zgrp unknow | 10 Aug 2005 21:00

General questions (was: IPv6 and other stuff)

Hi!

Thanks for the fast reply.

--- Philippe Biondi <phil <at> secdev.org> wrote:
>You can, but it is not the wisest way to do that.
>Netfilter is done for that.

1) You are sure, but netfilter isn't portable, since
it's Linux-specific. Can you provide me a simple
example or tutorial that shows an example of
modification on the fly of a NATed connection?

I'm interested in seeing how it will manage the packets
before they are NATed, since I believe that NAT is
done (once configured) directly in the kernel, without
needing to send this data to user space (like scapy).

2) I saw in the Portability page
(http://www.secdev.org/projects/scapy/portability.html)
how to use scapy on other platforms using libpcap and
libdnet. What exactly are these wrappers? Are they a
kind of port of libpcap and libdnet to Python (to
use with import)? Or are they an interface that
Python uses to access the original libdnet and libpcap
files (in which case it is necessary to install the
libpcap/libdnet files)?

Thank you.


Philippe Biondi | 11 Aug 2005 00:28

Re: 3-in-1 patch

On Wed, 10 Aug 2005, Pierre LALET wrote:

> Philippe Biondi wrote:
>>> - Mtu appears in "netstat -rn" output on NetBSD also. Removed the
>>> sys.platform test and added a test in the output of "netstat -rn"
>>> (cleaner, IMHO).
>>
>> applied
>
> You've left the now useless line "OPENBSD=...". Unless I'm wrong, it can
> safely be removed.

Right, but I thought it may be useful later, so I did not remove it.

>>> - Added a parser for some files in "/etc" to fill IP_PROTOS,
>>> ETHER_TYPES, and (TCP,UDP)_SERVICES. Changed some dissectors to take
>>> advantage of them.
>>
>> Applied, but it's easier and cleaner to use sprintf() in summaries
>> instead of recalling fields to transform a number into its representation.
>
> [...]
>
>>> - Added mysummary methods to Sebek*(), and changed the Sebek version
>>> number, according to a change of the Honeynet Project.
>>
>> Not applied, I let you do the changes as an exercise ;)
>
> Yes, Master. See attached file, Master ;) (SebekV2 -> SebekV3,
> Sebek*().mysummary(), and Ether().mysummary() that you had forgotten).

Anthony R. Plastino III | 11 Aug 2005 02:46

Using scapy to graph traceroute


Hi,

I found scapy.py through a phrack magazine article. I've looked at the
site, downloaded and built the tools for getting graphic results, but I
only get the boxes and arrows.  It would be really nice to get the
results like in the picture at the bottom of the site.  What do I need
to do to get that level of detail?

Thanks very much,

Tony Plastino

Bohdan Garstka | 11 Aug 2005 15:22

hakin9

Hello,

my name is Bohdan Garstka and I work for the world's biggest IT security
magazine - hakin9. We are publishing articles about various methods of
attacks and, what is more important, how to protect yourself from such.

I am very interested in Your tool - Scapy. And so I'd like to ask You
whether You would be willing to write a rather short article about this
application and its various possible uses.

Thanks in advance for Your response.

with best regards,
Bohdan Garstka
-- 
Bohdan Garstka
Czech editions of Linux+ and hakin9 magazines
http://www.lpmagazine.org/cz/
http://www.haking.pl/cz/
mobile:    +48 601 091 690
telephone: +48 22 887 10 10
email:          bohdan <at> software.com.pl
private email:  bgarstka <at> poczta.onet.pl

---------------------------------------------------------------------
To unsubscribe, send a message to: scapy.ml-unsubscribe <at> secdev.org
For help, write to: scapy.ml-help <at> secdev.org

Pierre LALET | 11 Aug 2005 16:13

Re: 3-in-1 patch

Philippe Biondi wrote:
>> You've left the now useless line "OPENBSD=...". Unless I'm wrong, it can
>> safely be removed.
>
> Right, but I thought it may be useful later, so I did not remove it.

OK.

>> Yes, Master. See attached file, Master ;) (SebekV2 -> SebekV3,
>> Sebek*().mysummary(), and Ether().mysummary() that you had forgotten).
> 
> Applied.

There is an error in Ether().mysummary(). I'm sorry for that. It has
been fixed in the new patch (attached file). I've also added
NTP().mysummary().

I have a problem with the i2repr() function, which leaves the trailing 'L'
when displaying some fields. For example:

>>> a.summary()
'Ether / IP / UDP / NTP v4L, client'

We've got 'v4L' instead of 'v4'. I've tried this (in class Field, around
line 2306):

        if x is None:
            x = 0
-        return repr(self.i2h(pkt,x))
+        if type(x) is long:

Philippe Biondi | 15 Aug 2005 11:16

Re: Using scapy to graph traceroute

Hi,

On Thu, 11 Aug 2005, Anthony R. Plastino III wrote:

> I found scapy.py through a phrack magazine article. I've looked at the
> site, downloaded and built the tools for getting graphic results, but I
> only get the boxes and arrows.  It would be really nice to get the
> results like in the picture at the bottom of the site.  What do I need
> to do to get that level of detail?

Did you check that your graphviz installation is working properly?
If the text is missing, you probably have a problem with your fonts.

-- 
Philippe Biondi <phil <at>  secdev.org>      SecDev.org
Security Consultant/R&D                 http://www.secdev.org
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2


Philippe Biondi | 15 Aug 2005 11:36

Re: 3-in-1 patch

On Thu, 11 Aug 2005, Pierre LALET wrote:

> There is an error in Ether().mysummary(). I'm sorry for that. It has
> been fixed in the new patch (attached file).

applied

> I've also added NTP().mysummary().
> I have a problem with the i2repr() function, which leaves the trailing 'L'
> when displaying some fields. For example:
>
> >>> a.summary()
> 'Ether / IP / UDP / NTP v4L, client'
>
> We've got 'v4L' instead of 'v4'. I've tried this (in class Field, around
> line 2306):

There's some obscure magic in Packet.sprintf(). The format for the
substitution operator is %[fmt[r],][cls[:nb].]field%. If you use
%NTP.version%, it is the repr() of the field that is used. This means you
work on a string, and %s will be used. You can replace %s by %.1s with this:
%.1s,NTP.version%. This will work if version < 10. But there is a better
choice. You can work on the raw value of the field, i.e. an int, using the
'r' letter after the format: %ir,NTP.version% is what you're looking for.

>        if x is None:
>            x = 0
> -        return repr(self.i2h(pkt,x))
> +        if type(x) is long:
> +            return repr(self.i2h(pkt,x))[0:-1]
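
Review bot: the added test "if type(x) is long:" inspects the internal value x, while the character removed by "[0:-1]" comes from repr() of whatever self.i2h(pkt,x) returns. If i2h() maps a long x to a string or another object, the slice drops a real last character (the closing quote, for a string), and if i2h() returns a long for an int x the 'L' is still displayed. Consider calling i2h() once, checking its result with isinstance(h, (int, long)), and formatting that with str(h) instead of trimming repr() output.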

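An added illustration, not part of the original message and not Scapy's own code: a toy parser for the %[fmt[r],][cls[:nb].]field% directive quoted above, showing why %.1s, only works for versions below 10 while %ir, formats the raw integer. The names render and ntp_packet, the layer dictionaries and the 1-based nb are assumptions, and the "4L" text is constructed to mimic a Python 2 long repr.

```python
import re

# Directive grammar quoted in the thread: %[fmt[r],][cls[:nb].]field%
DIRECTIVE = re.compile(
    r"%(?:(?P<fmt>[^%,]*?)(?P<raw>r)?,)?"       # optional "fmt[r],"
    r"(?:(?P<cls>\w+)(?::(?P<nb>\d+))?\.)?"     # optional "cls[:nb]."
    r"(?P<field>\w+)%"
)


def render(template, layers):
    """Expand directives against a toy packet.

    layers is a list of (layer_name, {field: (raw_value, repr_text)}).
    Without the 'r' flag the repr text is formatted (default %s);
    with it, the raw value is passed to the format instead.
    """
    def substitute(m):
        wanted, nb = m["cls"], int(m["nb"] or 1)   # nb assumed 1-based
        for name, fields in layers:
            if wanted not in (None, name) or m["field"] not in fields:
                continue
            nb -= 1
            if nb == 0:
                raw, text = fields[m["field"]]
                value = raw if m["raw"] else text
                return ("%" + (m["fmt"] or "s")) % value
        raise KeyError(m.group(0))
    return DIRECTIVE.sub(substitute, template)


def ntp_packet(version):
    # Constructed sample: repr text imitates Python 2's repr() of a long.
    return [("Ether", {"type": (0x800, "0x800")}),
            ("IP", {"proto": (17, "udp")}),
            ("UDP", {"dport": (123, "ntp")}),
            ("NTP", {"version": (version, "%dL" % version)})]


if __name__ == "__main__":
    for v in (4, 12):
        pkt = ntp_packet(v)
        for tpl in ("NTP v%NTP.version%", "NTP v%.1s,NTP.version%",
                    "NTP v%ir,NTP.version%"):
            print(v, tpl, "->", render(tpl, pkt))
```
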
Tony Doan | 18 Aug 2005 23:02

Re: IPv6 support

Once I get all these different versions patched together I'll post  
anything from my patches that is still relevant.

\T

On Aug 8, 2005, at 2:23 AM, Guillaume Valadon wrote:

> Hi,
>
> Here is my IPv6 code based on scapy 0.9.17.89.
>
> Guillaume
>
>
Attachment (scapy.py): text/x-python-script, 264 KiB

Re: IPv6 support

Hi,

> Once I get all these different versions patched together I'll post  
> anything from my patches that is still relevant.

Ok, please let me know if there is any problem. I am planning to finish 
the Net6 class next week.

Guillaume


Mathieu Dessus | 24 Aug 2005 12:00

Sending packets to local addresses

Hello,

while trying to send packets to the host local addresses (127.... or local
address on the LAN) with scapy 1.0.0.16beta, for example:

sr1(IP(dst='127.0.0.1')/ICMP(type=8))

I am unable to receive any response.
Is this a bug, a feature or did I miss something?

Thanks in advance.
