    Daniel Walker
    @nickeldan
    For the simple case of when I want to send a packet and capture the reply, I can solve the race condition by using the started_callback keyword argument to sniff. However, for more complicated use cases, it seems cumbersome (and inefficient due to the capture initialization overhead) to call sniff over and over again with different started_callback arguments.
    fouzhe
    @fouzhe

    Hi, all!
    In the Fuzz function, those fields without pre-assigned values will be randomly generated, as is mentioned in the usage.
    However, in general, fuzzing a packet p means randomly modifying some fields of p.
    So, as for a well-formed packet p, how to generate a malformed packet p' based on p using Fuzz function, or in other ways?
    Thanks!

    For example,

    pkt=IP(hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01"))
    pkt.show()
    pkt_fuzz=fuzz(pkt)  # the content of pkt doesn't change after being fuzzed
    pkt.show()

    If I want to randomly change the value of any fields of pkt, how to do that?

    Guillaume Valadon
    @guedou
    @fouzhe the corrupt_bytes() and corrupt_bit() functions can be used to modify this IP packet.
    For example:
    >>> data = hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01")
    >>> hexdiff(data, corrupt_bytes(data))
    0000        E5 E6 00 14 C2 2E 1B DA  2F 7F F0 12 C0 A8 01 66   ......../......f
         0000   E5 E6 00 14 77 2E 1B DA  2F 7F F0 12 C0 A8 01 66   ....w.../......f
    0010 0010   50 5A 0A 01
    fouzhe
    @fouzhe
    @guedou Hello, thanks for your answer!
    Can I specify which field is to be modified when using the function corrupt_bytes() or corrupt_bit()?
    Guillaume Valadon
    @guedou
    Unfortunately, no.
    fouzhe
    @fouzhe
    So, if I use Fuzz function, can I specify the field to be modified?
    Guillaume Valadon
    @guedou
    If you set the field value to None, yes.
    fouzhe
    @fouzhe
    Sometimes, setting the field to None can be illegal. Would it be better if we deleted the corresponding key-value pair in the dictionary pkt.fields?

    Guillaume Valadon
    @guedou
    Sorry, I meant deleting the field value, like pkt.version in your example.
    fouzhe
    @fouzhe
    Thanks!
    If I want to fuzz the version field, del pkt.version before Fuzz can achieve it.
    For example:
    pkt=IP(hex_bytes("E5E60014C22E1BDA2F7FF012C0A80166505A0A01"))
    pkt.show2()
    del pkt.version
    pkt_fuzz=fuzz(pkt)
    pkt.show2()
    @guedou Hi, based on this, to randomly fuzz any well-formed packet, I'd like to give this a shot, like the following:

    @conf.commands.register
    def fuzz(p,  # type: Packet
             _inplace=0,  # type: int
             ):
        # type: (...) -> Packet
        """
        Transform a layer into a fuzzy layer by replacing some default values
        by random objects.
    
        :param p: the Packet instance to fuzz
        :return: the fuzzed packet.
        """
        if not _inplace:
            p = p.copy()
        q = p
        while not isinstance(q, NoPayload):
            new_default_fields = {}
            multiple_type_fields = []  # type: List[str]
    -        for f in q.fields_desc:
    +        for f in list(q.fields_desc):
                if isinstance(f, PacketListField):
                    for r in getattr(q, f.name):
                        fuzz(r, _inplace=1)
                elif isinstance(f, MultipleTypeField):
                    # the type of the field will depend on others
                    multiple_type_fields.append(f.name)
                elif f.default is not None:
                    if not isinstance(f, ConditionalField) or f._evalcond(q):
                        rnd = f.randval()
                        if rnd is not None:
                            new_default_fields[f.name] = rnd
    +                    import random
    +                    if random.randint(1,5) == 2:    # randomly delete some fields
    +                        delattr(q, f.name)
            # Process packets with MultipleTypeFields
            if multiple_type_fields:
                # freeze the other random values
                new_default_fields = {
                    key: (val._fix() if isinstance(val, VolatileValue) else val)
                    for key, val in six.iteritems(new_default_fields)
                }
                q.default_fields.update(new_default_fields)
                # add the random values of the MultipleTypeFields
                for name in multiple_type_fields:
                    fld = cast(MultipleTypeField, q.get_field(name))
                    rnd = fld._find_fld_pkt(q).randval()
                    if rnd is not None:
                        new_default_fields[name] = rnd
            q.default_fields.update(new_default_fields)
    +        if _inplace:
    +            q.fields.update(new_default_fields)
            q = q.payload
        return p
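    Review bot: the added `if _inplace: q.fields.update(new_default_fields)` at the end of the loop body overwrites every explicitly-set value in `q.fields` with the random ones, so a parsed packet loses all of its original field values instead of only some of them; if the intent is to fuzz a random subset, only the fields picked for mutation should be written into `q.fields`, and the rest should stay as parsed. Also, the added `delattr(q, f.name)` runs for any field with a non-None default whether or not that field was explicitly set on the instance, and the `import random` belongs at module level rather than inside the loop.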

    I'm new to scapy and thus not sure whether it is correct.
    Could you please help me?
    Thanks!

    lapinouxxx
    @lapinouxxx

    Hello dev(s) and contributor(s), as I said on github, I have an issue with the wifi card 036ach and scapy. When sniffing, no packets are captured.
    This is how I simply test if the card is working or not:

    └─$ sudo python3                                               
    Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
    [GCC 10.2.1 20210110] on linux
    >>> from scapy.all import *
    >>> sniff(count=4, iface="wlan1mon")
    <Sniffed: TCP:0 UDP:0 ICMP:0 Other:0>
    >>> sniff(count=4, iface="wlan1mon")
    <Sniffed: TCP:0 UDP:0 ICMP:0 Other:0>
    >>> exit()

    As you can see, there is no packet at all.

    Environment: 5.10.0-kali9-amd64 #1 SMP Debian 5.10.46-1kali1 (2021-06-25) x86_64 GNU/Linux
    Scapy version : 2.4.4
    Driver of the card : latest
    lapinouxxx
    @lapinouxxx
    (with the 036nah I have no issue at all FYI, using custom sockets and async sniffing)
    higher75
    @higher75
    Who can help me?
    IP(dst='localhost') / ICMP(type=3,code=0) / ICMPExtensionHeader()
    but the result is that :
    Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 0 (Network unreachable)
    Checksum: 0xfcff [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol, bogus version (2) ---> Why not an extended data packet, but such a packet?
    0010 .... = Version: 2
    I can't understand. Do I need to modify the scapy code to send a normal ICMP extended packet?
    lapinouxxx
    @lapinouxxx
    For my issue, some update: I have the same problem with an Alfa Network AWUS1900. They are sharing the same driver. Maybe scapy doesn't yet handle the driver realtek-rtl88xxau-dkms in the latest version? I tried to use the version 2.1 but it's the same outcome.
    Guillaume Valadon
    @guedou
    @higher75 I am not familiar with ICMP Extension but I believe that the Scapy implementation is only designed to parse answers.
    @lapinouxxx what are the link layers used by Wireshark with the 036nah and 036ach?
    grandnew
    @grandnew

    Hello, I have a question.
    The post_build doesn't work sometimes.
    For those initialized packets, when some fields are set to other values, those late-evaluated fields (like checksums, length, etc.) won't be updated.
    For example, for one IP packet p, when the frag of p is set to another value, the chksum field won't be recalculated.
    The reason is that those fields won't be recalculated when they already own a value (like this).
    If we run the following code snippet:

    pkt=IP(hex_bytes("450001e0a5764000401148bec0a86488c0a864ff"))
    pkt.show2()
    setattr(pkt, 'frag', 1)
    pkt.show2()

    Then the output is

    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = udp
      chksum    = 0x48be
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \
    
    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 1
      ttl       = 64
      proto     = udp
      chksum    = 0x48be
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \

    However, I think the expected result should be like

    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = udp
      chksum    = 0x48be
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \
    
    ###[ IP ]### 
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 480
      id        = 42358
      flags     = DF
      frag      = 1
      ttl       = 64
      proto     = udp
      chksum    = 0x48bd
      src       = 192.168.100.136
      dst       = 192.168.100.255
      \options   \

    Is it a bug? If not, how to guarantee the validity of the packet after changing some fields?

    lapinouxxx
    @lapinouxxx
    @guedou you are right, they are not working with wireshark either. I will contact the driver team of these products then. Merci =)
    (I don't think you will be able to do something about this ...)
    Guillaume Valadon
    @guedou
    @grandnew you need to del() the field or set its value to None. FYI, that's one of the top stack overflow questions.
    grandnew
    @grandnew
    @guedou del() the late-evaluated field or setting its value to None indeed works.
    But, if I'm new to the protocol, how do I know which field is late evaluated and thus should be deleted after assignment?
    grandnew
    @grandnew
    @guedou By the way, which stack overflow question referred to this? I can't find it, could you please show me the link? Thanks!
    lapinouxxx
    @lapinouxxx
    @guedou you said in 2019, "Don't call sniff() in threads." in order to not miss data. I agree with you. You suggested using a custom capture logic. But what is your POV about using redis in a callback function instead of a custom capture logic, in order to manage the dissection in a better multithreading way and prevent data loss?
    Guillaume Valadon
    @guedou
    @lapinouxxx i don’t remind the context =\
    Customizing AsyncSniffer might be a good alternative
    @grandnew try searching « Scapy compute checksum »
    grandnew
    @grandnew
    @guedou Got it, thanks!
    So, for one new protocol, how do I know which field is late evaluated and thus should be deleted after assignment?

    Guillaume Valadon
    @guedou
    ls(IP) for example.
    It shows the fields assigned to None.
    grandnew
    @grandnew
    But, how about those fields (like StrField) whose default value is assigned to None?
    grandnew
    @grandnew
    @guedou The fields assigned to None mean the default value is None. But the default value of some StrField fields may also be assigned to None.

    eaglerbits
    @eaglerbits
    Hello, I'm new here.
    I need to track Netflix, HBO streaming sessions, I guess Scapy Sessions will be the best way, right?
    gpotter2
    @gpotter2
    @grandnew Interesting question. As of right now, you need to look through the code to see fields that are changed (in post_build), but it would be nice to see which fields are auto-computed... lot of work though
    grandnew
    @grandnew
    @gpotter2 Yeah, it can be lots of manual work, for the reason that, apart from post_build, some fields are changed in i2m.
    As for those fields changed in i2m, I went through fields.py and listed them:
    [LenField, FCSField, PacketLenField, StrFixedLenField, StrLenField, _XStrLenField, FieldLenField, LenField, BitFixedLenField, BitFieldLenField, MultiFlagsField, _IPPrefixFieldBase, _ScalingField]
    Merc
    @mercurial12
    In Scapy Sniff, is it possible to filter on a specific src/dst IP or src/dst port?
    Merc
    @mercurial12
    nvm, found it
    it just uses BPF-style filters: https://biot.com/capstats/bpf.html
    drmlbrt
    @drmlbrt
    Question: trying to build a 'test' QoS script. Using Scapy, it works ok for my local address. However, when I try a corporate IP, it is giving me a routing issue.... WARNING: No route found (no default route?)
    Nils Weiss
    @polybassa
    Hi, will appveyor be available for unit testing in the near future?
    gpotter2
    @gpotter2
    Yes.. we have no plans of switching off Appveyor.. Why ask? Did they have a policy change or something?
    @eaglerbits Probably not. Scapy will only allow you to see what IPs people connect to, so that's what you'll see (and you'll need to maintain a giant list of all Netflix' IPs...)
    eaglerbits
    @eaglerbits
    Right, but do you have a better idea?
    I need to know when a device starts/ends Netflix streaming.