I am trying to pull data out of data packets that I am recieving from another device. I have isolated the packet I want to pull the data from but cannot figure out how to extract the data that I want. I am using pyshark to get to the packet but this does not allow to me to actually see that data. I can see the data when I am in wireshark. The data I am looking to pull is circled in red. Wireshark
Here is my code in python.
import pyshark
capture=pyshark.LiveCapture(interface='wlan0', display_filter='frame.len>190 and upd.port==1700')
for i in capture:
print(i)
Which displays all of the same information that wireshark does minus the latitude, longitude coordinates.
I would ask for a sample PCAP file, but most people don't want to share real world data. Without a PCAP file, I cannot give you a complete answer, but I can give you one that is 95% there.
This is the way that I would attack your problem:
import pyshark
capture = pyshark.LiveCapture(interface='your_interface')
for raw_packet in capture.sniff_continuously():
# filter only UDP packet that have a frame length greater
# than 190 and that have a port number of 1700.
if hasattr(raw_packet, 'udp') and int(packet.frame_info.cap_len) > 190 and packet[packet.transport_layer].srcport == '1700':
# Get the details for the packets by accessing
# _all_fields and _all_fields.values()
field_names = raw_packet.udp._all_fields
field_values = raw_packet.udp._all_fields.values()
for field_name in field_names:
for field_value in field_values:
# you can add another filter here to get your
# lat & long coordinates
print(f'{field_name} -- {field_value}')
# if you need to access the packet data you need to do this,
# but it might come back in hex, which will need to be decoded.
# if "DATA" in str(packet.layers):
# print(packet.data.data)
Please reach out if you have any issues filtering out the packets that you're looking for. if you can share a sample PCAP, I will tweak my answer.
I have a document and code examples on GitHub named pyshark packet analysis that you might find useful.
Related
Is there an efficient way to get the offset of some field in a packet captured with pyshark?
For example, I need to get the offset of the source IP within the whole packet or within some layer header in the packet. Is it possible?
I was able to solve my issue. Here is a sample code:
import pyshark
packets = pyshark.FileCapture(input_file=pcap_file_dir)
print(int(packets[0].ip.src.pos)) # Prints the offset of source IP
I am trying to simulate a TCP communication between two hosts with scapy.
My problem is, that I can't save the random IP addresses scapy generates for me.
This code
src_IP = RandIP()
print(src_IP)
print(src_IP)
print(src_IP)
gives me an output like this
234.200.98.20
147.3.56.17
135.102.142.49
So every time I access src_IP it has a new value.
Is there a way to save a random IP from scapy? So I could generated 2 IPs at the beginning of my function and use them as source and destination for my TCP communication.
I could generate the IPs myself, but I thought there had to be a more elegant solution to it.
BTW. non of the packets are going to be sent, they will be written into a PCAP file. Therefor I have to create both sides of the communication.
The accepted answer is a hack; it is correct (as in "it works and do what was asked"), but it is not the correct way to do that in Scapy.
The method you are looking for is ._fix(). It will work with any volatile value type.
src_IP = RandIP()._fix()
If you also need for example a random source port, you could do:
src_port = RandShort()._fix()
I found an answer.
RandIP() creates an instance of an object, and every time this object gets accessed, to print or do send a packet or something else, it generates a new IP.
So my solution is to cast it to a string
src_IP = str(RandIP())
print(src_IP)
print(src_IP)
print(src_IP)
And the output is just as intended
232.119.133.38
232.119.133.38
232.119.133.38
When I look at LLMNR Query pocket with Scapy I see that the LLMNR-Query have inside a DNSQR.
When I like to retrieve data from the LLMNR-Query I can with:
pkts[x].sprintf("%LLMNRQuery.qr%")
but I didn’t figure out how to retrieve data from the DNSQR that inside the LLMNR-Query; I tried :
pkts[x].sprintf("%DNSQR.qname%")`
but the unser I get is '??'
I'd be happy to know how to retrieve the DNSQR
Try:
pkts[x].qd.sprintf('%DNSQR.qname%')
Or:
pkts[x].qd.qname
I'm somewhat of a Python novice, but I've taken up a small personal project to teach myself a bit more. Basically, I'm writing a packet sniffer using sockets and impacket. However, where I am getting stuck at is one particular point: combining the output from header and packet into one variable (I was thinking of a dictionary, but it didn't like that...) so that I can simply search out the IP header for one particular partial source IP (i.e., the first two octets). Or would there be a more efficient way of handling this? Any help is appreciated. :-)
EDIT: When I was trying the dictionary, I was doing
ip_dict = { header: packet }
However, the output I get is akin to this:
{<impacket.ImpactPacket.IP instance at 0x02563440>: <impacket.ImpactPacket.Data instance at 0x02563530>}
As opposed to the actual output of said IP header and data.
HOST = socket.gethostbyname(socket.gethostname())
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
s.bind((HOST, 0))
while True:
# Include IP headers
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
# receive all packages
s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
# receive a packet
packet = s.recvfrom(42028)[0]
# look at IP info
h_decode = ImpactDecoder.IPDecoder()
header = h_decode.decode(packet)
# disabled promiscuous mode
s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
decoder = ImpactDecoder.DataDecoder()
packet = decoder.decode(packet)
print header
print packet
time.sleep(1)
Dictionaries are sets of key/value pairs. When you used
ip_dict = { header: packet }
You told it to build a dictionary with the header instance as the key and the packet instance as the value, which is what it did:
{<impacket.ImpactPacket.IP instance at 0x02563440>: <impacket.ImpactPacket.Data instance at 0x02563530>}
If you want something from inside those instances, you have to extract it yourself. For example, although I've never used the impacket library before, the objects seem to have lots of methods living inside them. For example [suppressing the real numbers and data and replacing them with nonsense]:
In [25]: z
Out[25]: <impacket.ImpactPacket.IP instance at 0xb6151fac>
In [26]: z.[here I hit TAB in the IPython interpreter]
z.add_option z.get_ip_offmask z.set_bytes_from_string
z.auto_checksum z.get_ip_p z.set_checksum_from_data
z.calculate_checksum z.get_ip_rf z.set_ip_address
z.child z.get_ip_src z.set_ip_df
z.compute_checksum z.get_ip_sum z.set_ip_dst
z.contains z.get_ip_tos z.set_ip_hl
z.ethertype z.get_ip_ttl z.set_ip_id
z.fragment_by_list z.get_ip_v z.set_ip_len
z.fragment_by_size z.get_long z.set_ip_mf
z.get_buffer_as_string z.get_packet z.set_ip_off
z.get_byte z.get_pseudo_header z.set_ip_offmask
z.get_bytes z.get_size z.set_ip_p
z.get_data_as_string z.get_word z.set_ip_rf
z.get_header_size z.is_BSD z.set_ip_src
z.get_ip_address z.list_as_hex z.set_ip_sum
z.get_ip_df z.load_header z.set_ip_tos
z.get_ip_dst z.normalize_checksum z.set_ip_ttl
z.get_ip_hl z.packet_printable z.set_ip_v
z.get_ip_id z.parent z.set_long
z.get_ip_len z.protocol z.set_parent
z.get_ip_mf z.set_byte z.set_word
z.get_ip_off z.set_bytes
In [26]: z.get_ip_src()
Out[26]: '1.2.3.4' # fake
In [27]: z.get_ip_dst()
Out[27]: '5.6.7.8' # fake
In [29]: z.get_data_as_string()
Out[29]: '\x00abcde' # fake
I have no idea what half of the methods do, or which of them are important, but you can easily build a dictionary out of whatever you like:
In [31]: {(z.get_ip_src(), z.get_ip_dst()): z.get_bytes()}
Out[31]:
{('1.2.3.4',
'5.6.7.8'): array('B', [1,2,3,4,5,6,7,8])} # fake
or combine bits from the IPDecoder and the DataDecoder, whatever. The point is that the issue isn't about Python dictionaries, it's about the impacket library's data structures, and what information you want to extract from them. The docs will probably describe how to get what you need.
I'm forging with Scapy the TTL value in the IP header in some data packet that I captured. Besides the checksum in both IP and transport layer headers, is there anything else I should recompute?
Right now I'm doing:
for p in myPackets:
p[IP].ttl = targetTTL
del(p[IP].chksum)
del(p[IP].payload.chksum)
for i in range(len(myPackets)):
myPackets[i] = myPackets[i].__class__(str(myPackets[i]))
I'm asking this because Scapy's sr function, which matches packets with their responses (ICMP in my case) has been returning data with a few RTTs > 1 second, which is absurd since I'm using ttl=1.
Have you tried just sending the packet? Scapy should recompute the checksums for you automatically.You could also try setting them to None, but I don't believe that's necessary.
I believe scapy will automatically recalculate the checksums if you call the show2() command on the packet. So if you have a packet at index 0 in the object pckt, you should call pckt.show2() and the checksum should be correct. At least that's my understanding.
pkt.show2() same as show but on the assembled packet (checksum is calculated, for instance) Source