TCP Null Scan using Scapy - tcp

Can someone guide me on how to send packets in Scapy to an ip address, with all flags in the TCP header set to null ? I have so far tried sending packets without specifying which flags to set, but it seems to set the Syn flag everytime I send the packet.
I would like to know it so that I can learn more about TCP Null Scans. Would be grateful for ur help and guidance.

I haven't used Scapy, but from a quick scan of the documentation there is an example of creating a TCP packet while specifying which flags to set, on this page of the docs:
http://www.secdev.org/projects/scapy/doc/usage.html#simple-one-liners
sr( IP(dst="192.168.1.*")/TCP(dport=80,flags="S") )
Perhaps you could try a command like that, with an empty string ""? i.e. TCP(dport=80,flags="") ?

If you don't want to actually send a TCP header, you'd be better off just setting the protocol of the IP packet and gluing a string of zeros on top of it.
sr( IP(dst="192.168.1.", proto="TCP")/"\0"*50)
Edit: I'm not actually positive on the syntax, you might have to use the protocol number instead of "TCP"

Thank you Andy and Jdizzle for the suggestions.
I tried out what Andy Recommended earlier itself, but the packet somehow seemed to have the Syn Flag set, when i checked it on wireshark.
The good news is, i solved the problem, the flags can be set to null, at the instance when you create the packet to be sent.
create a packet --> a=TCP() and then setting the flag to zero by --> a.flags=0
there are many other attributes that you can preset in this manner before preparing the packet to be sent over the network. You can view these attributes by --> ls(a)
where a=the name of the packet.
This worked successfully !

Related

Wireshark not showing SNMP

I am having an issue with wireshark capture. The wireshark doesn't show SNMP protocol but as UDP and complaints as malformed packet.1: https://i.stack.imgur.com/EXcfN.jpg May I know the reason and solution for this issue.
Thanks and Regards,
Alexander.
Looks like your packet is cut out in the middle.
Notice that both the IP and the SNMP length field are indicating longer payload than there actually is (they are even marked red for that reason).
Somewhere in the way from the sender to wireshark the packet was cut short. could be because of a malfunctioning router, BER, or just corrupted pcap file.
Wireshark has a really hard time trying to dissect packets (remember it doesn't know the configurations on the end components), but it does it's best with heuristics defined by the community. A malformed packet not being dissected right is not surprising.
If you decide to change WS's heuristics on your PC you may as well do that using LUA plugins.

Wireshark: How to filter for a specific SYN packet?

I'm pretty new to Wireshark and stuck with a filter task.
I have network traffic and error messages from a certain system. I need to trace the SYN packet of one of my error messages.
For Wireshark, that means I need to filter for one specific IP-port combination x.x.x.x:xxxx among the SYN packets.
With tcp.flags.syn == 1 as a display filter I have been able to narrow down Wireshark's output to only SYN packets, but it's still far too many to find the one packet belonging to the port where we see the error and that we would like to follow.
Can you help me with that?
Looking only at SYN packets is not very helpful if you need to find a conversation that has problems - it's usually better to gather as much information about the IPs involved in the problem and filter on them. E.g. if you know that the computer with the IP 192.168.1.1 has a problem, and your capture has tons of conversations, you can filter on that IP by using the following filter:
ip.addr==192.168.1.1
If you also know the layer 4 protocol and port (e.g. TCP on port 1025) you can filter on both IP and port, like this:
ip.addr==192.168.1.1 and tcp.port==1025.
If you have a plain text protocol and know the text of the error message (if it is actually visible in a packet, and not just some coded thing), you could use the "find" option and search for the string (don't forget to set the search type to "string", because the default is "display filter").

Why do I need source port on UDP

When I use TCP I need destination port (to be able to "talk" to other process on the other host) and source port (because TCP is connection oriented so I'll send data back to source like ack, seq and more).
On the other side, UDP which is connectionless needs also source port.
Why is it? (I don't need to send back data)
Probably, two reasons.
First, receivers often need to reply and it is useful to provision a standard tool for that.
Secondly, you may have multiple interfaces (network cards) and using source address, you decide which of them must be used to emit the packet.
You don't need to but there's still the possibility to send a response back (that is very useful actually) however as stated in the RCF 768
Source Port is an optional field, when meaningful, it indicates the port
of the sending process, and may be assumed to be the port to which a
reply should be addressed in the absence of any other information. If
not used, a value of zero is inserted.
https://www.rfc-editor.org/rfc/rfc768
I would like to add to the answers here. Apart from simply knowing what to reply to, the source port can belong to the list of well-known port numbers. These ports specify what kind of data is encapsulated in the UDP (or TCP!) packet.
For example, the source port 530 indicates that the packet contains a Remote Procedure Call, and 520 indicates a Routing Information Protocol packet.

how to know whether the TCP ends or not?

TCP is stream to communicate and it has varying length. So in the application, how I can know whether the TCP ends or not?
In the transfom layer, The TCP packet header doesn't have a length field and its length is varying, how can the TCP layer know where is the end.
You design a protocol that runs on top of TCP that includes a length field (or a message terminator). You can look at existing protocols layered on top of TCP (such as DNS, HTTP, IRC, SMTP, SMB, and so on) to see how they do this.
To avoid pain, it helps to have a thorough understanding of several different protocols layered on top of TCP before attempting to design your own. There's a lot of subtle details you can easily get wrong.
If you look at this post, it gives a good answer.
Depending on what you are communicating with, or how you are communicating there will need to be some sort of character sequence that you look for to know that an individual message or transmission is done if you plan to leave the socket open.
n the transfom layer
I assume you mean 'transport layer'?
The TCP packet header doesn't have a length field and its length is varying
The IP header has a length field. Another one in the TCP header would be redundant.
how can the TCP layer know where is the end.
From the IP header length word, less the IP and TCP header sizes.
When a party of a TCP connection receives a FIN or RST signal it knows that the other side has stopped sending. At an API level you can call shutdown to give that signal. The other side will then get a zero length read and knows that nothing more will be coming.

Obligatory options for tcp syn

I'm writing a soft for a microchip that will send some data via Ethernet and I've encountered a problem. I'm sending a TCP SYN segment and I have no answer from the server.
Everything looks fine, the only one difference between packets that gain answer and my ones is that my packets have no options (the pool described as optional). Are there some options that should be defined for SYN to work properly?
(If anyone know how to copy a packet from wireshark in a nice form I'll show you my packet.)
Make sure that your tcp header padding bytes are set to all 0's or 0xff
As cxxl mentioned in a comment the problem was incorrect TCP checksum.

Resources