I want to send the captured packets to another PC in my local network.
When I run it I keep getting the Output:
Sent 1 packets.
Over and over, but in Wireshark I dont see any packets going to the IP-Adress 192.168.0.5...
Not sure what is wrong.
#!/usr/bin/env python3
from scapy.all import sniff, send
def spoof_and_send(packet):
packet[0][1].dst = '192.168.0.5'
send(packet)
packets = sniff(filter='udp and portrange 6000-7999', prn=spoof_and_send)
You cannot use the original Ethernet header:
def spoof_and_send(packet):
datagram = packet[IP]
datagram.dst = "192.168.0.5"
send(packet)
Moreover, if you use this code you are going to receive the packets you create. You need to filter those out to avoid loops.
Related
I am trying to reproduce a problem which is happening in live network.
I network whenever a packet with UDP length 0 is coming my network equipment is crashing.
So to reproduce the same scenario in my LAB i need to send a UDP packet with UDP length 0 and no data block.
How can i go about it?
You didn't say which language you want to use but your profile shows some Python activity, so here's how to do it in Python:
import socket
import time
dest_addr = '10.9.87.64' # the destination address or hostname
dest_port = 1234 # the destination port
usock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
while True:
usock.sendto('', (dest_addr, dest_port))
time.sleep(10)
That creates a UDP endpoint named usock and then loops forever, sending an empty string (which produces a datagram with a zero-length payload) through that endpoint to the specified destination and then waiting for ten seconds before repeating.
I'm trying to run tests on a simulated network I'm running on my machine and would like to get timing information on packets I'm sending and then receiving over local loopback.
When I run tcpdump -i lo I see two packets for every packet of data I send over local loopback: a data-carrying packet with a sequence number, and an associated ack packet. Each has only 1 timestamp associated with it.
I'd like to see when the data-carrying packet is sent and received, and when the ack packet is sent and received-- that is, 4 timestamps in total. I can't figure out how to do this in tcpdump no matter what Google searches I try or flags I pass it.
Right now I'm only getting 2 timestamps, one for each packet. I'm pretty sure they are both receive times for the packets.
I could probably run this test using two different machines, but I don't have another one on hand right now, and if I did that the clock between the two wouldn't be synchronized perfectly so the timestamps would be off.
It turns out what I'm asking for here is impossible. When sending over local loopback, the kernel uses a purely software layer, so there are no TCP packets actually being sent.
This is actually true for using any device and sending to yourself-- the kernel automatically optimizes and doesn't actually use the hardware to send packets.
In order to get send and receive times, you need to route through some other external agent. Alternatively, you can pretend there are two different interfaces running on your computer using netns, then connect them using virtual ethernet (veth) and then log tcpdump data over that connection.
See this blog post on setting up a connected netns namespace.
Say I want scapy to be a server to receive packet,
like:
>> p=r("host:port") // waiting for a package
Is it possible?
If you really want to bind a socket, you'll have to use the socket module from Python. You can do so from Scapy and use it to dissect the captured packet.
By doing so however, you'll behave as a regular application and hence will only get the "application" layer (and not the network layers IP and TCP or UDP.
Now if you want to capture one packet from the network on a specific port, you can do so in "pure" Scapy, with the sniff() function and a simple BPF filter:
p = sniff(filter="port 53", count=1)[0]
I develop a network program that is used to transfer files , it works . But I just know it can works , and I don't know how to monitor and evaluate it . So I want to know what aspects a network program usually need to consider and monitor and how to monitor .
First make sure which protocol you have been used to send files (either TCP or UDP).
1.If you are using TCP at transport layer ,at the receiving end you can use TCPDUMP
packet analyzer to analyze all packets receiving on TCP port and its content.
2.If you want to analyze packets irrespective of protocols used at different layers, you can use wireshark packet analyzer to analyze all packets received on different networks like ethernet,PPP, loop back ,frame relay. you can use IP address of sender host as a reference to extract packets ( you need some reference to extract packets because wire shark will return all the packets received on the NIC interface). Once you extract the packets received from your sender host, you can analyze the packet payload to check whether files content has been received properly or not.
3.you can redirect data ( payload) of all received packets into some file. Once your program is done with receiving packets, you can check with that file to check data has been properly received or not. ( you can use this method only to test your client/server programs within a system)
I want to identify an UDP or TCP packet that have its source IP address faked. My guess is that even if the packet is faked with a program such has hping, the MAC src address is still the same on all the faked packets, is this correct?
If my idea is not correct, how can I identify such packets that are being faked and looks like it has different source for each and every packet?
Thanks.
MAC addresses can be faked too.
With TCP, its easy to identify / handle this. You'll reply to a fake SYN packet with a SYN-ACK. If it was a real client, it'd reply with an ACK to complete the handshake. Only caveat is that you'll have to implement syn-cookies so that you don't create state & use up resources while waiting for an ACK.
With UDP, there is no way to know, since the protocol is connection-less. If you send a reply to the fake packet, you're not guaranteed a response from a "real" client. So there is no way to identify a fake one.
The way I see it, UDP and TCP have nothing to do with this. You're talking about only layer 2 (MAC) and layer 3 (IP). Even at that though, you have no way of knowing, because the source MAC address should be that of the closest router to the recipient (assuming the packet did not originate in your subnet.) So you should see the same MAC address for most all inbound packets (again, internet traffic only).
Now there are profiling tools like p0f that work on signatures of packets, and you could try and do some heuristics based on that information, but nothing very concreted could be determined.
From the packet you can get the MAC address of the nearest node. Yeah you can send ACK packet to the fake source address(IP) and then use Traceroute command to know the path of the source packet, so that you can atleast find the location of the originating. It works well in TCP and you can have acknowledgement also.