gmane.comp.security.scapy.general

Custom response matching

Johan Johansson — 2012-05-14T23:17:44

Hi

I have a scenario where I will be sending packets into an ip-ip tunnel 
and will receive responses that are not tunneled. Since the normal response 
matcher requires layer-by-layer class membership equality this fails. 
I have implemented a workaround that sets conf.match_debug and filters 
the debug.recv packet list, but apart from being an ugly hack this 
approach has real limitations. Is there a better way to roll your own 
response matcher?

Thanks
Johan


---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

Defining Type of fields for a class according to a field from another class ???

Mojo — 2012-05-11T14:32:01

Hi folks,

I'm wondering how to define Type of fields of class according to a field from 
another class ???
I mean how to define and link a field from a class to another class, example:

class TemplateRecord(Packet):
        name = "Template Record"
        fields_desc = [ ShortField("Type", 0),
                        ShortField("Length", 0) ]
        def extract_padding(self, s):
                return "", s


class DataRecord(Packet):
        name = "Data Record"
        fields_desc = [ ==> Here i would like something like this :

"if Type == 0 from Class TemplateRecord:
IPField("ipsrc", "0.0.0.0"),
if Type == 1 from Class TemplateRecord
IPField("ipdst", "0.0.0.0"),
if Type == 2 from IPField("nexthop", "0.0.0.0")

....etc..." 
      
]
def extract_padding(self, s):
                return "", s

Thx in advance,

Regards,

Mojo.


---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

PACKET INJECTION

2012-05-02T21:27:39

I try to inject a packet with an atheros chip (pingpacketscapy), and
capture on a totally different card (pingpacketcaptured).
The wireshark dump from the other card shows that infact the source and
destination MAcs of the 802.11 packet have been changed! in fact a whole
20bytes is added to the packet?! C.f. attatchments.
Is this normal operation?

Thanks so much!
---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

IPv4 over IPv6

Nathan Michaels — 2012-05-02T18:46:58

This code:

    >> IPv6() / IP()

creates this packet:

    <IPv6  |<IP  |>>

But what it should create is this packet:

    <IPv6  nh=IP |<IP  |>>

I think the right way to fix this is to put

IP.overload_fields[IPv6] = {"nh": 4}

somewhere in inet6.py. Is that correct?

~Nathan

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

Re: Virtual network

Dirk Loss — 2012-05-02T18:20:37

It seems you are running into the long-standing problem of Scapy's
incorrect network interface detection on Windows.

I haven't looked at this for years, and I don't have a useful suggestion
(besides from what I put in the above error message), but here is some
background information:

http://article.gmane.org/gmane.comp.security.scapy.general/3932
http://article.gmane.org/gmane.comp.security.scapy.general/3937
http://article.gmane.org/gmane.comp.security.scapy.general/3902

Best regards
Dirk

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

Re: Re: Virtual network

Andrew McConachie — 2012-05-02T08:24:02

I'm just guessing here but do you have at least 1 interface with an IP
address?  Maybe it would help to paste the output of
'ipconfig/ifconfig' along with your question.

Thanks,
Andrew

On Wed, May 2, 2012 at 9:50 AM, Denis <den.meln< at >gmail.com> wrote:

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

Re: Virtual network

Denis — 2012-05-02T07:50:42

But if I connect my virtual machine to 
the physical network, it works correct...

What is the reason?





---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

Virtual network

Denis — 2012-05-02T07:14:46

Hi!

So I have one question about scapy, if anyone can, 
help me please.

I installed Scapy on VMWare virual machine and 
this machine is in virual network. This virtual 
network isn't connected to my physical network. 
And I attempting to run Scapy, 
but there is one error:

"No match between your pcap and dnet network 
interfaces found. You probably won't be able 
to send packets. Deactivating unneeded 
interfaces and restarting Scapy might help."

How can I resolve this problem?

Thanks.


---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

not getting any ICMP time exceeded messages

Riccardo R. — 2012-04-27T07:16:54

Hi all,

I'm playing around with Scapy and I noticed something weird. If I create 
a packet in order to trigger an ICMP time-exceeded error message:

|myPacket = IP(dst="www.google.com", ttl=3)/TCP()
|

... I do get the ICMP message once I send it with the function |sr| . On 
the other hand, if I take any outgoing packet that I have sniffed and 
change its ttl value to the same used above, I get no reply whatsoever.

What's the problem here? I thought I could experience this when using 
dummy traffic, not real traffic! I even tried with other TTL values, but 
to no avail.

Thanks.

RIccardo.

Re: srp() and wireshark

jeetika kataria — 2012-04-26T21:08:02

Thanks for your quick reply. Also I want to sniff packets and filter ARP
reply packets, opcode=0x0002. The following command will filter ARP packets
but what will be the filter for ARP reply packets.?
"sniff(filter="arp",prn=lambda x: x.summary,count=1,iface=i)"



On Thu, Apr 26, 2012 at 11:01 PM, StalkR <stalkr< at >stalkr.net> wrote:

Re: srp() and wireshark

StalkR — 2012-04-26T21:01:02

Hello,

Maybe promiscuous mode?

Enable it with:
# ifconfig eth0 promisc
then try again srp()

Back to normal with:
# ifconfig eth0 -promisc

(or whatever the interface name is)

Cheers,
StalkR

On Thu, Apr 26, 2012 at 22:19, jeetika kataria
<jeetika.kataria< at >gmail.com> wrote:

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

srp() and wireshark

jeetika kataria — 2012-04-26T20:19:46

Hello List,

Scapy is only receiving packets and matching requests with replies using
srp() function when Wireshark is running in background. What can be
possible reason for this behavior?

Greetings.

Help writing a new dissector

Aris Adamantiadis — 2012-04-22T20:47:45

Hello Scapy users,

I am writing a dissector/parser for a network protocol that has tricky
length fields embedded in it.
One of these packets X is very easy to dissemble:

class PacketX(Packet):
    fields_desc = [
                   FieldLenField("y_count",None, fmt="I",
count_of="y_packets"),
                   PacketListField("y_packets",None, PacketY,
                                   count_from=lambda pkt:pkt.y_count)
                   ]
The packet Y is an header that introduce an other packet:

class PacketY(Packet):
    fields_desc = [
                   ByteEnumField("type",1,{1:"a",2:"b"}),
                   ShortField("length",0),
                   Packet Z1,Z2,Z3, ...
                   ]

Following this packet, there are 4 or 5 type of packets (that I call
Z1,Z2,Z3) which are very different between them.
What I am stuck now, is that the number of fields inside these packets
directly depend on the length field of the Y packet (which contain the
size of Y + Z(1,2,...).
I am stuck, as I don't kn

Re: Sendpfast() rate

Dirk Loss — 2012-04-20T15:54:07

Ah, yes. Here's a new patch that allows the additional_options
parameter to be a string of multiple options, separated by whitespace:

sendpfast(s, iface='eth0',
additional_options="--timer=gtod --preload-pcap")

http://hg.secdev.org/scapy-com/rev/937f99e3dbbd

Regards
Dirk

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

Re: Sendpfast() rate

jeetika kataria — 2012-04-20T09:34:20

Thanks for your help and the patch.
But if I want to specify two or more additional options. For example
sendpfast(s,iface='eth0',
additional_options="--timer=gtod","--preload-pcap")



On Thu, Apr 19, 2012 at 8:34 PM, Dirk Loss <lists< at >dirk-loss.de> wrote:

Re: Sendpfast() rate

Dirk Loss — 2012-04-19T18:34:32

AFAIK that's not possible. But here's a simple patch that allows you to
specify additional options for sendpfast:
http://hg.secdev.org/scapy-com/rev/1f021e89f2b9

So if you install from scapy-com (see the docs for instructions), or if
you apply the patch manually, you could do something like this:


(I fixed the docstring in the next commit.)

Regards
Dirk

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

Re: Sendpfast() rate

jeetika kataria — 2012-04-19T17:49:49

Yes, I think this is a issue with tcpreplay but there are some options and
arguments which when provided while running tcpreplay can help in achieving
accurate speed (
http://tcpreplay.synfin.net/wiki/FAQ#HowcanImaketcpreplayrunfaster ). But I
dont know how can I specify these arguments for tcpreplay in sendpfast()
function of Scapy.

On Thu, Apr 19, 2012 at 6:22 PM, Dirk Loss <lists< at >dirk-loss.de> wrote:

Re: Sendpfast() rate

Dirk Loss — 2012-04-19T16:22:31

This seems to be a tcpreplay problem, because Scapy passes your pps
parameter directly to tcpreplay:

== scapy/sendrecv.py ==
def sendpfast(x, pps=None, mbps=None, realtime=None, loop=0,
file_cache=False, iface=None):
    """Send packets at layer 2 using tcpreplay for performance
[...]
    argv = [conf.prog.tcpreplay, "--intf1=%s" % iface ]
[...]
    if pps is not None:
        argv.append("--pps=%i" % pps)
[...]
subprocess.check_call(argv)


Not that I know.

Best regards
Dirk


---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

Sendpfast() rate

jeetika kataria — 2012-04-19T10:23:30

Hello List,

I am using sendpfast() function to send around 100000 packets at a defined
rate of 25000pps, but Scapy never sends these packets with this exact rate.
"  sendpfast(a, pps=25000,iface='eth0')
   Rated: 16528.93pps "
Is there any feature in Scapy which will make it send packets approximately
with the rate specified in the argument of sendpfast().

Thanks

Re: load_contrib() Help

Andrew McConachie — 2012-04-17T19:37:20

Thanks Dirk.  This solved my issue.

--Andrew

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org

Re: load_contrib() Help

Dirk Loss — 2012-04-16T17:43:56

[...]

The file "__init__.py" is missing (and the other contrib files as well).
At least the __init__.py must exist. It can be empty:

$ ls -l __init__.py
-rw-r--r--  1 dirk  staff  0 15 Apr 14:51 __init__.py

You can create it with "touch":
$ touch /usr/local/lib/python2.7/site-packages/scapy/contrib/__init__.py


This is the right syntax and will work if you have created the
__init__.py file in the contrib directory.

Best regards
Dirk

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe< at >secdev.org