Packet sniffer and interpreter... you know for research purposes
I wanted to literally dig into the payloads, frames, packets etc. of what's actually going back and forth over a network. Understanding the breakdown of the structure, byte for byte, was a good learning experience.
I know, I know, I can just use scapy or Wireshark and dig into them, but where's the fun in that!?
- Example below of how to do the same in scapy
- For a deep dive into ethernet frames, see this great resource
- Listen on different interfaces
- Track statistics (start/end time, counts of frames/packets/etc.)
- All the things listed below under OSI layers
Broken down into the OSI model layers, this tool can process/dump/inspect the following:
- Ethernet frame(s)
- ARP/RARP packet(s)?
  - Contentious, as it's technically not L2 but L2.5, depending who you ask lol
- IPv4 packet(s)
- IPv6 packet(s)
- ICMP packet(s)
- ICMPv6 packet(s)
- IGMP packet(s)
- TCP segment(s)
- UDP datagram(s)
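A cut-down version of the byte-for-byte dissection described above (Ethernet -> IPv4 -> TCP/UDP using `struct`), added here as an example and not McSniff's own code. The sample frame is constructed inline, and the function and field names are my own choices, not the tool's.

```python
import struct
from typing import Any, Dict

# On Linux the tool would read frames like this one from
# socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003)).
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def dissect(frame: bytes) -> Dict[str, Any]:
    """Walk Ethernet -> IPv4 -> TCP/UDP, one dict per layer (all fields are network byte order)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    out: Dict[str, Any] = {"eth": {"dst": mac(dst), "src": mac(src), "type": etype}}
    if etype != ETHERTYPE_IPV4:            # ARP, IPv6 etc. would branch here
        return out
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4             # header length in bytes; options may follow the fixed 20
    out["ipv4"] = {"version": ver_ihl >> 4, "ihl": ihl, "ttl": ttl, "proto": proto,
                   "src": ip4(s), "dst": ip4(d)}
    l4 = ip[ihl:total_len]                 # slice by total_len so link-layer padding is not taken as payload
    if proto == PROTO_TCP:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        doff = (off_flags >> 12) * 4       # data offset: TCP options sit between byte 20 and doff
        out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                      "flags": off_flags & 0x1FF, "payload": l4[doff:]}
    elif proto == PROTO_UDP:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        out["udp"] = {"sport": sport, "dport": dport, "payload": l4[8:ulen]}
    return out


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): Ethernet/IPv4/TCP carrying a plain-HTTP request."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 51234, 80, 1000, 0, (5 << 12) | 0x018, 65535, 0, 0)  # PSH+ACK, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000, 64, PROTO_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34]))
    eth = struct.pack("!6s6sH", bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455"), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload + b"\x00" * 4   # trailing zeros mimic link-layer padding


if __name__ == "__main__":
    for layer, fields in dissect(build_sample_frame()).items():
        print(layer, fields)
```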
Minimum input required is the interface to listen on:

```bash
sudo python McSniff.py <interface>
# example
sudo python McSniff.py eth0
```
Using the `-h` flag will output the below for all options and params that can be supplied:

```
~ sudo python McSniff.py -h
usage: McSniff.py [-h] [-p] [-s] [-t] [-2 [{ETH,ARP,RARP} ...]] [-3 [{IPv4,IPv6,ICMP,ICMPv6,IGMP} ...]] [-4 [{TCP,UDP} ...]] interface

Network analyser (packet sniffer)... for you know, research purposes ;)

positional arguments:
  interface             interface to analyse, run 'ip link' to list

options:
  -h, --help            show this help message and exit
  -p, --payload         dump payload output
  -s, --stats           enable and show statistics for what's been processed
  -t, --https           include dumps even for 443 port payloads (encrypted traffic)
  -2 [{ETH,ARP,RARP} ...], --level2 [{ETH,ARP,RARP} ...]
                        OSI level 2 filter, by default listens for all, supply no args to ignore level
  -3 [{IPv4,IPv6,ICMP,ICMPv6,IGMP} ...], --level3 [{IPv4,IPv6,ICMP,ICMPv6,IGMP} ...]
                        OSI level 3 filter, by default listens for all, supply no args to ignore level
  -4 [{TCP,UDP} ...], --level4 [{TCP,UDP} ...]
                        OSI level 4 filter, by default listens for all, supply no args to ignore level
```
What you supply when toggling the levels is what you get, i.e. if you supply only `IPv4` you get only IPv4. Also a little bit of common sense is required: for example, if you specify nothing for `-3` you won't get anything for L4 (TCP/UDP), as it's nested within L3!

```bash
sudo python McSniff.py eth0 -2 ETH
sudo python McSniff.py eth0 -2 ETH -3 IPv4 IPv6
sudo python McSniff.py eth0 -2 ETH -3 IPv6 -4 UDP -p -s
# run in 20 second bursts with a 5 second pause between them
while true; do clear; echo 'Running...'; sudo timeout 20 python McSniff.py eth0; echo 'Sleeping...'; sleep 5; done
```
```bash
# eth - be connected to a network
# arp
sudo arping <destination>
# rarp - not really seen, can happen during boot but DHCP superseded it
# ICMP (v4)
ping -4 <destination>
ping -4 google.co.uk
# ICMPv6 - need to have IPv6 enabled on the interface ofc
ping -6 <destination>
ping -6 google.co.uk
# TCP - insecure HTTP requests are great as you can see the payload, HTTPS is encrypted so you can't see the payload (unless you have the certs to decrypt)
curl http://<destination>
# -k means ignore certs/verification, connect anyway (only matters for https; harmless on plain http)
curl -k http://httpforever.com/
# UDP - DNS requests are the easiest to trigger
dig <host>
dig google.co.uk
# to force the query to a specific name server, use the @ syntax
dig @<name server like 1.1.1.1> <host>
dig @1.1.1.1 google.co.uk
```
- Python struct formatting
- Python socket docs
- Ethernet frame Wiki
- EtherType Wiki
- IPv4 packet structure Wiki
- IP protocol numbers Wiki
- UDP structure Wiki
- TCP structure Wiki
- Ping (ICMP/ICMPv6) structure Wiki
- ARP structure Wiki
```python
from scapy.all import sniff

sniff(iface="eth0", prn=lambda x: x.show())
```