I would like to send IGMP packets using scapy, specifically IGMP Leave, IGMP Membership report. Is it possible to do so?
UPDATE:
I was able to eventually generate them. Had to do the following:
1) Install scapy v.2.2.0 as it's described here (including minor alteration in setup.py):
scapy's contrib is missing after installing scapy on both windows and fedora
2) You need to use file from contribution package (features not added to the core of scapy):
import scapy.contrib.igmp
igmpPacket = scapy.contrib.igmp.IGMP()
Yes, it is possible to send IGMP packets. After googling a bit, I came up with some useful links that can help you in some direction.
On github there exists a IGMP and IGMPv3 implementation in scapy. Here is an interesting mailing list too. Also, this post has an other interesting stuff related to IGMP.
With this method, you can send out IGMP version 2 (RFC2236) Membership Query message, not IGMP version 3.
Here are complete code and tcpdump:
>>> from scapy.all import *
>>> import scapy.contrib.igmp
>>> p = IP(dst="62.22.14.4")/scapy.contrib.igmp.IGMP()
>>> send(p)
.
Sent 1 packets.
>>>
# tcpdump -ni cplane0 igmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on cplane0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:42:01.045618 IP 44.60.11.3 > 62.22.14.4: igmp query v2 [max resp time 20]
18:42:01.045631 IP 44.60.11.3 > 62.22.14.4: igmp query v2 [max resp time 20]
18:42:01.046470 IP 44.60.11.3 > 62.22.14.4: igmp query v2 [max resp time 20]
18:42:01.046476 IP 44.60.11.3 > 62.22.14.4: igmp query v2 [max resp time 20]
18:42:01.959331 IP 62.22.14.4 > 224.1.1.1: igmp v2 report 224.1.1.1
Update:
Since IGMPv3 is under construction. Here is a way to send IGMP version 3 Membership Query:
>>> from scapy.all import *
>>>
>>> class IGMP3(Packet):
... name = "IGMP3"
... fields_desc = [ ByteField("type", 0x11),
... ByteField("mrtime", 20),
... XShortField("chksum", None),
... IPField("gaddr", "0.0.0.0"),
... IntField("others", 0x0)]
... def post_build(self, p, pay):
... p += pay
... if self.chksum is None:
... ck = checksum(p)
... p = p[:2]+chr(ck>>8)+chr(ck&0xff)+p[4:]
... return p
...
>>> bind_layers( IP, IGMP3, frag=0, proto=2)
>>> p = IP(dst="62.21.20.21")/IGMP3()
>>> send(p)
.
Sent 1 packets.
>>>
# tcpdump -ni cplane0 igmp -v
tcpdump: listening on cplane0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:24:35.013987 IP (tos 0x0, ttl 62, id 1, offset 0, flags [none], proto IGMP (2), length 32)
44.60.11.3 > 62.21.20.21: igmp query v3 [max resp time 2.0s]
17:24:35.014000 IP (tos 0x0, ttl 62, id 1, offset 0, flags [none], proto IGMP (2), length 32)
44.60.11.3 > 62.21.20.21: igmp query v3 [max resp time 2.0s]
17:24:35.014476 IP (tos 0x0, ttl 62, id 1, offset 0, flags [none], proto IGMP (2), length 32)
44.60.11.3 > 62.21.20.21: igmp query v3 [max resp time 2.0s]
17:24:35.014482 IP (tos 0x0, ttl 62, id 1, offset 0, flags [none], proto IGMP (2), length 32)
44.60.11.3 > 62.21.20.21: igmp query v3 [max resp time 2.0s]
17:24:35.218208 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
62.21.20.21 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.1.1.1 is_ex, 0 source(s)]
Related
I'm trying to code a packet sniffer that detects the different websites that are visited by the devices connected to my wifi. The problem is that I'm only getting private IPs, here are the counted IPs I get from a 1 hour sniffing :
IPS Number_Of_Values
224.0.0.251 1068
192.168.1.255 387
255.255.255.255 32
224.0.0.22 28
224.0.0.1 28
192.168.1.111 6
192.168.1.115 5
224.0.1.187 2
Here is a part of the sniffer, ethernet_frame is getting mac addresses and proto, ipv4_packet unpacks the IP header and gets the IPs (source and target) and finally get_packets proceeds to the different unpackings:
def ethernet_frame(data):
dest_mac, src_mac, proto = struct.unpack('! 6s 6s H', data[:14])
return get_mac_addr(dest_mac), get_mac_addr(src_mac), socket.htons(proto), data[14:]
def ipv4_packet(data):
version_header_length = data[0]
version = version_header_length >> 4
header_length = (version_header_length & 15) * 4
ttl, proto, src, target = struct.unpack('! 8x B B 2x 4s 4s', data[:20])
return version, header_length, ttl, proto, ipv4(src), ipv4(target), data[header_length:]
def get__packets():
conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(3))
while True:
raw_data, addr = conn.recvfrom(65536)
dest_mac, src_mac, eth_proto, data = ethernet_frame(raw_data)
# 8 for ipv4
if eth_proto == 8:
(version, header_length, ttl, proto, src_ip, target_ip, data) = ipv4_packet(data)
Why am I only getting private IPs? How can I get websites IPs? If it's not possible, how to get the http header from a TCP packet in order to get the url?
(I'm coding it on my raspberry pi 4 - Linux)
I have got a simple sniff function set up with scapy which forwards the packet to a handshake function (I have a webserver set up on port 102. However some weird errors have come by, then I decided to print pkt.show(), what I discovered was that some packages DID come through the filter somehow.
My sniff function:
a=sniff(filter="port 102", count=10, prn=handshake)
This packet manages to come through:
###[ Ethernet ]###
dst = 84:8f:69:f5:fe:ac
src = b8:27:eb:92:a3:3b
type = 0x800
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = 44
id = 1
flags =
frag = 0L
ttl = 64
proto = tcp
chksum = 0xe6c6
src = 192.168.137.178
dst = 192.168.137.1
\options \
###[ TCP ]###
sport = iso_tsap
dport = 2426
seq = 605952828
ack = 605952829
dataofs = 6L
reserved = 0L
flags = SA
window = 8192
chksum = 0x5b7c
urgptr = 0
options = [('MSS', 1460)]
As you can see the destination port is 2426, which is definetely not port 102.
Have I done something dumb?
The source port in the enclosed packet is iso_tsap which is 102. If you want to filter by the destination port try the filter "dst port 102". If you need something a bit more sophisticated, here is the syntax of BPF, which is used by scapy.
Similar to Setting TCP receive window in C and working with tcpdump in Linux and Why changing value of SO_RCVBUF doesn't work?, I'm a unable to increase the initial tcp receive window greater than 5888 on ubuntu linux 2.6.32-45
#!/usr/bin/python
from socket import socket, SOL_SOCKET, SO_RCVBUF, TCP_WINDOW_CLAMP
sock = socket()
sock.setsockopt(SOL_SOCKET, SO_RCVBUF, 65536)
sock.setsockopt(SOL_SOCKET, TCP_WINDOW_CLAMP, 32768)
sock.connect(('google.com', 80))
tcpdump says:
me > google: Flags [S], seq 3758517838, win 5840, options [mss 1460,sackOK,TS val 879735044 ecr 0,nop,wscale 6], length 0
google > me: Flags [S.], seq 597037042, ack 3758517839, win 62392, options [mss 1430,sackOK,TS val 541301157 ecr 879735044,nop,wscale 6], length 0
me > google: Flags [.], ack 1, win 92, options [nop,nop,TS val 879735051 ecr 541301157], length 0
sysctl -a | grep net.*mem says:
net.core.wmem_max = 131071
net.core.rmem_max = 131071
net.core.wmem_default = 112640
net.core.rmem_default = 112640
net.core.optmem_max = 10240
net.ipv4.igmp_max_memberships = 20
net.ipv4.tcp_mem = 77376 103168 154752
net.ipv4.tcp_wmem = 4096 16384 3301376
net.ipv4.tcp_rmem = 4096 87380 3301376
net.ipv4.udp_mem = 77376 103168 154752
net.ipv4.udp_rmem_min = 4096
net.ipv4.udp_wmem_min = 4096
Could there be something else putting a receive window limit on my connection?
That looks like the effects of TCP slow-start. This kernel thread from 2008 offers up a good explanation (I've linked to the last response in the thread):
SO_RCVBUF doesn't change receiver advertised window
If you keep watching the stream, the window size should increase, up to the maximum you set.
I'm just trying out zeromq for a project in python. I'm trying to bind the 'client' side and connect the server to the fixed location. I have a simple REQ/REP setup that works fine locally but seems to do nothing over a network. If I reverse the binding, then this also works over the network.
The relevant code is:
def respond(sock):
message = sock.recv()
response = "world"
sock.send(response)
print("Received '{0:s}', sent '{1:s}'.".format(message, response) )
def request(sock):
message = "Hello"
sock.send(message)
response = sock.recv()
print("Sent '{0:s}', recieved '{1:s}'".format(message, response) )
def main():
opts = get_opts()
if opts.client:
sock = CONTEXT.socket(zmq.REQ)
sock.bind("tcp://*:{0:d}".format(opts.port) )
request(sock)
if opts.server:
sock = CONTEXT.socket(zmq.REP)
sock.connect("tcp://{0:s}:{1:d}".format(opts.address, opts.port) )
while True:
respond(sock)
And a (non-)working example is here: https://gist.github.com/4071783
When connecting to a remote address, nothing seems to happen. If I check with tcpdump, I can certainly see activity on the port:
12:20:18.846927 IP server.58387 > client.5555: Flags [.], ack 1, win 3650, options [nop,nop,TS val 718051 ecr 46170252], length 0
12:20:18.847156 IP client.5555 > server.58387: Flags [P.], seq 1:3, ack 1, win 227, options [nop,nop,TS val 46170252 ecr 718051], length 2
12:20:18.847349 IP server.58387 > client.5555: Flags [P.], seq 1:3, ack 1, win 3650, options [nop,nop,TS val 718051 ecr 46170252], length 2
12:20:18.847373 IP client.5555 > server.58387: Flags [.], ack 3, win 227, options [nop,nop,TS val 46170252 ecr 718051], length 0
12:20:18.847553 IP client.5555 > server.58387: Flags [P.], seq 3:16, ack 3, win 227, options [nop,nop,TS val 46170252 ecr 718051], length 13
12:20:18.847645 IP server.58387 > client.5555: Flags [.], ack 3, win 3650, options [nop,nop,TS val 718051 ecr 46170252], length 0
12:20:18.848286 IP server.58387 > client.5555: Flags [.], ack 16, win 3650, options [nop,nop,TS val 718051 ecr 46170252], length 0
But the send() and recv() are still blocked as if waiting for a connection. Does anyone know what this is or could suggest how to debug it?
Can you ping the remote address? 0MQ is just using TCP at this level so if the connect fails, it's because the address you're trying to connect to is not reachable.
I have a raw Python socket initialized like so:
mySocket = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
mySocket.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
My problem is that I can't send any packet from the socket where the protocol field in my IP header is specified as '1' (ICMP). If this field is anything else it'll work just fine, including '17' (UDP) for example. I don't get any errors, the packet just doesn't display in Wireshark, and I can't receive it on my server.
I'm generating the IP header like so:
def getIPHeader(src, dst, proto):
version = 4
IHL = 5
DSCP = 0
ECN = 0
totalLength = 40
identification = 333
flags = 0
fragmentOffset = 0
timeToLive = 128
protocol = proto
headerChecksum = 0
sourceIP = socket.inet_aton(src)
destIP = socket.inet_aton(dst)
options = 0
version_IHL = (version << 4) | IHL
DSCP_ECN = (DSCP << 2) | ECN
flags_fragmentOffset = (flags << 13) | fragmentOffset
# The '!' ensures all arguments are converted to network byte order
header = struct.pack("!BBHHHBBH4s4s", version_IHL, DSCP_ECN, totalLength, identification, flags_fragmentOffset, timeToLive, protocol, headerChecksum, sourceIP, destIP)
return header
And sending like so:
icmpHeader = struct.pack("!bbHHh", 8, 0, 0, 666, 0)
packet = getIPHeader("192.168.2.15", "8.8.8.8", 1) + icmpHeader
mySocket.sendto(packet, ("8.8.8.8", 0))
Sending with UDP protocol set works (obviously malformed):
icmpHeader = struct.pack("!bbHHh", 8, 0, 0, 666, 0)
packet = getIPHeader("192.168.2.15", "8.8.8.8", 17) + icmpHeader
mySocket.sendto(packet, ("8.8.8.8", 0))
The worst part is if I send a ping from the command line, then copy the exact hex from Wireshark of the IP and ICMP data into my code, it STILL doesn't work, like so:
packet = b'\x45\x00\x00\x3c\x24\xad\x00\x00\x80\x01\x43\x4d\xc0\xa8\x02\x0f\x08\x08\x08\x08\x08\x00\x4d\x44\x00\x01\x00\x17\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x61\x62\x63\x64\x65\x66\x67\x68\x69'
mySocket.sendto(packet, ("8.8.8.8", 0))
However, as before, if I change the 10th byte of the hard coded data to '\x11' (17 decimal, UDP), I can then see it in Wireshark (obviously with a malformed UDP section as the rest of the packet is ICMP).
I'm running Windows 10, Python 3.4.1, and my firewall is off. Any ideas?
UPDATE: I've tried this on two different computers, a Windows 8 and a Windows 10 machine, both worked, so it's something to do with my computer, the plot thickens...