I need to generate and STP traffic using scapy and when I visualize it via wireshark I get an output similar to the caption shown below:
when I run this code:
from scapy.all import STP
import scapy
from scapy.all import *
data='STP'
sendp(Ether(dst="01:80:c2:00:00:00")/LLC(dsap=0xaa, ssap=0xaa)/STP(bpdutype=0x00, bpduflags=0x01, portid=0x8002)/data, iface="eth1", count=200)
this is my wireshark output
I don't know how to change the organization code to 00:00:0c, because I believe it's the one who is making this problem
you forgot the layer SNAP
here are 2 exemples taht helped me debug:
exemple 1: your code.
exemple 2: added the SNAP layer
for both exemples:
from scapy.layers.inet import SNAP
from scapy.layers.l2 import Ether, LLC, STP
data = "STP"
exemple number1:
packet = (
Ether(dst="01:80:c2:00:00:00")
/ LLC(dsap=0xAA, ssap=0xAA)
/ STP(bpdutype=0x00, bpduflags=0x01, portid=0x8002)
/ data
)
packet.show2()
output:
###[ Ethernet ]###
dst = 01:80:c2:00:00:00
src = 4c:d9:8f:77:3b:33
type = 0x8870
###[ LLC ]###
dsap = 0xaa
ssap = 0xaa
ctrl = 3
###[ SNAP ]###
OUI = 0x0
code = 0x1
###[ 802.3 ]###
dst = 00:00:00:00:00:00
src = 00:00:00:00:00:00
len = 0
###[ Padding ]###
load = '\x00\x00\x00\x00\x00\x00\x80\x02\x01\x00\x14\x00\x02\x00\x0f\x00STP'
Do you see how scapy decode a layer named SNAP right after the LLC layer?
that makes the decoding all wrong after
so let's add it, so all the decoding will true:
exemple 2: add the SNAP layer
packet = (
Ether(dst="01:80:c2:00:00:00")
/ LLC(dsap=0xAA, ssap=0xAA)
/ SNAP()
/ STP(bpdutype=0x00, bpduflags=0x01, portid=0x8002)
/ data
)
packet.show2()
output:
###[ Ethernet ]###
dst = 01:80:c2:00:00:00
src = 4c:d9:8f:77:3b:33
type = 0x8870
###[ LLC ]###
dsap = 0xaa
ssap = 0xaa
ctrl = 3
###[ SNAP ]###
OUI = 0x0
code = 0x10b
###[ Spanning Tree Protocol ]###
proto = 0
version = 0
bpdutype = 0
bpduflags = 1
rootid = 0
rootmac = 00:00:00:00:00:00
pathcost = 0
bridgeid = 0
bridgemac = 00:00:00:00:00:00
portid = 32770
age = 1.0
maxage = 20.0
hellotime = 2.0
fwddelay = 15.0
###[ Raw ]###
load = 'STP'
it seems to look a lot better.
I didn't try with wireshark, but at the least scapy seems happy with it.
Related
I have wrote a small app to respond to ICMP, however it seems that the sender is ignoring the ICMP replies. Inspecting the packets in Wireshark they are missing the timestamp fields, and working ICMP replies from actual devices contain the timestamp fields, is it just a case I'm missing them in mine?
I've poisoned the ARP cache so it has a correct ARP mapping in the ARP table.
I've confirmed using TCPDump that the ICMP replies are at least hitting the interface, not sure if they are being processed beyond that - if anyone has any advice on where to check for that, it would be appreciated
def respond_to_icmp(self, icmp_packet):
if icmp_packet["IP"].dst == self.ip: # if this is my IP
eth = Ether(dst=icmp_packet["Ether"].src, src=self.mac)
ip = IP(src=icmp_packet["IP"].dst, dst=icmp_packet["IP"].src)
icmp = ICMP(type=0, id=icmp_packet['ICMP'].id, seq=icmp_packet['ICMP'].seq)
icmp_reply = eth/ip/icmp
sendp(icmp_reply, iface=self.interface) # eth0 (on which it is received)
ICMP Reply Packet
###[ Ethernet ]###
dst = de:ad:be:ef:ee:ff
src = aa:bb:cc:dd:ee:ff
type = IPv4
###[ IP ]###
version = 4
ihl = None
tos = 0x0
len = None
id = 1
flags =
frag = 0
ttl = 64
proto = icmp
chksum = None
src = 192.168.3.46
dst = 192.168.3.1
\options \
###[ ICMP ]###
type = echo-reply
code = 0
chksum = None
id = 0x6b86
seq = 0x19f
ICMP activity from sender
21:14:06.487711 IP 192.168.3.46 > 192.168.3.1: ICMP echo reply, id 0, seq 0, length 8
21:14:07.417939 IP 192.168.3.1 > 192.168.3.46: ICMP echo request, id 27526, seq 52, length 64
21:14:07.487494 IP 192.168.3.46 > 192.168.3.1: ICMP echo reply, id 0, seq 0, length 8
21:14:08.441948 IP 192.168.3.1 > 192.168.3.46: ICMP echo request, id 27526, seq 53, length 64
21:14:08.548995 IP 192.168.3.46 > 192.168.3.1: ICMP echo reply, id 0, seq 0, length 8
Actual ICMP Result
From 192.168.3.1 icmp_seq=368 Destination Host Unreachable
From 192.168.3.1 icmp_seq=369 Destination Host Unreachable
From 192.168.3.1 icmp_seq=370 Destination Host Unreachable
From 192.168.3.1 icmp_seq=458 Destination Host Unreachable
From 192.168.3.1 icmp_seq=459 Destination Host Unreachable
From 192.168.3.1 icmp_seq=460 Destination Host Unreachable
Turns out when Linux is responsible for ICMP, it includes a nice little data payload, without adding this payload to the reply, Linux must think that there was an error or malformation of packet.
def respond_to_icmp(self, icmp_packet):
if icmp_packet["IP"].dst == self.ip:
eth = Ether(dst=icmp_packet["Ether"].src, src=icmp_packet["Ether"].dst)
ip = IP(src=icmp_packet["IP"].dst, dst=icmp_packet["IP"].src)
icmp = ICMP(type=0, id=icmp_packet['ICMP'].id, seq=icmp_packet['ICMP'].seq)
raw = Raw(load=icmp_packet["Raw"].load)
icmp_reply = eth/ip/icmp/raw
sendp(icmp_reply, iface=self.interface)
I'm playing with scapy. I'm trying to forge JUST PSH/ACK and ACK packets in sequence
I coded two tools: A which sends PSH/ACK packets and then sniffs the resulting ACK, writing the sequence in a file to use it later
.....
bitack = random.randrange(1,656787969)
bitseq = random.randrange(1,4294967295)
if os.path.exists('test.txt'):
with open('test.txt','r') as f:
bitseq = int(f.read())
else:
with open('test.txt','w') as f:
f.write(str(bitseq))
.....
text = "Ok"
TSval = int(time.time())
TSecr = TSval
acker = IP(src="127.0.0.1",dst=destinazione"127.0.0.1")/TCP(sport=88,dport=8888,
flags="PA", seq=bitseq, ack=bitack, options=[('Timestamp', (TSval, TSecr))])/text
send(acker)
.....
rx = sniff(filter="host 127.0.0.1 and src port 8888", iface="lo", count=1)
seqcc = rx[0].getlayer(TCP).seq
ackcc = rx[0].getlayer(TCP).ack
with open('test.txt','w') as f:
f.write(str(ackcc))
print("SEQFINALE=", ackcc)
B: which sends ACK packets AFTER it sniffs a PSH/ACK packet from A. I know the ack packets contain text ( in this example the same of A), but this is what I want
....
rx = sniff(filter="host 127.0.0.1 and dst port 8888", iface="lo", count=1)
seqcc = rx[0].getlayer(TCP).seq
print("seq:", seqcc)
ackcc = rx[0].getlayer(TCP).ack
print("ack:", ackcc)
var = rx[0][Raw].load.decode(encoding='utf-8', errors='ignore')
acker = IP(src="127.0.0.1",dst="127.0.0.1")/TCP(sport=8888,dport=88, flags="A",
seq=ackcc, ack=seqcc + int(len(var)), options=[('Timestamp', (TSval, TSecr))])/var
send(acker)
.....
Everything works fine expect that wireshark gives some warning and I don't understand why:
"Expert Info (Note/Sequence): This frame is a (suspected) retransmission"
The first two packets are perfect:
Is there any issue in how I handle the sequence number/ ack number?
This makes me crazy
It is a retransmission. Your capture shows a frame from 8888 to 88 at seq=1 with 52 bytes of data (len=52). If you ever send another frame from 8888 to 88 at seq=1, it's a retransmission. TCP streams are in a single direction: A sends to B, B ACK's what A sent. (in this case, there should be an ACK=53 in a frame from 88 to 8888, either alone or piggybacking data.)
I have the following code in micropython that is running on my Espressif ESP32-PICO-KIT. To this I have attached a WaveShare 1.54" ePaper display (supporting red color).
When I reach the last line the display updates in waves, but I only get white-red noise on the display.
I'm using the driver from mcauser/micropython-waveshare-epaper on Github.
This is my code:
from machine import Pin, SoftSPI
import epaper1in54b
miso = Pin(19)
sck = Pin(18) # yellow
mosi = Pin(23) # white
cs = Pin(5) # green
dc = Pin(25) # gray
rst = Pin(21) # orange
busy = Pin(19) # gray
spi = SoftSPI(baudrate=20000000, polarity=0, phase=0, sck=sck, mosi=mosi, miso=miso)
e = epaper1in54b.EPD(spi, cs, dc, rst, busy)
e.init()
w = 200
h = 200
x = 0
y = 0
import framebuf
buf = bytearray(w * h // 8)
fb = framebuf.FrameBuffer(buf, w, h, framebuf.MONO_VLSB)
black = 0
white = 1
red = 2
fb.fill(white)
fb.text('Hello world!', 0, 0,black)
e.display_frame(buf,None)
The result
Update:
I'm using MicroPython v1.16 on 2021-06-18; ESP32 module with ESP32.
Please note that I did file a new issue in the mcauser/micropython-waveshare-epaper repository.
Don't know anything about your Espressif ESP32-PICO-KIT, but the v4 datasheet says: "USB-UART bridge Single-chip USB-UART bridge: CP2102 in V4 provides up to 1 Mbps transfer rates and CP2102N in V4.1 offers up to 3 Mbps transfers rates."
The 20,000,000 value you have in SoftSPI looks VERY suspicious. Did you mean 2,000,000?
Edit: I just realied this isn't using USB-UART, rather SDIO/SPI. So, those rate limits above aren't relevant.
I'm trying to switch to using Scapy instead of Wireshark, but am having trouble decoding the data I'm getting. In Wireshark I can easily see the last layer for filtered packets labeled as "Distributed Interactive Simulation", but in Scapy the last layer is "Raw". I'm trying to get the data from this layer in the same human readable format. So far I've gotten:
# Capture with Scapy
from scapy.all import sniff
capture = sniff(filter="dst 10.6.255.255 and port 3000", count=5)
packet = capture[0]
raw = pkt.lastlayer()
print(raw)
<Raw load='\x068\x14\x05L\x88nK\x00x\x00\x00\x00\x94\x08\x88\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x9f\x00\x00\x02 \x00\x01sj\x9b\xf4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04p\x00\x08\x00\x00\x00\x00\x00\x00d\xe9Y<\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x8c\x00\x00\x113\x00\x00\x00\x01\x00\x02\x0c\x00\x00\x00\x01\x02\x00\x00\x00\x041187\x00\x00\x00\x00\x00' |>
Could someone show me how to make this human readable?
First, you have an error in your script. raw = pkt.lastlayer() should be raw = packet.lastlayer().
Try adding print(packet.show()) to your script for a more readable format which will give you something similar to this:
###[ Ethernet ]###
dst = 94:c6:91:1c:68:c3
src = 94:c6:91:1c:68:1d
type = 0x800
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 84
id = 49689
flags = DF
frag = 0
ttl = 64
proto = icmp
chksum = 0x1938
src = 192.168.111.4
dst = 192.168.111.2
\options \
###[ ICMP ]###
type = echo-request
code = 0
chksum = 0xb468
id = 0x6d3
seq = 0xab
###[ Raw ]###
load = '\x0e\x85\x96[\x00\x00\x00\x00\xd2e\x06\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567'
None
You can also use hexdump command to show the raw load in a more readable format.
from scapy.utils import hexdump
raw = packet.lastlayer()
hexdump(raw)
Which will output something like this:
0000 D091965B0000000080FD0E0000000000 ...[............
0010 101112131415161718191A1B1C1D1E1F ................
0020 202122232425262728292A2B2C2D2E2F !"#$%&'()*+,-./
0030 3031323334353637 01234567
0000 063814054CC2886E4B0078000000C294 .8..L..nK.x.....
0010 08C2880000C3BFC3BFC3BFC3BF000000 ................
0020 00000000000000000000000000000100 ................
0030 0000C29F000002200001736AC29BC3B4 ....... ..sj....
0040 00000000000000000000000470000800 ............p...
0050 000000000064C3A9593C000000000000 .....d..Y<......
0060 0000000004C28C000011330000000100 ..........3.....
0070 020C0000000102000000043131383700 ...........1187.
0080 00000000 ....
readable_payload = bytes(packet[TCP].payload).decode('UTF8','replace')
If I generate an Ethernet frame without any upper layers payload and send it at layer two with sendp(), then I receive the "Mac address to reach destination not found. Using broadcast." warning and frame put to wire indeed uses ff:ff:ff:ff:ff:ff as a destination MAC address. Why is this so? Shouldn't the Scapy send exactly the frame I constructed?
My crafted package can be seen below:
>>> ls(x)
dst : DestMACField = '01:00:0c:cc:cc:cc' (None)
src : SourceMACField = '00:11:22:33:44:55' (None)
type : XShortEnumField = 0 (0)
>>> sendp(x, iface="eth0")
WARNING: Mac address to reach destination not found. Using broadcast.
.
Sent 1 packets.
>>>
Most people encountering this issue are incorrectly using send() (or sr(), sr1(), srloop()) instead of sendp() (or srp(), srp1(), srploop()). For the record, the "without-p" functions like send() are for sending layer 3 packets (send(IP())) while the "with-p" variants are for sending layer 2 packets (sendp(Ether() / IP())).
If you define x like I do below and use sendp() (and not send()) and you still have this issue, you should probably try with the latest version from the project's git repository (see https://github.com/secdev/scapy).
I've tried:
>>> x = Ether(src='01:00:0c:cc:cc:cc', dst='00:11:22:33:44:55')
>>> ls(x)
dst : DestMACField = '00:11:22:33:44:55' (None)
src : SourceMACField = '01:00:0c:cc:cc:cc' (None)
type : XShortEnumField = 0 (0)
>>> sendp(x, iface='eth0')
.
Sent 1 packets.
At the same time I was running tcpdump:
# tcpdump -eni eth0 ether host 00:11:22:33:44:55
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:33:47.774570 01:00:0c:cc:cc:cc > 00:11:22:33:44:55, 802.3, length 14: [|llc]