I want to use the python module scapy to perform an equivalent command of
dig ANY google.com @8.8.4.4 +notcp
I've made a simple example code:
from scapy.all import *
a = sr(IP(dst="8.8.4.4")/UDP(sport=RandShort(),dport=53)/DNS(qd=DNSQR(qname="google.com",qtype="ALL",qclass="IN")))
print str(a[0])
And it sends and receives a packet,
but when I sniffed the packet the response says Server failure.
Wireshark Screenshot - scapy
Wireshark Screenshot - dig
Sniffing the dig command itself looks nearly the same, but it gives me a correct response and also it does not send another ICMP - Destination unreachable packet.. this only comes up when sending it with scapy.
If you need more information, feel free to ask.
Maybe someone can help me with this..
EDIT:
Maybe the ICMP - Destination unreachable packet was sent because 8.8.4.4 tries to send the response to my sport, which is closed? But why should dig then work?!
Got the Python code working with scapy..
srp(Ether()/IP(src="192.168.1.101",dst="8.8.8.8")/UDP(sport=RandShort(),dport=53)/DNS(rd=1,qd=DNSQR(qname="google.com",qtype="ALL",qclass="IN"),ar=DNSRROPT(rclass=3000)),timeout=1,verbose=0)
In Wireshark we can see now a correct response:
Wireshark Screenshot
But I'm still getting the ICMP - Destination unreachable packet..
and I don't know why..
I'm using python 2.7.15, scapy and scapy-http on windows.
I want to sniff all the http packets and extract the html pages that were sent.
This is the code I'm using:
from scapy.all import *
import scapy_http.http
def printPacket(packet):
    if packet.haslayer('HTTP'):
        print '='*50
        packet.show()  # show() prints the dissection itself and returns None
sniff(prn=printPacket)
but for some reason it only captures some of the http packets (when I use the browser I don't see any packets) and I don't see any html code in the ones that it does print.
I think that's because some of the traffic sent is HTTPS (= HTTP + TLS). In your function you expect the HTTP application layer, which is encapsulated and encrypted in a TLS layer, and therefore it is not matched.
To sniff HTTPS, you can use this: https://github.com/tintinweb/scapy-ssl_tls (I haven't tried it yet).
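The distinction this answer draws can be checked on the raw TCP payload bytes. The following is an added example, not code from the original answer: it is Python 3, uses only the standard library, and the function names and sample payloads are constructed for illustration.

```python
import struct
from collections import Counter

# TLS record content types (RFC 8446, section 5.1)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")
MAX_RECORD_LEN = 16384 + 2048  # largest TLS 1.2 ciphertext fragment


def classify_payload(data):
    """Label the first bytes of one TCP segment payload."""
    if data.startswith(HTTP_METHODS):
        return "http-request"
    if data.startswith(b"HTTP/1."):
        return "http-response"
    if len(data) >= 5:
        # TLS record header: type (1), version major/minor (2), length (2)
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and length <= MAX_RECORD_LEN):
            return "tls-" + TLS_CONTENT_TYPES[ctype]
    return "other"


def summarize(payloads):
    """Count how many payloads fall into each class."""
    return Counter(classify_payload(p) for p in payloads)


# Constructed sample payloads (not captured traffic)
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    bytes.fromhex("16030100050100000100"),  # handshake record, 5-byte body
    bytes.fromhex("1703030004deadbeef"),    # application data record
    b"SSH-2.0-OpenSSH_8.9\r\n",             # neither HTTP nor TLS
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_payload(sample), sample[:16])
```

Only segments that begin a message or record are recognised; continuation segments of a larger HTTP body or TLS record fall into "other". Payloads classified as tls-application_data are encrypted, so no HTML can be read from them without the session keys.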
I have tcpdump and scapy running sniff() on the same interface. There is a scp file transfer happening.
tcpdump: I see the tcp packets with the seq and acks going over.
scapy sniff() returned list: All I see in each packet summary() is (MAC addr1 ) > (Mac addr 2) (0x800) / Raw. Even in the packet .show(), all I see is link layer stuff with "## [ Ethernet ] ##", src and dst.
I ran this with a timeout of 30 so I know I would capture the scp transfer of an empty text file so I know I timed it right.
There are definitely TCP packets going over, but none of them are being detected. Is there an issue with Scapy?
Thank you
There is probably a bug that prevents Scapy from processing the ethernet payload.
You can try to set conf.debug_dissector = True to debug the issue.
You can also get the current development version of Scapy (from the repository), since this may be an already fixed bug (we had a bug similar to what you are seeing with Python 3 until very recently).
If the bug still exists after updating to the current development version, please report it!
I'm working on a project in which I sniff http packets that go through my network,
but scapy sniffs only packets that are sent to my computer or broadcasted.
I saw that there is a parameter called iface for the sniffing function-
sniff(iface= ? )
Yet, I find no documentation or explanation about it online.
Can someone explain how it can help and what value to put in it when sniffing if I want to sniff the whole network and not just my computer?
Also I don't find a filter function for http packets, so I'd appreciate it if someone could write it to me.
Here is some documentation on sniffing for Scapy. There is also some information regarding filters but it's quite sparse.
More than likely you will be able to use something like the following:
sniff(iface="eth0", filter="tcp and port 80") to get the HTTP packets. Obviously the actual interface will be different based on the names of the interfaces on your machine.
I'm having trouble receiving all related packets to a request when using scapy's sr function.
ans, unans = sr(IP(dst="172.xxx.xxx.xxx")/TCP(dport=80,flags="S"))
returns:
Received 2 packets, got 1 answers, remaining 0 packets
What happens is that I first get an ICMP redirect. Afterwards I get the answer from my local service with SA. Sometimes it tells me it received two packets, which makes sense, but when I look at it in the summary it prints the following:
<bound method SndRcvList.summary of <Results: TCP:0 UDP:0 ICMP:1 Other:0>>
and in summary() I find this:
IP / TCP 172.xxx.xxx.xxx:ftp_data > 172.zzz.zzz.zzz:http S ==> IP / ICMP 172.yyy.yyy.yyy > 172.xxx.xxx.xxx redirect host-redirect / IPerror / TCPerror
For one, I wonder where my SA flagged TCP packet is. When I look at the network dump, I definitely see it, right after the ICMP packet. I've made sure to run scapy with and without running tcpdump, just in case it would interfere, which it shouldn't.
I've also tried to set an increased timeout, just in case it didn't wait long enough to receive the TCP packet. Didn't work.
I've also tried it out on loopback interface, the local lan and systems that are located in the internet. Same result everywhere.
Any ideas on where the error could be located?
Scapy considers this ICMP packet to be a response to the initial TCP SYN request (which it actually is). Try using sr(..., multi = True) to get multiple response packets.
I recently began exploring Scapy. A wonderful tool indeed!
I have a problem... When I monitor my network card using Wireshark and I do a regular ping from the system's command prompt with the standard PING installation, Wireshark pops up with "Ping request" and then "Ping reply", indicating that it sent a reply. But when I do it manually in Scapy, it sends no reply back.. How can this be? I spent a lot of time trying to figure this out so I really hope someone can shed some light on this issue of mine...
Here is the code I used:
>>> from scapy.all import IP, ICMP, send
>>> IP = IP(dst="127.0.0.1")
>>> Ping = ICMP()
>>> send(IP/Ping)
The packet is sent successfully and Wireshark shows a Ping request received, but not that it has sent a reply back.
This is an FAQ item:
I can't ping 127.0.0.1. Scapy does not work with 127.0.0.1 or on the loopback interface
The loopback interface is a very special interface. Packets going through it are not really assembled and disassembled. The kernel routes the packet to its destination while it is still stored in an internal structure. What you see with tcpdump -i lo is only a fake to make you think everything is normal. The kernel is not aware of what Scapy is doing behind his back, so what you see on the loopback interface is also a fake. Except this one did not come from a local structure. Thus the kernel will never receive it.
In order to speak to local applications, you need to build your packets one layer upper, using a PF_INET/SOCK_RAW socket instead of a PF_PACKET/SOCK_RAW (or its equivalent on other systems than Linux):
>>> conf.L3socket
<class __main__.L3PacketSocket at 0xb7bdf5fc>
>>> conf.L3socket=L3RawSocket
>>> sr1(IP(dst="127.0.0.1")/ICMP())
<IP version=4L ihl=5L tos=0x0 len=28 id=40953 flags= frag=0L ttl=64 proto=ICMP chksum=0xdce5 src=127.0.0.1 dst=127.0.0.1 options='' |<ICMP type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |>>
Try this
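from scapy.all import IP, ICMP, sr1

def ping(host, repeat=3):
    packet = IP(dst=host)/ICMP()
    for x in range(repeat):
        response = sr1(packet, timeout=2)
        if response is not None:  # sr1() returns None when nothing answers
            response.show2()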
You're not storing the reply properly