Long time ago i used netfilter_queue to create small program to monitor packets and block unwanted connections. So this program delays new connection by some time (miliseconds) and passing packets to userspace, but delay is perceptible when using firefox.
Next i figured out i can sniff packets and allow on the beginning all new connections to later block unwanted connections without delay. So everything would be fine, but when i switched to wifi network, realized i need to decrypt wifi(wpa2) frame first, and i wonder if it is possible to do it in scapy?
I'm looking something similar to dot11decrypt but in python.
Cant provide library i used before, it was not scapy, because its on another computer i don't have access right now. And i don't remember the name it was like 10 yrs ago. And sniffer was written in python module socket.
EDIT:
Now when i know scapy by itself can't decrypt WPA2 i found that there are tools written in python to crack wpa2 password, so it should be possible to write program to sniff and decrypt WPA2 in python to get IP:PORT from packets.
But whole operation is not that strait forward. Need to know more about WPA2 protocol. Right now i don't have much time to do it but in spare time i will try to write something.
So i dig, and dig, and I'm happy that i didn't stop.
The answer is no, scapy can't decrypt WPA2(802.11).
I had also used decrypt and decode word like they were the same words, my bad. So when i was talking about decode 802.11 i was talking about decrypting WPA2(802.11).
I just deduced reading EagleEye paper, their software uses dot11decrypt and libtins to do that and scapy to analyses data. I didn't have time to read whole paper, but think i understand their logic. Page 3 figure 1 have a nice picture.
I start digging again and their software is on github, pretty nice software.
So that would be all. If I'm wrong correct me.
Related
I'm working on a debug latency problem of websocket.
I am trying to receive some price information from crypto-currency exchange with its websocket interface. The data packets we receive include the timestamp generatee on the exchange server. I log the time when we receive the tick information on our computer (the "client box") and compare the latency between the arrival time and the server generation time. Most of the ticks show a few tens of milliseconds which is more or less fine. But everyday we see a few times the latency becomes several seconds or even more then ten seconds and I would like to figure out where are these large latency come from.
The system is using Python programming language and the websocket module I'm using is websocket-client (https://pypi.org/project/websocket_client/, https://github.com/websocket-client/websocket-client), I tried to add logs inside the module and see if it is due to module processing time but still no luck.
One idea currently in my mind is to use tcpdump to capture the net traffic and record the time the tcp packet arrives my network card. If this time still presents the latency, I will have no way other than move the program to a co-located server. However, I encounters difficult here as the websocket connection is SSL-encrypted. Thus I cannot see the tick generation time packed inside the message.
Does anyone have some solution here ? In particular:
Is there any way to retrieve the private key of SSL from the websocket-client python package from client-end? (I assume the key should be available somewhere local side, otherwise the websocket-client cannot decrypt the data itself. And WireShark should be able to decrypt the message for TSL1.2 protocol)
if it is not easy to do this with websocket-client package, I'm happy to try other websocket lib written by python, C/C++.
Can tcpdump get the timestamp when the TCP data packet sent from server (even in server time)?
Any other advices are highly appreciated as well.
Thanks a lot!
Thanks #Eugène Adell
My tcpdump opened in WireShark is mostly like below
and I can see the TSval in TCP Option - Timestamps
Can these indicate something?
Sorry for probably basic questions, really lack of experience in this area & Thanks again.
EDIT
Can tcpdump get the timestamp when the TCP data packet sent from
server (even in server time)?
Open your capture and see if the packets have the TCP timestamps option (as defined in RFC 1323 but better explained in RFC 7323). If so, the very first SYN packet should already mention it.
Unluckily the meaning of the TSval (Timestamp value in milliseconds) given in these packets is not the real clock and is not always changing like a real clock (it depends on the implementation used by your computers). If the conversation with your server lasts for 60s for example, check if this TSval also moves from 60s, if so maybe can you use this field to track when the packets were sent.
I have an old Raman spectrometer (one of these - http://www.camo.com/downloads/partners/deltanu/Inspector_Raman_Datasheet.pdf) and I'd like to write code, ideally in Python, that can provide it with input parameters, operate it and receive data from it.
The spectrometer connects to a PC via a USB, although it is assigned to a virtual COM port. I currently control it using an .exe file provided by the company that used to sell it, that I believe was produced using LabVIEW.
Is it possible to write my own code to control this sort of hardware? How can I pass parameters and commands to hardware? What information would I need to know to do this?
Although I'm a fairly proficient Python coder, this is a brand new area for me, so any advice on where to start would be super appreciated. I'm open to coding in another language if that would be more appropriate. And let me know if I need to provide any more info.
Cheers, Liam
A google search for the device model name and "programming manual" is usually where I start with something like this. Those keywords hopefully turn up something from the manufacturer that tells you how to do exactly what you're trying to do, and a lot of them include code samples. Unfortunately, with the little information I have on your device, I couldn't find anything. That's going to make it much, much harder.
Everything beyond this point is a guess based on what I've seen before. Typically, if a LabVIEW program interacts with a device over a virtual COM port, the program sends an ASCII command to the device using the protocol defined in the manual, and then receives ASCII data in return. You can try sniffing that data with the NI I/O Trace tool (http://www.ni.com/download/ni-io-trace-14.0.1/4914/en/) while running the manufacturer's application, and then trying to make sense of the flood of data that you see on that port.
It could also be a Modbus device, which may help you figure out the structure of the communication.
In short, this'll be tough without a programming manual, but there is some hope. Good luck!
I've coded a small raw packet syn port scanner to scan a list of ips and find out if they're online. (btw. for Debian in python2.7)
The basic intention was to simply check if some websites are reachable and speed up that process by preceding a raw syn request (port 80) but I stumbled upon something.
Just for fun I started trying to find out how fast I could get with this (fastest as far as i know) check technique and it turns out that despite I'm only sending raw syn packets on one port and listening for responses on that same port (with tcpdump) the connection reliability quite drops starting at about 1500-2000 packets/sec and shortly thereafter almost the entire networking starts blocking on the box.
I thought about it and if I compare this value with e.g. torrent seeding/leeching packets/sec the scan speed is quiet slow.
I have a few ideas why this happens but I'm not a professional and I have no clue how to check if I'm right with my assumptions.
Firstly it could be that the Linux networking has some fancy internal port forwarding stuff running to keep the sending port opened (maybe some sort of feature of iptables?) because the script seems to be able to receive syn-ack even with closed sourceport.
If so, is it possible to prevent or bypass that in some fashion?
Another guess is that the python library is simply too dumb to do real proper raw packet management but that's unlikely because its using internal Linux functions to do that as far as I know.
Does anyone have a clue why that network blocking is happening?
Where's the difference to torrent connections or anything else like that?
Do I have to send the packets in another way or anything?
Months ago I found out that this problem is well known as c10k problem.
It has to do amongst other things with how the kernel allocates and processes tcp connections internally.
The only efficient way to address the issue is to bypass the kernel tcp stack and implement various other low-level things by your own.
All good approaches I know are working with low-level async implementations
There are some good ways to deal with the problem depending on the scale.
For further information i would recommend to search for the c10k problem.
I'm looking for a program to turn my computer into a NAT, preferably written in Python, that I can play with and modify for some research I'm taking part in.
We need to try and monitor a network's traffic and find some data inside the TCP packets, and as a proof-of-concept we want to use Python for its simplicity.
Do you know of anything like this? Would we have to write one from scratch?
Thanks,
Dvorak
Try looking into using the twisted library - you'll have to effectively implement both a client + server side in one, but that shouldn't be too hard.
I have a client and a server, both written in Python 2.7.
Lets say I wanted to make a multiplayer game server (which I don't at the moment but I'm working towards it). I would need to keep the server up to date (and other clients) on my characters whereabouts, correct?
How would I do this with sockets? Send or request information only when it is needed (e.g the character moves, or another players character moves and the server sends the information to other clients) or would I keep a constant socket open to send data real-time of EVERYBODY's movement regardless of if they have actually done something since the last piece of data was sent or not.
I won't struggle coding it, I just need help with the concept of how I would actually do it.
With TCP sockets it is more typical to leave the connections open, given the teardown & rebuild cost.
Eventually when scaling you will do look into NewIO\RawIO.
If you do not, imagine that the game client might take a step & not get confirmation if sending it to the server & other players.
Definitely keep the socket open, but you should consider using something like ZeroMQ which gives you more kinds of sockets to work with.