Decode raw Scapy data to human readable - python-3.x

I'm trying to switch to using Scapy instead of Wireshark, but am having trouble decoding the data I'm getting. In Wireshark I can easily see the last layer for filtered packets labeled as "Distributed Interactive Simulation", but in Scapy the last layer is "Raw". I'm trying to get the data from this layer in the same human readable format. So far I've gotten:
# Capture with Scapy
from scapy.all import sniff
capture = sniff(filter="dst 10.6.255.255 and port 3000", count=5)
packet = capture[0]
raw = pkt.lastlayer()
print(raw)
<Raw load='\x068\x14\x05L\x88nK\x00x\x00\x00\x00\x94\x08\x88\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x9f\x00\x00\x02 \x00\x01sj\x9b\xf4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04p\x00\x08\x00\x00\x00\x00\x00\x00d\xe9Y<\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x8c\x00\x00\x113\x00\x00\x00\x01\x00\x02\x0c\x00\x00\x00\x01\x02\x00\x00\x00\x041187\x00\x00\x00\x00\x00' |>
Could someone show me how to make this human readable?

First, you have an error in your script. raw = pkt.lastlayer() should be raw = packet.lastlayer().
Try adding print(packet.show()) to your script for a more readable format which will give you something similar to this:
###[ Ethernet ]###
dst = 94:c6:91:1c:68:c3
src = 94:c6:91:1c:68:1d
type = 0x800
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 84
id = 49689
flags = DF
frag = 0
ttl = 64
proto = icmp
chksum = 0x1938
src = 192.168.111.4
dst = 192.168.111.2
\options \
###[ ICMP ]###
type = echo-request
code = 0
chksum = 0xb468
id = 0x6d3
seq = 0xab
###[ Raw ]###
load = '\x0e\x85\x96[\x00\x00\x00\x00\xd2e\x06\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567'
None
You can also use hexdump command to show the raw load in a more readable format.
from scapy.utils import hexdump
raw = packet.lastlayer()
hexdump(raw)
Which will output something like this:
0000 D091965B0000000080FD0E0000000000 ...[............
0010 101112131415161718191A1B1C1D1E1F ................
0020 202122232425262728292A2B2C2D2E2F !"#$%&'()*+,-./
0030 3031323334353637 01234567
0000 063814054CC2886E4B0078000000C294 .8..L..nK.x.....
0010 08C2880000C3BFC3BFC3BFC3BF000000 ................
0020 00000000000000000000000000000100 ................
0030 0000C29F000002200001736AC29BC3B4 ....... ..sj....
0040 00000000000000000000000470000800 ............p...
0050 000000000064C3A9593C000000000000 .....d..Y<......
0060 0000000004C28C000011330000000100 ..........3.....
0070 020C0000000102000000043131383700 ...........1187.
0080 00000000 ....

readable_payload = bytes(packet[TCP].payload).decode('UTF8','replace')

Related

ACK packets forged issues: "This frame is a (suspected) retransmission"

I'm playing with scapy. I'm trying to forge JUST PSH/ACK and ACK packets in sequence
I coded two tools: A which sends PSH/ACK packets and then sniffs the resulting ACK, writing the sequence in a file to use it later
.....
bitack = random.randrange(1,656787969)
bitseq = random.randrange(1,4294967295)
if os.path.exists('test.txt'):
with open('test.txt','r') as f:
bitseq = int(f.read())
else:
with open('test.txt','w') as f:
f.write(str(bitseq))
.....
text = "Ok"
TSval = int(time.time())
TSecr = TSval
acker = IP(src="127.0.0.1",dst=destinazione"127.0.0.1")/TCP(sport=88,dport=8888,
flags="PA", seq=bitseq, ack=bitack, options=[('Timestamp', (TSval, TSecr))])/text
send(acker)
.....
rx = sniff(filter="host 127.0.0.1 and src port 8888", iface="lo", count=1)
seqcc = rx[0].getlayer(TCP).seq
ackcc = rx[0].getlayer(TCP).ack
with open('test.txt','w') as f:
f.write(str(ackcc))
print("SEQFINALE=", ackcc)
B: which sends ACK packets AFTER it sniffs a PSH/ACK packet from A. I know the ack packets contain text ( in this example the same of A), but this is what I want
....
rx = sniff(filter="host 127.0.0.1 and dst port 8888", iface="lo", count=1)
seqcc = rx[0].getlayer(TCP).seq
print("seq:", seqcc)
ackcc = rx[0].getlayer(TCP).ack
print("ack:", ackcc)
var = rx[0][Raw].load.decode(encoding='utf-8', errors='ignore')
acker = IP(src="127.0.0.1",dst="127.0.0.1")/TCP(sport=8888,dport=88, flags="A",
seq=ackcc, ack=seqcc + int(len(var)), options=[('Timestamp', (TSval, TSecr))])/var
send(acker)
.....
Everything works fine expect that wireshark gives some warning and I don't understand why:
"Expert Info (Note/Sequence): This frame is a (suspected) retransmission"
The first two packets are perfect:
Is there any issue in how I handle the sequence number/ ack number?
This makes me crazy
It is a retransmission. Your capture shows a frame from 8888 to 88 at seq=1 with 52 bytes of data (len=52). If you ever send another frame from 8888 to 88 at seq=1, it's a retransmission. TCP streams are in a single direction: A sends to B, B ACK's what A sent. (in this case, there should be an ACK=53 in a frame from 88 to 8888, either alone or piggybacking data.)

Is there a way to check the Socket Priority with Wireshark or Tcpdump?

I am doing some changes in the SO_PRIORITY of the socket that sends UDP packets, using the command setsockopt, is there a way to see that changes with Wireshark or Tcpdump.
I read that can be DSF (Differentiated Services Field), but I am not sure because when I make the changes I see that this field is 00.
I am running a Linux Mint 19.3
It is part of the 802.1Q header. For ex:
> 802.1Q Virtual LAN, PRI: 5, DEI: 0, ID: 4
101. .... .... .... = Priority: Voice, < 10ms latency and jitter (5)
...0 .... .... .... = DEI: Ineligible
.... 0000 0000 0100 = ID: 4
Type: IPv6 (0x86dd)

Configure STP protocol via scapy

I need to generate and STP traffic using scapy and when I visualize it via wireshark I get an output similar to the caption shown below:
when I run this code:
from scapy.all import STP
import scapy
from scapy.all import *
data='STP'
sendp(Ether(dst="01:80:c2:00:00:00")/LLC(dsap=0xaa, ssap=0xaa)/STP(bpdutype=0x00, bpduflags=0x01, portid=0x8002)/data, iface="eth1", count=200)
this is my wireshark output
I don't know how to change the organization code to 00:00:0c, because I believe it's the one who is making this problem
you forgot the layer SNAP
here are 2 exemples taht helped me debug:
exemple 1: your code.
exemple 2: added the SNAP layer
for both exemples:
from scapy.layers.inet import SNAP
from scapy.layers.l2 import Ether, LLC, STP
data = "STP"
exemple number1:
packet = (
Ether(dst="01:80:c2:00:00:00")
/ LLC(dsap=0xAA, ssap=0xAA)
/ STP(bpdutype=0x00, bpduflags=0x01, portid=0x8002)
/ data
)
packet.show2()
output:
###[ Ethernet ]###
dst = 01:80:c2:00:00:00
src = 4c:d9:8f:77:3b:33
type = 0x8870
###[ LLC ]###
dsap = 0xaa
ssap = 0xaa
ctrl = 3
###[ SNAP ]###
OUI = 0x0
code = 0x1
###[ 802.3 ]###
dst = 00:00:00:00:00:00
src = 00:00:00:00:00:00
len = 0
###[ Padding ]###
load = '\x00\x00\x00\x00\x00\x00\x80\x02\x01\x00\x14\x00\x02\x00\x0f\x00STP'
Do you see how scapy decode a layer named SNAP right after the LLC layer?
that makes the decoding all wrong after
so let's add it, so all the decoding will true:
exemple 2: add the SNAP layer
packet = (
Ether(dst="01:80:c2:00:00:00")
/ LLC(dsap=0xAA, ssap=0xAA)
/ SNAP()
/ STP(bpdutype=0x00, bpduflags=0x01, portid=0x8002)
/ data
)
packet.show2()
output:
###[ Ethernet ]###
dst = 01:80:c2:00:00:00
src = 4c:d9:8f:77:3b:33
type = 0x8870
###[ LLC ]###
dsap = 0xaa
ssap = 0xaa
ctrl = 3
###[ SNAP ]###
OUI = 0x0
code = 0x10b
###[ Spanning Tree Protocol ]###
proto = 0
version = 0
bpdutype = 0
bpduflags = 1
rootid = 0
rootmac = 00:00:00:00:00:00
pathcost = 0
bridgeid = 0
bridgemac = 00:00:00:00:00:00
portid = 32770
age = 1.0
maxage = 20.0
hellotime = 2.0
fwddelay = 15.0
###[ Raw ]###
load = 'STP'
it seems to look a lot better.
I didn't try with wireshark, but at the least scapy seems happy with it.

Loading Images from a LevelDB in python 2.7

I am facing a problem with python (2.7) "strings".
I am using a LevelDB and want to load an image from the database and save it to disk (e.g., as test.jpeg).
To access the db I am using the plyvel package. I get the img data as follows:
img = db.get(str(id))
The problem is that LevelDB stores every value as byte string. Thus, db.get() returns a byte string. If I try to write the img to disk
f = io.open('test.jpeg', 'wb')
f.write(img)
f.close()
and open it I afterwards I get something like:
Not a JPEG file: starts with 0xc3 0xbf
c3 bf is the UTF-8 encoding of ff in latin-1, which are the first bytes of JFIF's start of image marker.
How can I encode/decode the string so taht I can open the jpeg file?
I tried bytearray(img) which did not work. Encoding /decoding the img string did not help at all.
=== EDIT ===
I am using now this sequence:
img = db.get(str(id))
img_decode_utf8 = img.decode('utf-8')
img_bytes = array.array('u', img_decode_utf8)
If I print img_bytes I get:
array('u', u'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\...
However, if I write it to disk, each byte is "zero extended". Hexdump:
00ff 0000 00d8 0000 00ff 0000 00e0 0000
Thanks in advance
This solved my problem:
img = db.get(str(hash_value))
img_bytes = img.decode('utf-8').encode('latin-1')
with open('test.jpeg', 'wb') as new_file:
new_file.write(img_bytes)
I am quite sure that I tried this and it did not work in the first place..

What's the redundant data in TCP packet?

I am reading "Unix Network Programming" and tcpdump the packet generate by the example. The example is just send out a packet contain string "liha".
I read the TCP/IP RFC and found normal IP header is 20B. and normal TCP header except data is 24B.
So, there are 8B before string "liha" in the captured packet. Are "0121 3d2a 0120 b43e" useless?
11:00:51.690949 IP localhost.40163 > localhost.9877: Flags [P.], seq 94:99, ack 95, win 513, options [nop,nop,TS val 18955562 ecr 18920510], length 5
0x0000: 4500 0039 ddc6 4000 4006 5ef6 7f00 0001 E..9..#.#.^.....
0x0010: 7f00 0001 9ce3 2695 8465 e35c 8466 58ca ......&..e.\.fX.
0x0020: 8018 0201 fe2d 0000 0101 080a 0121 3d2a .....-.......!=*
0x0030: 0120 b43e 6c69 6861 0a ...>liha.
Those are the TCP options. And your analyzer already parsed them for you:
options [nop,nop,TS val 18955562 ecr 18920510],
They are generally important and used by communication sides to negotiate which extra enhancements can be used for the TCP connection.

Resources