We Keep Coding

WinDbg: How do I get the message displayed in a Word dialog from a core dump?

I'm doing some Office automation with MS Word from a C# application, and I'm finding that Word sometimes hangs. I can't reproduce the hang in a developer environment, so I'm hoping I can diagnose exactly why Word is hanging by taking a core dump and then analyzing it using WinDbg.
If I run kb, I get this stack trace (I've left off everything after the warning as it's probably irrelevant):
ChildEBP RetAddr Args to Child
003bc94c 762ed846 00037b72 00000008 00000000 user32!NtUserWaitMessage+0x15
003bc988 762eda5c 00047b12 00037b72 00000008 user32!DialogBox2+0x222
003bc9b4 762ed98a 59870000 0089aa30 00037b72 user32!InternalDialogBox+0xe5
003bc9d4 762ed70e 59870000 0089aa30 00037b72 user32!DialogBoxIndirectParamAorW+0x37
003bc9f4 59acdf5e 59870000 0089aa30 00037b72 user32!DialogBoxIndirectParamW+0x1b
WARNING: Stack unwind information not available. Following frames may be wrong.
So this seems to indicate that Word is hanging because it's showing a dialog box. How can I get the contents of that dialog box?
If I look at the memory at address 0089aa30, I see this:
........................3....
.M.i.c.r.o.s.o.f.t. .W.o.r.d.
........T.a.h.o.m.a..........
....P#.!.*...........O.K.....
...........PW.!.*...........&
.H.e.l.p..................P..
.............................
....P+...r.......M.S.O.U.N.I.
S.T.A.T...W.o.r.d. .c.a.n.n.o
.t. .o.p.e.n. .t.h.e. .e.x.i.
s.t.i.n.g. .f.i.l.e..... .(.N
.o.r.m.a.l.)................#
..+.........M.S.O.U.N.I.S.T.A
.T...2.0.0.5.2.1.............
So to me this says that the message in the dialog is "Word cannot open the existing file (Normal)".
Am I on the right track? Am I looking at the right bit of memory?
Is there any way to get the exact memory address of the message? (I feel like I'm guessing a bit, because the above message just happens to be close by in memory to a parameter to DialogBoxIndirectParam.) I have looked at the MSDN docs for DialogBoxIndirectParam, hoping to figure out exactly where in memory I should expect to see the dialog's message, but didn't get very far.
Edit: After seeing blabb's (absolutely incredible) answer, I have attempted to perform the same steps in WinDbg for my MS Word core dump. Here's the output:
0:000> ub 762ed98a
user32!DialogBoxIndirectParamAorW+0x1f:
762ed972 83c801 or eax,1
762ed975 50 push eax
762ed976 ff7518 push dword ptr [ebp+18h]
762ed979 ff7514 push dword ptr [ebp+14h]
762ed97c ff7510 push dword ptr [ebp+10h]
762ed97f ff750c push dword ptr [ebp+0Ch]
762ed982 ff7508 push dword ptr [ebp+8]
762ed985 e809000000 call user32!InternalDialogBox (762ed993)
0:000> .frame /r 2
02 003bc9b4 762ed98a user32!InternalDialogBox+0xe5
eax=00000000 ebx=00037b72 ecx=00000000 edx=00000000 esi=003bc97c edi=003bc918
eip=762eda5c esp=003bc990 ebp=003bc9b4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
user32!InternalDialogBox+0xe5:
762eda5c 5f pop edi
0:000> dc /c 1 003bc990 l8
003bc990 00047b12 .{..
003bc994 00037b72 r{..
003bc998 00000008 ....
003bc99c 00000000 ....
003bc9a0 00000000 ....
003bc9a4 00037b72 r{..
003bc9a8 003bcb98 ..;.
003bc9ac 00000000 ....
I know I'm looking at the wrong bit of memory (i.e. the address I'm passing to dc is incorrect), but I don't know why. I used ".frame /r 2" to fetch the address of esp, what did I do wrong?

The InternalDialogBox Api Takes Six Arguments
C:\>cdb -c ".fnent user32!InternalDialogbox;q" cdb | grep Params
Params: 0n6 (0x18 bytes)
you can try deciphering this call by doing a backward disassembly on the return address on stack
0:000> kb 1
# ChildEBP RetAddr Args to Child
00 0017fad8 778be0d5 77860000 001ec4f0 00000000 USER32!InternalDialogBox
0:000> ub #$ra
USER32!SoftModalMessageBox+0x66d:
778be0b8 e87c48fdff call USER32!MessageBeep (77892939)
778be0bd 56 push esi
778be0be 53 push ebx
778be0bf 6848d68b77 push offset USER32!MB_DlgProc (778bd648)
778be0c4 ff75ac push dword ptr [ebp-54h]
778be0c7 ff75e4 push dword ptr [ebp-1Ch]
778be0ca ff35d0908c77 push dword ptr [USER32!hmodUser (778c90d0)]
778be0d0 e8a059fdff call USER32!InternalDialogBox (77893a75)
in a crash dump you can substitute address instead of register or you can
do .frame /r {frame number} to fetch the address of esp
0:000> dc /c 1 #esp l8
0017fadc 778be0d5 ...w
0017fae0 77860000 ...w
0017fae4 001ec4f0 ....
0017fae8 00000000 ....
0017faec 778bd648 H..w
0017faf0 0017fcd8 ....
0017faf4 00000000 ....
0017faf8 00000001 ....
1) The first argument is hModUser a global variable
2) The fourth argument is a DialogProc callback that is documented
3) 3rd and 6th argument are NULL
the second argument consits of an array of DLGTEMPLATE followed by DLGITEMTEMPLATE structure read the document for the format of this variable sized array
the fifth argument is MSGBOXPARAMS structure
a sample dump and deciphering the dump for the variable sized array as follows
0:000> db 1ec4f0 l f8
001ec4f0 c5 01 c8 80 00 00 00 00-02 00 1a 01 9b 00 a7 00 ................
001ec500 3e 00 00 00 00 00 54 00-68 00 69 00 73 00 20 00 >.....T.h.i.s. .
001ec510 69 00 73 00 20 00 4d 00-79 00 20 00 43 00 61 00 i.s. .M.y. .C.a.
001ec520 70 00 74 00 69 00 6f 00-6e 00 20 00 46 00 6f 00 p.t.i.o.n. .F.o.
001ec530 72 00 20 00 32 00 30 00-31 00 35 00 20 00 43 00 r. .2.0.1.5. .C.
001ec540 6f 00 6d 00 6d 00 75 00-6e 00 69 00 74 00 79 00 o.m.m.u.n.i.t.y.
001ec550 20 00 76 00 73 00 00 00-ff 7f 00 00 01 00 03 50 .v.s..........P
001ec560 00 00 00 00 71 00 2a 00-32 00 0e 00 01 00 ff ff ....q.*.2.......
001ec570 80 00 4f 00 4b 00 00 00-00 00 00 00 80 20 02 50 ..O.K........ .P
001ec580 00 00 00 00 07 00 0e 00-8c 00 09 00 ff ff ff ff ................
001ec590 82 00 54 00 68 00 69 00-73 00 20 00 69 00 73 00 ..T.h.i.s. .i.s.
001ec5a0 20 00 6d 00 79 00 20 00-66 00 69 00 72 00 73 00 .m.y. .f.i.r.s.
001ec5b0 74 00 20 00 54 00 65 00-73 00 74 00 20 00 77 00 t. .T.e.s.t. .w.
001ec5c0 69 00 74 00 68 00 20 00-32 00 30 00 31 00 35 00 i.t.h. .2.0.1.5.
001ec5d0 20 00 63 00 6f 00 6d 00-6d 00 75 00 6e 00 69 00 .c.o.m.m.u.n.i.
001ec5e0 74 00 79 00 00 00 00 00 t.y.....
0:000> dt ConsoleApplication1!DLGTEMPLATE 1ec4f0
+0x000 style : 0x80c801c5
+0x004 dwExtendedStyle : 0
+0x008 cdit : 2
+0x00a x : 0x11a
+0x00c y : 0x9b
+0x00e cx : 0xa7
+0x010 cy : 0x3e
0:000> du 1ec504
001ec504 ""
0:000> du 1ec506
001ec506 "This is My Caption For 2015 Comm"
001ec546 "unity vs"
0:000> dt ConsoleApplication1!DLGITEMTEMPLATE 1ec55c
+0x000 style : 0x50030001
+0x004 dwExtendedStyle : 0
+0x008 x : 0x71
+0x00a y : 0x2a
+0x00c cx : 0x32
+0x00e cy : 0xe
+0x010 id : 1
0:000> $$ 80 is a predfined button and the text is OK
0:000> dt ConsoleApplication1!DLGITEMTEMPLATE 1ec57c
+0x000 style : 0x50022080
+0x004 dwExtendedStyle : 0
+0x008 x : 7
+0x00a y : 0xe
+0x00c cx : 0x8c
+0x00e cy : 9
+0x010 id : 0xffff
0:000> $$ 82 is a predfined static text and the text is
0:000> du 1ec592
001ec592 "This is my first Test with 2015 "
001ec5d2 "community"
here is a MSGBOXPARAMSW dump
0:000> dt ConsoleApplication1!MSGBOXPARAMSW 0017fcd8
+0x000 cbSize : 0x28
+0x004 hwndOwner : (null)
+0x008 hInstance : (null)
+0x00c lpszText : 0x01172150 "This is my first Test with 2015 community"
+0x010 lpszCaption : 0x011720f8 "This is My Caption For 2015 Community vs"
+0x014 dwStyle : 0
+0x018 lpszIcon : (null)
+0x01c dwContextHelpId : 0
+0x020 lpfnMsgBoxCallback : (null)
+0x024 dwLanguageId : 0
EDIT
created a dump from taskmanager and loaded it
0:000> .shell -ci "version" grep DMP
Full memory user mini dump: C:\Users\HP\Desktop\cons.DMP
command line: 'windbg -z cons.DMP' Debugger Process 0x17CC
.shell: Process exited
just to be sure resetting the context record
0:000> .cxr
Resetting default scope
dumping stacktrace 9the frame of interest is not at top here)
0:000> kb 5
# ChildEBP RetAddr Args to Child
00 0028f6fc 778766c9 7789382a 00000000 00000000 ntdll!KiFastSystemCallRet
01 0028f700 7789382a 00000000 00000000 00000000 user32!NtUserWaitMessage+0xc
02 0028f734 77893b27 00aa0350 00000000 00000000 user32!DialogBox2+0x207
03 0028f758 778be0d5 77860000 002f63f0 00000000 user32!InternalDialogBox+0xcb
04 0028f7fc 778be659 00000000 69d52104 69d52108 user32!SoftModalMessageBox+0x68a
overriding local context for frame number of interest
0:000> .frame /c /r 04
04 0028f7fc 778be659 user32!SoftModalMessageBox+0x68a
eax=00000001 ebx=0028f958 ecx=0028f458 edx=77ad70f4 esi=005fab18 edi=00000001
eip=778be0d5 esp=0028f760 ebp=0028f7fc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
user32!SoftModalMessageBox+0x68a:
778be0d5 8945e8 mov dword ptr [ebp-18h],eax ss:0023:0028f7e4=00000000
checking esp you can use esp as it is instead of groping for address
0:000> dc /c 1 #esp l 8
0028f760 77860000 ...w
0028f764 002f63f0 .c/.
0028f768 00000000 ....
0028f76c 778bd648 H..w
0028f770 0028f958 X.(.
0028f774 00000000 ....
0028f778 00000001 ....
0028f77c 0028f958 X.(.
dumping DLGTEMPLATE second arg
0:000> db 2f63f0 lf8
002f63f0 c5 01 c8 80 00 00 00 00-02 00 1a 01 9b 00 a7 00 ................
002f6400 3e 00 00 00 00 00 54 00-68 00 69 00 73 00 20 00 >.....T.h.i.s. .
002f6410 69 00 73 00 20 00 4d 00-79 00 20 00 43 00 61 00 i.s. .M.y. .C.a.
002f6420 70 00 74 00 69 00 6f 00-6e 00 20 00 46 00 6f 00 p.t.i.o.n. .F.o.
002f6430 72 00 20 00 32 00 30 00-31 00 35 00 20 00 43 00 r. .2.0.1.5. .C.
002f6440 6f 00 6d 00 6d 00 75 00-6e 00 69 00 74 00 79 00 o.m.m.u.n.i.t.y.
002f6450 20 00 76 00 73 00 00 00-ff 7f 00 00 01 00 03 50 .v.s..........P
002f6460 00 00 00 00 71 00 2a 00-32 00 0e 00 01 00 ff ff ....q.*.2.......
002f6470 80 00 4f 00 4b 00 00 00-00 00 00 00 80 20 02 50 ..O.K........ .P
002f6480 00 00 00 00 07 00 0e 00-8c 00 09 00 ff ff ff ff ................
002f6490 82 00 54 00 68 00 69 00-73 00 20 00 69 00 73 00 ..T.h.i.s. .i.s.
002f64a0 20 00 6d 00 79 00 20 00-66 00 69 00 72 00 73 00 .m.y. .f.i.r.s.
002f64b0 74 00 20 00 54 00 65 00-73 00 74 00 20 00 77 00 t. .T.e.s.t. .w.
002f64c0 69 00 74 00 68 00 20 00-32 00 30 00 31 00 35 00 i.t.h. .2.0.1.5.
002f64d0 20 00 63 00 6f 00 6d 00-6d 00 75 00 6e 00 69 00 .c.o.m.m.u.n.i.
002f64e0 74 00 79 00 00 00 00 00 t.y.....
typeinfo (you need proper private pdb or hack load a binary which you compiled into address space or add the DLGTEMPLATE struct into the official pdb for user32 from ms ( i thought i had a post explaining this in se but i cant seem to find) ill link it later if i find it or sitesearch google for how to add typeinfo to pdb in site:woodmann.com
0:000> dt cons!DLGTEMPLATE poi(#esp+4)
+0x000 style : 0x80c801c5
+0x004 dwExtendedStyle : 0
+0x008 cdit : 2
+0x00a x : 0n282
+0x00c y : 0n155
+0x00e cx : 0n167
+0x010 cy : 0n62
0:000> du poi(#esp+4)+16
002f6406 "This is My Caption For 2015 Comm"
002f6446 "unity vs"
edit 2 this is for a live session in dump mode you need to modify a pdb as you cant use execution commands
we are in a live dbg session we can use step commands which arent available in dmp mode
0:000> .tlist -c -v
0n3324 Msgbox.exe
Session: 1 User: HP-PC\HP Command Line: Msgbox.exe
lets search for some typeinfo we need
0:000> dt *!*DLGTEMPLATE*
0:000> $$ no the thype info is not available
0:000> $$ we know ole32.dll has it
0:000> $$ so lets hack load it
allocate some memory
0:000> .dvalloc 1000
Allocated 1000 bytes starting at 00020000
save the current eip
0:000> ? #eip
Evaluate expression: 2008221094 = 77b305a6
embed the modulename string at some address in the allocated memory
0:000> ea 20100 "ole32.dll"
0:000> db 20100 l20
00020100 6f 6c 65 33 32 2e 64 6c-6c 00 00 00 00 00 00 00 ole32.dll.......
00020110 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
Assemble a LoadLibraryA call inline
0:000> a 20000
00020000 push 20100
push 20100
00020005 call kernel32!LoadLibraryA
call kernel32!LoadLibraryA
0002000a
change eip to the detour address
0:000> r eip = 20000
single step to load a dll into the address space
0:000> p
eax=00000000 ebx=00000000 ecx=0026f80c edx=77ad70f4 esi=fffffffe edi=00000000
eip=00020005 esp=0026f824 ebp=0026f854 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
00020005 e852395877 call kernel32!LoadLibraryA (775a395c)
0:000> p
ModLoad: 77930000 77a8c000 C:\Windows\system32\ole32.dll
ModLoad: 75ee0000 75f81000 C:\Windows\system32\RPCRT4.dll
ModLoad: 77530000 7754f000 C:\Windows\system32\IMM32.DLL
ModLoad: 76030000 760fc000 C:\Windows\system32\MSCTF.dll
eax=77930000 ebx=00000000 ecx=77ae6570 edx=002b0174 esi=fffffffe edi=00000000
eip=0002000a esp=0026f828 ebp=0026f854 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
0002000a 0000 add byte ptr [eax],al ds:0023:77930000=4d
reset eip back
0:000> r eip = 77b305a6
we research the typeinfo and bingo we have it
0:000> dt *!*DLGTEMPLATE*
ole32!LPDLGTEMPLATEA
ole32!LPDLGTEMPLATE
ole32!LPDLGTEMPLATEW
ole32!LPCDLGTEMPLATE
ole32!LPCDLGTEMPLATEA
ole32!LPCDLGTEMPLATEW
ole32!DLGTEMPLATE
ole32!DLGTEMPLATE

ssl socket write gives connection reset exception

I am trying to send ios push notification using javapns library . the code is working fine on java 6 but not working on java 7 . I am trying to write on a ssl socket by java code
this.socket.getOutputStream().write(bytes);
but getting following exception : -
2015-09-24 02:01:17,330 [JavaPNS grouped notification thread in LIST
mode] ERROR javapns.notification.PushNotificationManager
(PushNotificationManager.java:496) - Delivery error
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:196) ~[?:1.7.0_79]
at java.net.SocketInputStream.read(SocketInputStream.java:122) ~[?:1.7.0_79]
at sun.security.ssl.InputRecord.readFully(InputRecord.java:442) ~[?:1.7.0_79]
at sun.security.ssl.InputRecord.read(InputRecord.java:480) ~[?:1.7.0_79]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
~[?:1.7.0_79]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
~[?:1.7.0_79]
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
~[?:1.7.0_79]
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
~[?:1.7.0_79]
at java.io.OutputStream.write(OutputStream.java:75) ~[?:1.7.0_79]
at javapns.notification.PushNotificationManager.sendNotification(PushNotificationManager.java:464)
[utils-1.0.jar:?]
at javapns.notification.PushNotificationManager.sendNotification(PushNotificationManager.java:409)
[utils-1.0.jar:?]
at javapns.notification.transmission.NotificationThread.runList(NotificationThread.java:283)
[utils-1.0.jar:?]
at javapns.notification.transmission.NotificationThread.run(NotificationThread.java:254)
[utils-1.0.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.7.0_79]
Following are my ssl debug log : -
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: ........
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 22222491044564264786925450301128660800404037455402211937155693765439451266775814064935111308236503917661658380453607223444671197507922227372310694498331784203397249559620562506847738658137494429967865235154139927237328515659798669693649542833648664525838898423359833650942229563615420055801398510282090750116916759108752545159033267269553610447830532132801594757535863574777003658295660123855620269370519852284530709335738820289388013418673721050782042119531816409879900413319632795054390149130447840278225455201462347192736907867086706041266601675705875530393925455170420669674672723643704537136254104782678046353641
public exponent: 65537
Validity: [From: Thu Jul 16 12:10:32 IST 2015,
To: Fri Jul 15 12:10:32 IST 2016]
Issuer: CN=Apple Worldwide Developer Relations Certification Authority, OU=Apple Worldwide Developer Relations, O=Apple Inc., C=US
SerialNumber: [ 25dea3f4 f4f072b3]
Certificate Extensions: 8
[1]: ObjectId: 1.2.840.113635.100.6.1.2 Criticality=true
Extension unknown: DER encoded OCTET string =
0000: 04 02 05 00 ....
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.apple.com/ocsp03-wwdr01
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 88 27 17 09 A9 B6 18 60 8B EC EB BA F6 47 59 C5 .'.....`.....GY.
0010: 52 54 A3 B7 RT..
]
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.2.840.113635.100.5.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 81 B6 0C 81 B3 52 65 6C 69 61 6E 63 65 20 6F 0.....Reliance o
0010: 6E 20 74 68 69 73 20 63 65 72 74 69 66 69 63 61 n this certifica
0020: 74 65 20 62 79 20 61 6E 79 20 70 61 72 74 79 20 te by any party
0030: 61 73 73 75 6D 65 73 20 61 63 63 65 70 74 61 6E assumes acceptan
0040: 63 65 20 6F 66 20 74 68 65 20 74 68 65 6E 20 61 ce of the then a
0050: 70 70 6C 69 63 61 62 6C 65 20 73 74 61 6E 64 61 pplicable standa
0060: 72 64 20 74 65 72 6D 73 20 61 6E 64 20 63 6F 6E rd terms and con
0070: 64 69 74 69 6F 6E 73 20 6F 66 20 75 73 65 2C 20 ditions of use,
0080: 63 65 72 74 69 66 69 63 61 74 65 20 70 6F 6C 69 certificate poli
0090: 63 79 20 61 6E 64 20 63 65 72 74 69 66 69 63 61 cy and certifica
00A0: 74 69 6F 6E 20 70 72 61 63 74 69 63 65 20 73 74 tion practice st
00B0: 61 74 65 6D 65 6E 74 73 2E atements.
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 2A 68 74 74 70 3A 2F 2F 77 77 77 2E 61 70 70 .*http://www.app
0010: 6C 65 2E 63 6F 6D 2F 63 65 72 74 69 66 69 63 61 le.com/certifica
0020: 74 65 61 75 74 68 6F 72 69 74 79 2F teauthority/
]] ]
]
[6]: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
codeSigning
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
]
[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6F FB BD 5A 59 70 1C 2E 77 32 9A 97 69 C3 23 0E o..ZYp..w2..i.#.
0010: EF D8 E9 D0 ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 90 BE B9 5B E7 66 C1 B4 C1 C8 60 90 69 5F 01 04 ...[.f....`.i_..
0010: 2B C4 E6 9E 8D 13 8C A7 3F 81 55 6C CD D1 47 48 +.......?.Ul..GH
0020: 3C D7 D8 3E F5 C2 69 A7 A2 21 CE 15 08 F7 D9 8C <..>..i..!......
0030: 2D FE 37 29 AD DC E3 CA 27 27 83 2C 15 95 4D 40 -.7)....''.,..M#
0040: EA 2C AD EF 99 7C 9B 84 59 3F 6C E6 BA 07 F4 EC .,......Y?l.....
0050: 05 36 E4 58 EA B0 DF 00 AB 54 F2 FF 6B AE C2 C1 .6.X.....T..k...
0060: E4 3C D3 23 79 61 D1 67 DD 0C 0D 2B 77 E0 8E 6F .<.#ya.g...+w..o
0070: A2 7B 21 13 D2 4F D7 8B 98 A7 E0 22 E9 95 D7 1A ..!..O....."....
0080: C5 71 0A 15 35 77 38 37 EC F9 CC 60 79 2D A5 E0 .q..5w87...`y-..
0090: DA C2 78 AD 59 88 7B 92 93 66 9A 44 F7 58 8C 0D ..x.Y....f.D.X..
00A0: 28 E3 42 D0 79 DC F5 23 C7 36 D0 61 0A 34 61 F3 (.B.y..#.6.a.4a.
00B0: 16 AE 7B D8 8B BC B8 6B D6 05 C4 E4 EF B0 BF 4B .......k.......K
00C0: 66 E1 6F 59 EC 67 F6 A3 C0 49 7A 83 8A 7B FC 7B f.oY.g...Iz.....
00D0: 26 3C 42 16 F7 DE DB 74 4D 1A A5 7F AE C2 36 C4 &<B....tM.....6.
00E0: 8E 5A F9 75 05 3A A5 13 70 0C 69 96 00 CB FD 77 .Z.u.:..p.i....w
00F0: 4A 9E C8 E4 AA 39 75 7D 6D C9 79 04 BC DF 59 EF J....9u.m.y...Y.
]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
JavaPNS grouped notification thread in LIST mode, WRITE: TLSv1 Handshake, length = 1729
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 00 2E C1 C7 9F 24 B2 E9 02 59 7B D2 8A A7 .......$...Y....
0010: 22 D3 72 B2 16 55 5F 5C E1 30 7D 4A 56 F1 3C 32 ".r..U_\.0.JV.<2
0020: 5D 77 8F 13 BD B0 E9 6A 84 9E 81 0D 0B 38 D5 0E ]w.....j.....8..
CONNECTION KEYGEN:
Client Nonce:
0000: 56 03 10 94 63 A2 8C A1 6D 75 2F F0 38 EC CD 4F V...c...mu/.8..O
0010: 3A D6 46 C7 C4 2D 5F 76 4B 38 3F FC 28 59 6B 04 :.F..-_vK8?.(Yk.
Server Nonce:
0000: B2 1F 50 60 42 F5 94 7A 5B 7C FE 50 60 3E 84 BC ..P`B..z[..P`>..
0010: CB 18 B7 B1 E8 50 56 6E F9 DD 6E E2 B9 34 25 01 .....PVn..n..4%.
Master Secret:
0000: 03 87 6A 7D 0E 69 76 FA 5F 2E 48 BB B7 77 79 0F ..j..iv._.H..wy.
0010: 5E 59 CF 32 BA B5 D7 2E 0F 9D 43 F2 4F F1 CD 52 ^Y.2......C.O..R
0020: DF A7 05 EB 47 BF FD 18 48 F0 DD F1 78 10 47 FF ....G...H...x.G.
Client MAC write Secret:
0000: ED B5 4A 85 1D CC 96 D2 D0 94 29 40 AE 8F C3 10 ..J.......)#....
0010: 74 52 24 8D tR$.
Server MAC write Secret:
0000: B9 ED CD B7 30 52 1F 74 9E 47 71 41 2A 1B 90 C7 ....0R.t.GqA*...
0010: AF 2F 93 4E ./.N
Client write key:
0000: A0 B0 7C 23 2F C7 A3 5D 24 03 B4 1F F9 2B B2 97 ...#/..]$....+..
Server write key:
0000: 29 4C 64 FB 39 02 96 43 7A 5B F5 1D D4 2A 51 B7 )Ld.9..Cz[...*Q.
Client write IV:
0000: 85 3C C4 38 B4 9F 41 92 B6 88 7A 47 F6 B9 82 C1 .<.8..A...zG....
Server write IV:
0000: FA 04 7C A8 D7 29 A3 0D 5F 20 BF 3C 4C C8 52 9A .....).._ .<L.R.
*** CertificateVerify
JavaPNS grouped notification thread in LIST mode, WRITE: TLSv1 Handshake, length = 262
JavaPNS grouped notification thread in LIST mode, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 221, 26, 21, 239, 125, 223, 149, 73, 149, 170, 46, 218 }
***
JavaPNS grouped notification thread in LIST mode, WRITE: TLSv1 Handshake, length = 48
JavaPNS grouped notification thread in LIST mode, handling exception: java.net.SocketException: Connection reset
%% Invalidated: [Session-2, TLS_RSA_WITH_AES_128_CBC_SHA]
JavaPNS grouped notification thread in LIST mode, SEND TLSv1 ALERT: fatal, description = unexpected_message
JavaPNS grouped notification thread in LIST mode, WRITE: TLSv1 Alert, length = 32
JavaPNS grouped notification thread in LIST mode, Exception sending alert: java.net.SocketException: Broken pipe
JavaPNS grouped notification thread in LIST mode, called closeSocket()
JavaPNS grouped notification thread in LIST mode, called close()
JavaPNS grouped notification thread in LIST mode, called closeInternal(true)
abhishek$ which openssl
/usr/bin/openssl
abhishek$ openssl version
OpenSSL 1.0.2d 9 Jul 2015
abhishek$ java -version
java version "1.7.0_79"
Java(TM) SE Runtime Environment (build 1.7.0_79-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.79-b02, mixed mode)
Edit : When I printed this SSLSession
SSLSession session = socket.getSession();
//I got [Session-1, SSL_NULL_WITH_NULL_NULL]
// Returns the SSL Session in use by this connection. These can be long lived, and frequently correspond to an entire login session for some user. The session specifies a particular cipher suite which is being actively used by all connections in that session, as well as the identities of the session's client and server.
This method will initiate the initial handshake if necessary and then block until the handshake has been established.
If an error occurs during the initial handshake, this method returns an invalid session object which reports an invalid cipher suite of "SSL_NULL_WITH_NULL_NULL".
System.out.println(session.getLocalCertificates());
// I got null
While Using same certificates in java 6 I did not get null .

The peer has closed the connection. You would have to look at its logs to see why. Possibly it asked you for a certificate and you didn't provide one.

how to get undecoded payload from tshark?

I'm trying to get the undecoded part from a pacap file by using tshark, but it only shows the part it can decode, the rest of the payload is missing, is there a way to get the rest of the part? log as below. I need to get the ESP payload which is after ESP SPI and ESP Sequence "00 00 00 00 01 00 00 00 03"
tshark -r a.pcap -R "esp" -2 -V -x
....
Internet Protocol Version 6, Src: ::200:2000:0:1388 (::200:2000:0:1388), Dst: 2002:cccc::157 (2002:cccc::157)
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000)
.... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
.... .... ...0 .... .... .... .... .... = ECN-CE: Not set
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 89
Next header: IPv6 hop-by-hop option (0)
Hop limit: 16
Source: ::200:2000:0:1388 (::200:2000:0:1388)
Destination: 2002:cccc::157 (2002:cccc::157)
[Destination 6to4 Gateway IPv4: 204.204.0.0 (204.204.0.0)]
[Destination 6to4 SLA ID: 0]
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Hop-by-Hop Option
Next header: ESP (50)
Length: 0 (8 bytes)
IPv6 Option (RPL Option)
Type: RPL Option (99)
Length: 4
Flag: 0
0... .... = Down: False
.0.. .... = Rank Error: False
..0. .... = Forwarding Error: False
...0 0000 = Reserved: 0x00
RPLInstanceID: 0x00
Sender Rank: 0x0100
Encapsulating Security Payload
ESP SPI: 0x00000001 (1)
ESP Sequence: 3
Frame (132 bytes):
0000 61 dc c3 00 00 0a 00 00 00 00 20 00 00 88 13 00 a......... .....
0010 00 00 20 00 00 7c 70 10 20 02 cc cc 00 00 00 00 .. ..|p. .......
0020 00 00 00 00 00 00 01 57 e0 32 06 63 04 00 00 01 .......W.2.c....
0030 00 00 00 00 01 00 00 00 03 9b c8 52 7a 9b 6c 36 ...........Rz.l6
0040 64 e1 f7 1b aa 12 66 ed 2d 6e 8b 9e d5 8e 0c ba d.....f.-n......
0050 ef 15 e6 17 2a 68 70 69 b6 55 1a c1 55 2f 63 fc ....*hpi.U..U/c.
0060 00 f4 72 78 3a c8 a0 af 34 1c 0a ec e3 1e 9a cc ..rx:...4.......
0070 58 89 7d 88 2c 7c 4b 03 fe 6f d8 d6 8b 07 9f d8 X.}.,|K..o......
0080 f0 46 ce 80 .F..
F

I need to get the ESP payload
This will return it as raw hex (without the rest of the layers/fields) :
tshark -Y "tcp.dstport == 50" -T fields -d tcp.port==50,echo -e echo.data
Enjoy. :)

Kernel crash - NULL pointer dereference when calling DEVICE_WRITE from KTHREAD in a USB device driver

I'm writing a simple USB driver to drive a stepper motor based on USB Skeleton 2.2 Driver, kernel 3.8. The basic version is running properly. As a advancement, I introduced KTHREAD to call the DEVICE_WRITE (skel_write) (), so that the driver will be available for other tasks & requests.
Calling procedure : USER (request) -> DEVICE_IOCTL -> KTHREAD -> DEVICE_WRITE.
In this scenario, when I call the DEVICE_WRITE multiple times from KTHREAD through a loop, everything works fine. Then after some iterations, kernel gets messed up, Otherwise if called directly works fine. Upon seeing the log file, the error is :
Dec 30 01:15:14 mit kernel: [ 962.316843] device_write(efed1180,2,10),ioused : 1
Dec 30 01:15:14 mit kernel: [ 962.316900] data : 0, motor_cnt : 2, master_counter : 20
Dec 30 01:15:14 mit kernel: [ 962.366498] data : 1, motor_cnt : 2, master_counter : 21
Dec 30 01:15:14 mit kernel: [ 962.416116] Write over, going for sleep
Dec 30 01:15:14 mit kernel: [ 962.416125] file : efed1180,data : 2,i : 11
Dec 30 01:15:14 mit kernel: [ 962.416128] device_write(efed1180,2,10),ioused : 1
Dec 30 01:15:14 mit kernel: [ 962.416166] BUG: unable to handle kernel NULL pointer dereference at (null)
Dec 30 01:15:14 mit kernel: [ 962.416254] IP: [] skel_write+0xd7/0x360 [usbstep]
Dec 30 01:15:14 mit kernel: [ 962.416294] *pdpt = 0000000000000000* pde= f0002accf0002acc
Dec 30 01:15:14 mit kernel: [ 962.416332] Oops: 0000 [#1] SMP
Dec 30 01:15:14 mit kernel: [ 962.416363] Modules linked in: usbstep(OF) parport_pc(F) ppdev(F) bnep rfcomm bluetooth snd_hda_codec_hdmi uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev snd_hda_codec_idt coretemp snd_hda_intel kvm snd_hda_codec snd_hwdep(F) snd_pcm(F) snd_page_alloc(F) joydev(F) snd_seq_midi(F) snd_seq_midi_event(F) snd_rawmidi(F) hp_wmi lib80211_crypt_tkip snd_seq(F) snd_seq_device(F) snd_timer(F) sparse_keymap radeon wl(POF) lib80211 ttm drm_kms_helper cfg80211 drm hp_accel lis3lv02d mei input_polldev wmi i2c_algo_bit video(F) intel_ips mac_hid snd(F) lpc_ich soundcore(F) microcode(F) lp(F) parport(F) psmouse(F) serio_raw(F) r8169 ahci(F) libahci(F) [last unloaded: usbstep]
Dec 30 01:15:14 mit kernel: [ 962.416866] Pid: 2997, comm: mitesh Tainted: PF O 3.8.0-26-generic #38-Ubuntu Hewlett-Packard HP ProBook 4520s/1411
Dec 30 01:15:14 mit kernel: [ 962.416928] EIP: 0060:[] EFLAGS: 00010287 CPU: 2
Dec 30 01:15:14 mit kernel: [ 962.416960] EIP is at skel_write+0xd7/0x360 [usbstep]
Dec 30 01:15:14 mit kernel: [ 962.416989] EAX: f0665b84 EBX: 00000014 ECX: 000000d0 EDX: 00000014
Dec 30 01:15:14 mit kernel: [ 962.417024] ESI: f0665b40 EDI: 00000000 EBP: efddbf40 ESP: efddbf04
Dec 30 01:15:14 mit kernel: [ 962.417059] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Dec 30 01:15:14 mit kernel: [ 962.417089] CR0: 8005003b CR2: 00000000 CR3: 019d1000 CR4: 000007f0
Dec 30 01:15:14 mit kernel: [ 962.417124] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
Dec 30 01:15:14 mit kernel: [ 962.417158] DR6: ffff0ff0 DR7: 00000400
Dec 30 01:15:14 mit kernel: [ 962.417181] Process mitesh (pid: 2997, ti=efdda000 task=f0bed9b0 task.ti=efdda000)
Dec 30 01:15:14 mit kernel: [ 962.417223] Stack:
Dec 30 01:15:14 mit kernel: [ 962.417236] f0665b84 efddbf58 efddbf58 0000000a 00000001 efddbf58 00000000 efddbf40
Dec 30 01:15:14 mit kernel: [ 962.417301] c1609d81 00000002 f06c5d40 00000014 0000000c efddbf58 f1487408 efddbf6c
Dec 30 01:15:14 mit kernel: [ 962.417398] f8585546 00000000 efed1180 efddbf58 0000000b f6eb0032 aa092dff f6eb7ebc
Dec 30 01:15:14 mit kernel: [ 962.417475] Call Trace:
Dec 30 01:15:14 mit kernel: [ 962.417504] [] ? printk+0x4d/0x4f
Dec 30 01:15:14 mit kernel: [ 962.417559] [] tele+0x86/0xc0 [usbstep]
Dec 30 01:15:14 mit kernel: [ 962.417618] [] ? skel_write+0x360/0x360 [usbstep]
Dec 30 01:15:14 mit kernel: [ 962.417691] [] kthread+0x94/0xa0
Dec 30 01:15:14 mit kernel: [ 962.417744] [] ? __hrtimer_start_range_ns+0x2e0/0x460
Dec 30 01:15:14 mit kernel: [ 962.417819] [] ret_from_kernel_thread+0x1b/0x28
Dec 30 01:15:14 mit kernel: [ 962.417886] [] ? kthread_create_on_node+0xc0/0xc0
Dec 30 01:15:14 mit kernel: [ 962.417951] Code: c0 89 c6 0f 84 83 01 00 00 83 c3 0a b8 00 0e 00 00 81 fb 00 0e 00 00 b9 d0 00 00 00 0f 46 c3 89 45 f0 8d 46 44 8b 55 f0 89 04 24 <8b> 07 e8 52 9f ee c8 85 c0 89 45 e4 0f 84 0f 01 00 00 8d 47 54
Dec 30 01:15:14 mit kernel: [ 962.418433] EIP: [] skel_write+0xd7/0x360 [usbstep] SS:ESP 0068:efddbf04
Dec 30 01:15:14 mit kernel: [ 962.418530] CR2: 0000000000000000
Dec 30 01:15:14 mit kernel: [ 962.433930] ---[ end trace 63245eeeb64414aa ]---
Here goes the code : KTHREAD
int tele(void *__tele_data) {
struct tele_data *tele_data = __tele_data;
int i=0;
char *dptr=NULL;
char numb[4];
sprintf(numb,"%d",tele_data->num);
dptr=numb;
for(i=0;i<30;i++) {
is_ioctl_used=1;
printk("file : %p,data : %s,i : %d\n", tele_data->file,dptr,i);
skel_write(tele_data->file,(char *)dptr, 10, 0);
printk("Write over, going for sleep\n");
}
return 0;
}
DEVICE_WRITE -
static ssize_t skel_write(struct file *file, const char *user_buffer,
size_t count, loff_t *ppos)
{
struct usb_skel *dev;
int retval = 0,i = 0,motor_count,dir=0;
struct urb *urb = NULL;
char *buf = NULL;
char *buf1 = NULL;
size_t writesize = min(count+10, (size_t)MAX_TRANSFER);
printk(KERN_INFO "device_write(%p,%s,%d),ioused : %d\n", file, user_buffer, count,is_ioctl_used);
dev = file->private_data;
// verify that we actually have some data to write
if (count == 0)
goto exit;
/*
* limit the number of URBs in flight to stop a user from using up all
* RAM
*/
if (!(file->f_flags & O_NONBLOCK)) {
if (down_interruptible(&dev->limit_sem)) {
retval = -ERESTARTSYS;
goto exit;
}
} else {
if (down_trylock(&dev->limit_sem)) {
retval = -EAGAIN;
goto exit;
}
}
spin_lock_irq(&dev->err_lock);
retval = dev->errors;
if (retval < 0) {
// any error is reported once
dev->errors = 0;
// to preserve notifications about reset
retval = (retval == -EPIPE) ? retval : -EIO;
}
spin_unlock_irq(&dev->err_lock);
if (retval < 0)
goto error;
/* create a urb, and a buffer for it, and copy the data to the urb */
buf1=(char *)kmalloc(sizeof(char)*20,GFP_KERNEL); //Allocate 2nd buffer.
if(is_ioctl_used) { //Whether the write function is called from IOCTL or Directly (echo > /dev/stepper)
sprintf(buf1,user_buffer);
} else {
if (copy_from_user(buf1, user_buffer,count)) {
retval = -EFAULT;
goto error;
}
}
motor_count=simple_strtol(buf1,NULL,10);
if(motor_count<0) { //Rotation counts of stepper motor.
motor_count=motor_count * -1; //If motor_count<0 then rotate in anti-clock direction.
dir=1;
}
urb = usb_alloc_urb(0, GFP_KERNEL);
if (!urb) {
retval = -ENOMEM;
goto error;
}
buf = usb_alloc_coherent(dev->udev, writesize, GFP_KERNEL,
&urb->transfer_dma);
if (!buf) {
retval = -ENOMEM;
goto error;
}
/* this lock makes sure we don't submit URBs to gone devices */
mutex_lock(&dev->io_mutex);
if (!dev->interface) { /* disconnect() was called */
mutex_unlock(&dev->io_mutex);
retval = -ENODEV;
goto error;
}
/* initialize the urb properly */
usb_fill_int_urb(urb, dev->udev,
usb_sndintpipe(dev->udev, dev->bulk_out_endpointAddr),
buf, writesize, skel_write_bulk_callback, dev,dev->bInterval);
urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
usb_anchor_urb(urb, &dev->submitted);
for(i=0;i<motor_count;i++) { //Loop to rotate motor based on counts.
printk("data : %d, motor_cnt : %d, master_counter : %d\n",ptr->data,motor_count,master_counter);
if(dir==0) ptr=ptr->next;
else ptr=ptr->prev;
// Fill the buffers.
buf[0]=0x01;
buf[1]=0;
buf[2]=ptr->data;
/* send the data out the bulk port */
retval = usb_submit_urb(urb, GFP_KERNEL);
if (retval) {
dev_err(&dev->interface->dev,
"%s - failed submitting write urb, error %d\n",
__func__, retval);
mutex_unlock(&dev->io_mutex);
goto error_unanchor;
}
if(++master_counter && master_counter > 47) master_counter=0;
/*
* release our reference to this urb, the USB core will eventually free
* it entirely
*/
mdelay(50); //Delay is required to match with motor speed.
}
mutex_unlock(&dev->io_mutex);
usb_free_coherent(dev->udev, writesize, buf, urb->transfer_dma);
kfree(buf1);
usb_free_urb(urb);
is_ioctl_used=0;
return writesize;
error_unanchor:
usb_unanchor_urb(urb);
error:
if (urb) {
usb_free_coherent(dev->udev, writesize, buf, urb->transfer_dma);
usb_free_urb(urb);
}
up(&dev->limit_sem);
exit:
return retval;
}
I'm new to kernel programming and might be missing out something.

I don't know if this is the root cause of your problem, but it seems like you have a number of issues in your tele() function:
int tele(void *__tele_data) {
struct tele_data *tele_data = __tele_data;
int i=0;
char *dptr=NULL;
char numb[4];
sprintf(numb,"%d",tele_data->num);
Here, you sprintf() the number into the numb buffer. What is the range of tele_data->num? Would it ever take more than 4 characters (including the terminating NUL character)? Also, you're not recording how many bytes were printed in the buffer. Seems like you'd want to know that for use below...
dptr=numb;
Okay, so now dptr point to numb. Which means it points to a character buffer that has a maximum of 4 bytes, but...
for(i=0;i<30;i++) {
is_ioctl_used=1;
printk("file : %p,data : %s,i : %d\n", tele_data->file,dptr,i);
skel_write(tele_data->file,(char *)dptr, 10, 0);
In the skel_write() line above, you're requesting 10 bytes to be written. That's 6 more than is available. So you could be smashing the stack here.
I'm not convinced it's your only issue, but it does appear to be a problem.
Just a couple of other minor things to point out. You don't need the cast on dptr in the skel_write() line... it's already a char *. Be wary of casting as it can hide an unintentional mismatch of types if the type of the variable changes. Also, the indentation in your code is all over the place. I realize you're just learning, but get in the habit of good practices here. It's really hard to read through your skel_write() implementation. The are likely a few other issues there, and something as simple as correct indentation can help readers understand the flow, and potentially see the issue.
Finally, don't give up. Kernel programming is hard: there are lots of moving parts, concurrency, locking, caching, and a very asynchronous style of programming. OTOH, you're down close to the bare metal of your processor and system, and it's quite rewarding.

Mit,
May you need to scrutinize the kthreads behaviour w.r.t operations you are doing from inside it
See: In what context Kernel Thread runs in Linux?

scapy command for defining the data part of udp packet

I had used the following command to generate a GTP packet using sendp
>>>sendp(Ether()/IP(dst="1.1.1.1", proto=17,
len=124)/UDP(sport=2152,dport=2152,len=104)/Raw(load=('32 ff 00 58 00 00 00 01 '
'28 db 00 00 45 00 00 54 00 00 40 00 40 00 5e a5 ca 0b 28 9e c0 a8 28 b2 08 00 '
'be e7 00 00 28 7b 04 11 20 4b f4 3d 0d 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 '
'14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d '
'2e 2f 30 31 32 33 34 35 36 37')), iface="eth1", loop=1, inter=1.0002)
In Wireshark,
Click on the following link for wireshark view :
http://imgur.com/M1Hpl7P
Expecting the Data of UDP packet as -
32 ff 00 58 00 00 00 01 28 db 00 00 45 00 00 54 00 00 40 00 40 00 5e a5 ca 0b 28
9e c0 a8 28 b2 08 00 be e7 00 00 28 7b 04 11 20 4b f4 3d 0d 00 08 09 0a 0b 0c 0d
0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28
29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37
But I found this data at "right most side of the packet description", instead of "Middle portion of the packet description".
Could you please let me know the command to be used to correct this.

I assume you want the above hex values to be the data in the UDP packet.
What you provided to Raw was a string of characters, spaces included, not hex code in Python. We will first convert your string of characters into a valid hex string in Python, then provide that to Scapy so the data will go on the wire as you want it.
I'll also show you some nice functions to preview what you will see in Wireshark.
First we'll put your data into its own variable.
>>> data = ('32 ff 00 58 00 00 00 01 '
... '28 db 00 00 45 00 00 54 00 00 40 00 40 00 5e a5 ca 0b 28 9e c0 a8 28 b2 08 00 '
... 'be e7 00 00 28 7b 04 11 20 4b f4 3d 0d 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 '
... '14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d '
... '2e 2f 30 31 32 33 34 35 36 37')
Then split that up into a nice list.
>>> data_list = data.split(" ")
>>> data_list
['32', 'ff', '00', '58', '00', '00', '00', '01', '28', 'db', '00', '00', '45',
'00', '00', '54', '00', '00', '40', '00', '40', '00', '5e', 'a5', 'ca', '0b',
'28', '9e', 'c0', 'a8', '28', 'b2', '08', '00', 'be', 'e7', '00', '00', '28',
'7b', '04', '11', '20', '4b', 'f4', '3d', '0d', '00', '08', '09', '0a', '0b',
'0c', '0d', '0e', '0f', '10', '11', '12', '13', '14', '15', '16', '17', '18',
'19', '1a', '1b', '1c', '1d', '1e', '1f', '20', '21', '22', '23', '24', '25',
'26', '27', '28', '29', '2a', '2b', '2c', '2d', '2e', '2f', '30', '31', '32',
'33', '34', '35', '36', '37']
Generate the string which can be passed to Raw as the binary data you want to appear in the packet.
>>>data_s = ''.join(data_list).decode('hex')
>>>data_s
'2\xff\x00X\x00\x00\x00\x01(\xdb\x00\x00E\x00\x00T\x00\x00#\x00#\x00^\xa5\xca
\x0b(\x9e\xc0\xa8(\xb2\x08\x00\xbe\xe7\x00\x00({\x04\x11K\xf4=\r\x00\x08\t\n\x0b
\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f
!"#$%&\'()*+,-./01234567'
Use this string for your UDP Payload and build your packet!
>>> packet = IP(dst="1.1.1.1", proto=17,
... len=124)/UDP(sport=2152,dport=2152,len=104)/Raw(load=data_s)
>>> packet.show()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= 124
id= 1
flags=
frag= 0
ttl= 64
proto= udp
chksum= None
src= 0.0.0.0
dst= 1.1.1.1
\options\
###[ UDP ]###
sport= gtp_user
dport= gtp_user
len= 104
chksum= None
###[ Raw ]###
load= '2\xff\x00X\x00\x00\x00\x01(\xdb\x00\x00E\x00\x00T\x00\x00#\x00#
\x00^\xa5\xca\x0b(\x9e\xc0\xa8(\xb2\x08\x00\xbe\xe7\x00\x00({\x04
\x11K\xf4=\r\x00\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14
\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0
1234567'
This should produce the expected data in Wireshark. Here is a hexdump of what you should see. I excluded the Ethernet layer, was giving Scapy on my machine some trouble for an unknown reason.
>>> hexdump(p)
0000 45 00 00 7C 00 01 00 00 40 11 78 6F 00 00 00 00 E..|....#.xo....
0010 01 01 01 01 08 68 08 68 00 68 90 1A 32 FF 00 58 .....h.h.h..2..X
0020 00 00 00 01 28 DB 00 00 45 00 00 54 00 00 40 00 ....(...E..T..#.
0030 40 00 5E A5 CA 0B 28 9E C0 A8 28 B2 08 00 BE E7 #.^...(...(.....
0040 00 00 28 7B 04 11 20 4B F4 3D 0D 00 08 09 0A 0B ..({.. K.=......
0050 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B ................
0060 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B .... !"#$%&'()*+
0070 2C 2D 2E 2F 30 31 32 33 34 35 36 37 ,-./01234567