    gpotter2
    @gpotter2
    Are you doing ls(..) instead of pkt.show()?
    kaitogon
    @kaitogon
    Hi, I have a question please? For each datagram exchange, TCP initiates a new session between the FTP client and the FTP server. The question is: can I change the TCP session size from scapy?
    For FTP?
    Merc
    @mercurial12
    @gpotter2 - yes doing ls(pkt). Tried pkt.show() too, same outcome:
    ###[ BOOTP ]###
               op        = BOOTREQUEST
               htype     = 1
               hlen      = 6
               hops      = 0
               xid       = 3074830325
               secs      = 0
               flags     = B
               ciaddr    = 0.0.0.0
               yiaddr    = 0.0.0.0
               siaddr    = 0.0.0.0
               giaddr    = 0.0.0.0
               chaddr    = b'4\xef\xb6\x7f\xd5\x81\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    stereoid00
    @stereoid00
    Hi all, can I join different packet sets into one so that I can send them with a single 'sendpfast()' call? Those packet sets use different protocols (TCP, UDP and ICMP). Of course the other option would be to use Python threading and three 'sendpfast()' calls, but I'm not sure how performance would work.
    Afilsi
    @Afilsi
    Hi @stereoid00, I think it's not the best way to do it, but I would try to join them all in one big list like this: allPackets = [pack for pack in TCPSet] + [pack for pack in UDPSet] + [pack for pack in ICMPSet]
    Afilsi
    @Afilsi
    For my part, I also have a question. I have declared tables other than the usual ones in /etc/iproute2/rt_tables and added routes to these tables. If I do an ip route show table all, my routes are present, but conf.route does not see them.
    Is it possible to tell scapy to read these other routes?
    Guillaume Valadon
    @guedou
    Unfortunately no. Scapy only gets the entries in the main table. I am not aware of a simple way to access them.
    Afilsi
    @Afilsi
    Okay, thank you very much for your answer.
    PhilippTakacs
    @PhilippTakacs
    Hi, the following code gives None:
    p = DNS(qd=[DNSQR()], an=[DNSRR()])
    DNS(p.build()).an[0].rdlen
    Is this considered a bug?
    PhilippTakacs
    @PhilippTakacs
    second part:
    DNS(p.build()).an[0].rdlen
    Guillaume Valadon
    @guedou
    Yeah, this is a bug. Can you file an issue?
    PhilippTakacs
    @PhilippTakacs
    Yes it's
    Milad
    @miladstar77
    Hello everybody, how can I read a big pcap file line by line instead of all at once with rdpcap … to increase reading speed?
    fouzhe
    @fouzhe
    Hi, all!
    In the fuzz function, fields without pre-assigned values are randomly generated, as referred to in the usage.
    However, in general, fuzzing a packet p means randomly modifying some fields of p.
    So, for a well-formed packet p, how can I generate a malformed packet p' based on p using the fuzz function, or in other ways?
    Thanks!
    Afilsi
    @Afilsi
    Hello @miladstar77, PcapReader() creates an "iterator" on your pcap file and loads a packet only when it's needed. So you can simply use a for loop to read your file line by line.
    Daniel Walker
    @nickeldan
    Does scapy have a version of scapy.sendrecv.sniff that works as a context manager? I imagine something like
    with scapy.sendrecv.SniffContextManager(filter=some_bpf) as sniffer:
        scapy.sendrecv.send(some_packet)
        responses = sniffer.receive_packets(1, timeout=1) # Number of packets to receive
        if responses:
            response = responses[0]
            scapy.sendrecv.send(some_other_packet)
            # receive more packets
    For the simple case of when I want to send a packet and capture the reply, I can solve the race condition by using the started_callback keyword argument to sniff. However, for more complicated use cases, it seems cumbersome (and inefficient due to the capture initialization overhead) to call sniff over and over again with different started_callback arguments.
    fouzhe
    @fouzhe

    Hi, all!
    In the fuzz function, fields without pre-assigned values are randomly generated, as referred to in the usage.
    However, in general, fuzzing a packet p means randomly modifying some fields of p.
    So, for a well-formed packet p, how can I generate a malformed packet p' based on p using the fuzz function, or in other ways?
    Thanks!

    For example,

    pkt=IP(hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01"))
    pkt.show()
    pkt_fuzz=fuzz(pkt)  # the content of pkt doesn't change after being fuzzed
    pkt.show()

    If I want to randomly change the value of any fields of pkt, how to do that?

    Guillaume Valadon
    @guedou
    @fouzhe the corrupt_bytes() and corrupt_bit() functions can be used to modify this IP packet.
    For example:
    >>> data = hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01")
    >>> hexdiff(data, corrupt_bytes(data))
    0000        E5 E6 00 14 C2 2E 1B DA  2F 7F F0 12 C0 A8 01 66   ......../......f
         0000   E5 E6 00 14 77 2E 1B DA  2F 7F F0 12 C0 A8 01 66   ....w.../......f
    0010 0010   50 5A 0A 01
    fouzhe
    @fouzhe
    @guedou Hello, thanks for your answer!
    Can I specify which field is to be modified when using corrupt_bytes() or corrupt_bit()?
    Guillaume Valadon
    @guedou
    Unfortunately, no.
    fouzhe
    @fouzhe
    So, if I use the fuzz function, can I specify the field to be modified?
    Guillaume Valadon
    @guedou
    If you set the field value to None, yes.
    fouzhe
    @fouzhe

    If you set the field value to None, yes.

    Sometimes, setting the field to None can be illegal. Would it be better to delete the corresponding key-value pair in the dictionary pkt.fields?

    Guillaume Valadon
    @guedou
    Sorry, I meant deleting the field value, like pkt.version in your example.
    fouzhe
    @fouzhe
    Thanks!
    If I want to fuzz the version field, del pkt.version before fuzz achieves it.
    For example:
    pkt=IP(hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01"))
    pkt.show2()
    del pkt.version
    pkt_fuzz=fuzz(pkt)  
    pkt.show2()
    fouzhe
    @fouzhe

    Thanks!
    If I want to fuzz the version field, del pkt.version before fuzz achieves it.
    For example:

    pkt=IP(hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01"))
    pkt.show2()
    del pkt.version
    pkt_fuzz=fuzz(pkt)  
    pkt.show2()

    @guedou Hi, based on this, to randomly fuzz any well-formed packet, I'd like to give it a shot like the following:

    @conf.commands.register
    def fuzz(p,  # type: Packet
             _inplace=0,  # type: int
             ):
        # type: (...) -> Packet
        """
        Transform a layer into a fuzzy layer by replacing some default values
        by random objects.
    
        :param p: the Packet instance to fuzz
        :return: the fuzzed packet.
        """
        if not _inplace:
            p = p.copy()
        q = p
        while not isinstance(q, NoPayload):
            new_default_fields = {}
            multiple_type_fields = []  # type: List[str]
    -        for f in q.fields_desc:
    +        for f in list(q.fields_desc):
                if isinstance(f, PacketListField):
                    for r in getattr(q, f.name):
                        fuzz(r, _inplace=1)
                elif isinstance(f, MultipleTypeField):
                    # the type of the field will depend on others
                    multiple_type_fields.append(f.name)
                elif f.default is not None:
                    if not isinstance(f, ConditionalField) or f._evalcond(q):
                        rnd = f.randval()
                        if rnd is not None:
                            new_default_fields[f.name] = rnd
    +                    import random
    +                    if random.randint(1,5) == 2:    # randomly delete some fields
    +                        delattr(q, f.name)
            # Process packets with MultipleTypeFields
            if multiple_type_fields:
                # freeze the other random values
                new_default_fields = {
                    key: (val._fix() if isinstance(val, VolatileValue) else val)
                    for key, val in six.iteritems(new_default_fields)
                }
                q.default_fields.update(new_default_fields)
                # add the random values of the MultipleTypeFields
                for name in multiple_type_fields:
                    fld = cast(MultipleTypeField, q.get_field(name))
                    rnd = fld._find_fld_pkt(q).randval()
                    if rnd is not None:
                        new_default_fields[name] = rnd
            q.default_fields.update(new_default_fields)
    +        if _inplace:
    +            q.fields.update(new_default_fields)
            q = q.payload
        return p
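    Review bot: the added `import random` / `random.randint(1,5) == 2` block sits inside the `elif f.default is not None:` branch, so it imports on every field of every layer and deletes the explicitly set value with probability 1/5 even when `rnd` is None; move `import random` to module level and only attempt `delattr(q, f.name)` when `f.name in q.fields`, since for the other fields there is nothing to delete. The added `if _inplace: q.fields.update(new_default_fields)` also repurposes `_inplace`, which in the existing code only skips the copy and is passed as `_inplace=1` for the `PacketListField` recursion (`fuzz(r, _inplace=1)`), so nested packets get their explicit values overwritten while the top-level packet called with `_inplace=0` does not; a separate flag for overwriting set values would keep the two behaviours apart. The change to `for f in list(q.fields_desc):` is unnecessary, as nothing in the loop mutates `fields_desc` (`delattr` touches `q.fields`).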

    I'm new to scapy and thus not sure whether it is correct.
    Could you please help me?
    Thanks!

    lapinouxxx
    @lapinouxxx

    Hello dev(s) and contributor(s), as I said on GitHub, I have an issue with the wifi card 036ach and scapy. When sniffing, no packets are captured.
    This is how I simply test whether the card is working or not:

    └─$ sudo python3                                               
    Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
    [GCC 10.2.1 20210110] on linux
    >>> from scapy.all import *
    >>> sniff(count=4, iface="wlan1mon")
    <Sniffed: TCP:0 UDP:0 ICMP:0 Other:0>
    >>> sniff(count=4, iface="wlan1mon")
    <Sniffed: TCP:0 UDP:0 ICMP:0 Other:0>
    >>> exit()

    As you can see, there is no packet at all.

    Environment : 5.10.0-kali9-amd64 #1 SMP Debian 5.10.46-1kali1 (2021-06-25) x86_64 GNU/Linux
    Scapy version : 2.4.4
    Driver of the card : latest
    lapinouxxx
    @lapinouxxx
    (With the 036nah I have no issue at all, FYI, using custom sockets and async sniffing.)
    higher75
    @higher75
    Who can help me?
    IP(dst='localhost') / ICMP(type=3,code=0) / ICMPExtensionHeader()
    but the result is that :
    Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 0 (Network unreachable)
    Checksum: 0xfcff [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol, bogus version (2) ---> Why not an extended data packet, but such a packet?
    0010 .... = Version: 2
    I can't understand. Do I need to modify the scapy code to send a normal ICMP extended packet?
    lapinouxxx
    @lapinouxxx
    For my issue, some update: I have the same problem with an Alfa Network AWUS1900. They are sharing the same driver. Maybe scapy doesn't yet handle the driver realtek-rtl88xxau-dkms in the latest version? I tried to use version 2.1 but it's the same outcome.
    Guillaume Valadon
    @guedou
    @higher75 I am not familiar with ICMP Extension but I believe that the Scapy implementation is only designed to parse answers.
    @lapinouxxx what are the link layers used by Wireshark with 036nah and 036ach ?
    grandnew
    @grandnew

    Hello, I have a question.
    The post_build doesn't work sometimes.
    For initialized packets, when some fields are set to other values, the late-evaluated fields (like checksums, length, etc.) won't be updated.
    For example, for one IP packet p, when the frag of p is set to another value, the chksum field won't be recalculated.
    The reason is that those fields won't be recalculated when they already hold a value (like this).
    If we run the following code snippet:

    pkt=IP(hex_bytes("450001e0a5764000401148bec0a86488c0a864ff"))
    pkt.show2()
    setattr(pkt, 'frag', 1)
    pkt.show2()

    Then the output is

    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = udp
      chksum    = 0x48be
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \
    
    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 1
      ttl       = 64
      proto     = udp
      chksum    = 0x48be
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \

    However, I think the expected result should be like

    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = udp
      chksum    = 0x48be
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \
    
    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 1
      ttl       = 64
      proto     = udp
      chksum    = 0x48bd
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \

    Is it a bug? If not, how to guarantee the validity of the packet after changing some fields?

    lapinouxxx
    @lapinouxxx
    @guedou you are right, they are not working with wireshark either. I will contact the driver team of these products then. Merci =)
    ( I don't think you will be able to do something about this ... )
    Guillaume Valadon
    @guedou
    @grandnew you need to del() the field or set its value to None. FYI, that’s one of the top Stack Overflow questions.
    grandnew
    @grandnew
    @guedou del() on the late-evaluated field or setting its value to None indeed works.
    But, if I’m new to the protocol, how do I know which field is late-evaluated and thus should be deleted after assignment?
    grandnew
    @grandnew
    @guedou By the way, which stack overflow question referred this? I can’t find it, could you please show me the link? Thanks!
    lapinouxxx
    @lapinouxxx
    @guedou you said in 2019, "Don’t call sniff() in threads." in order to not miss data. I agree with you. You suggested using a custom capture logic. But what is your pov about using redis in a callback function instead of a custom capture logic, in order to manage the dissection in a better multi-threaded way and prevent data loss?
    Guillaume Valadon
    @guedou
    @lapinouxxx I don’t remember the context =\
    Customizing AsyncSniffer might be a good alternative