Alfonso Caponi | 22 May 2013 16:20

scapy & dns sec

Hi list,

I read:

>>> ls()
...
DNS        : DNS
DNSQR      : DNS Question Record
DNSRR      : DNS Resource Record

Do you confirm it's not possible to create dnssec requests?

Thank you,
Al
Stepan B. | 20 May 2013 22:43

[Scapy][bug]Memory leak in sendp() function

Hi!

Great thx from happy Scapy user! :)

I experience a problem with memory leak(s) in the sendp() function (I
suppose): sending more than 30 000 packets with sendp() causes FreeBSD to
kill the python process due to its large size in memory (over 3 GB!).
Please, fix it! :(

I wrote a short test with some debug information; it tries to send
10000000 packets with sendp(). FreeBSD 8.2+ x86 (scapy 2.2.0, 2.1.1)
fails at approximately the 30 000'th packet. Here it is:
<test begin>
#! /usr/bin/env python
# -*- coding: utf-8 -*-

import gc
import pdb
import sys
import time
from commands import getoutput

from scapy.all import *
from scapy.layers.inet import IP, TCP, UDP, ICMP
from scapy.layers.sctp import SCTP


def printAllGcObjs():
    # Walk every object the garbage collector tracks and print a running
    # total of their sizes, to see what accumulates between rounds.
    i = 0
    total = 0
    for obj in gc.get_objects():
        i = i + 1
        curBytes = sys.getsizeof(obj)
        total = total + curBytes
        print('\n\nObject #' + str(i) + ' (' + str(curBytes) +
              ' bytes, all elements by now are at ' + str(total) + ' bytes):')
        #print obj # Informative, but unsafe: scapy may break this by
        #          # throwing "*** Type error bla-bla-bla...".
    print i

port = 1024
counter = 0
counter_to_print = 1
# Loop on the packet counter, not on the port (the port wraps at 65534).
while counter_to_print <= 10000000:
    print('\n\n\n\n' + ' ' * 44 + 'Packet #' + str(counter_to_print) + '\n\n\n')
    counter_to_print = counter_to_print + 1
    if port == 65534:
        port = 1024
    pkt_A_TCP_start1 = (Ether(src="00:0c:29:1e:b4:15", dst="00:0c:29:1e:b4:10") /
                        IP(version=4L, id=1000, src="10.0.0.1", dst="10.0.0.2") /
                        TCP(sport=1027, dport=port, seq=0x0))
    sendp(pkt_A_TCP_start1, iface='em0', verbose=0)
    del(pkt_A_TCP_start1)
    port = port + 1
    counter = counter + 1
    if counter == 10000:
        # Every 10 000 packets: snapshot the process table, force a
        # collection, snapshot again, then inspect the tracked objects
        # and drop into the debugger.
        text = getoutput('top -S')
        print text
        print gc.garbage
        gc.collect()
        print gc.garbage
        text = getoutput('top -S')
        print text
        #time.sleep(10)
        counter = 0
        printAllGcObjs()
        pdb.set_trace()
<test end>

I appreciate what you are doing and hope that you will pay
attention to my request!

P.S. I can neither log in nor register at trac.secdev.org/scapy; I'd
rather have posted this bug as a ticket there.

--
Best regards,
Stepan Bajburtyan

stepan.bajburtyan <at> gmail.com

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Bruce Barnett | 2 May 2013 19:22

Documentation error in build_dissect.rst

In the file  scapy-com/scapy/doc/build_dissect.rst is the code:

        def m2i(self, pkt, x):
            if s is None:
                return None, 0
            return str2vlenq(x)[1]

"s" is undefined.


Bruce Barnett | 2 May 2013 17:03

Bug: Scapy-com does not properly decode IPv6 packets when the IP version == 6

When given an IPv6 packet trace, and the following code
    a=rdpcap("ipv6.pcap")
    print hexdump(a[1])
    print a[1].show()

scapy decodes it as IPv4:

0000   60 00 00 00 00 40 3A FF  FE 80 00 00 00 00 00 00   `.... <at> :.........
0010   00 00 00 00 00 00 00 00  FF 02 00 00 00 00 00 00   ................
0020   00 00 00 00 00 00 00 01  86 00 8D 1D 40 00 00 00   ............ <at> ...
0030   00 00 00 00 00 00 00 00  01 01 00 00 00 00 00 00   ................
0040   05 01 00 00 00 00 05 DC  03 04 40 E0 00 00 03 20   .......... <at> ....
0050   00 00 01 90 00 00 00 00  20 01 04 70 1F 15 16 EA   ........ ..p....
0060   00 00 00 00 00 00 00 00                            ........
None
###[ IP ]###
  version   = 6
  ihl       = 0
  tos       = 0x00
  len       = 0
  id        = 64
  flags     = MF
  frag      = 6911
  ttl       = 254
  proto     = 128
  chksum    = 0x00
  src       = 0.0.0.0
  dst       = 0.0.0.0
  \options   \
###[ Padding ]###
     load      =
'\x00\x00\x00\x00\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86\x00\x8d\x1d <at> \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x05\x01\x00\x00\x00\x00\x05\xdc\x03\x04 <at> \xe0\x00\x00\x03
\x00\x00\x01\x90\x00\x00\x00\x00
\x01\x04p\x1f\x15\x16\xea\x00\x00\x00\x00\x00\x00\x00\x00'
None

Clearly the version of the packet is IPv6. tcpdump and wireshark
decode it properly.

Workaround:
     conf.l2types.register(101, IPv6)

and .show() now prints
###[ IPv6 ]###
  version   = 6
  tc        = 0
  fl        = 0
  plen      = 64
  nh        = ICMPv6
  hlim      = 255
  src       = fe80::
  dst       = ff02::1
###[ ICMPv6 Neighbor Discovery - Router Advertisement ]###
     type      = Router Advertisement
     code      = 0
     cksum     = 0x8d1d
     chlim     = 64
     M         = 0
     O         = 0
     H         = 0
     prf       = Medium (default)
     P         = 0
     res       = 0
     routerlifetime= 0
     reachabletime= 0
     retranstimer= 0
###[ ICMPv6 Neighbor Discovery Option - Source Link-Layer Address ]###
        type      = 1
        len       = 1
        lladdr    = 00:00:00:00:00:00
###[ ICMPv6 Neighbor Discovery Option - MTU ]###
           type      = 5
           len       = 1
           res       = 0x00
           mtu       = 1500
###[ ICMPv6 Neighbor Discovery Option - Prefix Information ]###
              type      = 3
              len       = 4
              prefixlen = 64
              L         = 1
              A         = 1
              R         = 1
              res1      = 0
              validlifetime= 0x0320
              preferredlifetime= 0x0190
              res2      = 0x00
              prefix    = 2001:470:1f15:16ea::
None


Antonios Atlasis | 29 Apr 2013 23:15

Using fragment6 with layer2 commands

Hi,

I know that in order to fragment IPv6 packets, you can use fragment6. However, all the examples that I have found are used with the send (layer 3) command.

Is it possible to use fragment6 with a layer 2 command, for example sendp or srp? For example, something like sendp(Ether()/fragment6(...), iface)?

Thanks in advance

Antonios
Kevin Ross | 26 Apr 2013 06:30

byte array from raw packet data

Hello all,

I'm new to Scapy and I'm having trouble understanding how to do something that is probably pretty simple. I want to process a pcap file and get the raw packet data into an array of bytes. This is in order to do statistical processing of the bytes to try to look for attacks in a manner similar to a network-based IDS. If anyone has a suggestion I would appreciate it.

Thanks,
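One way to get at the raw bytes without going through Scapy's dissectors at all is to read the classic pcap container directly: a 24-byte global header, then one 16-byte record header per packet followed by the captured bytes. The reader below does that and then builds the per-byte-value histogram the question mentions. This is an added example, not code from the post or from Scapy; the pcap image it parses is constructed in memory by write_pcap() from two made-up packets, and all function names are mine.

```python
import struct
from collections import Counter

PCAP_GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16   # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(packets, linktype=1, snaplen=65535):
    """Constructed helper for the demo: serialise packets into a classic
    little-endian pcap image so the reader below has something to parse."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1366000000 + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def read_pcap(data):
    """Return (linktype, [packet_bytes, ...]) from a classic pcap image.
    Handles both byte orders and rejects records that overrun the buffer."""
    if len(data) < PCAP_GLOBAL_HDR:
        raise ValueError("too short for a pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("unrecognised magic %r (pcapng or nanosecond pcap?)" % magic)
    _, major, minor, _, _, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:PCAP_GLOBAL_HDR])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    packets = []
    off = PCAP_GLOBAL_HDR
    while off < len(data):
        if off + PCAP_RECORD_HDR > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        _, _, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + PCAP_RECORD_HDR])
        off += PCAP_RECORD_HDR
        # A capture never holds more than snaplen bytes, never more than the
        # original length, and never more than what is left in the file.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("bad record length %d at offset %d" % (incl_len, off))
        packets.append(bytes(data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def byte_histogram(packets):
    """Per-byte-value counts over all captured bytes: the kind of feature a
    statistical IDS would derive from raw packet data."""
    counts = Counter()
    for pkt in packets:
        counts.update(pkt)   # iterating a bytes object yields ints 0..255
    return counts


# Constructed sample capture: two short Ethernet-framed packets (not real traffic).
SAMPLE_PACKETS = [
    bytes.fromhex("ffffffffffff 00000c000001 0806") + b"\x00" * 28,
    bytes.fromhex("00000c000002 00000c000001 0800") + b"\x45" + b"\x00" * 19,
]
SAMPLE_PCAP = write_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    lt, pkts = read_pcap(SAMPLE_PCAP)
    print("linktype", lt, "packets", len(pkts))
    print(byte_histogram(pkts).most_common(3))
```

To run it on a real file, pass `open("trace.pcap", "rb").read()` to read_pcap(); note that pcapng and nanosecond-resolution pcap use different magic numbers and are rejected rather than misparsed.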

Otavio Augusto | 26 Apr 2013 02:46

Fwd: ARP Cache Poisoning

Hi,

Am I missing something about ARP cache poisoning? I tested the built-in function arpcachepoison and it appears to be sending only an ARP ping.

When I run that function, this is caught by tcpdump:
21:18:28.435348 ARP, Request who-has 192.168.1.1 tell 192.168.1.4, length 28
    0x0000:  0001 0800 0604 0001 0800 2721 75ed c0a8
    0x0010:  0104 0000 0000 0000 c0a8 0101
21:18:28.435692 ARP, Reply 192.168.1.1 is-at c4:3d:c7:4b:53:ac (oui Unknown), length 46
    0x0000:  0001 0800 0604 0002 c43d c74b 53ac c0a8
    0x0010:  0101 0800 2721 75ed c0a8 0104 0000 0000
    0x0020:  0000 0000 0000 0000 0000 8c81 70b8

So it's just forging a request from 192.168.1.4 asking who the router is. When checking the ARP cache of 192.168.1.4, this is there:

Interface: 192.168.1.4 --- 0xd
  Internet Address      Physical Address      Type
  192.168.1.1           c4-3d-c7-4b-53-ac     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff                static

Actually the gateway's MAC. So..? Maybe I didn't understand the prototype of that function; a missing parameter? =]

After using this:
poison= Ether(dst=getmacbyip(target),src=getmacbyip(me))/ARP(op="is-at",psrc=me, pdst=target)
sendp(poison)


tcpdump catches this:
21:28:34.023229 ARP, Reply 192.168.1.1 is-at 00:1e:68:92:ad:68 (oui Unknown), length 28
    0x0000:  0001 0800 0604 0002 001e 6892 ad68 c0a8
    0x0010:  0101 0000 0000 0000 c0a8 0104


And arp cache on 192.168.1.4 is:

Interface: 192.168.1.4 --- 0xd
  Internet Address      Physical Address      Type
  192.168.1.1           00-1e-68-92-ad-68     dynamic
  192.168.1.3           00-1e-68-92-ad-68     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff                static

Where the gateway has my MAC now, so a successful ARP poisoning attack. For some reason there are tons of code samples on the internet reproducing that "who-has" behavior, so maybe I'm missing something... am I?

Best



--
Otavio Augusto.
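Reading the three tcpdump hex dumps from this post back into ARP fields shows the difference between the two captures: in the first, 192.168.1.1 is announced by c4:3d:c7:4b:53:ac; in the second, the same IP is announced by 00:1e:68:92:ad:68, which is exactly the change the second `arp` listing reflects. A passive monitor that remembers each sender IP/MAC pair and alerts when an IP is re-announced with a different MAC catches that. This is an added example, not code from the post or from Scapy; the three ARP bodies are built from the hex dumps above, and the parser and ArpBindingMonitor class and their names are mine.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"   # Ethernet/IPv4 ARP body, 28 bytes


def fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def parse_arp(raw):
    """Decode an Ethernet/IPv4 ARP body (the bytes tcpdump printed after the
    frame header). Any trailing frame padding is ignored."""
    if len(raw) < 28:
        raise ValueError("short ARP body")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {"op": op, "sha": fmt_mac(sha), "spa": str(IPv4Address(spa)),
            "tha": fmt_mac(tha), "tpa": str(IPv4Address(tpa))}


class ArpBindingMonitor:
    """Passive detector: remembers the sender IP->MAC pair carried by every ARP
    packet (requests and replies both carry one) and records an alert when an
    IP is re-announced with a different MAC. Seed it with known-good pairs
    (e.g. the gateway) so the first forged announcement is caught too."""

    def __init__(self, static=None):
        self.table = dict(static or {})
        self.alerts = []

    def observe(self, arp):
        ip, hw = arp["spa"], arp["sha"]
        known = self.table.get(ip)
        if known is not None and known != hw:
            self.alerts.append({"ip": ip, "was": known, "now": hw, "op": arp["op"]})
        self.table[ip] = hw
        return len(self.alerts)


def run_monitor(bodies, static=None):
    """Feed raw ARP bodies through a monitor and return its alerts."""
    mon = ArpBindingMonitor(static)
    for raw in bodies:
        mon.observe(parse_arp(raw))
    return mon.alerts


# ARP bodies constructed from the tcpdump hex dumps in the post above.
REQUEST = bytes.fromhex(
    "0001 0800 0604 0001 0800 2721 75ed c0a8 0104 0000 0000 0000 c0a8 0101")
GENUINE_REPLY = bytes.fromhex(
    "0001 0800 0604 0002 c43d c74b 53ac c0a8 0101 0800 2721 75ed c0a8 0104"
    "0000 0000 0000 0000 0000 0000 0000 0000 8c81 70b8")      # 18 bytes of frame padding
FORGED_REPLY = bytes.fromhex(
    "0001 0800 0604 0002 001e 6892 ad68 c0a8 0101 0000 0000 0000 c0a8 0104")

if __name__ == "__main__":
    for alert in run_monitor([REQUEST, GENUINE_REPLY, FORGED_REPLY]):
        print("ARP binding change:", alert)
```

On a live host the same check is what tools like arpwatch do; the limitation is that the first announcement seen is trusted unless the table is seeded, which is why the constructor accepts a static map.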

Reynolds, Samuel | 25 Apr 2013 17:08

scapy SNMP decode doesn't recognize GAUGE32 ?

I'm trying to use scapy for SNMP polling.
When I decode a response containing a "GAUGE32" value...
    data = sock.recv(8192)
    rpkt = SA.SNMP(data)
I get "Unknown prefix [42]" instead of value=<GAUGE32[0]>.

Am I doing something wrong? Or is this a (known or unknown) bug in scapy?

----------  RCVD  ------------------------------------------
version    : ASN1F_enum_INTEGER   = <ASN1_INTEGER[1L]> (1)
community  : ASN1F_STRING         = <ASN1_STRING['public']> ('public')
PDU        : ASN1F_CHOICE         = <SNMPresponse  id=<ASN1_INTEGER[0L]> error=<ASN1_INTEGER[0L]>
error_index=<ASN1_INTEGER[0L]> varbindlist=[<SNMPvarbind 
oid=<ASN1_OID['vsatSb2UtSysUptime.0']> value=<ASN1_COUNTER32[1292142L]> |>, <SNMPvarbind 
oid=<ASN1_OID['vsatSb2UtSysSoftwareVersion.0']> value=<ASN1_STRING['UT_1.5.1.0.13']> |>,
<SNMPvarbind  oid=<ASN1_OID['vsatSb2UtSysHardwareVersion.0']> value=<ASN1_STRING['UT_8
P3_V2']> |>, <SNMPvarbind  oid=<ASN1_OID['vsatSb2UtSysResets.0']> value=<ASN1_COUNTER32[68L]>
|>, <SNMPvarbind  oid=<ASN1_OID['vsatSb2UtSysTerminalType.0']> value=<ASN1_COUNTER32[1L]> |>,
<SNMPvarbind  oid=<ASN1_OID['vsatSb2UtMacMsId.1']> value=<ASN1_STRING['\x00\xa0\xbc&O\xb0']>
|>, <SNMPvarbind  oid=<ASN1_OID['vsatSb2UtOduFwVer.1']>
value=<ASN1_DECODING_ERROR['B\x01\x00']{{Unknown prefix [42] for ['B\x01\x00']}}> |>] |>
(<SNMPget  |>)

###[ SNMP ]###
  version= <ASN1_INTEGER[1L]>
  community= <ASN1_STRING['public']>
  \PDU\
   |###[ SNMPresponse ]###
   |  id= <ASN1_INTEGER[0L]>
   |  error= <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid= <ASN1_OID['vsatSb2UtSysUptime.0']>
   |   |  value= <ASN1_COUNTER32[1292142L]>
   |   |###[ SNMPvarbind ]###
   |   |  oid= <ASN1_OID['vsatSb2UtSysSoftwareVersion.0']>
   |   |  value= <ASN1_STRING['UT_1.5.1.0.13']>
   |   |###[ SNMPvarbind ]###
   |   |  oid= <ASN1_OID['vsatSb2UtSysHardwareVersion.0']>
   |   |  value= <ASN1_STRING['UT_8 P3_V2']>
   |   |###[ SNMPvarbind ]###
   |   |  oid= <ASN1_OID['vsatSb2UtSysResets.0']>
   |   |  value= <ASN1_COUNTER32[68L]>
   |   |###[ SNMPvarbind ]###
   |   |  oid= <ASN1_OID['vsatSb2UtSysTerminalType.0']>
   |   |  value= <ASN1_COUNTER32[1L]>
   |   |###[ SNMPvarbind ]###
   |   |  oid= <ASN1_OID['vsatSb2UtMacMsId.1']>
   |   |  value= <ASN1_STRING['\x00\xa0\xbc&O\xb0']>
   |   |###[ SNMPvarbind ]###
   |   |  oid= <ASN1_OID['vsatSb2UtOduFwVer.1']>
   |   |  value= <ASN1_DECODING_ERROR['B\x01\x00']{{Unknown prefix [42] for ['B\x01\x00']}}>
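The "Unknown prefix [42]" in that output is the BER tag byte of the value `'B\x01\x00'`: 'B' is 0x42, which in ASN.1 terms is class APPLICATION, primitive, tag number 2, and SMIv2 (RFC 2578) defines Gauge32 as `[APPLICATION 2] IMPLICIT INTEGER`, so the agent sent a Gauge32 of 0. The decoder below, an added example rather than Scapy's ASN.1 code, reads one definite-length TLV and maps the universal and application-class tags SNMP uses onto their names; the other sample values it decodes are taken from the same dump (the Counter32 1292142 and the community string), and the function names are mine.

```python
# SMIv2 application-class tags (RFC 2578 section 7.1) as they appear on the
# wire: class bits 01 (APPLICATION) | primitive (0) | tag number.
APPLICATION_TAGS = {
    0x40: "IpAddress", 0x41: "Counter32", 0x42: "Gauge32",
    0x43: "TimeTicks", 0x44: "Opaque", 0x46: "Counter64",
}


def ber_tlv(buf, off=0):
    """Read one BER TLV with a definite length; return (tag, contents, next_off)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        # Long form: low 7 bits give the number of length octets that follow.
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if off + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    contents = buf[off:off + length]
    if len(contents) != length:
        raise ValueError("truncated contents")
    return tag, contents, off + length


def decode_varbind_value(buf):
    """Decode a single SNMP varbind value; return (type_name, value)."""
    tag, contents, end = ber_tlv(buf)
    if end != len(buf):
        raise ValueError("trailing bytes after value")
    if tag == 0x02:
        return "INTEGER", int.from_bytes(contents, "big", signed=True)
    if tag == 0x04:
        return "OCTET STRING", contents
    if tag == 0x05:
        return "NULL", None
    if tag == 0x06:
        return "OBJECT IDENTIFIER", contents   # arc decoding left out here
    if tag == 0x40:
        if len(contents) != 4:
            raise ValueError("IpAddress must be 4 octets")
        return "IpAddress", ".".join(str(b) for b in contents)
    if tag == 0x44:
        return "Opaque", contents
    if tag in APPLICATION_TAGS:
        # Counter32/Gauge32/TimeTicks/Counter64 reuse INTEGER encoding, so a
        # value with its top bit set carries a leading 0x00; a negative
        # number is malformed for these unsigned types.
        value = int.from_bytes(contents, "big", signed=True)
        if value < 0:
            raise ValueError("negative %s" % APPLICATION_TAGS[tag])
        return APPLICATION_TAGS[tag], value
    raise ValueError("unknown tag 0x%02x" % tag)


if __name__ == "__main__":
    print(decode_varbind_value(b"B\x01\x00"))              # the value from the dump
    print(decode_varbind_value(bytes.fromhex("410313b76e")))  # Counter32 1292142
```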


Mark Moes | 25 Apr 2013 13:42

How to inject 802.11 frames on FreeBSD

I already posted this same question on stackoverflow http://stackoverflow.com/questions/16212208/how-to-inject-802-11-frames-with-scapy-on-freebsd but I'll just copy the whole text.


On a FreeBSD 8.1 machine I am trying to inject 802.11 frames with Scapy 2.2.0 as described in the documentation's example: http://www.secdev.org/projects/scapy/doc/usage.html#wireless-frame-injection. I installed it from a precompiled FreeBSD package.

This is how I entered it in Scapy's console:

    def doit(intf):
        sendp(Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2=RandMAC(),addr3=RandMAC())/
          Dot11Beacon(cap="ESS")/
          Dot11Elt(ID="SSID",info='I should see this')/
          Dot11Elt(ID="Rates",info='\x82\x84\x0b\x16')/
          Dot11Elt(ID="DSset",info="\x03")/
          Dot11Elt(ID="TIM",info="\x00\x01\x00\x00"),iface=intf,loop=1)

I have created interfaces in the following ways (and started them by issuing `ifconfig wlanx up`):

    ifconfig wlan create wlandev ath0 wlanmode monitor
    wlan1
    ifconfig wlan create wlandev ath0 wlanmode hostapd
    wlan2

I checked on both my smartphone and laptop and no sign of a new SSID, even though it says that it sent a bunch of packets. Then again, I don't even need to start the interfaces, it will still tell me that it sent the packets.


According to the source, the sendp() function does the following:

    # scapy/sendrecv.py:259
    __gen_send(conf.L2socket(iface=iface, *args, **kargs), x, inter=inter, loop=loop, count=count, verbose=verbose, realtime=realtime)

    # scapy/arch/linux.py:401
    class L2Socket(SuperSocket):
        desc = "read/write packets at layer 2 using Linux PF_PACKET sockets"
        def __init__(self, iface = None, type = ETH_P_ALL, filter=None, nofilter=0):
            if iface is None:
                iface = conf.iface
            self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type))

I'm thinking that FreeBSD sockets do not support the AF_PACKET parameter (see http://www.freebsd.org/cgi/man.cgi?query=socket&apropos=0&sektion=0&manpath=FreeBSD%208.1-RELEASE&arch=default&format=html), but that's just a wild guess.



Bruce Barnett | 22 Apr 2013 18:35

Decoding IPv6/sixlowpan problem

I'm trying to decode a sixlowpan packet, but scapy seems to be decoding it as IPv4.


hexdump(packet) says the packet contains these values


0000   60 00 00 00 00 20 3A FF  20 01 04 70 1F 15 16 EA   `.... :. ..p....
0010   00 00 00 00 00 00 00 00  FF 02 00 00 00 00 00 00   ................
0020   00 00 00 00 00 00 00 01  88 00 21 BF A0 00 00 00   ..........!.....
0030   20 01 04 70 1F 15 16 EA  00 00 00 00 00 00 00 00    ..p............
0040   02 01 00 00 00 00 00 00                            ........

tcpdump decodes this packet as:
23:45:59.361475 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:470:1f15:16ea:: > ip6-allnodes: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2001:470:1f15:16ea::, Flags [router, override]
      destination link-address option (2), length 8 (1): 00:00:00:00:00:00
        0x0000:  0000 0000 0000


tshark decodes this as:
  1   0.000000 2001:470:1f15:16ea:: -> ff02::1      ICMPv6 72 Neighbor Advertisement

But using scapy-com's packet.show(), I get
###[ IP ]###
  version   = 6
  ihl       = 0
  tos       = 0x00
  len       = 0
  id        = 32
  flags     = MF
  frag      = 6911
  ttl       = 32
  proto     = icmp
  chksum    = 0x0470
  src       = 31.21.22.234
  dst       = 0.0.0.0
  \options   \
###[ Padding ]###
     load      = '\x00\x00\x00\x00\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x88\x00!\xbf\xa0\x00\x00\x00 \x01\x04p\x1f\x15\x16\xea\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01\x00\x00\x00\x00\x00\x00'


Any suggestions?
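Both this post and the earlier "Scapy-com does not properly decode IPv6 packets" post show the same thing: on a raw-IP link (pcap link type 101, no link-layer header) scapy-com hands every packet to the IP class, and a forced IPv4 parse of an IPv6 header yields exactly the garbage printed above (version 6, ihl 0, frag 6911, and here src 31.21.22.234 from the middle of the source address). The `conf.l2types.register(101, IPv6)` workaround swaps the whole link type to IPv6; the more general fix, and what tcpdump does for DLT_RAW, is to dispatch on the version nibble of the first byte. The code below is an added example, not scapy-com's or tcpdump's code: it dissects the two packets built from the hexdumps in the two posts, and shows what the misparse produces. The function names are mine.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# Constructed from the hexdumps quoted in the two posts: an ICMPv6 Router
# Advertisement (104 bytes) and a Neighbor Advertisement (72 bytes), both
# captured on a raw-IP link, so the packet starts with the IPv6 header.
ROUTER_ADVERT = bytes.fromhex(
    "60000000 00403aff fe800000 00000000 00000000 00000000"
    "ff020000 00000000 00000000 00000001 86008d1d 40000000"
    "00000000 00000000 01010000 00000000 05010000 000005dc"
    "030440e0 00000320 00000190 00000000 20010470 1f1516ea"
    "00000000 00000000")
NEIGHBOR_ADVERT = bytes.fromhex(
    "60000000 00203aff 20010470 1f1516ea 00000000 00000000"
    "ff020000 00000000 00000000 00000001 880021bf a0000000"
    "20010470 1f1516ea 00000000 00000000 02010000 00000000")


def ip_version(raw):
    """On a raw-IP link the version nibble is the only discriminator: there
    is no EtherType to consult."""
    if not raw:
        raise ValueError("empty packet")
    return raw[0] >> 4


def parse_ipv4(raw):
    """Fixed 20-byte IPv4 header. Deliberately does no validation so that it
    can show what a forced IPv4 dissection of an IPv6 packet looks like;
    dissect_raw_ip() is the gate that decides which parser runs."""
    if len(raw) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, tos, length, ident, flags_frag, ttl, proto, chksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {
        "version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F, "tos": tos, "len": length,
        "id": ident, "flags": flags_frag >> 13, "frag": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto, "chksum": chksum,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
    }


def parse_ipv6(raw):
    """Fixed 40-byte IPv6 header (RFC 8200); extension headers stay in payload."""
    if len(raw) < 40:
        raise ValueError("short IPv6 header")
    vtcfl, plen, nh, hlim = struct.unpack("!IHBB", raw[:8])
    return {
        "version": vtcfl >> 28, "tc": (vtcfl >> 20) & 0xFF, "fl": vtcfl & 0xFFFFF,
        "plen": plen, "nh": nh, "hlim": hlim,
        "src": str(IPv6Address(raw[8:24])), "dst": str(IPv6Address(raw[24:40])),
        "payload": raw[40:40 + plen],
    }


def dissect_raw_ip(raw):
    """Dispatch on the version nibble instead of binding the link type to one family."""
    v = ip_version(raw)
    if v == 4:
        return parse_ipv4(raw)
    if v == 6:
        return parse_ipv6(raw)
    raise ValueError("unknown IP version %d" % v)


if __name__ == "__main__":
    for pkt in (ROUTER_ADVERT, NEIGHBOR_ADVERT):
        print("correct:", dissect_raw_ip(pkt))
        print("forced IPv4:", parse_ipv4(pkt))
```

The forced-IPv4 dictionary for ROUTER_ADVERT reproduces the first post's output (ihl 0, id 64, flags MF, frag 6911, ttl 254, proto 128, src 0.0.0.0), and for NEIGHBOR_ADVERT this post's (ttl 32, proto 1, chksum 0x0470, src 31.21.22.234). The "bad ihl (0)" warnings in the next post come from the same misdispatch.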

Bruce Barnett | 19 Apr 2013 20:33

New user problem

New scapy user here. I'm having trouble getting scapy-com to work right.
I'm trying to use it to analyse sixlowpan packets.

I did an hg clone of scapy, and installed it, then did the same for
scapy-com. I've tried it on a few machines, and I've gotten different
errors, and using different working directories, etc. Here are three
of these errors:

1) When I start scapy, I get
     ImportError: cannot import name corrupt_bits

     also - the test/import_tester fails in scapy-com

2) When I type
>>> import scapy.layers.sixlowpan
Traceback (most recent call last):
  File "<console>", line 1, in <module>
ImportError: No module named sixlowpan

3) Another error I have seen is when I type
 a=rdpcap("file.pcap")
it tells me that it doesn't understand the function rdpcap().

I get one of the three errors, depending on current directory, etc. I
can't find the right combination that lets me do all three without
error.
Perhaps I'm not properly setting up my PYTHONPATH variable. I tried a
few different variations, but I must be missing something.

4) On another machine, I got rdpcap to work (finally), but it tells me
>>> a=rdpcap("endpoint-join.pcap")
WARNING: bad ihl (0). Assuming ihl=5
WARNING: bad ihl (0). Assuming ihl=5
WARNING: more bad ihl (0). Assuming ihl=5

The system I am monitoring is an engineering prototype, btw.


