I use Wireshark to capture the traffic for browsing a certain website and use ip.src and ip.dst to get correct traffic.
I'd like to do this programmatically using Scapy. Anyone know how to achieve this?
Using Scapy and its wonderful documentation, create a Python script. In the script, define a function that will act as a callback handler for received packets and in the main portion of the script make use of the sniff() function:
def packetReceived(packet):
print("Packet received!")
sniff(filter="host xx.xx.xx.xx and host xx.xx.xx.xx and tcp port 80", prn=packetReceived)
Obviously, change the BPF filter to match the hosts you're targeting.
Related
I've got one question. Is it possible to create wireshark/tcpdump from netcat? I mean,if you can use, for example, flags or series of commands combined with netcat to get the same / similar monitoring results as tcpdump / wireshark?
It is not possible because netcat cannot eavesdrop on existing connections.
tcpdump and wireshark get access to all packets that go through a network device. netcat cannot possibly do that.
I want to sniff UDP Lite traffic using sniff() function in scapy, but udplite is not supported by scapy so we can't execute :sniff(filter="udplite")
So I want to write a filter in scapy to specify that the protocol is IP and the field "proto" in IP Header is 136 (which matches UDP Lite).
Is such filter possible in scapy, and in this case, how can I write it? Thanks !
For those who may have the same problem, I have found the answer
sniff(filter="ip and proto 136")
I am trying to verify a new functionality added to the router kernel. So lets assume I added a filter,iptable and such. I have live traffic. I tried to use tcp dump and look into the packet header and see if the new values in the header are there but I am getting random traffic passing through.
I wonder if it is possible to have tcpdump send traffic and dump it so I have specific packets I sent ? or any other linux commands I can use to do the process. I have a destination port that has no traffic but I don't know how I can send to it and capture those packets. I did some reading on sendip and tcpdump and couldnt help myself.
Send packets, tcpdump it or something like that, verify the packet header has what I want and move on with my life.
I hope I was clear enough.
I have a Linux router on which I use CONFIG_IP_NF_QUEUE, iptables userland and Perl module IPTables::IPv4::IPQueue to examine H323 - H.225 packets and pass or drop then. I have need to not only accept or drop the packet but to modify it, to be more specific I would like to change the IP address of the MCU (in the packet) returned from the H323 gatekeeper to the client.
This would require me to examine the TCP packet body and change the IP address in the packet body. Anyone know how can I accomplish this? Is there any open source layer 7 router capable of doing this?
In the old days I've used "ip masquerade" to do something similar to what you are describing.
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/supported-client-software.html
But the best solution is to place a gatekeeper as a proxy. In that way you are not fooling the protocol, you are actually remaking the call.
I would look for gnugk routed mode here:
http://www.gnugk.org/h323-proxy.html
If you have already got the IP packet, which from your statement you have succeeded in doing so, I don't see the problem to change the IP address of the packet before passing it on.
Just do some bits manipulation to change the IP address in IP header (also update the IP checksum). Also note that you have to update the TCP header checksum as its calculation involves a pseudo-header that includes IP addresses.
Just read RFC 791 and RFC 793 would give you an idea on how to do this. It's pretty straightforward.
I want to test a toy gateway I wrote. The testing will occur on Linux machines. I would like to do this in the easiest way possible, ideally writing no code and using existing utilities. This boils down to two questions:
Is there an existing utility that can send packets with simple stuff in them(like a string that I supply) to a host through a user-specified gateway, without reconfiguring Linux's network settings? If so, what syntax would I use for the utility?
Is there a simple utility I can run on the receiving end to verify that the correct packet was received? If so, what syntax would I use for the utility?
I don't know about the first, but I don't think it's that hard to modify your routing table:
route add -host 1.2.3.4 gw 5.6.7.8
(replace 1.2.3.4 by your target IP and 5.6.7.8 by the IP of your gateway).
For 2.:
On the target server type netcat -l 1234 and on the client then type netcat 1.2.3.4 1234. (1234 is a "random" port number)(depending on your distribution netcat might be called simple "nc".) If a connection gets established you can just type data on the client or the server machine, press enter and see the data arriving on the other machine.
The easiest would probably be the nc(1). Assuming your gateway IP is 192.168.1.1 and you are using TCP, then on the server, listening on port 8888:
~$ nc -k -l 8888
On the client:
~$ nc 192.168.1.1 8888
your input
...
^C