After asking this, I just wanted to make a simple test. I captured a traffic using tcpdump. Filtered out a TCP ACK packet in Wireshark and exported the filtered packet to sample.pcap.
Now this is pretty much my code for TCP checksum recalculation:
from scapy.all import *
ack_pkt = sniff(offline="sample.pcap", count=1)[0]
print "Original:\t", ack_pkt[TCP].chksum
del ack_pkt[TCP].chksum
print "Deleted:\t", ack_pkt[TCP].chksum
ack_pkt[TCP]=ack_pkt[TCP].__class__(str(ack_pkt[TCP]))
print "Recalculated:\t", ack_pkt[TCP].chksum
The output I'm getting is:
WARNING: No route found for IPv6 destination :: (no default route?)
Original: 30805
Deleted: None
Recalculated: 55452
Is the checksum recalculation process is correct or is there something else to recalculate the checksum? Since scapy is being used widely for a long time, I guess, there is something wrong in my checksum recalculation.
Updated with packet information: (Ethernet header is not shown for a better view.)
To view the packet in hex string:
from binascii import hexlify as hex2
ack_pkt = sniff(offline="sample.pcap", count=1)[0]
print ack_pkt.chksum, ack_pkt[TCP].chksum
print hex2(str(ack_pkt[IP]))
del ack_pkt.chksum
del ack_pkt[TCP].chksum
print ack_pkt.chksum, ack_pkt[TCP].chksum
print hex2(str(ack_pkt[IP]))
ack_pkt=ack_pkt.__class__(str(ack_pkt))
print ack_pkt.chksum, ack_pkt[TCP].chksum
print hex2(str(ack_pkt[IP]))
ack_pkt[TCP].chksum=0
print hex2(str(ack_pkt[IP]))
And the output I get is:
26317 30805
450000345bc840004006*66cd*0e8b864067297c3a0016a2b9f11ddc3fe61e9a8d801000f7*7855*00000101080a47e8a8af0b323857
None None
450000345bc840004006*66cd*0e8b864067297c3a0016a2b9f11ddc3fe61e9a8d801000f7*d89c*00000101080a47e8a8af0b323857
26317 55452
450000345bc840004006*66cd*0e8b864067297c3a0016a2b9f11ddc3fe61e9a8d801000f7*d89c*00000101080a47e8a8af0b323857
450000345bc840004006*66cd*0e8b864067297c3a0016a2b9f11ddc3fe61e9a8d801000f7*0000*00000101080a47e8a8af0b323857
(* is only for marking the checksum bytes.)
Isn't it strange? After deleting the checksum, when I put a ack_pkt.show(), I see both checksum fields are None. But while converting to hex-string, is it been recalculated?
ack_pkt[TCP].chksum=0 with this, the recalculated checksum comes 0 only.
Note:
I've tried with ack_pkt[TCP].show2() and I'm getting the same value as I'm getting above.
1) Did you try to copy a complete packet, not just its TCP part:
ack_pkt=ack_pkt.__class__(str(ack_pkt))
2) Did you try the following approach, explicitly converting the packet to a string and recreating it using the string?
3) If none of the above works, please post the TCP ACK packet you are working with
I tried a manual checksum recalculation both with python and C (with libpcap) by following one's compliment of one's compliment sum and I'm getting the same value as scapy gets for the mentioned packet. So I guess the checksum calculation in linux-kernel is modified somehow.
(It's better to say one guy is wrong rather than saying all other 3 were wrong. :P)
Related
I am using srp1() of Scapy to replay pcap file to a device as follows:
for p in rdpcap(pcapfile):
...
rcv = srp1(p, 'eth0')
print rcv[IP].len
print rcv[TCP].seq
...
When the device sends 1 packet I can get its IP.len and TCP.seq, but when it sends 2 packets, I can get only the information of the first packet while I need the information of the second one.
Where did I go wrong?
Both Scapy's user manual and Scapy's API documentation state that srp1() is a variant of srp() that returns just the first packet that constitutes an answer for the sent packet/s.
Therefore, try using srp() instead of srp1(), as follows:
for p in rdpcap(pcapfile):
...
answers, unanswered = srp(p, 'eth0')
last_request, last_answer = answers[-1]
print last_answer[IP].len
print last_answer[TCP].seq
...
i am new to python. I have some experience with Pascal and a little bit with C++.
At the moment i have to program some code for a research project demonstrator.
The setup is as follows:
We have a 868MHz radio master device. i can communicate with this device via a USB port (COM4 at the moment but may change in the future).
The 868MHz master communicates with a slave unit. The slave unit replies with a message that i can read from the USB port.
Until this point everything works good. I request data packages and also receive them.
From the moment of receiving the data packages i have a propblem i seem not
able to solve on myself.
I use Anaconda 32 bit with the Spyder editor
# -*- coding: utf-8 -*-
"""
Created on Thu May 7 13:35:59 2015
#author: roland
"""
import serial
portnr = 3 #Serial Port Number 0=Com1, 3=Com4
portbaud = 38400 #Baud rate
tiout = 0.1 #Timout in seconds
i = 1
wrword = ([0x02,0x04,0x00,0x00,0x00,0x02,0x71,0xF8])
try:
ser = serial.Serial(portnr, portbaud, timeout=tiout) # open port
except:
ser.close() # close port
ser = serial.Serial(portnr, portbaud, timeout=tiout) # open port
print(ser.name) # check which port was really used
while (i < 100):
ser.write(wrword)
seread = ser.readline()
print(seread)
i = i+1
sere = seread.split()
try:
readdat = str(sere[0])
except:
print("Index Error")
retlen = len(readdat)
print(retlen)
readdat = readdat[2:retlen-1]
print(readdat)
ser.close() # close port
The variable wrword is my request to the 868MHz radio master.
The Format is as follows:
0x02 Address of the unit
0x04 Command to send information from a certain register range
0x00 0x00 Address of first Register (Start address 0 is valid!)
0x00 0x02 Information how much registers are to be sent (in this case Registers 0 and 1 shall be transmitted to the Radio master)
0x71 0xF8 Checksum of the command sentence.
The program sends the command sequence successful to the master unit and the slave unit answers. Each time the command is send an answer is expected. Nevertheless it may happen that now correct answer is given thats why the
try command is in use.
I know i use ser.readline() but this is sufficient for the application.
I receive a list as answer from the USB Port.
The data look as follows:
b'\x02\x04\x04\x12\xb6\x12\xa5\xe0\xc1' (This is the Output from print(seread) )
For clarification this answer is correct and must be read as follows:
\x02 Address of the answering unit
\x04 Function that was executed (Read from certain register area)
\x04 Number of Bytes of the answer
\x12 \xb6 Value of first register (2 Byte)
\x12 \xa5 Value of second register (2 Byte)
\xe0 \xc1 Checksum of answer
If the data from the com port had all this Format i might be able to get the data values from the both Registers. But unfortunately the data format is not always the same.
Sometimes i receive answers in the following style:
b'\x02\x04\x04\x12\x8e\x12{\xe1T'
The answer is similar to the example above (different values in the Registers and different checksum) but the Format i receive has changed.
If i use the hex ASCII codes for the symbols obviously not hex values i find a valid answer telegram.
b'\x02\x04\x04\x12\x8e\x12{\xe1T'
becomes
b'\x02\x04\x04\x12\x8e\x12\x7b\xe1\x54'
when i Exchange the ASCII symbols by their hex code by Hand.
So my questions are:
Is it possible to force Python to give me the answer in a defined Format?
If not is it possible to handle the list or the string i can derive from the list in such a way that i get my values in the required format?
Does somebody can give me a hint how to extract my register values from the list and convert the two hex numbers of each register into one integer value for each register (the first value is the high byte, the second the low byte)?
Thanks in advance for your answer(s)
sincerely
Roland
I found a solution.
During a small testpiece of program i stumbled upon the fact that the variable seread contains already the data in a suitable and usable format for me.
I assume that the Spyder Editor causes the format change when displaying byte type objects.
If i Access the single Bytes using seread[i] while i is in range 0 to len(seread)-1 i receive the correct values for the single bytes.
So i can acess my data and calculate my measurement values as required.
Nevertheless thanks to keety for reading my question.
My aim is to sniff a packet from a pcap file, modify the last 4 bytes of the packet and send it. For now, I'm doing like this:
from scapy.all import *
from struct import pack
from struct import unpack
pkt = sniff(offline="my.pcap", count=1)
pkt_hex = str(pkt)
# getting output like '\x00\x04\x00 ... ... \x06j]'
last_4 = unpack('!I',pkt_hex[-4:])[0]
# getting last 4 bytes and converting it to integer
rest = pkt_hex[:-4]
# getting whole packet in string except last 4 bytes
new_pkt = rest + pack('>I',(last_4+1))
# created the whole packet again with last 4 bytes incremented by 1
# the new string is like '\x00\x04\x00 ... ... \x06j^'
Now My problem is I'm unable to convert it back to a layered packet object of Scapy and hence unable to send it using sendp.
PS: I've to recalculate the checksum. But once I'll convert it to a packet object, I can recalculate the checksum following this.
You can rebuild the packet using the class of the original packet, however there are other errors in your program.
The official API documentation on the sniff function states that it returns a list:
sniff(prn=None, lfilter=None, count=0, store=1, offline=None, L2socket=None, timeout=None)
Sniffs packets from the network and return them in a packet list.
Therefore, rather than extracting the packet with pkt_hex = str(pkt), the correct form to extract the packet is pkt_hex = str(pkt[0]).
Once that is done, you are free to alter the packet, update its checksum (as suggested here) and rebuild it using the class of the original packet, as follows (note my comments):
from scapy.all import *
from struct import pack
from struct import unpack
pkts = sniff(offline="my.pcap", count=1)
pkt = pkts[0] # <--- NOTE: correctly extract the packet
del pkt.chksum # <--- NOTE: prepare for checksum recalculation
del pkt[TCP].chksum # <--- NOTE: prepare for TCP checksum recalculation (depends on the transport layer protocol in use)
pkt_hex = str(pkt)
# getting output like '\x00\x04\x00 ... ... \x06j' <--- NOTE: there is no trailing ']'
last_4 = unpack('!I',pkt_hex[-4:])[0]
# getting last 4 bytes and converting it to integer
rest = pkt_hex[:-4]
# getting whole packet in string except last 4 bytes
new_hex_pkt = rest + pack('>I',(last_4+1))
# created the whole packet again with last 4 bytes incremented by 1
# the new string is like '\x00\x04\x00 ... ... \x06k' <--- NOTE: 'j' was incremented to 'k' (rather than ']' to '^')
new_pkt = pkt.__class__(new_hex_pkt) # <--- NOTE: rebuild the packet and recalculate its checksum
sendp(new_pkt) # <--- NOTE: send the new packet
EDIT:
Note that this doesn't preserve the packet's timestamp, which would change to the current time. In order to retain the original timestamp, assign it to new_pkt.time:
new_pkt.time = pkt.time
However, as explained here, even after changing the packet's timestamp and sending it, the updated timestamp won't be reflected in the received packet on the other end since the timestamp is set in the receiving machine as the packet is received.
As you know sometimes we can't know what the size of the data(if there is no Content-Length in http response header).
What is the best way to receive http response data(use socket)?
The follow code can get all the data but it will blocking at buf = sock.recv(1024).
from socket import *
import sys
sock = socket(AF_INET, SOCK_STREAM)
sock.connect(('www.google.com', 80))
index = "GET / HTTP/1.1\r\nHOST:www.google.com\r\nConnection:keep-alive\r\n\r\n"
bdsock.send(index)
data = ""
while True:
buf = bdsock.recv(1024)
if not len(buf):
break
data += buf
I'm assuming you are writing the sender as well.
A classic approach is to prefix any data sent over the wire with the length of the data. On the receive side, you just greedily append all data received to a buffer, then iterate over the buffer each time new data is received.
So if I send 100 bytes of data, I would prefix an int 100 to the beginning of the packet, and then transmit. Then, the receiver knows exactly what it is looking for. IF you want to get fancy, you can use a special endline sequence like \x00\x01\x02 to indicate the proper end of packet. This is an easily implemented form of error checking.
Use a bigger size first, do a couple of tests, then see what is the lenght of those buffers, you will then have an idea about what would the maximum size be. Then just use that number +100 or so just to be sure.
Testing different scenarios will be your best bet on finding your ideal buf size.
It would also help to know what protocol you are using the sockets for, then we would have a better idea and response for you.
Today I got the same question again.
And I found the simple way is use httplib.
r = HTTPResponse(sock)
r.begin()
# now you can use HTTPResponse method to get what you want.
print r.read()
How do I check for the presence of a particular layer in a scapy packet? For example, I need to check the src/dst fields of an IP header, how do I know that a particular packet actually has an IP header (as opposed to IPv6 for instance).
My problem is that when I go to check for an IP header field, I get an error saying that the IP layer doesn't exist. Instead of an IP header, this particular packet had IPv6.
pkt = Ether(packet_string)
if pkt[IP].dst == something:
# do this
My error occurs when I try to reference the IP layer. How do I check for that layers existence before attempting to manipulate it?
Thanks!
You should try the in operator. It returns True or False depending if the layer is present or not in the Packet.
root#u1010:~/scapy# scapy
Welcome to Scapy (2.2.0-dev)
>>> load_contrib("ospf")
>>> pkts=rdpcap("rogue_ospf_hello.pcap")
>>> p=pkts[0]
>>> IP in p
True
>>> UDP in p
False
>>>
root#u1010:~/scapy#
For completion I thought I would also mention the haslayer method.
>>> pkts=rdpcap("rogue_ospf_hello.pcap")
>>> p=pkts[0]
>>> p.haslayer(UDP)
0
>>> p.haslayer(IP)
1
Hope that helps as well.