I have assignment to Read packets from a file and output the details of those packets having.
Do not fragment(DF) flag set for IP header and SYN and ACK flags
set (together) for TCP header (all the three flags should be set). For
packets qualifying the above condition print the following:
Packet number
Source IP address and Source port number
Destination IP address and Destination port number
I have done packet capture but not able to print values matching condition of all 3 flag set from that PCAP file
print("Starting ")
for packet in PcapReader(filename):
if packet[IP].flags == 'DF' and packet[TCP].flags == 'S' and packet[TCP].flags == 'A':
print("Source IP address = {} , source port number = {} , destination IP addr = {} , destination port number = {} ".format(packet[IP].src,packet[TCP].sport,packet[IP].dst,packet[TCP].dport))
else:
print("Finishing. ")
I ran tshark -V > file.log in my terminal and then in a separate terminal I ran curl 'www.google.com'. I then returned to the first terminal, shut off tshark and then looked at file.log. In it there are a number of 'frames'. For example, here is one of them:
Frame 42: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface en0, id 0
Interface id: 0 (en0)
Interface name: en0
Interface description: Wi-Fi
Encapsulation type: Ethernet (1)
Arrival Time: Nov 3, 2020 17:28:15.022217000 PST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1604453295.022217000 seconds
[Time delta from previous captured frame: 0.000244000 seconds]
[Time delta from previous displayed frame: 0.000244000 seconds]
[Time since reference or first frame: 12.164253000 seconds]
Frame Number: 42
Frame Length: 66 bytes (528 bits)
Capture Length: 66 bytes (528 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: *****, Dst: *****
Destination: *****
Address: *****
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Apple_81:82:2f (ac:bc:32:81:82:2f)
Address: Apple_81:82:2f (ac:bc:32:81:82:2f)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: *****, Dst: *****
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 52
Identification: 0x0000 (0)
Flags: 0x40, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment Offset: 0
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0xabe8 [validation disabled]
[Header checksum status: Unverified]
Source Address: 134.87.182.156
Destination Address: 172.217.165.14
Transmission Control Protocol, Src Port: 55888, Dst Port: 80, Seq: 76, Ack: 530, Len: 0
Source Port: 55888
Destination Port: 80
[Stream index: 3]
[TCP Segment Len: 0]
Sequence Number: 76 (relative sequence number)
Sequence Number (raw): 2379446728
[Next Sequence Number: 76 (relative sequence number)]
Acknowledgment Number: 530 (relative ack number)
Acknowledgment number (raw): 278173922
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window: 2048
[Calculated window size: 131072]
[Window size scaling factor: 64]
Checksum: 0xc5b6 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Timestamps: TSval 190086814, TSecr 4203481592
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 190086814
Timestamp echo reply: 4203481592
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 41]
[The RTT to ACK the segment was: 0.000244000 seconds]
[iRTT: 0.064637000 seconds]
[Timestamps]
[Time since first frame in this TCP stream: 0.219685000 seconds]
[Time since previous frame in this TCP stream: 0.000244000 seconds]
I think each frame corresponds to a single request sent or received by my computer. I want to know how to reconstruct the exact request sent by my computer to googles server. Additionally, I want to know how to capture whatever was returned by the server.
During the packet capture you can use the -f (capture filter) option to extract only the packets linked to www.google.com
tshark -a duration:10 -T text -V -f "host www.google.com" > capture.txt
I set the -a (autostop) capture option to 10 seconds, because I was only doing the curl 'www.google.com' once.
The command above will capture all TCP and UDP related to the curl request.
If you want to reassemble the connection after a capture you need to create a pcap file during the capture:
# this is capturing all traffic
tshark -a duration:10 -w capture.pcap
You can query this pcap file in multiple ways:
tshark -r capture.pcap -Y http.request -T fields -e http.host -e http.user_agent
# output
www.google.com curl/7.64.1'
tshark -r capture.pcap -Y "(http.host == www.google.com)"
44 1.631029 192.168.86.35 → 64.233.177.105 HTTP 144 GET / HTTP/1.1
tshark -r capture.pcap -Y "dns.qry.name == www.google.com"
#output
36 1.546800 192.168.86.35 → 192.168.86.1 DNS 74 Standard query 0xe159 A www.google.com
39 1.587633 192.168.86.1 → 192.168.86.35 DNS 170 Standard query response 0xe159 A www.google.com A 64.233.177.105 A 64.233.177.104 A 64.233.177.103 A 64.233.177.99 A 64.233.177.147 A 64.233.177.106
# get the frame details for TCP packets associated with google
tshark -r capture.pcap -T fields -e tcp.stream -Y "tcp contains google"
#output frame number(s)
# get the frame details for UDP packets associated with google
tshark -r capture.pcap -T fields -e udp.stream -Y "udp contains google"
# follow the TCP frame
# this should return the curl request for www.google.com
tshark -r capture.pcap -q -z follow,tcp,ascii,frame_number
# follow the UDP frame
tshark -r capture.pcap -q -z follow,udp,ascii,frame_number
Hopefully, this answer helps solve your question.
I have a large pcap file that I am trying to split, and I have a list of IP addresses. I would like to split the pcap into two smaller pcaps. One pcap will include all the packets with src equal to one of the IP addresses in my list, and one pcap will include everything else (dest equal to one of the listed IP addresses). In other words, one pcap includes all packets flowing into those machines, and one pcap includes all packets flowing out of those machines. All packets will have either src or dest equal to one of the listed IPs. Can this be done using tcpdump? I would really prefer to use tcpdump since it will be a lot of overhead for me to install any other tools on the Linux machine I am using.
Yes you can.
First use tcpdump -w FILE in order to record the packet flow:
$ sudo tcpdump -i eth0 -s0 -n -e -w /tmp/w.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C123 packets captured
126 packets received by filter
0 packets dropped by kernel
Then use tcpdump -r FILE to read it.
$ tcpdump -n -r /tmp/w.pcap | head
20:48:38.498793 IP 192.168.250.10.22 > 192.168.250.1.49434: Flags [P.], seq 240912301:240912433, ack 2683174485, win 724, options [nop,nop,TS val 8711083 ecr 381715459], length 132
20:48:38.498968 IP 192.168.250.1.49434 > 192.168.250.10.22: Flags [.], ack 132, win 8183, options [nop,nop,TS val 381715490 ecr 8711083], length 0
20:48:40.945504 IP 192.168.250.10.68 > 192.168.250.254.67: BOOTP/DHCP, Request from 00:0c:29:48:aa:d6, length 300
20:48:40.946062 IP 192.168.250.254.67 > 192.168.250.10.68: BOOTP/DHCP, Reply, length 300
20:48:41.045549 IP 192.168.250.10.33131 > 109.231.72.179.22: Flags [S], seq 724706181, win 29200, options [mss 1460,sackOK,TS val 8711720 ecr 0,nop,wscale 6], length 0
20:48:42.539655 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [S], seq 3387751538, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 381719336 ecr 0,sackOK,eol], length 0
20:48:42.539703 IP 192.168.250.10.22 > 192.168.250.1.49471: Flags [S.], seq 3352023725, ack 3387751539, win 28960, options [mss 1460,sackOK,TS val 8712093 ecr 381719336,nop,wscale 6], length 0
20:48:42.539782 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [.], ack 1, win 8235, options [nop,nop,TS val 381719336 ecr 8712093], length 0
20:48:42.540066 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [P.], seq 1:22, ack 1, win 8235, options [nop,nop,TS val 381719336 ecr 8712093], length 21
20:48:42.540078 IP 192.168.250.10.22 > 192.168.250.1.49471: Flags [.], ack 22, win 453, options [nop,nop,TS val 8712093 ecr 381719336], length 0
To filter out specific hosts, just use the standard tcpdump command line, e.g.:
$ tcpdump -n -r /tmp/w.pcap host 8.8.8.8 | head
reading from file /tmp/w.pcap, link-type EN10MB (Ethernet)
20:48:47.595511 IP 192.168.250.10 > 8.8.8.8: ICMP echo request, id 10742, seq 1, length 64
20:48:47.603743 IP 8.8.8.8 > 192.168.250.10: ICMP echo reply, id 10742, seq 1, length 64
20:48:48.597758 IP 192.168.250.10 > 8.8.8.8: ICMP echo request, id 10742, seq 2, length 64
20:48:48.606064 IP 8.8.8.8 > 192.168.250.10: ICMP echo reply, id 10742, seq 2, length 64
20:48:49.600303 IP 192.168.250.10 > 8.8.8.8: ICMP echo request, id 10742, seq 3, length 64
20:48:49.610471 IP 8.8.8.8 > 192.168.250.10: ICMP echo reply, id 10742, seq 3, length 64
Or to exclude that host:
$ tcpdump -n -r /tmp/w.pcap not host 8.8.8.8 | head
reading from file /tmp/w.pcap, link-type EN10MB (Ethernet)
20:48:38.498793 IP 192.168.250.10.22 > 192.168.250.1.49434: Flags [P.], seq 240912301:240912433, ack 2683174485, win 724, options [nop,nop,TS val 8711083 ecr 381715459], length 132
20:48:38.498968 IP 192.168.250.1.49434 > 192.168.250.10.22: Flags [.], ack 132, win 8183, options [nop,nop,TS val 381715490 ecr 8711083], length 0
20:48:40.945504 IP 192.168.250.10.68 > 192.168.250.254.67: BOOTP/DHCP, Request from 00:0c:29:48:aa:d6, length 300
20:48:40.946062 IP 192.168.250.254.67 > 192.168.250.10.68: BOOTP/DHCP, Reply, length 300
20:48:41.045549 IP 192.168.250.10.33131 > 109.231.72.179.22: Flags [S], seq 724706181, win 29200, options [mss 1460,sackOK,TS val 8711720 ecr 0,nop,wscale 6], length 0
20:48:42.539655 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [S], seq 3387751538, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 381719336 ecr 0,sackOK,eol], length 0
20:48:42.539703 IP 192.168.250.10.22 > 192.168.250.1.49471: Flags [S.], seq 3352023725, ack 3387751539, win 28960, options [mss 1460,sackOK,TS val 8712093 ecr 381719336,nop,wscale 6], length 0
20:48:42.539782 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [.], ack 1, win 8235, options [nop,nop,TS val 381719336 ecr 8712093], length 0
20:48:42.540066 IP 192.168.250.1.49471 > 192.168.250.10.22: Flags [P.], seq 1:22, ack 1, win 8235, options [nop,nop,TS val 381719336 ecr 8712093], length 21
20:48:42.540078 IP 192.168.250.10.22 > 192.168.250.1.49471: Flags [.], ack 22, win 453, options [nop,nop,TS val 8712093 ecr 381719336], length 0
You can do lists of hosts using tcpdump -n -r /tmp/w.pcap host 8.8.8.8 or host 8.8.4.4 or similar.
when i open a packetsocket on a loopback interface (lo) and listen all the packets are seen twice. why is it so?
But a capture on the interface using tcpdump correctly ignores the duplicate entries. see the 'packets received by filter' (which contains the duplicate packets) and 'packets captured'. How is this filtering done
tcpdump -i lo -s 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
11:00:08.439542 IP 12.0.0.3 > localhost.localdomain: icmp 64: echo request seq 1
11:00:08.439559 IP localhost.localdomain > 12.0.0.3: icmp 64: echo reply seq 1
11:00:09.439866 IP 12.0.0.3 > localhost.localdomain: icmp 64: echo request seq 2
11:00:09.439884 IP localhost.localdomain > 12.0.0.3: icmp 64: echo reply seq 2
11:00:10.439389 IP 12.0.0.3 > localhost.localdomain: icmp 64: echo request seq 3
11:00:10.439410 IP localhost.localdomain > 12.0.0.3: icmp 64: echo reply seq 3
6 packets captured
12 packets received by filter
0 packets dropped by kernel
My code:
int main()
{
int sockFd;
if ( (sockFd=socket(PF_PACKET, SOCK_DGRAM, 0))<0 ) {
perror("socket()");
return -1;
}
/* bind the packet socket */
struct sockaddr_ll addr;
struct ifreq ifr;
strncpy (ifr.ifr_name, "lo", sizeof(ifr.ifr_name));
if(ioctl(sockFd, SIOCGIFINDEX, &ifr) == -1)
{
perror("iotcl");
return -1;
}
memset(&addr, 0, sizeof(addr));
addr.sll_family=AF_PACKET;
addr.sll_protocol=htons(ETH_P_ALL);
addr.sll_ifindex=ifr.ifr_ifindex;
if ( bind(sockFd, (struct sockaddr *)&addr, sizeof(addr)) ) {
perror("bind()");
return -1;
}
char buffer[MAX_BUFFER+1];
int tmpVal = 1;
while(tmpVal > 0)
{
tmpVal = recv (sockFd, buffer, MAX_BUFFER, 0);
cout<<"Received Pkt with Bytes "<<tmpVal <<endl;
}
}
Figured out the problem.
from libcaps code:
* - The loopback device gives every packet twice; on 2.2[.x] kernels,
* if we use PF_PACKET, we can filter out the transmitted version
* of the packet by using data in the "sockaddr_ll" returned by
* "recvfrom()", but, on 2.0[.x] kernels, we have to use
* PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a
* "sockaddr_pkt" which doesn't give us enough information to let
* us do that.
the listening entity needs to filter the duplicate packet using the if_index got from recvfrom api.
After reading this answer, I want to understand if the same applies to the calls to gen_tcp:recv(Socket, Length). My understanding of the documentation is that this if more than Length bytes are available in the buffer, they remain there; if there is less than Length bytes, the call blocks until enough is available or connection closes.
In particular, this should work when packets are prefixed by 2 bytes holding packet length in little-endian order:
receive_packet(Socket) ->
{ok, <<Length:16/integer-little>>} = gen_tcp:recv(Socket, 2),
gen_tcp:recv(Socket, Length).
Is this correct?
Yes (or No, see comments for details).
Consider:
Shell 1:
1> {ok, L} = gen_tcp:listen(8080, [binary, {packet, 0}, {active, false}]).
{ok,#Port<0.506>}
2> {ok, C} = gen_tcp:accept(L). %% Blocks
...
Shell 2:
1> {ok, S} = gen_tcp:connect("localhost", 8080, [binary, {packet, 0}]).
{ok,#Port<0.516>}
2> gen_tcp:send(S, <<0,2,72,105>>).
ok
3>
Shell 1 cont:
...
{ok,#Port<0.512>}
3> {ok, <<Len:16/integer>>} = gen_tcp:recv(C, 2).
{ok,<<0,2>>}
4> Len.
2
5> {ok, Data} = gen_tcp:recv(C, Len).
{ok,<<"Hi">>}
6>
However this is useful if you only want to confirm the behaviour. In reality you would change the {packet, N} option to define how many bytes that should be the packet length (on big-endian systems).
Same as before but without extracting length explicitly (note packet length = 2 in shell 1):
Shell 1:
1> {ok, L} = gen_tcp:listen(8080, [binary, {packet, 2}, {active, false}]).
{ok,#Port<0.506>}
2> {ok, C} = gen_tcp:accept(L). %% Blocks
...
In this case Erlang will strip the first 2 bytes and recv/2 will block until as many bytes it needs. In this case read-length must be 0 in recv/2.
Shell 2:
1> {ok, S} = gen_tcp:connect("localhost", 8080, [binary, {packet, 0}]).
{ok,#Port<0.516>}
2> gen_tcp:send(S, <<0,2,72,105>>).
ok
3>
Shell 1:
...
{ok,#Port<0.512>}
3> {ok, Data} = gen_tcp:recv(C, 0).
{ok,<<"Hi">>}
In this case I don't specify the {packet, N} option in shell 2 just to show the idea but normally it is not 0. If the packet option is set then gen_tcp will automatically append/strip that many bytes from the package.
If you specify packet 0 then you must do a recv/2 with a length >= 0 and the behaviour is the same as in C. You can simulate non-blocking receives by giving a short time out when doing the receive and this will return {error, timeout} in that case.
More on that can be read here:
http://www.erlang.org/doc/man/gen_tcp.html
http://www.erlang.org/doc/man/inet.html#setopts-2
Hope this clears things up.