I am doing a sniffing of the network and trying to get ip address and port number on every tcp packet.
I used scapy with python and could successfully sniff packets and in a callback function could even print the packet summary. But I would want to do more, like fetching only the IP address of the source and its port number. How can i accomplish it? Below is my code:
#!/usr/bin/evn python
from scapy.all.import.*
def print_summary(pkt):
packet = pkt.summary()
print packet
sniff(filter="tcp",prn=packet_summary)
Please suggest a method to print only the source IP address of every packet.
Thanks.
It is not very difficult. Try the following code:
#!/usr/bin/env python
from scapy.all import *
def print_summary(pkt):
if IP in pkt:
ip_src=pkt[IP].src
ip_dst=pkt[IP].dst
if TCP in pkt:
tcp_sport=pkt[TCP].sport
tcp_dport=pkt[TCP].dport
print " IP src " + str(ip_src) + " TCP sport " + str(tcp_sport)
print " IP dst " + str(ip_dst) + " TCP dport " + str(tcp_dport)
# you can filter with something like that
if ( ( pkt[IP].src == "192.168.0.1") or ( pkt[IP].dst == "192.168.0.1") ):
print("!")
sniff(filter="ip",prn=print_summary)
# or it possible to filter with filter parameter...!
sniff(filter="ip and host 192.168.0.1",prn=print_summary)
Enjoy!
User2871462 has a terrific answer, I would comment on it but I don't have the required amount of reputation. :) The only thing I would add is that depending on the use case you may want to add the store=0 flag to the sniff call so you're not storing the packets. From the scapy docstring "store: wether to store sniffed packets or discard them".
sniff(filter="ip",prn=print_summary, store=0)
Related
I want to send the captured packets to another PC in my local network.
When I run it I keep getting the Output:
Sent 1 packets.
Over and over, but in Wireshark I dont see any packets going to the IP-Adress 192.168.0.5...
Not sure what is wrong.
#!/usr/bin/env python3
from scapy.all import sniff, send
def spoof_and_send(packet):
packet[0][1].dst = '192.168.0.5'
send(packet)
packets = sniff(filter='udp and portrange 6000-7999', prn=spoof_and_send)
You cannot use the original Ethernet header:
def spoof_and_send(packet):
datagram = packet[IP]
datagram.dst = "192.168.0.5"
send(packet)
Moreover, if you use this code you are going to receive the packets you create. You need to filter those out to avoid loops.
I've been learning about TCP and UDP lately, and I know that ping uses ICMP so I'm trying to understand that too. My understanding is that when the command ping google.com is run, your computer sends an echo request ICMP packet over IP to google, and then google responds with an echo reply message.
My question is, when a server responds with that echo reply message, what is actually taking care of that? Is it the operating system? Is it a particular application? Or is it something else entirely?
Its the Kernel module which responds the ICMP requests. The ICMPv4 module is net/ipv4/icmp.c.
The ICMP module defines a table of array on how to handle various ICMP requests with object being icmp_objects, named icmp_pointers which is indexed by ICMP message type.
ICMP control structure:
struct icmp_control {
void (*handler)(struct sk_buff *skb);
short error; /* This ICMP is classed as an error message */
};
static const struct icmp_control icmp_pointers[NR_ICMP_TYPES + 1] = {
...
[ICMP_ECHO] = {
.handler = icmp_echo,
},
...
};
From above struct, when you send a echo request to google.com server the message type will be icmp_echo boiling down to subroutine call icmp_echo() which handles echo (ping) requests (ICMP_ECHO) by sending echo replies (ICMP_ECHOREPLY) with
icmp_reply().
In terms of the TCP/IP reference model it is the Network layer of the protocol stack, which is normally in the kernel.
Say I want scapy to be a server to receive packet,
like:
>> p=r("host:port") // waiting for a package
Is it possible?
If you really want to bind a socket, you'll have to use the socket module from Python. You can do so from Scapy and use it to dissect the captured packet.
By doing so however, you'll behave as a regular application and hence will only get the "application" layer (and not the network layers IP and TCP or UDP.
Now if you want to capture one packet from the network on a specific port, you can do so in "pure" Scapy, with the sniff() function and a simple BPF filter:
p = sniff(filter="port 53", count=1)[0]
I have problem with identifying communication established by TCP.
I have to identify first completed communication, for example first complete http communication.
I have dump .pcap file with capture. I know that communication should start by three way handshake ( SYN, SYN - ACK, ACK ) and then closing of communication by double FIN flag from both side.
But I have a lot of communication in that dump file.
So here is the question. Which things i need to remember to match exact one communication ?
I thought about source IP, destination IP, protocol, maybe port but i am not sure.
Thank you for every advice.
And sorry for my english.
You stated that you need:
To identify a particular conversation
To identify the first completed conversation
You can identify a particular TCP or UDP conversation by filtering for
the 5-tuple of the connection:
Source IP
Source Port
Destination IP
Destination Port
Transport (TCP or UDP)
As Shane mentioned, this is protocol dependent e.g. ICMP does not have the concept of
ports like TCP and UDP do.
A libpcap filter like the following would work for TCP and UDP:
tcp and host 1.1.1.1 and port 53523 and dst ip 1.1.1.2 and port 80
Apply it with tcpdump:
$ tcpdump -nnr myfile.pcap 'tcp and host 1.1.1.1 and port 53523 and dst ip 1.1.1.2 and port 80'
To identify the first completed connection you will have to follow the timestamps.
Using a tool like Bro to read a PCAP would yield the answer as it will list each connection
attempt seen (complete or incomplete):
$ bro -r myfile.pcap
$ bro-cut -d < conn.log | head -1
2014-03-14T10:00:09-0500 CPnl844qkZabYchIL7 1.1.1.1 57596 1.1.1.2 80 tcp http 0.271392 248 7775 SF F ShADadfF 14 1240 20 16606 (empty) US US
Use the flag data for TCP to judge whether there was a successful handshake and tear down.
For other protocols you can make judgements based on byte counts, sent and received.
Identifying the first completed communication is highly protocol specific. You are on the right track with your filters. If your protocol is a commonly used one there are plug ins called protocol analyzers and filters that can locate "conversations" for you from a pcap data stream. If you know approximate start time and end time that would help narrow it down too.
I develop a network program that is used to transfer files , it works . But I just know it can works , and I don't know how to monitor and evaluate it . So I want to know what aspects a network program usually need to consider and monitor and how to monitor .
First make sure which protocol you have been used to send files (either TCP or UDP).
1.If you are using TCP at transport layer ,at the receiving end you can use TCPDUMP
packet analyzer to analyze all packets receiving on TCP port and its content.
2.If you want to analyze packets irrespective of protocols used at different layers, you can use wireshark packet analyzer to analyze all packets received on different networks like ethernet,PPP, loop back ,frame relay. you can use IP address of sender host as a reference to extract packets ( you need some reference to extract packets because wire shark will return all the packets received on the NIC interface). Once you extract the packets received from your sender host, you can analyze the packet payload to check whether files content has been received properly or not.
3.you can redirect data ( payload) of all received packets into some file. Once your program is done with receiving packets, you can check with that file to check data has been properly received or not. ( you can use this method only to test your client/server programs within a system)