Riccardo Ravaioli | 25 Aug 15:09 2015

error on packet with corrupted Frame Check Sequence

Hi all,

On a machine I have access to I seem to receive ICMP packets with a corrupted Frame Check Sequence (FCS) in the Ethernet layer, or at least so says Wireshark. When Scapy reads such packets, it shows all the details as expected, but yields an error as soon as I try to get the packet length or convert the packet to a string.  

I uploaded a corrupted packet on https://goo.gl/QPT5RF and the generated error on http://pastebin.com/SP694VW4

Removing the Ethernet layer, as well as all chksum fields (IP, ICMP, IP in ICMP), works as long as I don't try to recompute them. If I do recompute the checksums, it throws the previous error.

Any insight on this?

Thanks!

Riccardo
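
A way to check what Wireshark reports for such a frame, as an added example (not code from this thread or from Scapy): it compares the bytes after the IPv4 datagram with the CRC-32 that Ethernet uses as its FCS. It assumes Python 3, an untagged Ethernet/IPv4 frame, and a capture that kept the 4-byte FCS; the sample frame is constructed.

```python
import struct
import zlib

ETH_HLEN = 14

def classify_trailer(frame):
    """Classify the bytes after the IPv4 datagram: 'none', 'fcs-ok' or 'padding-or-bad-fcs'."""
    if len(frame) < ETH_HLEN + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("expected an untagged Ethernet frame carrying IPv4")
    ip_total_len, = struct.unpack_from("!H", frame, ETH_HLEN + 2)
    extra = len(frame) - ETH_HLEN - ip_total_len
    if extra < 0:
        raise ValueError("frame is shorter than the IP total length")
    if extra < 4:
        return "none"  # no room for a 4-byte FCS
    # The FCS is the CRC-32 of everything before it, stored least significant byte first.
    expected = struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    return "fcs-ok" if frame[-4:] == expected else "padding-or-bad-fcs"

def strip_trailer(frame):
    """Drop everything past the IPv4 total length (padding and any FCS)."""
    ip_total_len, = struct.unpack_from("!H", frame, ETH_HLEN + 2)
    return frame[:ETH_HLEN + ip_total_len]

def build_sample_frame():
    """Constructed frame: 28-byte IPv4/ICMP echo request, padded to 60 bytes, valid FCS appended."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,  # IP checksum left at 0
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    icmp = b"\x08\x00\xf7\xff\x00\x00\x00\x00"
    body = (b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + icmp).ljust(60, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
```

A result of 'padding-or-bad-fcs' is deliberately ambiguous: a padded frame captured without its FCS looks the same as one whose FCS is wrong.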


מיכאל גראיפר | 25 Aug 10:58 2015

Fwd: An Issue with scapy

Hello!
I have recently started studying scapy (and computer networks in general). I installed it on my computer running Windows 7 64 bit, and all seemed fine: I managed to sniff and manipulate packets.
The problem is when I try to send a packet. Every time I try to send an IP packet I get one of two errors: "OSError: No error" or "OSError: No error". I have added screenshots of these errors.
I have searched online for an answer, and found out it's a common problem with my OS. My question is: is there any workaround for this? Or is my best option to switch to another OS?

in short-
computer with windows7/64, python 2.6.1
scapy cannot send packets, as depicted in pictures

Thank you very much for your help,
Michael
---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Robert | 24 Aug 21:27 2015

Slow PcapReader

Hi all,
I've recently submitted a bug report in the scapy tracker for PcapReader being
slow. It turns out that just reading a 10000-packet file takes 10 seconds with
PcapReader. 1 ms per packet might not look like much, but:
- RawPcapReader does that almost instantly
- (not checked) pyshark, which dissects packets as well, does that quickly
as well
- I process thousands of packages quite often
- RawPcapReader means manual dissection (pkt_data[13:17] + struct or similar)

It doesn't matter if I use read_all or iterator or rdpcap, the simplest code
looks like:

def fun2(fileName, connectionId, srcIp):
    packets = scapy.PcapReader(fileName)
    for packet in packets:
        pass
    packets.close()

The top of the profile output looks like:
         9622298 function calls (9276644 primitive calls) in 9.394 seconds

   Ordered by: cumulative time

   ncalls  tottime  percall  cumtime  percall filename:lineno(function)
        1    0.009    0.009    9.394    9.394 scapy_pcap_reader_time.py:5(fun)
     9343    0.018    0.000    9.385    0.001 utils.py:509(next)
     9343    0.045    0.000    9.355    0.001 utils.py:578(read_packet)
74736/9342    0.264    0.000    9.185    0.001 base_classes.py:194(__call__)
37368/9342    0.526    0.000    9.123    0.001 packet.py:67(__init__)
37368/9342    0.130    0.000    8.526    0.001 packet.py:591(dissect)
37368/9342    0.095    0.000    8.083    0.001 packet.py:573(do_dissect_payload)
    28026    0.673    0.000    2.729    0.000 packet.py:604(guess_payload_class)
    37368    0.623    0.000    2.046    0.000 packet.py:557(do_dissect)
    37368    0.030    0.000    1.936    0.000 packet.py:96(init_fields)
    37368    0.523    0.000    1.906    0.000 packet.py:99(do_init_fields)
   476442    0.584    0.000    1.772    0.000 {hasattr}

As one can see, it's mostly spent on dissect.
Does anybody have an idea how to fix that? I wish the time was reduced 10
times ... I can do some experiments and coding, but right now have no idea
where to start. Replace dissect recursion with iteration over payload? Don't
even know if it'll pay off... Use some caching? Could be promising, but the
data has variable length and structure, so plain caching won't work. Write
that as C extension? Don't have much experience on that.

I'd appreciate your opinions.

Regards,
Robert
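
The manual-dissection route mentioned above (raw record bytes plus struct instead of full packet objects), as an added example that is not code from this thread or from Scapy: a pure Python 3 reader for the classic pcap format that extracts only the IPv4 addresses and protocol number. The function names and the sample capture are constructed for illustration.

```python
import socket
import struct

ETH_HLEN, IPV4_MIN_HLEN, ETHERTYPE_IPV4 = 14, 20, 0x0800

def iter_ipv4_flows(pcap_bytes):
    """Yield (src, dst, proto) per Ethernet/IPv4 record without building packet objects."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    record = struct.Struct(endian + "IIII")  # ts_sec, ts_usec, incl_len, orig_len
    offset = 24  # size of the pcap global header
    while offset + record.size <= len(pcap_bytes):
        incl_len = record.unpack_from(pcap_bytes, offset)[2]
        offset += record.size
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < incl_len:
            break  # truncated final record
        if len(frame) < ETH_HLEN + IPV4_MIN_HLEN:
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4 or frame[ETH_HLEN] >> 4 != 4:
            continue  # not IPv4: skipped rather than dissected
        proto = frame[ETH_HLEN + 9]
        src = frame[ETH_HLEN + 12:ETH_HLEN + 16]
        dst = frame[ETH_HLEN + 16:ETH_HLEN + 20]
        yield socket.inet_ntoa(src), socket.inet_ntoa(dst), proto

def build_sample_pcap():
    """Constructed capture: one IPv4/TCP frame and one ARP frame (documentation addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7"))
    frames = [b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + b"\x00" * 20,
              b"\xff" * 6 + b"\x04" * 6 + b"\x08\x06" + b"\x00" * 28]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

The cost of this approach is the one named in the post: every field offset is hard-coded, so VLAN tags, IP options past the fixed header, and other link types need their own handling.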


Robert | 18 Aug 12:09 2015

Re: TCP_client does not send packet from script, works from interactive shell

Marco Zunino <eng.marco.zunino <at> gmail.com> writes:

>
> I tried to use the iface parameter in the send() call, but this parameter
> is not accepted in the TCP_client.tcplink.send() method.

Ok, I've assumed that the methods you use accept quite common iface arg - I
was wrong on that.

> I checked the route by printing scapy conf.route in both the script and
> scapy console, and they are identical.
>
> Regarding comparing the default interface, I am not sure what you are
> referring to.
>
> In case of Scapy route, I do not have a default route, in case of system
> route, I do have a default route defined to the internet route

[cut]

It turns out I have no idea. But when I'm in a similar situation (too often :)
I just put print statements or run pdb to see where the difference in the
execution path is.

Just a guess - you're not using any virtual env? The Python when launched as
a script and from command line is the same?

Regards,
Robert

Robert | 18 Aug 08:53 2015

Re: TCP_client does not send packet from script, works from interactive shell

Marco Zunino <eng.marco.zunino <at> gmail.com> writes:

>
> Dear all, good morning
> I am including the TCP_client object in a wrapper class, all this is done
> in a python script I run from bash:
>
[cut]

Have you tried checking routing from scapy?
Have you tried comparing default interface in both cases? (Personally I find
it unfortunate that default value has precedence over routing in scapy)
Have you tried sending with iface= explicit argument?

Keywords: config, ifaces, show_faces, route, conf.route, ...

Regards,
Robert


Nathan Michaels | 17 Aug 15:45 2015

Re: TCP_client does not send packet from script, works from interactive shell

You have a typo in your __init__ function's name. Maybe that's your problem.

On Mon, Aug 17, 2015 at 5:28 AM, Marco Zunino
<eng.marco.zunino <at> gmail.com> wrote:
> Dear all, good morning
>
> I am including the TCP_client object in a wrapper class, all this is done in
> a python script I run from bash:
>
> #! /usr/bin/python
>
> import scapy.all import *
>
> conf.L3socket.L3RawSocket
>
> class TCPConnection(object):
>     def __inint__(self, add, port):
>         self.tcp = TCP_client.tcplink(Raw, add, port)
>     def sendInt(self, payload):
>         self.tcp.send(payload)
>
> conn = TCPConnection("127.0.0.1", 6666)
> conn.sendInt("Prova")
>
>
> But nothing is sent, even if I do not get any particular error in the
> console.
> If I use the same code in the interactive console, the code works and I can
> see the data received by my local instance of nc -l 6666
>
> I am not even sure if the problem is incorporating the TCP_client in a
> custom class or if it is a kind of routing issue.
>
> If in the script I replace my localhost IP address with www.google.com, in
> wireshark I see the DNS request for google, but still no TCP SYN sent
> anywhere.
>
> Does anybody know if there is some information about routing that is
> available to the interactive console but might not be available in a custom
> script?
>
> Any suggestion on different investigation approach will be appreciated. Bye!
>


Marco Zunino | 17 Aug 11:28 2015

TCP_client does not send packet from script, works from interactive shell

Dear all, good morning

I am including the TCP_client object in a wrapper class, all this is done in a python script I run from bash:

#! /usr/bin/python
import scapy.all import *

conf.L3socket.L3RawSocket

class TCPConnection(object):
    def __inint__(self, add, port):
        self.tcp = TCP_client.tcplink(Raw, add, port)
    def sendInt(self, payload):
        self.tcp.send(payload)

conn = TCPConnection("127.0.0.1", 6666)
conn.sendInt("Prova")

But nothing is sent, even if I do not get any particular error in the console.
If I use the same code in the interactive console, the code works and I can see the data received by my local instance of nc -l 6666

I am not even sure if the problem is incorporating the TCP_client in a custom class or if it is a kind of routing issue.

If in the script I replace my localhost IP address with www.google.com, in wireshark I see the DNS request for google, but still no TCP SYN sent anywhere.

Does anybody know if there is some information about routing that is available to the interactive console but might not be available in a custom script?

Any suggestion on different investigation approach will be appreciated. Bye!

Suraj Deshmukh | 13 Aug 20:42 2015

class FieldListField - attributes

In class `FieldListField` in file `fields.py` what is the use of
attributes `length_from` and `count_from`?
Can somebody please point me to proper source or documentation where I
can read more about it. What are the possible use cases, where these
are helpful?

-- 
- Suraj Deshmukh
http://deshmukhsuraj.wordpress.com/
http://github.com/surajssd/
https://bitbucket.org/suraj_deshmukh/


Suraj Deshmukh | 30 Jul 15:20 2015

SNMP packet shows as malformed DNS packet in wireshark

Hi,

When I created an SNMP packet in scapy as below

>>> a = Ether()/IP()/UDP()/SNMP()
>>> wireshark(a)
>>>
In wireshark instead of showing SNMP packet at application layer it
shows [Malformed Packet: DNS]. Is this a bug? Should this be reported
or am I doing something wrong?

-- 
- Suraj Deshmukh
http://deshmukhsuraj.wordpress.com/
http://github.com/surajssd/
https://bitbucket.org/suraj_deshmukh/


Veit Hailperin | 29 Jul 13:40 2015

Missing TCP response if also received host-redirect

Hi,

Not sure if this is me doing it wrong or if it's an issue with the library.

I'm sending a very simple request:

>>> ans, unans = sr(IP(dst="173.194.116.52")/TCP(dport=80, flags="S"))
>>> ans.summary()
IP / TCP 172.20.75.39:ftp_data > 173.194.116.52:http S ==> IP / ICMP 172.20.75.252 > 172.20.75.39 redirect host-redirect / IPerror / TCPerror / Raw

If I look at the traffic using tcpdump, I see the ICMP host redirect, but also the packet that I'm actually interested in, the TCP SA-flagged one. 

How come I get IPerror/TCPerror instead of the SA flagged proper TCP packet? 

Kind regards,

--
Veit

patrick.battistello | 24 Jul 10:24 2015

Updated Diameter support for Scapy

Hello,

A couple of updates for Diameter support are available at https://bitbucket.org/PBattistello/scapy
under 2 branches:

1) 'diameter' branch:

It provides the Diameter layer support in scapy/contrib directory; the 3 additional files are:

* diameter.py: the library file.

This version includes the following modifications:

- bug corrections and enhanced decoding for a couple of AVPs,

- source code shrinking from 3678 lines to 1682 lines (for an equivalent protocol coverage) by avoiding
having a class per AVP (only the enumerated AVPs now have a corresponding class),

- support for new standards; the coverage is now: RFC 6733, RFC 7155, RFC 4004, RFC 4006, RFC 4072, RFC 4740,
RFC 5778, RFC 5447, RFC 6942, RFC 5777, TS 29.229 V12.3.0 (2014-09), TS 29.272 V13.1.0 (2015-03), TS
29.329 V12.5.0 (2014-12), TS 29.212 V13.1.0 (2015-03), TS 32.299 V13.0.0 (2015-03), TS 29.210 V6.7.0
(2006-12), TS 29.214 V13.1.0 (2015-03), TS 29.273 V12.7.0 (2015-03), TS 29.173 V12.3.0 (2015-03), TS
29.172 V12.5.0 (2015-03), TS 29.215 V13.1.0 (2015-03), TS 29.209 V6.8.0 (2011-09), TS 29.061 V13.0.0
(2015-03), TS 29.219 V13.0.0 (2014-12).

* diameterExtras.py: the Diameter commands and AVPs Python dictionaries with additional information on
standards and flags. These dictionaries are generated from standards parsing and are then used to
produce diameter.py.

* diameter.uts: the UTScapy test script.

2) 'sctp' branch:

This SCTP branch contains a few modifications to sctp.py, to bind the SCTPChunkData layer decoding to the
next layer based on:

- the 'proto_id' field of the SCTPChunkData layer (when not null), or,
- the 'sport/dport' fields of the SCTP layer.

Regards,
Patrick
