Re: Re: Sniffing in 802.11

Hi,

A frame arrived on an interface in promiscuous mode that's not 
destinated to the host (pkt_type == PACKET_OTHERHOST) will be dropped by 
the network stack so it won't make it to the PREROUTING chain from 
Netfilter.
There are patches that allow iptables to work with all the traffic from 
a promisc interface, ebtables might also help to rewrite the mac 
destination address... However, a quick and dirty hack would be creating 
a bridge interface.

alex <at> ab-ub:~$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet dhcp
   bridge_ports eth0

The following rule redirects UDP traffic destinated to another host, 
port 1234 to yourself, port 1234.

alex <at> ab-ub:~$ sudo iptables -t nat -A PREROUTING -i br0 -p udp -d 
192.168.204.128 --dport 1234 -j REDIRECT --to-port 1234

Hope this helps,
Alex

Re: countryLoc.csv/world.dat

toto <at> Reloaded.AceShells.com wrote:
> However, I have been unable 
> to find or locate countryLoc.csv, GeoIPCountry4Scapy.gz or world.dat. 

Attached is a Python script that constructs those files from data that 
is publicly available on the Web.

countryLoc.csv is taken from the MaxMind web site,
GeoIPCountry4Scapy.gz is a specially crafted file based on the MaxMind 
GeoIPCountry CSV file and world.dat is a demo file from the GnuPlot 
distribution.

BTW: I think there is a little bug in locate_ip(). It doesn't find some 
IPs, although they occur in the database (e.g. 62.96.193.216). I'll have 
a closer look at this tomorrow.

Regards
Dirk

import urllib 
import zipfile
import cPickle
import gzip

# If you need a proxy, set the following environment variable 
# http_proxy="http://www.someproxy.com:3128"

def retrieve_zipped_file(url, filename, outfilename=None):

Re: countryLoc.csv/world.dat

Dirk Loss wrote:
> BTW: I think there is a little bug in locate_ip(). It doesn't find some 
> IPs, although they occur in the database (e.g. 62.96.193.216).

Here's my new version of locate_ip(). It seems to handle the above 
corner case correctly and has survived some unit testing.
Moreover I separated the country code lookup from the longitude/latitude 
conversion, because it could be useful on its own.

def country(ip):
     """Return two letter country code for given IP address.

     Example:
     >>> country('11.4.5.6')
     'US'
     Will return None if the IP address is not found.

     """
     ip = map(int, ip.split("."))
     ip = (ip[0]<<24L) + (ip[1]<<16L) + (ip[2]<<8L) + ip[3]
     db = IP_country_kdb.get_base()

     low = 0
     high = len(db) - 1
     while low <= high:
         mid = (low + high) / 2
         mid_start, mid_end, countrycode = db[mid]
         if ip < mid_start:
             high = mid - 1
         elif ip > mid_end:

Cheat sheet: Interpreting received packets

Hi,

as you know, sr() returns a quite complicated data structure of tuples 
and lists. To make it easier to build an appropriate mental model,
I have tried to visualize these data structures in a little cheat sheet.

The sheet - including visuals for sniff() and sr1() - is available in 
SVG and PDF format at <http://dirk-loss.de/scapy/scapy-cheatsheet1.zip>.

As always, any comments or corrections are appreciated.

Regards
Dirk

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Re: Cheat sheet: Interpreting received packets

On Sat, May 3, 2008 at 3:19 PM, Dirk Loss <lists <at> dirk-loss.de> wrote:
> Hi,
>
>  as you know, sr() returns a quite complicated data structure of tuples and
> lists. To make it easier to build an appropriate mental model,
>  I have tried to visualize these data structures in a little cheat sheet.
>
>  The sheet - including visuals for sniff() and sr1() - is available in SVG
> and PDF format at <http://dirk-loss.de/scapy/scapy-cheatsheet1.zip>.
>
>  As always, any comments or corrections are appreciated.
>
>  Regards
>  Dirk
>

This is great, I like it.  I think the Scapy documentation would
benefit from more example like this.  For me, I'm specifically looking
to make sense of the traceroute graphs that are produced.  Looking
through the code, red octagons are "Black Holes," and green rectangles
are "Endpoints" which respond with either a RST-ACK or SYN-ACK.  But
what about these "Nodes" that are circular in shape and are labeled
"Unk##"?  The graphs I've been generating have tons of these cropping
up, and I'm wondering what they are and what they represent.  Any help
there would be appreciated.

-Marcin
tssci-security.com

---------------------------------------------------------------------

Cool things you can do with Scapy

Re: Cheat sheet: Interpreting received packets

Hi,

On Sat, 3 May 2008, Dirk Loss wrote:

> as you know, sr() returns a quite complicated data structure of tuples and 
> lists. To make it easier to build an appropriate mental model,
> I have tried to visualize these data structures in a little cheat sheet.
>
> The sheet - including visuals for sniff() and sr1() - is available in SVG and 
> PDF format at <http://dirk-loss.de/scapy/scapy-cheatsheet1.zip>.

http://www.secdev.org/conf/scapy-IPv6_HITB06.pdf
there is something that may interest you at slide 25 (pdf page 37)

--

-- 
Philippe Biondi <phil <at>  secdev.org>      SecDev.org
Computer Security/R&D                   http://www.secdev.org
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Re: HTTP protocol support

On Fri, 18 Apr 2008, Mark Sass wrote:

> Has anyone developed a class for the HTTP protocol?  I don't see it 
> listed in ls(), but I thought it might be an add-on that someone 
> released.

There is no implementation of the HTTP protocol I am aware of.

--

-- 
Philippe Biondi <phil <at>  secdev.org>      SecDev.org
Computer Security/R&D                   http://www.secdev.org
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Re: Cheat sheet: Interpreting received packets

On Sun, 4 May 2008, Marcin Wielgoszewski wrote:

> This is great, I like it.  I think the Scapy documentation would
> benefit from more example like this.  For me, I'm specifically looking
> to make sense of the traceroute graphs that are produced.  Looking
> through the code, red octagons are "Black Holes," and green rectangles
> are "Endpoints" which respond with either a RST-ACK or SYN-ACK.  But
> what about these "Nodes" that are circular in shape and are labeled
> "Unk##"?  The graphs I've been generating have tons of these cropping
> up, and I'm wondering what they are and what they represent.  Any help
> there would be appreciated.

I thought it was obvious those nodes were unknown routers, i.e. routers we 
know the presence of but which did not answer to our probes (so we do not 
know their IP address).

--

-- 
Philippe Biondi <phil <at>  secdev.org>      SecDev.org
Computer Security/R&D                   http://www.secdev.org
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org

Re: Cheat sheet: Interpreting received packets

Philippe Biondi wrote:
> http://www.secdev.org/conf/scapy-IPv6_HITB06.pdf
> there is something that may interest you at slide 25 (pdf page 37)

Oh, that's nice! It seems everytime I look at your slides again, I find 
something interesting that I haven't noticed before. 

Regards
Dirk

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-unsubscribe <at> secdev.org