How to read perfectly a .pcap file - linux

Using tcpdump im trying to sniff some packets. The result is this:
reading from file /tmp/prueba.pcap, link-type LINUX_SLL (Linux cooked v1)
13:35:51.767194 IP6 fdc1:41d:9c3:dbef:a6e9:69f0:59aa:b70a.47193 > fdc1:41d:9c3:dbef:0:ff:fe00:8c00.47193: UDP, length 63
0x0000: 6000 0000 0047 1140 fdc1 041d 09c3 dbef `....G.#........
0x0010: a6e9 69f0 59aa b70a fdc1 041d 09c3 dbef ..i.Y...........
0x0020: 0000 00ff fe00 8c00 b859 b859 0047 d42e .........Y.Y.G..
0x0030: 3f0c 0000 0dc2 50f1 0d7b 2254 696d 6522 ?.....P..{"Time"
0x0040: 3a5b 3136 3632 3033 3933 3531 2c22 225d :[1662039351,""]
0x0050: 2c22 4d6f 6417 0012 320f 00f0 0352 6f6c ,"Mod...2....Rol
0x0060: 6c22 3a5b 3533 302c 2264 c2ba 225d 7d l":[530,"d.."]}
The point is in the line with address 0x0050 we can read "Mod...2". That "Mod" means "Mode" but I don't understand why is not the whole word "Mode". ¿Where is the "e"? I need to read that message perfectly for automate a program reading values from there.
I discarded a puntual problem transmiting the message because every time I sniff a packet that contain that info, the format is exactly the same.
Regards,

There are indications that the packet is not correct in other ways than a missing e. For example, the ether type is 0x09c3 and not 0x86dd (IPv6).
Maybe this code to create a PCAP file can help. Using the raw packet you provided as input the output file is bad.pcap and you could use a tool like Wireshark to examine the packet in more detail, see here
import codecs
from scapy.all import wrpcap, Ether, IP, IPv6, UDP, Raw
data = (
'60 00 00 00 00 47 11 40 fd c1 04 1d 09 c3 db ef '
'a6 e9 69 f0 59 aa b7 0a fd c1 04 1d 09 c3 db ef '
'00 00 00 ff fe 00 8c 00 b8 59 b8 59 00 47 d4 2e '
'3f 0c 00 00 0d c2 50 f1 0d 7b 22 54 69 6d 65 22 '
'3a 5b 31 36 36 32 30 33 39 33 35 31 2c 22 22 5d '
'2c 22 4d 6f 64 17 00 12 32 0f 00 f0 03 52 6f 6c '
'6c 22 3a 5b 35 33 30 2c 22 64 c2 ba 22 5d 7d' )
data_list = data.split( " " )
data_s = codecs.decode(''.join(data_list), 'hex')
packet = Raw(load=data_s)
wrpcap('bad.pcap', [packet])
data = (
'3f 0c 00 00 0d c2 50 f1 0d 7b 22 54 69 6d 65 22 '
'3a 5b 31 36 36 32 30 33 39 33 35 31 2c 22 22 5d '
'2c 22 4d 6f 64 17 00 12 32 0f 00 f0 03 52 6f 6c '
'6c 22 3a 5b 35 33 30 2c 22 64 c2 ba 22 5d 7d' )
data_list = data.split( " " )
data_s = codecs.decode(''.join(data_list), 'hex')
packet = Ether(dst="60:00:00:00:00:47", src="11:40:fd:c1:04:1d") / IPv6(dst="fdc1:41d:9c3:dbef:0:ff:fe00:8c00", src="fdc1:41d:9c3:dbef:a6e9:69f0:59aa:b70a" ) / UDP(sport=47193, dport=47193, len=0x0047 ) / Raw(load=data_s)
wrpcap('better.pcap', [packet])

The hex dump begins with the IPv6 header; the link-layer header is not being dumped, so the Ethertype that would appear in the LINKTYPE_SLL_LINUX link-layer header isn't shown.
So the header is:
6000 0000: version (6), traffic class (0), flow label (0)
0047: payload length (0x47 = 71)
1140: next header (0x11 = 17 = UDP), hop limit (0x40 = 64)
fdc1 041d 09c3 dbef a6e9 69f0 59aa b70a: source IPv6 address (fdc1:41d:9c3:dbef:a6e9:69f0:59aa:b70a)
fdc1 041d 09c3 dbef 0000 00ff fe00 8c00: destination IPv6 address (fdc1:41d:9c3:dbef:0:ff:fe00:8c00)
The next header field is 17, so what follows that is a UDP header:
b859: source port (0x5859 = 47193)
b859: destination port (0x5859 = 47193)
0047: length (0x47 = 71)
d42e: checksum
Those 71 bytes are the UDP header (8 bytes) plus the UDP payload (71 - 8 = 63 bytes).
Port 47193 is a in the "registered" port range; however, it does not appear in the current list of well-known and registered ports.
It does, however, appear, from some web searches, to be the default gateway port for MQTT-SN. MQTT "is a lightweight, publish-subscribe, machine to machine network protocol", and MQTT-SN, according to that page, "is a variation of the main protocol aimed at battery-powered embedded devices on non-TCP/IP networks".
If this is MQTT-SN, then, according to the protocol specification for MQTT-SN, the payload would be:
3f0c: length (0x3f = 63), message type (0c = PUBLISH)
00: flags (0x0000)
000d: TopicId
c250: MsgId
f1 0d7b 2254 696d 6522 3a5b 3136 3632 3033 3933 3531 2c22 225d 2c22 4d6f 6417 0012 320f 00f0 0352 6f6c 6c22 3a5b 3533 302c 2264 c2ba 225d 7d: Data
So that data is:
0xf1 0x0d {"Time":[1662039351,""],"Mod 0x17 0x00 0x12 2 0x0f 0x00 0xf0 0x03 Roll":[530,"d 0xc2 0xba "]}
If the published data is intended to be ASCII text, it appears to have been damaged; if this is from a wireless low-power network, perhaps there was radio interference.

The answer is easy... The content of the pcap packet was compressed with lz4...

Related

How can I emulate an I2C device on Linux?

I have a custom SOM (based on iMX6) board being developed that will run Ubuntu, and has several I2C devices attached to one of the iMX6 I2C "adapters". Given the hardware is not yet available, I'd like to write software to access and control said I2C devices, preferably by emulating them on my Ubuntu laptop; I'm thinking such as setup might also be useful for software testing.
I've been playing with i2cdetect to see what is on my laptop, and I found a few particularly intriguing things; consider these commands and the responses:
$ sudo i2cdetect -l
i2c-3 i2c i915 gmbus dpd I2C adapter
i2c-1 i2c i915 gmbus dpc I2C adapter
i2c-6 i2c DPDDC-C I2C adapter
i2c-4 i2c DPDDC-A I2C adapter
i2c-2 i2c i915 gmbus dpb I2C adapter
i2c-0 i2c Synopsys DesignWare I2C adapter I2C adapter
i2c-5 i2c DPDDC-B I2C adapter
$ sudo i2cdetect -y -r 4
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30: 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
40: 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
50: 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60: 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
70: 70 71 72 73 74 75 76 77
I understand this to mean that, for each cell in that table that has a number, a device with that number as its address is present on the bus; for example, the first number, 0x03, means there is a device with I2C address 0x03. It seems rather unlikely that the i2c-4 adapter really has 117 devices attached to it! (FWIW most of the other adapters have no devices, with only two showing a small number of devices on each bus; these appear to be "real" I2C buses.) But back to i2c-4 - is that some sort of simulated (or emulated) adapter with simulated devices on it? I decided to see what I could i2cdump data from one of the suspect devices, and found something like this:
$ sudo i2cdump -y 4 0x3 b
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
00: 00 00 02 02 04 04 06 06 08 08 0a 0a 0c 0c 0e 0e ..??????????????
10: 10 10 12 12 14 14 16 16 18 18 1a 1a 1c 1c 1e 1e ????????????????
20: 20 20 22 22 24 24 26 26 28 28 2a 2a 2c 2c 2e 2e ""$$&&((**,,..
30: 30 30 32 32 34 34 36 36 38 38 3a 3a 3c 3c 3e 3e 0022446688::<<>>
40: 40 40 42 42 44 44 46 46 48 48 4a 4a 4c 4c 4e 4e ##BBDDFFHHJJLLNN
50: 50 50 52 52 54 54 56 56 58 58 5a 5a 5c 5c 5e 5e PPRRTTVVXXZZ\\^^
60: 60 60 62 62 64 64 66 66 68 68 6a 6a 6c 6c 6e 6e ``bbddffhhjjllnn
70: 70 70 72 72 74 74 76 76 78 78 7a 7a 7c 7c 7e 7e pprrttvvxxzz||~~
80: 80 80 82 82 84 84 86 86 88 88 8a 8a 8c 8c 8e 8e ????????????????
90: 90 90 92 92 94 94 96 96 98 98 9a 9a 9c 9c 9e 9e ????????????????
a0: a0 a0 a2 a2 a4 a4 a6 a6 a8 a8 aa aa ac ac ae ae ????????????????
b0: b0 b0 b2 b2 b4 b4 b6 b6 b8 b8 ba ba bc bc be be ????????????????
c0: c0 c0 c2 c2 c4 c4 c6 c6 c8 c8 ca ca cc cc ce ce ????????????????
d0: d0 d0 d2 d2 d4 d4 d6 d6 d8 d8 da da dc dc de de ????????????????
e0: e0 e0 e2 e2 e4 e4 e6 e6 e8 e8 ea ea ec ec ee ee ????????????????
f0: f0 f0 f2 f2 f4 f4 f6 f6 f8 f8 fa fa fc fc fe fe ????????????????
This worked for device addresses 0x03 through 0x07; above that, the hex data was replaced with XX! Anyway, I'm guessing this table shows 256 bytes of data on the "device".
I tried to read/write/read a byte, but it doesn't work:
$ sudo i2cget -y 4 0x3 0xff
0xfe
$ sudo i2cset -y 4 0x3 0xff 0x27
$ sudo i2cget -y 4 0x3 0xff
0xfe
With all that as background, here are my questions:
Is i2c-4 really an simulated I2C adapter, and what is its purpose?
Am I using i2cget and i2cset correctly, and if not, where am I going wrong? (Of course, this assumes i2c-4 address 0x3 works as I expected)
If not, is there a way to emulate an I2C device (and probably, adapter) so that I can write software that is able to read/write to it?
Of course, question 3 is the main focus here...
Thanks!
Answering this in case someone else has the same/similar question.
The secret is to use i2c-stub, which I had heard of but didn't get a clear understanding of what it is. Here is all I was looking for:
# Set up fake device
$ sudo modprobe i2c-dev
$ sudo modprobe i2c-stub chip_addr=0x03
$ i2cdetect -l
...
i2c-7 unknown SMBus stub driver N/A <<--- Here it is!
# Read data
$ sudo i2cdump -y -r 0-7 7 0x03 b
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
00: 00 00 00 00 00 00 00 00 .?......
# Write data
$ sudo i2cset -y 7 0x03 0x01 0x27
# Read data again
$ sudo i2cdump -y -r 0-7 7 0x03 b
0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
00: 00 27 00 00 00 00 00 00 .?......

How to convert Big Endian Hex to ASCII in Node?

I'm trying to interpret a HEX message that is transmitted in network byte order (big endian), how should I proceed to achieve conversion to ASCII?
server.on('message', function (message, remote) {
//I receive message via UDP in HEX.
});
The message comes in this format:
2B 41 43 4B 19 EF 24 10 01 02 03 02 56 50 22 00 0A 02 3B 01 00 00 4E 07 DD 02 17 11 21 20 46 AD 4E 1E 0D 0A
With that being said, each byte has a parameter attached, let's say I have 4 bytes to parameter1, 2 bytes to parameter2 and 8 bytes to parameter 3, how would I interpret it?

Unknown Bittorrent Message

I have been receiving an odd/unknown message while attempting to communicate with some bittorrent peers. In this particular case I am in the middle of downloading pieces and all of a sudden this new/odd message pops up in front of a piece response.The message is odd because it doesn't appear to follow the protocol, all messages are supposed to look like this
'<length prefix><message ID><payload>'
length prefix is 4 bytes, message id is 1 byte and the payload. I am including a capture to show what I mean, on line 509 of the capture you will
see a request for a piece, on line 510 you will see the beginning of the response.
The first 4 bytes of the response are 00 00 00 00, ie 0 length message (Which is causing me issues), the next 4 bytes are the actual length of the message which is 30. The actual response to the piece request starts on line 513, so I get the piece I was requesting but this new/odd message is messing me up. I'm certain I can find a workaround but I would really like to understand what this means.
Also, I have no idea what the actual message means, and cannot find any information about it anywhere.
Here is the Wireshark capture.
https://1drv.ms/u/s!Agj06pa-wu0tnFqsYn_KnHmVz3x2
Data from packet 510:
0000 00 00 00 00 00 00 00 1e 14 01 64 35 3a 61 64 64 ..........d5:add
0010 65 64 36 3a 63 f2 7a 48 17 f4 37 3a 64 72 6f 70 ed6:c.zH..7:drop
0020 70 65 64 30 3a 65 ped0:e
00 00 00 00 4 bytes keep-alive message
00 00 00 1e message length 30 bytes
14 message type extended message (BEP10)
01 extended message ID = 1 as specified by the previous extension handshake: ut_pex
64 35 3a 61 64 64 65 64 36 3a 63 f2 7a 48 17 f4 37 3a 64 72 6f 70 70 65 64 30 3a 65
d5:added6:c.zH..7:dropped0:e
ut_pex message data (bencoded)
d
5:added
6:c.zH..
7:dropped
0:
e
ut_pex message data (bencoded with added white space)
The first 4 bytes of the response are 00 00 00 00, ie 0 length message (Which is causing me issues)
The bittorrent spec says
Messages of length zero are keepalives, and ignored.

Capturing packets getting only payload

I need to get only the payload of network packets (without Ethernet header). I used TCPDump, I get something like :
0x0000: 4500 013f 7913 4000 4006 72ee ac10 01e3 E..?y.#.#.r.....
0x0010: c732 d894 b826 0050 9455 3f65 51f9 a5f4 ./...&.P.U?eQ...
0x0020: 8018 0990 4ee9 0000 0101 080a 0079 6387 ....N........yc.
[...]
I also tried with Scapy :
>>>hexdump(p)
0000 00 19 4B 10 38 79 00 26 5E 17 00 6E 08 00 45 00 ..K.8y.&^..n..E.
0010 00 40 90 E7 40 00 40 11 26 66 C0 A8 01 0E C0 A8 .#..#.#.&f......
0020 01 01 97 F1 00 35 00 2C 06 5A 6E 18 01 00 00 01 .....5.,.Zn.....
Do you know how to get only the middle column? (preferably all on one line)
(I tried Tshark, but it doesn't correspond to my expectations)
Thanks
There is a tcpick project on sourceforge that should do what you want.
You can use wireshark to analyzes the packets.And also you get more detailed description

How to start REPL for slimv with MIT-Scheme

My operating system is Debian Squeeze. Here's the vim version:
VIM - Vi IMproved 7.2 (2008 Aug 9, compiled Jul 12 2010 02:29:33)
I read a tutorial on http://kovisoft.bitbucket.org/tutorial.html and tried to start REPL for MIT-Scheme. Unfortunately, I failed to start.
When I pressed ",c", it started a terminal window loading mit-scheme. Nothing showed in the REPL buffer of vim. Some errors showed in the terminal:
Listening on port: 4005
;netcat: "4005: inverse host lookup failed: Unknown host"
;To continue, call RESTART with an option number:
; (RESTART 1) => Return to read-eval-print level 1.
2 error>
I read the source code and fixed some bugs (about the parameters of netcat and something else), here's the diff file:
*** /home/gaussfrank/slimv/slime/contrib/swank-mit-scheme.scm 2012-02-02 16:41:58.357463955 +0800
--- swank-mit-scheme.scm 2012-02-06 22:30:42.929212874 +0800
***************
*** 113,126 ****
(define (netcat port)
(let* ((sh (os/shell-file-name))
! (cmd (format #f "exec netcat -v -q 0 -l ~a 2>&1" port))
(netcat (start-pipe-subprocess sh
(vector sh "-c" cmd)
scheme-subprocess-environment)))
(list netcat port)))
(define (netcat-accept nc)
! (let* ((rx "^Connection from .+ port .+ accepted$")
(line (read-line (subprocess-input-port nc)))
(match (re-string-match rx line)))
(cond ((not match) (error "netcat:" line))
--- 113,126 ----
(define (netcat port)
(let* ((sh (os/shell-file-name))
! (cmd (format #f "exec netcat -v -q 0 -l -p ~a 2>&1" port))
(netcat (start-pipe-subprocess sh
(vector sh "-c" cmd)
scheme-subprocess-environment)))
(list netcat port)))
(define (netcat-accept nc)
! (let* ((rx "^listening on.*")
(line (read-line (subprocess-input-port nc)))
(match (re-string-match rx line)))
(cond ((not match) (error "netcat:" line))
I retried, but some new problems happened.
;The object #f, passed as the second argument to integer-add, is not the correct type.
;To continue, call RESTART with an option number:
; (RESTART 4) => Specify an argument to use in its place.
; (RESTART 3) => Return to SLIME top-level.
; (RESTART 2) => Close connection.
; (RESTART 1) => Return to read-eval-print level 1.
Here's the log file (swank.log)
[---Sent---] 0.21
(:emacs-rex (swank:connection-info) nil t 1)
[---Sent---] 16.11
(:emacs-rex (swank:swank-require 'swank-fuzzy) nil t 2)
Here's the packet:
8 0.739991 127.0.0.1 127.0.0.1 TCP 50732 > pxc-pin [PSH, ACK] Seq=1 Ack=1 Win=32792 Len=51 TSV=1451459 TSER=1451459
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0010 00 67 91 53 40 00 40 06 ab 3b 7f 00 00 01 7f 00 .g.S#.#..;......
0020 00 01 c6 2c 0f a5 f9 57 b4 93 fc 40 7f 85 80 18 ...,...W...#....
0030 10 03 fe 5b 00 00 01 01 08 0a 00 16 25 c3 00 16 ...[........%...
0040 25 c3 30 30 30 30 32 64 28 3a 65 6d 61 63 73 2d %.00002d(:emacs-
0050 72 65 78 20 28 73 77 61 6e 6b 3a 63 6f 6e 6e 65 rex (swank:conne
0060 63 74 69 6f 6e 2d 69 6e 66 6f 29 20 6e 69 6c 20 ction-info) nil
0070 74 20 31 29 0a t 1).
9 0.740009 127.0.0.1 127.0.0.1 TCP pxc-pin > 50732 [ACK] Seq=1 Ack=52 Win=32768 Len=0 TSV=1451459 TSER=1451459
0000 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0010 00 34 5a 46 40 00 40 06 e2 7b 7f 00 00 01 7f 00 .4ZF#.#..{......
0020 00 01 0f a5 c6 2c fc 40 7f 85 f9 57 b4 c6 80 10 .....,.#...W....
0030 10 00 fe 28 00 00 01 01 08 0a 00 16 25 c3 00 16 ...(........%...
0040 25 c3 %.
This is a known problem. I have a patched version of Slimv in my git repo which fixes this issue and quite a few others.
Note that it's quite a while ago that I used Slimv, so I can't recall from the top of my head what the exact changes are I made. I only tested this on OS X, so YMMV.

Resources