I want to sniff UDP Lite traffic using sniff() function in scapy, but udplite is not supported by scapy so we can't execute :sniff(filter="udplite")
So I want to write a filter in scapy to specify that the protocol is IP and the field "proto" in IP Header is 136 (which matches UDP Lite).
Is such filter possible in scapy, and in this case, how can I write it? Thanks !
For those who may have the same problem, I have found the answer
sniff(filter="ip and proto 136")
Related
I use Wireshark to capture the traffic for browsing a certain website and use ip.src and ip.dst to get correct traffic.
I'd like to do this programmatically using Scapy. Anyone know how to achieve this?
Using Scapy and its wonderful documentation, create a Python script. In the script, define a function that will act as a callback handler for received packets and in the main portion of the script make use of the sniff() function:
def packetReceived(packet):
print("Packet received!")
sniff(filter="host xx.xx.xx.xx and host xx.xx.xx.xx and tcp port 80", prn=packetReceived)
Obviously, change the BPF filter to match the hosts you're targeting.
According to this question libnetfilter_queue good choice for mangling packet using userspace app, but I need implement some IP over UDP scenario.
Is this good idea to return using nfq_set_verdict new packet (UDP datagram) with encapsulated IP?
I have a Linux router on which I use CONFIG_IP_NF_QUEUE, iptables userland and Perl module IPTables::IPv4::IPQueue to examine H323 - H.225 packets and pass or drop then. I have need to not only accept or drop the packet but to modify it, to be more specific I would like to change the IP address of the MCU (in the packet) returned from the H323 gatekeeper to the client.
This would require me to examine the TCP packet body and change the IP address in the packet body. Anyone know how can I accomplish this? Is there any open source layer 7 router capable of doing this?
In the old days I've used "ip masquerade" to do something similar to what you are describing.
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/supported-client-software.html
But the best solution is to place a gatekeeper as a proxy. In that way you are not fooling the protocol, you are actually remaking the call.
I would look for gnugk routed mode here:
http://www.gnugk.org/h323-proxy.html
If you have already got the IP packet, which from your statement you have succeeded in doing so, I don't see the problem to change the IP address of the packet before passing it on.
Just do some bits manipulation to change the IP address in IP header (also update the IP checksum). Also note that you have to update the TCP header checksum as its calculation involves a pseudo-header that includes IP addresses.
Just read RFC 791 and RFC 793 would give you an idea on how to do this. It's pretty straightforward.
I am searching for a TCP traffic generator. The problem is that I do not simply want to send TCP traffic as it can be done with e.g. Iperf. I want to be able to configure the flags and other header fields and I want to react on incoming packets e.g. a TCP SYN.
So for example I want to send a TCP FIN packet if a TCP SYN arrives.
I prefer Linux tools but it would be also ok if the tool only runs under other OS.
I have looked into hping3, it looks promising. But I would like to look into other tools before choosing it.
SendIP can generate TCP packets, with options to manipulate SYN/FIN bits as well as other fields.
This sort of question really belongs on Server Fault.
Assuming that you have determined that for a given niche case, neither TCP or UDP are ideal, how would you go about writing your own IP based protocol?
For example, if you're developing on Linux, where would you look in the kernel to "hook" your protocol in?
Where would you start?
You can do this through a kernel module. I would start by reading how arp works for example. That is a simpler protocol since userspace doesn't send packets out with it directly.
The entry point for creating a new network protocol is dev_add_pack, and the code for arp can be found here.
If your protocol can be implemented directly on top of IP, then it can also be implemented wrapped in UDP packets - and the latter has the advantage that it'll pass through existing NAT devices and firewalls that would simply drop your custom protocol.
Read up on UNIX sockets and networking. It's not so much 'hooking' into the kernel, as it is opening a socket and sending your binary data over that.