I am using scapy in Python to capture packets. For some analysis I want to check whether a packet is HTTP or just TCP. How can I do that? Is it related to /raw or something else?
I have tried and tested scapy to create TCP packets and UDP packets.
Investigated the packet using tcpdump also.
I created the packet with one source IP and one destination IP.
My purpose was to test suricata with the content in the rule as my packet payload.
Suricata could trigger alerts easily in these scenarios.
But when the turn came to create HTTP packets with the payload, it failed.
Please tell me how to create an HTTP packet using scapy.
The packet should contain any string as data. {In TCP I used Raw(load=data)}
I have a device which is sending packets with its own specific construction (header, data, CRC) through its Ethernet port.
What I would like to do is to communicate with this device using a Raspberry Pi and Python 3.x.
I am already able to send raw Ethernet packets using the "socket" library; I've checked with Wireshark on my computer and everything seems to be transmitted as expected.
But now I would like to read incoming raw packets sent by the device and store them somewhere on my RPi to use later.
I don't know how to use the "socket" library to read raw packets (I mean layer 2 packets); I only find tutorials for reading higher-level packets like TCP/IP.
What I would like to do is something similar to what Wireshark does on my computer, that is to say read all raw packets going through the Ethernet port.
Thanks,
Alban
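An added example for the raw layer-2 read described above (this is not Alban's code or an answer from the thread): on Linux, an AF_PACKET socket receives whole Ethernet frames, the header is parsed with struct, and matching frames are appended to a file that can be read back later. The interface name eth0, the file name and the EtherType 0x88B5 used for the device are assumptions; capturing needs CAP_NET_RAW.

```python
import socket
import struct
import time

ETH_P_ALL = 0x0003                 # receive every EtherType, not only IP
ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType (network order)
REC_HDR = struct.Struct("!dI")     # stored record header: timestamp, frame length

def parse_ethernet(frame):
    """Split a raw Ethernet II frame into its header fields plus payload."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": ethertype, "payload": frame[ETH_HDR.size:]}

def write_record(fh, frame, ts=None):
    """Append one frame to fh as a length-prefixed record for later analysis."""
    ts = time.time() if ts is None else ts
    fh.write(REC_HDR.pack(ts, len(frame)) + frame)

def read_records(path):
    """Yield (timestamp, frame) tuples from a file written with write_record."""
    with open(path, "rb") as fh:
        while True:
            hdr = fh.read(REC_HDR.size)
            if len(hdr) < REC_HDR.size:
                return
            ts, length = REC_HDR.unpack(hdr)
            yield ts, fh.read(length)

def capture(iface, out_path, count=10, want_type=None):
    """Read frames from iface (Linux only, needs CAP_NET_RAW) and store those whose
    EtherType equals want_type (or all frames when None). Returns the number stored."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))              # frames from this interface only
    stored = 0
    with sock, open(out_path, "ab") as out:
        while stored < count:
            frame = sock.recv(65535)   # one complete layer-2 frame per recv()
            if want_type is None or parse_ethernet(frame)["ethertype"] == want_type:
                write_record(out, frame)
                stored += 1
    return stored

if __name__ == "__main__":
    # Assumed interface name; 0x88B5 (IEEE local experimental EtherType) stands in
    # for the device's real EtherType, which is not known from the question.
    print(capture("eth0", "frames.bin", count=5, want_type=0x88B5))
```

Filtering on the device's EtherType keeps unrelated traffic out of the store file; pass want_type=None to keep everything, as Wireshark would.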
Did you try using ettercap package (ettercap-graphical)?
It should be available with apt.
Alternatively you can try using TCPDump (Java tool) or even check iptables.
I am sending packets using:
send(IP(dst="192.168.1.114")/fuzz(UDP()/NTP(version=4)), loop=1)
But I am not able to capture these packets in any other nearby machine (including the one with IP 192.168.1.114) which is on the same network. I am using wlan as my interface.
I also tried to sniff and then replay using scapy but I am still not able to capture those packets.
I would first try to capture the traffic on the sender machine with tcpdump while executing your program:
tcpdump -i any udp dst 192.168.1.114
If you can see the traffic leaving the source host, it may be that it does not arrive at the target host. UDP packets are the first packets to be dropped by any network device and, as it is the nature of UDP, they won't get retransmitted. If you are sure the packet leaves the source, verify that it arrives at the target:
tcpdump -i any udp dst 192.168.1.114
Another point to check is your firewall settings. It could be either on the source or target system that your firewall is blocking those requests.
I finally resolved this. Here is the checklist I made which might help others when dealing with replaying/fuzzing using scapy.
1. Check if all IP addresses you are dealing with are alive in the network (use ping).
2. Understand the difference between send() (layer 3) and sendp() (layer 2).
3. If mutating an existing packet, make sure to remove the checksum (using 'del') and recalculate the checksum, either using show2() or using str to convert packets to string and then converting them back to packets.
You should use Wireshark, or the sniff function in Scapy and make it pretty print the contents on the screen:
sniff(prn=lambda x: x.show())
Is there any support for sending packets in impacket or dpkt libraries?
I was able to find examples of sniffing, interpreting and constructing packets using these libraries, but they don't seem to support sending over network interfaces.
The ping example of the impacket library uses the standard socket library in Python to send the packet.
Any help would be great. Thanks.
dpkt does not have any built-in way to send packets. Once you construct the packet, you will need to use a RAW socket to send out packets. Here is a good example, which shows you how to send a raw ICMP packet constructed using dpkt.
Is there any way to send ARP packet on Windows without the use of another library such as winpcap?
I have heard that Windows XP SP2 blocks raw ethernet sockets, but I have also heard that raw sockets are only blocked for administrators. Any clarification here?
There is no way to do that in the general case without the use of an external library.
If there are no requirements on what the packet should contain (i.e., if any ARP packet will do) then you can obviously send an ARP request if you're on an Ethernet network simply by trying to send something to any IP on your own subnet (ensuring beforehand that the destination IP is not in the ARP cache by running an external arp -d tar.get.ip.address command), but this will probably not be what you want.
For more information about raw socket support see the TCP/IP Raw Sockets Docs page, specifically the Limitations on Raw Sockets section.
You could use the OpenVPN tap to send arbitrary packets as if you were using raw sockets.