = 312
tos = 0x0 flags = DF
frag = 0L
len = 52
ttl = 64
id = 91
proto = udp
flags = DF
frag = 0L
ttl = 64
proto = udp
chksum = 0xb52d
chksum = 0xb60b
src = 192.168.1.4
src = 192.168.1.3
dst = 192.168.1.255 dst = 192.168.1.255
\options \
\options \
###[ UDP ]###
###[ UDP ]### sport = 47808
dport = 47808
sport = 47808
len = 32
dport = 47808
chksum = 0x6cec
len = 32
###[ BVLC ]###
chksum = 0x79eb
type = 0x81
###[ BVLC ]###
function = ORIGINAL_BROADCAST_NPDU
type = 0x81
length = 24
function = ORIGINAL_BROADCAST_NPDU###[ NPDU ]###
version = 1
length = 24
control = 32L
###[ NPDU ]###
dnet = 65535
version = 1
dlen = 0 control = 32L
hopCount = 255
dnet = 65535
###[ APDU ]###
dlen = 0
pduType = UNCONFIRMED_SERVICE_REQUEST
hopCount = 255
reserved = None
###[ APDU ]###
serviceChoice= I_AM
pduType = UNCONFIRMED_SERVICE_REQUEST
\tagsField \
reserved = None
|###[ Raw ]###
serviceChoice= I_AM
| load = '\xc4\x02\t\xc7\x83"\x01\xe0\x91\x00!\xde'
\tagsField \
|###[ Raw ]###
| load = '\xc4\x02\t\xc7v"\x01\xe0\x91\x00!\xde'
Without the line the output looks like this, but the data is actually wrong. The Raw layer should actually be an APDU layer.
###[ Ethernet ]###
dst = ff:ff:ff:ff:ff:ff
src = 00:30:de:09:c7:83
type = 0x800
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = 52
id = 105
flags = DF
frag = 0L
ttl = 64
proto = udp
chksum = 0xb5fd
src = 192.168.1.3
dst = 192.168.1.255
\options \
###[ UDP ]###
sport = 47808
dport = 47808
len = 32
chksum = 0x6cec
###[ BVLC ]###
type = 0x81
function = ORIGINAL_BROADCAST_NPDU
length = 24
###[ NPDU ]###
version = 1
control = 32L
dnet = 65535
dlen = 0
hopCount = 255
###[ Raw ]###
load = '\x10\x00\xc4\x02\t\xc7\x83"\x01\xe0\x91\x00!\xde'
The function looks like this
def guessBACnetTagClass(packet, **kargs):
""" Returns the correct BACnetTag Class needed to dissect
the current tag
#type packet: binary string
#param packet: the current packet
#type cls: class
#return cls: the correct class for dissection
"""
struct.unpack("!B", packet) # <------ with this line it works
# Convert main tag Byte to binary format
tagByteBinary = "{0:08b}".format(int(struct.unpack("!B", packet[0])[0]))
# Extract information from main tag Byte
tagNumber = int(tagByteBinary[0:4], 2)
tagClass = BACnetTagClass.revDict()[int(tagByteBinary[4:5], 2)]
lengthValueType = int(tagByteBinary[5:8], 2)
# Tag is Application Tag
if tagClass == BACnetTagClass.APPLICATION:
clsName = BACnetApplicationTagClasses[tagNumber]
cls = globals()[clsName]
print cls
return cls(packet, **kargs)
# Tag is Context Specific Tag
if tagClass == BACnetTagClass.CONTEXT_SPECIFIC:
if lengthValueType == BACnetConstructedLVT.OPENING_TAG:
cls = BACnetTag_Opening
if lengthValueType == BACnetConstructedLVT.CLOSING_TAG:
cls = BACnetTag_Closing
# Check if a class was selected
if cls is not None:
print cls
return cls(packet, **kargs)
Does this make any sense? How can executing this one function change output this much?

Fragmented TCP message in Python

I have an application which read live SIP Packets and decode information in real time.
when packet is small UDP/TCP is able to get the information, but when packet is large, it arrives in different segments:
The following is an extract from Wireshark:
3 Reassembled TCP Segments (3331 bytes): #1(1448), #3(1448), #5(435)
Frame: 1, payload: 0-1447 (1448 bytes)
Frame: 3, payload: 1448-2895 (1448 bytes)
Frame: 5, payload: 2896-3330 (435 bytes)
Segment count: 3
Reassembled TCP length: 3331
My application believes there is a new SIP Packet for each fragment and fails to decode info.
How can I do this? I need to read the packet, assemble all sip message if fragmented and pass the info to my control module. This is my current code:
s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003))
while (True):
packet = s.recvfrom(65565)
#packet string from tuple
packet = packet[0]
#parse ethernet header
eth_length = 14
eth_header = packet[:eth_length]
eth = unpack('!6s6sH' , eth_header)
eth_protocol = socket.ntohs(eth[2])
if eth_protocol == 8 :
#Parse IP header
#take first 20 characters for the ip header
ip_header = packet[eth_length:20+eth_length]
#now unpack them :)
iph = unpack('!BBHHHBBH4s4s' , ip_header)
version_ihl = iph[0]
version = version_ihl >> 4
ihl = version_ihl & 0xF
iph_length = ihl * 4
ttl = iph[5]
protocol = iph[6]
s_addr = socket.inet_ntoa(iph[8]);
d_addr = socket.inet_ntoa(iph[9]);
#TCP protocol
if protocol == 6 :
t = iph_length + eth_length
tcp_header = packet[t:t+20]
#now unpack them :)
tcph = unpack('!HHLLBBHHH' , tcp_header)
source_port = tcph[0]
dest_port = tcph[1]
sequence = tcph[2]
acknowledgement = tcph[3]
doff_reserved = tcph[4]
tcph_length = doff_reserved >> 4
if dest_port == sipLocatorConfig.SIP_PORT:
print
logging.info("------------------------------------------------------SIP Packet detected------------------------------------------------------")
h_size = eth_length + iph_length + tcph_length * 4
data_size = len(packet) - h_size
#get data from the packet
data = packet[h_size:]
ipInfo = {}
ipInfo['protocol'] = protocol
ipInfo['s_addr'] = str(s_addr)
ipInfo['source_port'] = source_port
ipInfo['d_addr'] = str(d_addr)
ipInfo['dest_port'] = dest_port
processSipPacket(data,ipInfo)

I believe this is what I wrote bufsock for:
http://stromberg.dnsalias.org/~strombrg/bufsock.html
It allows you to say "give me all the data until the next null" or "give me the next 64 bytes" and similar things. It deals intelligently with fragmented and aggregated packets.
Unlike many such tools, it does not require that you have bufsock at both the producer and the consumer - you can use it fine on one end and not the other. It is a little bit like stdio for sockets, in python.
It works on CPython 2.x, CPython 3.x, Pypy, Pypy3 (which is still beta at this time) and Jython.

PySNMP can not recognize response

i am using the following simple script:
from pysnmp.entity.rfc3413.oneliner import cmdgen
errorIndication, errorStatus, errorIndex, \
varBindTable = cmdgen.CommandGenerator().bulkCmd(
cmdgen.CommunityData('test-agent', 'public'),
cmdgen.UdpTransportTarget(('IP.IP.IP.IP', 161)),
0,
1,
(1,3,6,1,2,1,4,24,4,1,2,169,254)
)
if errorIndication:
print errorIndication
else:
if errorStatus:
print '%s at %s\n' % (
errorStatus.prettyPrint(),
errorIndex and varBindTable[-1][int(errorIndex)-1] or '?'
)
else:
for varBindTableRow in varBindTable:
for name, val in varBindTableRow:
print '%s = %s' % (name.prettyPrint(), val.prettyPrint())
Using snmpwalk from command line to this device returns expected result. But
script returns No SNMP response received before timeout. If i omit this OID then everything works fine.
So the problem is in this OID
Here tcpdump stats:
/usr/sbin/tcpdump -nn -vv -s0 -A host HOST and udp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:15:31.494920 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 77) IP.IP.IP.IP.47911 > IP.IP.IP.IP.161: [bad udp cksum 4b7d!] { SNMPv2c { GetBulk(34) R=8993731 N=0 M=1 .1.3.6.1.2.1.4.24.4.1.2.169.254 } }
E..M..#.#.I..]<..]</.'...9.S0/.....public."....;.......0.0...+..........).~..
12:15:31.495666 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 98) IP.IP.IP.IP.161 > IP.IP.IP.IP.47911: [udp sum ok] { SNMPv2c { GetResponse(55) R=8993731 .1.3.6.1.2.1.4.24.4.1.2.169.254.0.0.0.0.255.255.0.0.0.0.0=[inetaddr len!=4]0.0.255.255.0.0.0.0 } }
E..b..#.#.I..]</.]<....'.N.\0D.....public.7....;.......0)0'..+..........).~.............#.........
12:15:32.500226 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 77) IP.IP.IP.IP.47911 > IP.IP.IP.IP.161: [bad udp cksum 4b7d!] { SNMPv2c { GetBulk(34) R=8993731 N=0 M=1 .1.3.6.1.2.1.4.24.4.1.2.169.254 } }
E..M..#.#.I..]<..]</.'...9.S0/.....public."....;.......0.0...+..........).~..
12:15:32.500624 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 98) IP.IP.IP.IP.161 > IP.IP.IP.IP.47911: [udp sum ok] { SNMPv2c { GetResponse(55) R=8993731 .1.3.6.1.2.1.4.24.4.1.2.169.254.0.0.0.0.255.255.0.0.0.0.0=[inetaddr len!=4]0.0.255.255.0.0.0.0 } }
E..b..#.#.I..]</.]<....'.N.\0D.....public.7....;.......0)0'..+..........).~.............#.........
As we can see, device returns response .1.3.6.1.2.1.4.24.4.1.2.169.254.0.0.0.0.255.255.0.0.0.0.0=[inetaddr len!=4]0.0.255.255.0.0.0.0, but nothing happens and pysnmp just continue to try the value of this OID again and again.. snmpwalk recognizes this response as IP ADDRESS 0.0.255.255
Can you guys help me? Thanks in advance and sorry my english.

Your SNMP Agent seems to produce broken SNMP messages. While IPv4 address is four-octets long, your Agent reports eight-octets value.
As per SNMP RFCs, pysnmp drops malformed SNMP messages and retries original request a few times in hope to get correct response.
To make pysnmp working with specifically malformed IP address values you could patch its IpAddress class at runtime to make it taking just the four leading octets from a possibly longer initializer:
>>> def ipAddressPrettyIn(self, value):
... return origIpAddressPrettyIn(self, value[:4])
...
>>> origIpAddressPrettyIn = v2c.IpAddress.prettyIn
>>> v2c.IpAddress.prettyIn = ipAddressPrettyIn
>>>
>>> msg, rest = decoder.decode(wholeMsg, asn1Spec=v2c.Message())
>>> print msg.prettyPrint()
Message:
version='version-2'
community=public
data=PDUs:
response=ResponsePDU:
request-id=6564368
error-status='noError'
error-index=0
variable-bindings=VarBindList:
VarBind:
name=1.3.6.1.2.1.4.24.4.1.2.169.254.0.0.0.0.255.255.0.0.0.0.0
=_BindValue:
value=ObjectSyntax:
application-wide=ApplicationSyntax:
ipAddress-value=0.0.255.255