#! /usr/bin/env python ############################################################################# ## ## ## scapy.py --- Interactive packet manipulation tool ## ## see http://www.secdev.org/projects/scapy/ ## ## for more informations ## ## ## ## Copyright (C) 2003 Philippe Biondi ## ## ## ## This program is free software; you can redistribute it and/or modify it ## ## under the terms of the GNU General Public License version 2 as ## ## published by the Free Software Foundation; version 2. ## ## ## ## This program is distributed in the hope that it will be useful, but ## ## WITHOUT ANY WARRANTY; without even the implied warranty of ## ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## ## General Public License for more details. ## ## ## ############################################################################# # # $Log: scapy.py,v $ # Revision 1.0.5.20 2006/12/12 15:33:25 pbi # - changed default conf.checkIPID value to 0 # # Revision 1.0.5.19 2006/12/12 15:32:59 pbi # - added ESNinfo tag to Dot11Elt() # # Revision 1.0.5.18 2006/11/30 07:29:38 pbi # - removed forgotten print in PacketList.sr() # # Revision 1.0.5.17 2006/11/29 09:28:10 pbi # - added RandOID() # # Revision 1.0.5.16 2006/11/29 09:20:05 pbi # - added RandNumGamma(), RandNumGauss() and RandNumExpo() to change a bit from linear distributions # # Revision 1.0.5.15 2006/11/29 08:57:33 pbi # - added RandChoice() volatile value # # Revision 1.0.5.14 2006/11/28 14:08:55 pbi # - fixed 802.3 decoded as Ethernet if length is 1500 # # Revision 1.0.5.13 2006/11/27 09:19:47 pbi # - fixed bug in Ether_Dot3_Dispatcher() (P. Lalet) # # Revision 1.0.5.12 2006/11/20 13:36:28 pbi # - fixed bug in IncrementalValue() # # Revision 1.0.5.11 2006/11/17 14:23:28 pbi # - argl. Forgot a print. # # Revision 1.0.5.10 2006/11/16 22:16:30 pbi # - have L3PacketSocket work when sending packets on tun interfaces # # Revision 1.0.5.9 2006/11/16 17:33:33 pbi # - added wireshark() function to lauch wireshark on a packet list # # Revision 1.0.5.8 2006/11/16 17:05:27 pbi # - added ISAKMP flags decoding # - do not try to decode payload if ISAKMP says payload is encrypted # # Revision 1.0.5.7 2006/11/09 12:35:54 pbi # - fixed EAP # # Revision 1.0.5.6 2006/11/09 07:18:46 pbi # - new split/bind_layer() semantic : bind_layer(IP, UDP, frag=0, proto=17) # Still compatible with old one. # # Revision 1.0.5.5 2006/10/25 13:52:31 pbi # - PacketList() constructor's list parameter is now optionnal # # Revision 1.0.5.4 2006/10/23 12:08:21 pbi # - replaced PacketListField equality test in Packet.show() by a more generic # islist=1 and holds_packets=1 # # Revision 1.0.5.3 2006/10/23 11:55:57 pbi # - removed references to class name into Ether.mysummary() # # Revision 1.0.5.2 2006/10/23 11:11:28 pbi # - added restart parameter to IncrementalValue to provide a value after which to restart # # Revision 1.0.5.1 2006/10/19 15:56:43 pbi # Release 1.0.5 # # Revision 1.0.4.106 2006/10/17 16:50:19 pbi # - fixed ScapyFreqFilter (ticket #19) # # Revision 1.0.4.105 2006/10/17 16:12:03 pbi # - added 'count' parameter to send()/sendp() and __gen_send() to send the same set of # packets a given number of times # # Revision 1.0.4.104 2006/10/17 16:06:26 pbi # - added alternative 'n' parameter to corrupt_bits() and corrupt_bytes() # to specify how much bits/bytes to corrupt, instead of working with percentages # # Revision 1.0.4.103 2006/10/06 17:33:53 pbi # - added doc strings to Field class (ticket #14) # # Revision 1.0.4.102 2006/10/06 17:17:08 pbi # - added my_globals parameter to autorun_commands() and all autorun_get_*() (ticket #15) # # Revision 1.0.4.101 2006/10/06 17:09:10 pbi # - used get_it() in get_if_raw_addr() # - made interfaces with no IP return 0.0.0.0 (ticket #16) # # Revision 1.0.4.100 2006/10/06 16:59:24 pbi # - removed all inconsistencies (ticket #17) # # Revision 1.0.4.99 2006/10/06 16:33:08 pbi # - fixed typo in ISAKMPAttributeTypes (ticket #13) # # Revision 1.0.4.98 2006/10/06 16:31:41 pbi # - added additionnal DHCP Options (ticket #11) # # Revision 1.0.4.97 2006/10/06 15:34:38 pbi # - fixed DHCPtypes value (ticket #10) # - added new DHCPtypes values # # Revision 1.0.4.96 2006/10/06 14:53:59 pbi # - fixed WEP building (broken since 1.0.4.86) # # Revision 1.0.4.95 2006/10/06 14:53:19 pbi # - moved payload building call into a hookable method outside Packet.do_build() # # Revision 1.0.4.94 2006/10/06 14:02:24 pbi # - now import Set object to have it on hand # # Revision 1.0.4.93 2006/10/06 14:01:55 pbi # - moved field initialization from default valies from Packet.__init__() # to Packet.init_fields() # # Revision 1.0.4.92 2006/10/06 14:00:31 pbi # - WARNING: internal API change. Packet.do_dissect() now only dissects current layer. # Pre/post_dissect hooks and payload dissection are called from Packet.dissect(). # # Revision 1.0.4.91 2006/10/06 12:24:56 pbi # - added fragmentation informations in IP.summary() # # Revision 1.0.4.90 2006/10/06 12:24:11 pbi # - Packet.name is now automatically set to the class name if not specified # # Revision 1.0.4.89 2006/10/06 12:22:47 pbi # - fixed StrFixedLenField.i2len() to return field actual length instead of fixed length that # is already known # # Revision 1.0.4.88 2006/10/06 12:20:50 pbi # - replaced type(x) is type by more correct isinstance(x, type) # # Revision 1.0.4.87 2006/10/06 12:15:24 pbi # - fix corrupt_bits() probability computation # # Revision 1.0.4.86 2006/09/23 19:36:30 pbi # - moved payload building from Packet.do_build() to Packet.build() # - added post build transform logic so that transformation functions can be applied # to a freshly assembled layer # # Revision 1.0.4.85 2006/09/23 06:54:37 pbi # - modified MutatedBytes/MutatedBits way of working # - renamed them CorruptedBytes/CorruptedBits # - added corrupt_bytes() and corrupt_bits() functions # # Revision 1.0.4.84 2006/09/23 06:52:46 pbi # - improved import_hexcap() to handle more hexdump outputs # # Revision 1.0.4.83 2006/09/11 15:50:32 pbi # - fixed some glurks is_promisc() # - added promiscping() function (A. Brodin) # # Revision 1.0.4.82 2006/09/11 15:36:35 pbi # - added conf.autofragment paramter (default to 1) # - added auto IP fragmentation code into L3PacketSocket() to handle "Message Too Long" exceptions # # Revision 1.0.4.81 2006/09/11 15:35:29 pbi # - changed sane() to sane_color() and added sane() that does not use color themes # - added hexstr() that returns a one line hexdump string from a string # # Revision 1.0.4.80 2006/09/11 15:23:40 pbi # - fixed ISAKMPTransformSetField() to manage fields that should not use TLV encoding but need it # - changed N and D ISAKMP payload types to more explicit identifiers: Notification and Delete # # Revision 1.0.4.79 2006/09/11 15:22:50 pbi # - renamed PacketList.hexdump() to PacketList.rawhexdump() # - added PacketList.hexdump() to print and hexdump of all packets topped by a summary of the dumped packet # # Revision 1.0.4.78 2006/09/11 15:22:03 pbi # - added MutateBytes() volatile to randomly alter bytes in a string # - added MutateBits() volatile class to do random bitflips on a string # # Revision 1.0.4.77 2006/09/11 15:20:47 pbi # - added IncrementalValue() volatile class for sequence number fields # # Revision 1.0.4.76 2006/09/11 12:53:52 pbi # - Use random.randrange() instead of random.randint() for RandNum() # - RandInt() now reaches 2**32-1 # - added RandSInt() and RandSLong() for signed values # # Revision 1.0.4.75 2006/09/11 12:51:10 pbi # - Entries in arp_cache are now permanent if they have 0 or None instead of timeout # # Revision 1.0.4.74 2006/08/27 17:36:08 pbi # - tweaked make_*_table() to add horizontal separation lines # # Revision 1.0.4.73 2006/08/27 16:11:06 pbi # - added multiplot to plot many series from the same packet list. The function must returns # a couple whose first element is the label of a serie and the second is the data to plot. # # Revision 1.0.4.72 2006/08/27 15:13:36 pbi # - WARNING: API change. crc32() is now the zlib function. # crc32(0xffffffffL, s) --> ~crc32(z)&0xffffffffL # # Revision 1.0.4.71 2006/08/27 14:16:47 pbi # - fixed possible failures in DNS.summary() # # Revision 1.0.4.70 2006/08/27 14:11:38 pbi # - improved L3PacketSocket to build the list of interfaces only when needed (promisc=1) # # Revision 1.0.4.69 2006/08/27 14:10:05 pbi # - added gz parameter to PcapWriter (and thus wrpcap()) to gzip captures # - added abilty to read gzipped pcap files in PcapReader (and thus rdpcap()) # # Revision 1.0.4.68 2006/08/27 13:59:20 pbi # - changed Net representation for it to work with Packet.command() # # Revision 1.0.4.67 2006/08/27 13:58:48 pbi # - added diffplot() to PacketList to plot a function of couples (l[i],l[i+delay]) # # Revision 1.0.4.66 2006/08/27 12:52:13 pbi # - added prototype to psdump() and pdfdump() docstring # # Revision 1.0.4.65 2006/08/27 12:47:32 pbi # - have srloop() and srploop() return results of all probes # # Revision 1.0.4.64 2006/08/11 12:24:31 pbi # - patched getmacbyip() to handle IP multicast and return the right MAC multicast # # Revision 1.0.4.63 2006/08/11 12:13:45 pbi # - fixed lambda filtering in PacketList.plot() # # Revision 1.0.4.62 2006/08/11 12:12:51 pbi # - fixed reinstantiation of a PacketList as parameter to another PacketList # # Revision 1.0.4.61 2006/08/11 12:11:10 pbi # - added docstring to route.delt() # # Revision 1.0.4.60 2006/08/11 12:10:41 pbi # - fixed /proc/net/route parsing to handle reject routes # # Revision 1.0.4.59 2006/08/05 15:38:50 pbi # - added ActionField(): a wrapper to put arround a field that will trigger the call of a method # each time a value is manually set into a field # # Revision 1.0.4.58 2006/08/05 15:37:31 pbi # - fix: moved call to superclass' constructor in EnumField's constructor # # Revision 1.0.4.57 2006/07/28 21:57:19 pbi # - fixed get_if_hwaddr() exception catching in SourceMACField and ARPSourceMACField # # Revision 1.0.4.56 2006/07/28 17:24:39 pbi # - fixed typo in inet_pton # # Revision 1.0.4.55 2006/07/19 17:23:30 pbi # - fix: ls() look for Packet subclasses in both globals() and __builtin__ # # Revision 1.0.4.54 2006/07/19 17:13:25 pbi # - forced _ special variable initisalization to None in autorun_commands() # # Revision 1.0.4.53 2006/07/17 17:35:48 pbi # - replaced getattr() by Packet.getfieldval() in FieldLenField.i2m() # # Revision 1.0.4.52 2006/07/17 17:28:20 pbi # - improved MACField.i2m() # # Revision 1.0.4.51 2006/07/17 17:27:40 pbi # - changed Packet.__iter__() to clone unrolled packets without transforming fields values through i2h() and h2i() # # Revision 1.0.4.50 2006/07/17 15:18:06 pbi # - added Packet.getfieldval() and NoPayload.getfieldval() to return the internal value of a field # - changed Packet.__getattr__() to use Packet.getfieldval() # - changed do_build, do_build_ps, guess_payload_class, __eq__, haslayer, getlayer to use Packet.getfieldval() # # Revision 1.0.4.49 2006/07/17 14:00:53 pbi # - fixed little endian fields for big endian machines (replaced @ by <) # # Revision 1.0.4.48 2006/07/17 13:43:04 pbi # - simplified PacketListField.addfield() # # Revision 1.0.4.47 2006/07/17 13:42:09 pbi # - simplified Dot11SCField.is_applicable() # # Revision 1.0.4.46 2006/07/17 13:40:55 pbi # - added __nonzero__() methods to Packet and Payload for the first to be true and the second # to be false without assembling the packet # # Revision 1.0.4.45 2006/07/17 13:37:19 pbi # - fixed Ether_Dot3_Dispatcher() to make it work with no arguments # # Revision 1.0.4.44 2006/07/13 09:52:57 pbi # - Fixed 3BytesField assembling (N. Bareil, ticket #6) # # Revision 1.0.4.43 2006/07/12 16:07:11 pbi # - fixed docstring of Packet.post_dissection() # # Revision 1.0.4.42 2006/07/12 13:36:01 pbi # - added Packet.from_hexcap() class method # # Revision 1.0.4.41 2006/07/12 13:35:37 pbi # - added a Packet.pre_dissect() hook # # Revision 1.0.4.40 2006/07/12 13:23:19 pbi # - Added a Ether/802.3 dispatcher for "Ethernet" linktype # - 802.1q use LLC payload if type < 1500 # - enhanced Dot3.mysummary() # # Revision 1.0.4.39 2006/07/11 22:40:37 pbi # - fixed Dot11.answers() behaviour for management frames (L. Butti, ticket #5) # # Revision 1.0.4.38 2006/07/11 22:37:36 pbi # - fixed endianness of some 802.11 fields (L. Butti, ticket #3) # # Revision 1.0.4.37 2006/07/11 22:36:06 pbi # - removed SC field from 802.11 control frames (L. Butti, ticket #4) # # Revision 1.0.4.36 2006/07/11 22:10:01 pbi # - fixed TCPOptionsField to support SAck option (P. Lindholm, ticket #3) # - strengthened TCPOptionsField against bad options # # Revision 1.0.4.35 2006/07/11 21:57:37 pbi # - fix typo # # Revision 1.0.4.34 2006/06/23 17:35:43 pbi # - improved error message details for get_if_hwaddr() # # Revision 1.0.4.33 2006/06/23 17:33:38 pbi # - arping() function can update ARP cache if parameter cache=1 (D. Schuster, ticket #2) # # Revision 1.0.4.32 2006/06/23 16:27:44 pbi # - fixed: overloaded volatile fields were not fixed for sending # # Revision 1.0.4.31 2006/05/27 23:04:41 pbi # - fixed possible loop in TCP options # # Revision 1.0.4.30 2006/05/25 18:00:40 pbi # - added split_layers(), split_top_down() and split_bottom_up() to undo the # effects of bind_layers(), bind_top_down() and bind_bottom_up() # # Revision 1.0.4.29 2006/05/25 10:25:32 pbi # - added missing SPI field for ISAKMP_payload_Proposal # # Revision 1.0.4.28 2006/05/25 09:23:16 pbi # - almost reversed Field.h2i() removal patch (1.0.4.25) (changed my mind :)) # - had Field.any2i() use Field.h2i() # # Revision 1.0.4.27 2006/05/24 21:15:22 pbi # - enhanced Packet.__getattr__ prettiness # # Revision 1.0.4.26 2006/05/24 20:50:47 pbi # - enhanced prettiness of DNSRRCountField # # Revision 1.0.4.25 2006/05/24 20:49:44 pbi # - removed h2i() methods from Field API # # Revision 1.0.4.24 2006/04/29 13:52:35 pbi # - added next_payload value overloading for ISAKMP layers # # Revision 1.0.4.23 2006/04/29 13:31:18 pbi # - removed forgotten debug prints.. # # Revision 1.0.4.22 2006/04/29 13:20:30 pbi # - fixed ISAKMPTransformSetField # - fixed ISAKMP_payload_Transform length calculation # # Revision 1.0.4.21 2006/04/29 12:48:13 pbi # - WARNING: Field API changed. parameter shift must be now provided to the # length-varying field and not to the length field. # - added Field.i2len() method to return the length of a field (the number of # bytes in the raw packet string) # # Revision 1.0.4.20 2006/04/28 21:53:24 pbi # - fixed some problems with Packet.haslayer()/getlayer() for empty and list fields # - reduced Packet.haslayer()/getlayer() speed overhead to the same level as older versions # # Revision 1.0.4.19 2006/04/26 14:55:18 pbi # - fixed (again) filter attaching on linux/amd64 (W. Robinet) # # Revision 1.0.4.18 2006/04/26 12:55:29 pbi # - fixed Dot11WEP default icv value # # Revision 1.0.4.17 2006/04/26 12:55:01 pbi # - ATTENTION: API change: Packet.post_build() now takes current # assembled layer and assembled payload separately. Thus the # new prototype: post_build(self, pkt payload) -> pkt. post_build() # is in charge to join current layer and payload. # Old API will work for a small transition time. # # Revision 1.0.4.16 2006/04/25 15:23:49 pbi # - added internal _iterpacket parameter to SetGen to prevent iteration over Packet instances # - bugfix: prevented iteration over Packet instances in Packet.getlayer/haslayer/show() # # Revision 1.0.4.15 2006/04/24 12:27:35 pbi # - added NetFlow v1 protocol layer (M. Geli) # # Revision 1.0.4.14 2006/04/24 11:08:53 pbi # - big ISAKMPAttributeTypes update (W. McVey) # - changed ISAKMPTransformSetField to dissectTLV attributes (W. McVey) # - changed ISAKMPTransformSetField to assemble TLV attributes # - fixed ISAKMPTransformSetField to handle broken packets # # Revision 1.0.4.13 2006/04/23 21:12:08 pbi # - big p0f update (P. Lalet) # # Revision 1.0.4.12 2006/04/20 13:10:13 pbi # - fixed a bug with alias_type in Packet.guess_payload_class() when a field exists only # in the alias class # # Revision 1.0.4.11 2006/04/20 13:07:15 pbi # - enhanced LaTeXTheme2: used \bfseries and added colors to styles fail, success and even # # Revision 1.0.4.10 2006/04/20 09:13:49 pbi # - fixed SetGen to better test int couples for intervals # # Revision 1.0.4.9 2006/04/10 05:31:11 pbi # - use None value to specify timeout must be calculated in __sr_loop() # # Revision 1.0.4.8 2006/04/09 05:40:19 pbi # - added PacketListField.do_copy() # - modified fuzz() to handle PacketListField # # Revision 1.0.4.7 2006/04/08 16:05:24 pbi # - added PacketListField whose length come from another fiekd # - changed Packet.haslayer(), Packet.getlayer() and Packet.show() to handle PacketListField # # Revision 1.0.4.6 2006/04/02 14:49:28 pbi # - modified getlayer() to accept "LAYER.field" parameters to enable format strings' % # operator to work : "dst=%(IP.dst)s dport=%(TCP.dport)04i" % pkt # # Revision 1.0.4.5 2006/04/02 13:12:10 pbi # - added __mul__() and __rmul__() operators to handle multiplication with an int # # Revision 1.0.4.4 2006/03/27 13:32:50 pbi # - added missing fileno() to PcapReader and PcapWriter # # Revision 1.0.4.3 2006/03/22 12:59:35 pbi # - use binary mode to open files (Windows needs that...) # # Revision 1.0.4.2 2006/03/22 12:42:46 pbi # - replicated packet creation time when unrolling an implicit packet # # Revision 1.0.4.1 2006/03/17 12:48:28 pbi # Release 1.0.4 # # Revision 1.0.3.34 2006/03/17 12:48:02 pbi # - added docstring for TracerouteResult.trace3D() # # Revision 1.0.3.33 2006/03/14 19:05:05 pbi # - added equality tests between two packets. # # Revision 1.0.3.32 2006/03/14 18:35:41 pbi # - added a timeout parameter to sniff() # # Revision 1.0.3.31 2006/03/14 17:48:30 pbi # - removed deprecated Packet.send() # # Revision 1.0.3.30 2006/03/14 17:46:03 pbi # - fix indentation quirk # # Revision 1.0.3.29 2006/03/14 15:12:59 pbi # - removed forgotten print in Packet.trace3D() # # Revision 1.0.3.28 2006/03/12 18:00:42 pbi # - made Packet.getlayer() and Packet.haslayer() also work with class names # - got rid of Packet.haslayer_str() # # Revision 1.0.3.27 2006/03/12 17:56:14 pbi # - improved Packet.getlayer(), Packet.haslayer() and Packet.haslayer_str() # to look into PacketFields. # # Revision 1.0.3.26 2006/03/09 22:25:00 pbi # - removed bad loop in L3PacketSocket and L2Socket when discarding outgoing packets (W. McVey) # # Revision 1.0.3.25 2006/03/09 22:15:38 pbi # - added Ctrl-Click to TracerouteResult.trace3D() to scan an IP # # Revision 1.0.3.24 2006/02/28 18:33:32 pbi # - added a "trans" parameter to colgen to handle automatic specific conversions into color object # - used colgen() in Packet.canvas_dump() # # Revision 1.0.3.23 2006/02/28 18:24:27 pbi # - removed makecol() from TracerouteResult.graph() # # Revision 1.0.3.22 2006/02/28 18:23:46 pbi # - turned makecol() TracerouteResult.graph()' internal function into colgen() generator tool # # Revision 1.0.3.21 2006/02/28 18:04:10 pbi # - added TracerouteResult.trace3D() to have a 3D traceroute visualization with VPython # # Revision 1.0.3.20 2006/02/27 18:03:46 pbi # - added get_trace() method to TraceouteResult() to extract traceroute data # # Revision 1.0.3.19 2006/02/27 15:13:36 pbi # - Fixed Dot11Beacon's fields' endianness (G. Lukas) # # Revision 1.0.3.18 2006/02/27 15:08:25 pbi # - factorised tex_escape() function from ps/pdfdump() # - added LatexTheme2 for autorun_get_latex_interactive_session() # - escape stuff in autorun_get_latex_interactive_session() # # Revision 1.0.3.17 2006/02/22 11:33:34 pbi # - added config.prog to reference external program pathes # # Revision 1.0.3.16 2006/02/22 11:19:26 pbi # - added afterglow clone attempt (http://sourceforge.net/projects/afterglow) # # Revision 1.0.3.15 2006/02/22 11:14:39 pbi # - added prog parameter to do_graph() # # Revision 1.0.3.15 2006/02/21 12:45:00 pbi # - added prog paramter to do_graph() # # Revision 1.0.3.14 2006/02/21 12:21:44 pbi # - removed hard dependancy on libreadline. Now works even if no libreadline is installed # # Revision 1.0.3.13 2006/02/19 14:06:28 pbi # - fixed show()'s indentation # # Revision 1.0.3.12 2006/02/19 13:49:18 pbi # - many docstrings corrections # # Revision 1.0.3.11 2006/02/17 16:29:38 pbi # - improved show() to use an exploded view for fields which hold packets # - added show_indent flag to Packet() that can be overloaded to 0 for layers that are followed by peers # and for whom indentation in show() is not desired # # Revision 1.0.3.10 2006/02/17 11:14:16 pbi # - changed conversation parameter to group getsrc/getdst into getsrcdst # # Revision 1.0.3.9 2006/02/17 10:57:53 pbi # - added docstrings for PacketList # # Revision 1.0.3.8 2006/02/16 15:45:51 pbi # - added docstrings to sr*(), wrpcap(), rdpcap() # # Revision 1.0.3.7 2006/02/16 15:37:44 pbi # - fixed conf.BTsocket assignment BluetoothSocket BluetoothL2CAPSocket # # Revision 1.0.3.6 2006/02/16 15:11:13 pbi # - added docstrings to many methods of Packet # # Revision 1.0.3.5 2006/02/16 14:09:07 pbi # - added BluetoothHCIsocket # - added L2socket to sniff # - added HCI_Hdr, L2CAP_Hdr layers, moved L2CAP to L2CAP_HdrCmd # # Revision 1.0.3.4 2006/02/12 01:06:52 pbi # - initialize payload's underlayer before payload's dissection # # Revision 1.0.3.3 2006/01/29 00:06:48 pbi # - added shortcut to PacketList to extract a given protocol with []. ex : lst[ICMP] # # Revision 1.0.3.2 2006/01/28 23:52:21 pbi # - removed useless (and racy) __del__() methods from PcapReader and PcapWriter # # Revision 1.0.3.1 2006/01/28 14:32:55 pbi # Release 1.0.3 # # Revision 1.0.2.37 2006/01/28 13:14:25 pbi # - tweaked ls() for add-on classes to appear in the listing # # Revision 1.0.2.36 2006/01/28 13:02:15 pbi # - replaced remaining occurences of use of display() [deprecated, use show()] # - removed URL from dummy IPv6 classes names # # Revision 1.0.2.35 2006/01/17 18:02:42 pbi # - finished Packet.canvas_dup() escape() function. Every char is correctly translated into TeX # # Revision 1.0.2.34 2006/01/15 13:15:57 pbi # -added information-request and information-response to ICMP types (J. Bowie) # # Revision 1.0.2.33 2006/01/15 13:15:16 pbi # - fixed NetBIOSNameField incorrect length calculation (J. Bowie) # # Revision 1.0.2.32 2006/01/14 16:54:29 pbi # - added missing _IPv6optionHearder dummy class # - removed useless IPv6_instace() function # # Revision 1.0.2.31 2006/01/12 11:02:51 pbi # - fixed 1.0.2.29 collision fix (s/mtu/mtu_present/) # # Revision 1.0.2.30 2006/01/11 17:45:45 pbi # - fixed endianness problems in PcapReader() # - fixed PcapReader.read_all() # - added missing try/except to PcapReader.read_packet() # - removed PcapReader.read_PacketList() (read_all() already returns a PacketList) # - removed debug "print" from PcapWriter() # - added endianness parameter in PcapWriter() # # Revision 1.0.2.29 2006/01/11 17:00:01 pbi # - added Solaris support (wit help from S. Despret) # - added Solaris missing IPPROTO_GRE # - changed read_routes() to work with Solaris netstat # - fixed read_route() local variable collision (mtu became mtu_present) # - changed variable fl to flg # # Revision 1.0.2.28 2006/01/05 17:49:17 pbi # - re-added indentation in Packet.show(). Can be tweaked with "indent" parameter # # Revision 1.0.2.27 2006/01/04 15:04:17 pbi # - added missing try/except arround dissection in rdpcap() # # Revision 1.0.2.26 2005/12/23 00:51:51 pbi # - strengthened DNS disassembly # # Revision 1.0.2.25 2005/12/23 00:11:09 pbi # - have scapy work if Python IPv6 support is not compiled in socketmodule # # Revision 1.0.2.24 2005/12/23 00:08:50 pbi # - aliased socket.inet_ntoa into local namespace for consistency with other ?to? # # Revision 1.0.2.23 2005/12/22 17:58:08 pbi # - fixed and enhanced autorun_commands() # # Revision 1.0.2.22 2005/12/21 23:00:16 pbi # - fixed bug introduced by fix 1.0.2.19 on _ # # Revision 1.0.2.21 2005/12/21 22:58:45 pbi # - added Packet.get_field() to get a field instance from its name # - modified some fields to use Packet.get_field() instead of a complex operation # # Revision 1.0.2.20 2005/12/19 12:43:52 pbi # - added FieldListField to create arrays of fields whose number is given in a FieldLenField # # Revision 1.0.2.19 2005/12/18 22:46:35 pbi # - fixed uninitialized _ in autorun_commands() # # Revision 1.0.2.18 2005/12/17 11:27:05 pbi # - Changed ColorTheme class be usable # - Added NoTheme class # - added autorun_get_text_interactive_session() # - added autorun_get_ansi_interactive_session() # - added autorun_get_latex_interactive_session() (miss some special chars filtering) # # Revision 1.0.2.17 2005/12/15 15:13:58 pbi # - IPv6 migration step 1: integrate some IPv6 routing stuff for IPv6 fork to work # as an add-on # # Revision 1.0.2.16 2005/12/07 18:02:26 pbi # - added fallbacks if tcpdump can't be run and libpcap is not used # # Revision 1.0.2.15 2005/12/07 17:44:11 pbi # - fixed socket filter pushing for x86_64 arch. (W. Robinet) # # Revision 1.0.2.14 2005/12/06 16:41:30 pbi # - added conf.check_TCPerror_seqack (default 0) to relax ICMP error matching for TCP # packets (some broken PIX play with sequence numbers and forget to tidy them up) # # Revision 1.0.2.13 2005/11/27 00:09:30 pbi # - added code to run interactive sessions automatically # # Revision 1.0.2.12 2005/11/26 11:33:55 pbi # - catch exceptions in ColorPrompt from bad color theme to avoid # program termination # # Revision 1.0.2.11 2005/11/26 11:10:44 pbi # - added class HTMLTheme2 with trigram instead of '<' and '>' to easily convert others into < and > # # Revision 1.0.2.10 2005/11/20 16:23:01 pbi # - improved a bit error handling of import dnet/pcap # - made INFO messages for missing files a bit more clear # # Revision 1.0.2.9 2005/11/19 08:39:09 pbi # - handle API change between pylibpcap 0.4 and 0.5 # # Revision 1.0.2.8 2005/11/17 11:05:56 pbi # - changed Packet.sprintf() format string specificator to accept only the # field name and take the currend layer # # Revision 1.0.2.7 2005/11/17 10:24:53 pbi # - added onlyasc parameter to linehexdump() # - added onlyasc parameter to fragleak() and fragleak2() # # Revision 1.0.2.6 2005/11/15 04:55:11 pbi # - added Packet.command() to go from a packet instance to the Scapy command to generate it # # Revision 1.0.2.5 2005/11/15 03:04:51 pbi # - write history in an atexit registered function # # Revision 1.0.2.4 2005/11/15 02:58:44 pbi # - fixed Enum fields for them to work with lists of values # # Revision 1.0.2.3 2005/11/09 19:56:42 pbi # - added a ColorTheme.__repr__() to fix objects that used it, like conf object! # # Revision 1.0.2.2 2005/11/09 18:26:57 pbi # - fixed itom() to return positive values even for big endian platforms # - fixed RandIP default __init__ parameter to be 0.0.0.0/0 instead of 0/0 # # Revision 1.0.2.1 2005/11/07 14:04:39 pbi # release 1.0.2 # # Revision 1.0.1.13 2005/11/07 14:00:54 pbi # - fixed Dot11Auth.seqnum to be little endian # - added Dot11Auth.answers() # # Revision 1.0.1.12 2005/11/07 13:39:31 pbi # - fixed some stuff in the LaTeX color theme # # Revision 1.0.1.11 2005/11/07 13:38:36 pbi # - added timeout parameter to fragleak() # - created fragleak2() # # Revision 1.0.1.10 2005/11/07 13:37:20 pbi # - fixed LLC/SNAP binding to overload LLC.ctrl with 3 # # Revision 1.0.1.9 2005/11/07 13:35:12 pbi # - changed Dot11.summary() to show src > dst # - added Dot11.answers() # # Revision 1.0.1.8 2005/11/07 13:33:43 pbi # - added DNS.answsers() # # Revision 1.0.1.7 2005/11/07 13:33:19 pbi # - added SignedIntField() and LESignedIntField # - converted PrismHeader's "signal" field to signed # # Revision 1.0.1.6 2005/11/01 12:22:02 pbi # - added hint_iface parameter to sendp() # - used hint_iface in arpcachepoison() # # Revision 1.0.1.5 2005/10/31 12:29:09 pbi # - added ConditionalField to wrap a field and apply a condition to its presense # - added NewDefaultValues metaclass to create new Packet classes from old ones # with new default default values # - added GRE protocol from rfc2784. (need more work for rfc1701) # # Revision 1.0.1.4 2005/10/27 15:12:32 pbi # - created VolatileValue class to handle volatile values like RandomField # - redesigned inheritence of random fields arround VolatileValue # - added DelayedEval() volatile value # # Revision 1.0.1.3 2005/10/27 14:59:11 pbi # - Changed color themes handling. Now LatexTheme and HTMLTheme are not ugly hacks anymore. # # Revision 1.0.1.2 2005/10/26 16:15:06 pbi # - added CharEnumField() # - declared s2i and i2s in EnumField before calling superclass' contructor # # Revision 1.0.1.1 2005/10/25 07:49:35 pbi # Release 1.0.1 # # Revision 1.0.0.61 2005/10/25 07:48:48 pbi # - added rebuild option to Packet.p{s|df}dump() to dump a packet as-is # # Revision 1.0.0.60 2005/10/23 18:20:30 pbi # - PacketList.sr() return ( (matched couples), (unmatched packets) ) from the packet list # # Revision 1.0.0.59 2005/10/23 17:15:34 pbi # - added layer_shift option to every p{s|df}dump() method to explode hexa dump by layers # # Revision 1.0.0.58 2005/10/23 17:09:29 pbi # - return a loopback route when no default route is present. XXX: linux specific! # # Revision 1.0.0.57 2005/10/23 17:07:59 pbi # - split bind_layers() into bind_top_down() and bind_bottom_up() # # Revision 1.0.0.56 2005/10/23 16:57:26 pbi # - fixed dissection errors exception management when conf.debug_dissector is true # # Revision 1.0.0.55 2005/10/23 16:56:00 pbi # - made MACField's default value to be "00:00:00:00:00:00" # - fixed DestMACField's default value to be "ff:ff:ff:ff:ff:ff" # # Revision 1.0.0.54 2005/10/23 16:54:00 pbi # - fixed Field.randval() to work with string formats and modifiers # - fixed fuzz() not to overload default value if field's proposed randval is None # # Revision 1.0.0.53 2005/10/17 16:03:36 pbi # - uniformized to "lfilter" the paramter name for lambda expressions used as filters # - removed a superfluous line in crc32() # # Revision 1.0.0.52 2005/10/15 13:17:18 pbi # - AutoTime() and IntAutoTime() classes that give a field a time dependant value # - PacketList.timeskew_graph() should work on SndRcvList() # # Revision 1.0.0.51 2005/10/08 20:52:45 pbi # - added StreamSocket supersocket to emulate a datagram socket on a stream # socket that supports MSG_PEEK and whose base layer class knows its own size # and put the remaining in Padding() # # Revision 1.0.0.50 2005/10/08 12:46:56 pbi # - remove useless routes in netstat -rn output (P. Lalet) # # Revision 1.0.0.49 2005/10/08 12:41:23 pbi # - fixed netmask calculations (P. Lalet) # # Revision 1.0.0.48 2005/10/08 11:21:28 pbi # - use color for packet numbering in nsummary() et al. # # Revision 1.0.0.47 2005/10/06 12:57:25 pbi # - fixed MAC addresses calculation when IP is a Gen() instance (G. Valadon) # # Revision 1.0.0.46 2005/10/06 12:44:51 pbi # - added route.get_if_bcast() to get interface's broadcast address (F. Raynal) # - added a check in getmacbyip() to give a broadcast MAC for a broadcast IP # - added sndrcv() (thus sr*() family) "multi" parameter to accept many answers # from one stimulus. (If stimulus uses a broadcast dst address, you'll need # to set conf.checkIPaddr=0) # # Revision 1.0.0.45 2005/10/06 12:03:46 pbi # - changed sys.exit() into os._exit() in sndrcv() to prevent children to flush files buffers # that would be written a second time by the parent (SJ Murdoch) # # Revision 1.0.0.44 2005/10/06 11:44:48 pbi # - worked arround (I hope) all FreeBSD/MacOS/pcap issues (look at pcap_get_selectable_fd() note of pcap8 manpage). # Thus no more active waits or unseen packets. Still problems to interrupt a capture with ^C on some FreeBSD kernels :( # # Revision 1.0.0.43 2005/10/05 11:51:33 pbi # - added nofilter option to supersockets to handle ethertype filtering for non-linux stuff # and for ARP resolution to bypass conf.except_filter # # Revision 1.0.0.42 2005/10/05 11:28:14 pbi # - added RandMAC() # - added early support for fuzzing # - added fuzz() # # Revision 1.0.0.41 2005/10/05 11:14:57 pbi # - modified Packet.__iter__ to also evaluate random defaults fields # # Revision 1.0.0.40 2005/10/05 11:11:56 pbi # - filtered more characters for LaTeX in ps/pdf dump # - removed character that has magically appeared in DHCP_am # # Revision 1.0.0.39 2005/10/05 11:08:32 pbi # - fixed StrFixedLenField.addfield() # # Revision 1.0.0.38 2005/10/05 11:06:51 pbi # - overloaded RandFields repr() to give the class name # - added RandLong() # - added RandBin() to be RandString() for all chars # - added RandTermString() # - added RandIP default template to be "0/0" # # Revision 1.0.0.37 2005/10/05 11:01:20 pbi # - more tests in DHCP_am.make_reply() to handle garbage in # # Revision 1.0.0.36 2005/09/24 14:37:51 pbi # - added a "padding" option to TracerouteResult.graph() to show routers that pad # # Revision 1.0.0.35 2005/09/24 14:32:40 pbi # - added Packet.psdump() and Packet.pdfdump() # - added PacketList.psdump() and PacketList.pdfdump() # # Revision 1.0.0.34 2005/09/24 14:30:15 pbi # - ability to change the BPF filter in traceroute() # # Revision 1.0.0.33 2005/09/24 14:29:30 pbi # - completed PrismHeader layer # # Revision 1.0.0.32 2005/09/24 14:27:27 pbi # - deprecated "packet.haslayer(l)" by "l in Packet" # - deprecated "Packet.getlayer(l)" by "Packet[l]" # # Revision 1.0.0.31 2005/09/24 14:25:01 pbi # - better error message if gnuplot wrapper is missing # - fixed subclass test in dissection error treatment # - fixed Dot11Elt summary # - fixed __sr_loop() to prevent stats calc if no packet have been received # - fixed sniff() to break loop at the end of reading a file (offline optoin) # # Revision 1.0.0.30 2005/09/13 16:03:47 pbi # - added Dot11Elt.mysummary() for SSID displaying # - fixed Enum*.i2repr() # # Revision 1.0.0.29 2005/09/13 16:02:35 pbi # - fix build of packets with more than one padding # # Revision 1.0.0.28 2005/09/12 16:14:41 pbi # - new hexdump() which displays offsets # # Revision 1.0.0.27 2005/09/12 14:56:31 pbi # - new summary() and mysummary() semantic (backward compatible!) to enable more than one class to be expanded. # The higher gives its dependances along with its own summary # # Revision 1.0.0.26 2005/09/12 14:03:10 pbi # - added ip.dst in ICMP summary() # # Revision 1.0.0.25 2005/09/12 13:25:22 pbi # - added post_dissection() method, called at the end of the dissection, when the packet is ready # - added default_payload_class() called when layer bonds are not sufficient # - improved/fixed conf.debug_dissector() which failed when guess_payload_class() returned None # # Revision 1.0.0.24 2005/09/08 14:13:36 pbi # - added RandIP() # # Revision 1.0.0.23 2005/09/08 05:29:23 pbi # - added conf.debug_dissecto checks where it was missing in SuperSockets # - Slice pcap object only once we know its not None ! (N. Peterson) # # Revision 1.0.0.22 2005/09/06 17:08:47 pbi # - made AnsweringMachine() callable instead of using the run() method # # Revision 1.0.0.21 2005/09/06 17:05:19 pbi # - new logging/warning facility using the logging module # # Revision 1.0.0.20 2005/08/28 18:01:12 pbi # - 802.11 tweaks # # Revision 1.0.0.19 2005/08/28 18:00:14 pbi # - added Packet.decode_payload_as() # # Revision 1.0.0.18 2005/08/28 17:51:05 pbi # - Added XShortEnumField() # # Revision 1.0.0.17 2005/08/17 18:11:13 pbi # - fixed crc32() computation for big endian systems # # Revision 1.0.0.16 2005/08/17 12:54:47 pbi # - fix regression introduced in 1.0.0.4 (netstat parsing) # # Revision 1.0.0.15 2005/08/16 17:00:35 pbi # - fixed socket creation/attach filter race condition for L2Socket and L3PacketSocket. # No more packets shoud go through the filter. # # Revision 1.0.0.14 2005/08/16 16:58:59 pbi # - don't return outgoing packets in L2Socket and L3PacketSocket # - L2Socket and L3PacketSocket don't catch the exception if conf.dissector=1 # # Revision 1.0.0.13 2005/08/16 16:56:09 pbi # - enhanced Packet.summary() code # # Revision 1.0.0.12 2005/08/16 16:53:31 pbi # - keep tcp/udp ports numeric in traceroute result # # Revision 1.0.0.11 2005/08/15 09:27:45 pbi # - added NTP.mysummary() # # Revision 1.0.0.10 2005/08/15 09:18:56 pbi # - fixed Ether.summary() (P. Lalet) # # Revision 1.0.0.9 2005/08/10 22:18:25 pbi # - moved code to build answering machines' functions into a metaclass # # Revision 1.0.0.8 2005/08/10 20:05:45 pbi # - added MobileIP protocol (rfc3344 and friends) (B. Andersson) # # Revision 1.0.0.7 2005/08/10 20:01:56 pbi # - changed Ether.mysummary() (P. Lalet) # - Update of Sebek protocols (P. Lalet) # # Revision 1.0.0.6 2005/08/10 19:53:19 pbi # - fix problem in declaraion of answering machine functions # # Revision 1.0.0.5 2005/08/10 15:43:03 pbi # - added resolution of numbers from /etc/ethertypes, /etc/protocols and # /etc/services (P. Lalet) # - tweaked some mysummary() accordingly # # Revision 1.0.0.4 2005/08/10 14:48:06 pbi # - Better netstat parsing for OpenBSD (P. Lalet) # # Revision 1.0.0.3 2005/08/10 14:41:21 pbi # - fixed regression introduced by previous patch : Gen and Packet are not # classes anymore but types. # # Revision 1.0.0.2 2005/08/09 21:40:57 pbi # - added ChangeDefaultValues metaclass to easily make a variant of a protocol # # Revision 1.0.0.1 2005/08/09 18:30:10 pbi # Release 1.0.0 # # Revision 1.0 2005/08/09 18:26:09 pbi # 1.0 release # # Revision 0.9.17.110 2005/08/09 18:19:17 pbi # - nothing # # Revision 0.9.17.109 2005/08/08 13:57:16 pbi # - replaced use of __builtins__ by globals() # - promiscuous mode is now default mode # - added HTML color theme # # Revision 0.9.17.108 2005/08/05 14:12:48 pbi # - fix: IP fragmentation offset needs to be 0 for payload to be decoded # (actually fixed in 0.9.17.106) # # Revision 0.9.17.107 2005/08/05 14:04:03 pbi # - added 'filter' parameter to PacketList.padding() # - added PacketList.nzpadding() method # - added 'lfilter' parameter to sniff() # # Revision 0.9.17.106 2005/08/05 14:02:19 pbi # - removed scapy module reloading to prepare interactive mode # - tweaked interact() function, now fully functionnal # # Revision 0.9.17.105 2005/07/20 16:24:06 pbi # - small fix nmap database class # # Revision 0.9.17.104 2005/07/20 16:22:51 pbi # - modified Packet.guess_payload_class() semantic : added the payload as parameter # - fixed TCP.answers() to take in account length of payload # - added timeout arg to arping() # # Revision 0.9.17.103 2005/06/07 10:18:27 pbi # - added a try/catch for get_if_hw_addr # - fixed the netstat parsing for OpenBSD # - changed Dot11WEP's key ID field from "key" to "keyid" # # Revision 0.9.17.102 2005/06/07 09:54:51 pbi # - added LEShortEnumField # - added L2CAP layer # - added Bluetooth supersocket # - added srbt() and srbt1() # # Revision 0.9.17.101 2005/05/30 17:21:48 pbi # - Fixes for 0.9.17.100 # # Revision 0.9.17.100 2005/05/30 17:08:41 pbi # - added NetBIOS, SMB & Co support (Sebastien Chenevot & Sylvain Sarmejeanne) # # Revision 0.9.17.99 2005/05/28 14:28:40 pbi # - WEP support and ICV computation # # Revision 0.9.17.98 2005/05/27 23:05:35 pbi # -fixed a smlal bug in graphic traceroute # # Revision 0.9.17.97 2005/05/27 19:53:04 pbi # - added WEP ciphering to Dot11WEP # # Revision 0.9.17.96 2005/05/25 15:15:10 pbi # - ability to give a WEP key as an argument to unwep() # # Revision 0.9.17.95 2005/05/25 15:05:03 pbi # - fixed pcap supersockets warnings # # Revision 0.9.17.94 2005/05/25 15:01:24 pbi # - fixed/cleaned ISAKMP # # Revision 0.9.17.93 2005/05/25 15:00:34 pbi # - fixed Packet.remove_underlayer() args # - fixed FieldLenField # - added Atheros Prism Header linktype # # Revision 0.9.17.92 2005/05/18 16:59:32 pbi # - some voip_play() stuff # # Revision 0.9.17.91 2005/05/18 16:59:01 pbi # - added BIOCIMMEDIATE option to fix BSD's BPF/pcap/select() behaviour issues # - made PCAP/DNET the default mode, even for Linux (it seems quicker) # # Revision 0.9.17.90 2005/05/18 16:57:07 pbi # - purge ARP cache when changing IP address of an interface # - fixed loopback interface detection get_if_raw_hwaddr() for dnet # - changed a bit Dot11PacketList behaviour # - fixed build() overload by EAP class # - fixed close()/recv() mix up in L2pcapListenSocket # # Revision 0.9.17.89 2005/05/03 19:18:22 pbi # - DNET/PCAP stuff reordering # # Revision 0.9.17.88 2005/05/03 00:10:12 pbi # - made Padding not be seen as a payload # # Revision 0.9.17.87 2005/04/29 22:37:39 pbi # - added L2 recognition for L2pcapListenSocket # - workarround for a bug in libpcap/wrapper?. .next() sometimes returns None # - added consistant get_if_addr() and get_if_raw_addr() # - added ifadd(), ifdel() and ifchange() methods to Route class # # Revision 0.9.17.86 2005/04/27 21:14:24 pbi # - small code cleaning # # Revision 0.9.17.85 2005/04/27 13:53:32 pbi # - early BSD port with libdnet and libpcap wrappers # # Revision 0.9.17.84 2005/04/24 14:57:45 pbi # - added a usable geolocation database from GeoIP. # # Revision 0.9.17.83 2005/04/24 10:34:57 pbi # - fixed fragment() (Peter Hardy) # # Revision 0.9.17.82 2005/04/23 15:29:21 pbi # - fixed sndrcv() when given an empty set of packets # # Revision 0.9.17.81 2005/04/23 13:55:32 pbi # - Some Sebek layers fixes (Pierre Lalet) # # Revision 0.9.17.80 2005/04/23 13:43:16 pbi # - Early IrDA support (Pierre Lalet) # # Revision 0.9.17.79 2005/04/23 13:42:34 pbi # - fixed SebekV1 and SebekV2 (Pierre Lalet) # # Revision 0.9.17.78 2005/04/23 13:41:33 pbi # - fixed BitField (Pierre Lalet) # # Revision 0.9.17.77 2005/04/23 13:36:15 pbi # - added threshold for warnings # # Revision 0.9.17.76 2005/04/23 11:27:51 pbi # - Renamed SndRcvAns into SndRcvList # # Revision 0.9.17.75 2005/04/23 11:26:12 pbi # - added color display in srloop() # # Revision 0.9.17.74 2005/04/22 13:30:10 pbi # - fixed dhcp_request() # - changed make_table semantic : take one lambda instead of 3 # - fixed import_hexcap() # - fixed StrLenField # - changed traceroute() and arping() to also return unanswered packets # - ls() now sorts its output alphabetically # - LaTeX color theme for straight copy/paste into your doc. # # Revision 0.9.17.73 2005/04/15 15:56:08 pbi # - fixed ARP.answers()' return value # - made TracerouteResult.graph() use both ASN information source # # Revision 0.9.17.72 2005/04/09 22:25:23 pbi # - fix route.route() to handle extended IP sets (ex. 192.168.*.1-5) # - generalised statistics in packet lists # - added Dot11PacketList() # - added some DHCP options # - fixes in DHCP options building # - modified unwep() to decrypt a WEP packet if it was not already done # # Revision 0.9.17.71 2005/04/06 10:49:11 pbi # - forgotten debug msg in Net() # # Revision 0.9.17.70 2005/04/04 17:58:15 pbi # - modified Net() to recognize things like 172.16.*.1-10 # # Revision 0.9.17.69 2005/04/04 14:24:00 pbi # - fix DHCP # - added dhcp_request() # # Revision 0.9.17.68 2005/03/28 22:18:04 pbi # - first attempt with time skew graphing # # Revision 0.9.17.67 2005/03/28 22:17:44 pbi # - use gzip compression for load_object/save_object # - made RandNum() and Emph() pickable # - changed prompt color in default color theme # # Revision 0.9.17.66 2005/03/28 14:30:01 pbi # - more DHCP work # # Revision 0.9.17.65 2005/03/28 14:29:03 pbi # - first attempt to generate libnet C code from a packet # # Revision 0.9.17.64 2005/03/28 14:28:20 pbi # - forgot to delete temporary variables in scapy's global scope # # Revision 0.9.17.63 2005/03/28 14:22:38 pbi # - added colors, color themes, colored prompt # # Revision 0.9.17.62 2005/03/24 16:19:33 pbi # - made it possible to use a PacketList as a parameter for send* or sr* # # Revision 0.9.17.61 2005/03/23 18:27:06 pbi # - used init_cookie for ISAKMP.answers() # - raised an exception in route.make_route if parameters are incomplete # # Revision 0.9.17.60 2005/03/23 17:07:56 pbi # - fixed session loading with -s # - prevented save_session() to trash current session # - changed AnsweringMachine to make send_reply() a bit more generic # # Revision 0.9.17.59 2005/03/22 16:52:44 pbi # - added _elt2show() to PacketList # - changed PacketList.show() to use _elt2show() # # Revision 0.9.17.58 2005/03/22 16:21:39 pbi # - added conversation() to PacketList # - added padding() to PacketList # - fixed StrNullField # - added haslayer_str() to Packet # - changed Packet.sprintf() to use haslayer_str # - changed answers() to ask payload if same class as other # - add count parameter to rdpcap # # Revision 0.9.17.57 2005/03/16 14:18:28 pbi # - added StrNullField # # Revision 0.9.17.56 2005/03/14 18:14:28 pbi # - LLNumTypes fix # - Added linktype recognition to PcapWriter class # # Revision 0.9.17.55 2005/03/14 17:59:23 pbi # - indentation cosmetic fix # # Revision 0.9.17.54 2005/03/14 17:53:56 pbi # - wrpcap() now writes the correct linktype in the pcap file # # Revision 0.9.17.53 2005/03/14 17:22:23 pbi # - added ISAKMP transforms decoding # # Revision 0.9.17.52 2005/03/14 16:40:58 pbi # - added ikescan() # - added ISAKMPTransformField # - fixed PacketList's private methods names do begin only with one "_" # # Revision 0.9.17.51 2005/03/14 13:03:11 pbi # - added a prn parameter to PacketList's summary() and nsummary() # # Revision 0.9.17.50 2005/03/14 12:56:24 pbi # - make internal methods of PacketResult begins with __ # # Revision 0.9.17.49 2005/03/14 12:52:41 pbi # - Deprecated display() method (for all objects). Use show() instead. # # Revision 0.9.17.48 2005/03/14 12:48:29 pbi # - Modified PacketField to stop at Padding instead of Raw # - Added PacketLenField # - More ISAKMP rework. Almost working. # # Revision 0.9.17.47 2005/03/14 10:20:49 pbi # - added unwep() method to Dot11 packets # - fixed 4 missing bytes in Dot11WEP # # Revision 0.9.17.46 2005/03/08 17:56:49 pbi # - added a possibility to give a hint for srp() to choose the intended interface # - added is_promisc() to find boxes in promisc mode (will not always work) (Javier Merino) # # Revision 0.9.17.45 2005/03/08 17:21:14 pbi # - added PacketField # - ISAKMP work # # Revision 0.9.17.44 2005/03/06 17:50:06 pbi # - changed PCAP and DNET defaults # # Revision 0.9.17.43 2005/03/03 17:15:26 pbi # - ISAKMP work # # Revision 0.9.17.42 2005/03/02 18:09:00 pbi # - added make_world_trace() method to TracerouteResult for a xtraceroute-like # # Revision 0.9.17.41 2005/02/20 22:33:55 pbi # - Sebek protocol definitions enhancements (Pierre Lalet) # # Revision 0.9.17.40 2005/02/20 22:31:49 pbi # - added ARP answering machine (farpd) (Pierre Lalet) # # Revision 0.9.17.39 2005/02/20 22:22:23 pbi # - Graphic traceroute enhanced to cope with TCP, UDP, ICMP or other traceroutes # - ASN clustering in graphic traceroute can be controlled with the "ASN" parameter # # Revision 0.9.17.38 2005/02/18 21:03:26 pbi # - MGCP early support # - RandString() # # Revision 0.9.17.37 2005/02/10 22:33:13 pbi # - export_object()/import_object() to copy/paste base64 gzipped pickled objects # - prevent save_session from deleting unpicklable objects # - added hexdump() and hexraw() methods to PacketList object # - Raw packet answers any Raw packet # - added conf.checkIPaddr to recognize broadcast replies (BOOTP/DHCP) # # Revision 0.9.17.36 2005/02/02 22:39:48 pbi # - added GPRS dummy packet class # # Revision 0.9.17.35 2005/01/29 00:29:25 pbi # - added l4 parameter to traceroute() for UDP, ICMP and other layer 4 traceroutes # - tweaked TracerouteResult display() # # Revision 0.9.17.34 2005/01/26 23:43:19 pbi # - removed some outdated functions # # Revision 0.9.17.33 2005/01/26 23:41:58 pbi # - small simplification of TracerouteResult display() thanks to new sprintf() # conditionnal statement # # Revision 0.9.17.32 2005/01/26 23:12:59 pbi # - added conditionnal statements in format strings # # Revision 0.9.17.31 2005/01/26 22:30:36 pbi # - removed an uneeded "else" in sprintf() # # Revision 0.9.17.30 2005/01/22 22:25:24 pbi # - re-added node coloring lost code line in traceroute graphing code # # Revision 0.9.17.29 2005/01/22 21:48:55 pbi # - fixed need for warning() before it was declared # # Revision 0.9.17.28 2005/01/22 21:47:11 pbi # - added ARPingResult to handle arping() results # - moved ARPing displaying logic to ARPing object # # Revision 0.9.17.27 2005/01/22 21:42:59 pbi # - added args todo_graph() # - added TracerouteResults object to handle traceroute results # - moved traceroute displaying logic to TracerouteResult object # - moved traceroute graphing logic to TracerouteResult object # # Revision 0.9.17.26 2005/01/20 22:59:07 pbi # - graph_traceroute : added AS clustering, colors, tweaks # # Revision 0.9.17.25 2005/01/17 22:10:58 pbi # - added do_graph() to draw GraphViz graphs using SVG output, displayed with ImageMagick # - added graph_traceroute() to make a graph from multiple traceroutes # - added timeout parameter to traceroute() # # Revision 0.9.17.24 2005/01/13 14:25:00 pbi # - added Sebek v1 and v2 protocols (Pierre Lalet) # # Revision 0.9.17.23 2005/01/10 21:55:14 pbi # - addded promisc and iface parameters to L3RawSocket # # Revision 0.9.17.22 2004/12/26 18:07:43 pbi # - Improved PacketList with stability by addition and slicing # - Added plot() to PacketList using Gnuplot # - Added StrStopField # - Added conf.debug_disssector to prevent dissector's exception from being catched # - Added CookedLinux packet type # - Show linktype number when it is unknown # # Revision 0.9.17.21 2004/12/26 16:04:57 pbi # - removed strace in soxmix command line # - DHCP support (from Mattias Wadman) # - added missing make_table to PacketList class # - have UDP class asks its payload for answers() # # Revision 0.9.17.20 2004/12/01 17:13:28 pbi # - Early WEP support # - voip_play() tweaks # - Added LEShortField for Dot11 SC field # # Revision 0.9.17.19 2004/10/18 13:42:50 pbi # - HSRP early support # - Cisco CSSP Skinny early support # - added Little Endian IntEnumField # - added filter() method to PacketList # - some voip_play() work # - loop parameter value in send*() is used as the time to sleep between 2 loops # # Revision 0.9.17.18 2004/09/21 21:45:20 pbi # - added recv() method to PcapReader to emulate a SuperSocket # - added "offline" parameter to sniff() to use sniff on pcap files # - removed voip_play_offline() and renamed voip_play_sniff() to voip_play() # which is now available to play offline # # Revision 0.9.17.17 2004/09/21 21:32:41 pbi # - added early PPPoE support (Ralf Ertzinger) # - fixed DNS summary() to handle empty queries or answers # # Revision 0.9.17.16 2004/09/21 14:58:15 pbi # - added VOIP playing functions (not tested) # # Revision 0.9.17.15 2004/09/17 22:00:47 pbi # - transfert traceroute() and arping() options to sndrcv() ("retry", etc.) # - fixed retry option in sndrcv() # - tweaked AnweringMachine class # - rewrited airpwn to use AnsweringMachine # # Revision 0.9.17.14 2004/09/13 16:57:01 pbi # - added loopback routing # # Revision 0.9.17.13 2004/09/12 21:44:45 pbi # - AnsweringMachine working as I wanted! # # Revision 0.9.17.12 2004/09/10 16:54:46 pbi # - AnsweringMachine twaking # - added DNS spoofing answering machine # # Revision 0.9.17.11 2004/09/08 13:42:38 pbi # - renamed ScapyPcapWriter class to PcapWriter # - added linktype parameter to PcapWriter (William McVey) # - added PcapReader class (William McVey) # # Revision 0.9.17.10 2004/09/08 13:06:01 pbi # - added some text correspondances to Radius code field # # Revision 0.9.17.9 2004/09/06 14:28:02 pbi # - early radius support # # Revision 0.9.17.8 2004/09/06 14:17:11 pbi # - added "store" parameter to sniff() # - added AnsweringMachine class to handle request/response protocols # - replaced bootpd by a AnsweringMachine subclass # - created DHCP answering machine draft # # Revision 0.9.17.7 2004/09/03 22:11:35 pbi # - finished airpwn() # # Revision 0.9.17.6 2004/08/13 16:49:51 pbi # - added first version of airpwn() clone # # Revision 0.9.17.5 2004/08/11 15:25:08 pbi # - added RIP protocol # # Revision 0.9.17.4 2004/08/09 14:00:20 pbi # - added gzip support to sessions saving # - can force pickle protocol to inferior values for pickle backward compatility # # Revision 0.9.17.3 2004/08/07 10:59:34 pbi # - fixed self reloading when launched from a different directory # - fixed session reloading problems with PacketList() and SndRcvAns() # - added load_session(), save_session(), update_session() # # Revision 0.9.17.2 2004/07/28 21:16:12 pbi # - added nsummary() method to SndRcvList() class # # Revision 0.9.17.1 2004/07/26 19:52:55 pbi # Release 0.9.17 # # Revision 0.9.16.18 2004/07/26 19:50:16 pbi # - added ScapyPcapWriter class (William McVey) # # Revision 0.9.16.17 2004/07/26 19:24:48 pbi # - do not need to be named 'scapy.py' anymore # - use of PacketList() for rdpcap() and sniff() # - fixed a bug in StrFixedLenField # - early IKE and ISAKMP support # # Revision 0.9.16.16 2004/07/16 15:39:37 pbi # - small fix on bootpd # # Revision 0.9.16.15 2004/07/10 13:13:25 pbi # - finished testing ethertype in supersockets to decide wether or not to apply BPF filters # # Revision 0.9.16.14 2004/07/10 13:06:38 pbi # - do not apply any BPF filter if ethertype is given to a supersocket (so that ARP requests will work # whatever the conf.except_filter value is) # # Revision 0.9.16.13 2004/07/09 09:11:15 pbi # - changed the header and blocked the licence to GPLv2 only # # Revision 0.9.16.12 2004/07/09 09:07:41 pbi # - added an independant routing table (conf.route) and methods to manipulate it # - tweaked results stats # # Revision 0.9.16.11 2004/07/05 22:43:49 pbi # - wrapper classes for results presentations and manipulation # - sndrcv() retry auto adjustment when giving a negative value # # Revision 0.9.16.10 2004/07/05 08:53:41 pbi # - added retry option to sndrcv() # - improved debug class # - added ottl() and hops() methods for IPTools class # - improved UDP and ICMP summary() # # Revision 0.9.16.9 2004/06/07 16:09:21 pbi # - fix again TCP.answers() and TCPerror.answers() # # Revision 0.9.16.8 2004/06/07 16:06:27 pbi # - fixed conf.checkIPsrc behaviour of answers() and hashret() for TCP/UDP/TCPerror/UDPerror # - added conf.debug_match to keep track of unanswered packets in debug.sent and debug.recv # # Revision 0.9.16.7 2004/06/07 09:20:43 pbi # - added LEIntField and StrFixedLenField # - added partial PrismHeader support # # Revision 0.9.16.6 2004/04/29 15:46:19 pbi # - fixed fragment() # # Revision 0.9.16.5 2004/03/31 09:24:43 pbi # - fix nmap fingerprint db parsing to handle the new format (Jochen Bartl) # # Revision 0.9.16.4 2004/03/23 08:45:10 pbi # - Support for reading big endian pcap files (Pekka Pietikainen) # # Revision 0.9.16.3 2004/02/28 11:12:12 pbi # - got rid of some future warnings (N. Bareil ) # - improved BitField() for arbitrary length bit fields (N. Bareil ) # - NTP protocol (N. Bareil ) # # Revision 0.9.16.2 2004/02/22 17:49:51 pbi # added first sketch of a bootp daemon: bootpd() # # Revision 0.9.16.1 2004/01/26 18:01:00 pbi # Release 0.9.16 # # Revision 0.9.15.15 2004/01/26 18:00:08 pbi # - added more text for DNS codes # # Revision 0.9.15.14 2004/01/15 13:24:48 pbi # - fixed the case where IP field is a list of nets # - randomize IPID in traceroute() to work better with conf.checkIPsrc=0 # - added make_tex_table() and make_lined_table() # - added IPID_count() to identify machines with their IPID # - added sport and dport args to fragleak() # # Revision 0.9.15.13 2004/01/11 11:47:07 pbi # - srploop() and srloop() improvements # # Revision 0.9.15.12 2004/01/11 01:28:21 pbi # - srloop() and srploop() improvements # # Revision 0.9.15.11 2004/01/11 01:07:05 pbi # - srloop() and srploop() improvements # # Revision 0.9.15.10 2004/01/10 23:42:58 pbi # - added srloop() and srploop() functions # # Revision 0.9.15.9 2004/01/10 23:40:51 pbi # - added # # Revision 0.9.15.8 2004/01/09 16:42:42 pbi # - improved send() and sendp() with parameters loop and verbose # # Revision 0.9.15.7 2004/01/09 16:04:07 pbi # - fixed ARP opcodes values # # Revision 0.9.15.6 2004/01/09 15:53:46 pbi # - added RARP and IARP req/resp description in ARP operation Enum field # # Revision 0.9.15.5 2003/12/19 15:54:30 pbi # - added checkIPID and checkIPsrc options in conf to recognize IP in ICMP errors from broken IP stacks (see conf.__doc__) # - changed default TCP source port to 20 (Muahahahah!) # - tweaked TCP summary # - changed default UDP source and destination ports to 53 # - created import_hexcap() to copy-paste an hexcap from tcpdump -xX, and get a string to feed IP() or ARP() or whatever # - created make_table() to present results in a table from a list, and functions that map the list to x,y and z=f(x,y). # # Revision 0.9.15.4 2003/10/30 16:11:41 pbi # - little enhancements to the DNS packets # - added dyndns_add() and dyndns_del() (rfc2136) # - fixed a format string error (3 times) # # Revision 0.9.15.3 2003/10/16 10:41:42 biondi # - redesign summary() method # - fixed Dot11 addresses fields # # Revision 0.9.15.2 2003/10/15 14:41:09 biondi # - caching format size (calcsize()) in Field main class # - allow first packet desassembly to fail in SuperSockets, falling back to Raw # # Revision 0.9.15.1 2003/10/02 15:24:29 pbi # Release 0.9.15 # # Revision 0.9.14.8 2003/10/02 15:16:26 pbi # - small fix for p0f_base # - lazy loading for p0f, queso and nmap knowledge databases # # Revision 0.9.14.7 2003/10/02 14:14:17 pbi # - added a LongField # - added classes and bonds for 802.11 # - added error handling and magic checks for rdpcap() # # Revision 0.9.14.6 2003/09/12 14:45:35 pbi # - had Dot11 working # # Revision 0.9.14.5 2003/09/12 10:04:05 pbi # - added summary() method to Packet objects # # Revision 0.9.14.4 2003/09/12 09:28:28 pbi # - added SNAP protocol # - catched broken pipe exception when shild die in sndrcv() # - fixed default L2socket type in srp() and srp1() (ETH_P_ALL) # - fixed format string in attach_filter() # # Revision 0.9.14.3 2003/09/10 08:47:41 pbi # - fixed the fact that bpf filters were generated in cooked mode, and thus did # not work # - filter on socket type ETH_P_ARP instead of using a bpf filter for ARP replies # - fixed the way of handling the SuperSocket close. # - uniformised the naming for interface parameter : iface instead of iff # - fixed the FutureWarning for long integers # - fixed a typo in 3 format strings (%*i instead of %i) # # Revision 0.9.14.2 2003/07/20 00:12:04 pbi # -added "-i any" for tcpdump to compile filters even if they don't work on main interface # - put PPP special case before layer 2 general case in a super socket # - added th filter parameter to L3RawSocket # - added a special case in getmacbyip() when loopback interface is concernet # - added value for RAWIP linktype in pcap capture files # # Revision 0.9.14.1 2003/06/25 13:18:23 pbi # Release 0.9.14, from 0.9.13.4 # # Revision 0.9.13.4 2003/06/25 12:35:57 pbi # - fixed a regression in L3PacketSocket for ppp links # # Revision 0.9.13.3 2003/05/31 14:01:12 biondi # - more tweaks on Packet.sprintf(). Added __doc__. # # Revision 0.9.13.2 2003/05/31 13:17:42 biondi # - small tweaks in Packet.sprintf() # # Revision 0.9.13.1 2003/05/16 13:34:30 pbi # Release 0.9.13 # # Revision 0.9.12.9 2003/05/16 13:32:38 pbi # - fixed verbose parameter in nmap_fp() # # Revision 0.9.12.8 2003/05/16 13:28:49 pbi # - small enhancements in self-documentation # - added early experiemental support for BOOTP and 802.11 # # Revision 0.9.12.7 2003/05/16 11:25:48 pbi # - added workarroung python bug 643005 (socket.inet_aton("255.255.255.255")) # - use answers() method instead of operator # - added hashret() method : returns a hash that is invariant for a packet and its reply # - use hashret() in sndrcv() for dramatic improvements for matching replies on big set of packets # - change report_ports() to return a string instead of printing # # Revision 0.9.12.6 2003/05/16 09:28:40 pbi # - improved the __repr__() method of Packet class # # Revision 0.9.12.5 2003/05/12 15:15:02 pbi # - added minttl parameter to traceroute() # # Revision 0.9.12.4 2003/05/06 13:39:21 pbi # - Improved random number object (thanks to O. Poyen) # # Revision 0.9.12.3 2003/05/06 10:45:27 pbi # - fixed a name overlap on "type" in L2ListenSocket and L3PacketSocket (thanks to E. M. Hopper) # # Revision 0.9.12.2 2003/05/06 10:41:58 pbi # - externalized conversion from probes to signature with nmap_probes2sig() use probe results from, say, a pcap file # # Revision 0.9.12.1 2003/04/27 10:07:30 pbi # Release 0.9.12 # # Revision 0.9.11.5 2003/04/27 10:04:03 pbi # - Fixed long int conversion in attach_filter() # # Revision 0.9.11.4 2003/04/27 10:00:57 pbi # - rectification in SetGen to unroll Gen instances in lists # - Completed DNS types and qtypes names # - Small tuning in nmap_match_one_sig() # - Parallelized nmap_sig() # # Revision 0.9.11.3 2003/04/24 12:47:49 pbi # - removed 4 byte IP string autorecognition. Never used and broken for 4 byte names # - added "islist" flag to fields to distinguish a list value from a list of values # - changed TCP options from dict to list to preserve order and redundancy # - added conf.except_filter, to have every command ignore your own traffic (BPF filter) # - worked in progress for nmap OS fingerprint. Added PU test. Fixed other tests. # - added nmap_sig2txt() to transform a signature to its text form, suitable for nmap base # # Revision 0.9.11.2 2003/04/23 21:23:30 pbi # - small fixes in init_queso() # - experimental support of nmap fingerprinting (not complete yet) # # Revision 0.9.11.1 2003/04/22 14:38:16 pbi # Release 0.9.11 # # Revision 0.9.10.8 2003/04/22 14:37:32 pbi # - fixed bug in getmacbyip() using dnet module # - deactivated getmacbyip() using dnet module because it did not resolve unknown IPs # - added some commands listed by lsc() # # Revision 0.9.10.7 2003/04/22 13:55:01 pbi # - some getattr/setattr/delattr enhancements # # Revision 0.9.10.6 2003/04/22 13:52:00 pbi # - added experimental support for QueSO OS fingerprinting. Has someone a *recent* database ? # # Revision 0.9.10.5 2003/04/18 17:45:15 pbi # - improved the completer to complete with protocol fields # - small fix in get_working_if() # # Revision 0.9.10.4 2003/04/16 14:53:36 pbi # - added option to include padding or not # # Revision 0.9.10.3 2003/04/16 14:35:32 pbi # - added L2dnetSocket() # - improved arping() # # Revision 0.9.10.2 2003/04/16 12:40:40 pbi # - fixed the case when the history file does not exist # # Revision 0.9.10.1 2003/04/14 15:43:45 pbi # Release 0.9.10 # # Revision 0.9.9.15 2003/04/14 15:42:47 pbi # - added L3pcapListenSocket # - fixed L3ListenSocket to use ETH_P_ALL instead of ETH_P_IP by default # # Revision 0.9.9.14 2003/04/14 14:57:53 pbi # - reworked L3dnetSocket # # Revision 0.9.9.13 2003/04/14 13:53:28 pbi # - added completion (rlcompleter) and history support # # Revision 0.9.9.12 2003/04/14 10:05:42 pbi # - bugfixed the close() method of some supersockets # # Revision 0.9.9.11 2003/04/13 21:41:01 biondi # - added get_working_if() # - use get_working_if() for default interface # # Revision 0.9.9.10 2003/04/12 23:33:42 biondi # - add DNS layer (do not compress when assemble, answers() is missing) # # Revision 0.9.9.9 2003/04/12 22:15:40 biondi # - added EnumField # - used EnumField for ARP(), ICMP(), IP(), EAPOL(), EAP(),... # # Revision 0.9.9.8 2003/04/11 16:52:29 pbi # - better integration of libpcap and libdnet, if available # # Revision 0.9.9.7 2003/04/11 15:49:31 pbi # - some tweaks about supersockets close() and __del__() (not satisfied) # - added L3dnetSocket, that use libdnet and libpcap if available # # Revision 0.9.9.6 2003/04/11 13:46:49 pbi # - fixed a regression in bitfield dissection # - tweaked and fixed a lot of small things arround supersockets # # Revision 0.9.9.5 2003/04/10 14:50:22 pbi # - clean session only if it is to be saved # - forgot to give its name to Padding class # - fixed the NoPayload comparison tests so that they work on reloaded sessions # # Revision 0.9.9.4 2003/04/10 13:45:22 pbi # - Prepared the configuration of L2/L3 supersockets # # Revision 0.9.9.3 2003/04/08 18:34:48 pbi # - little fix in L2ListenSocket.__del__() # - added doc and options in Conf class # - added promisc support for L3PacketSocket, so that you can get answers to spoofed packets # # Revision 0.9.9.2 2003/04/08 17:42:19 pbi # - added extract_padding() method to UDP # # Revision 0.9.9.1 2003/04/08 17:23:33 pbi # Release 0.9.9 # # Revision 0.9.8.9 2003/04/08 17:22:25 pbi # - use cPickle instead of pickle (quicker and works with __getattr__() recursion) # - small fixes on send() and sendp() # # Revision 0.9.8.8 2003/04/08 16:48:04 pbi # - EAPOL overload Ether dst with PAE_GROUP_ADDR # - tuning in ports_report() # - tuning in fragleak # # Revision 0.9.8.7 2003/04/07 15:32:10 pbi # - uses /usr/bin/env invocation # # Revision 0.9.8.6 2003/04/07 14:57:12 pbi # - catch error during payload dissection and consider payload as raw data # # Revision 0.9.8.5 2003/04/07 14:43:13 pbi # - srp() becomes srp1() and sr() equivalent for L2 is called srp() # - hastype() Packet methods renamed to haslayer() # - added getlayer() Packet method # - added padding detection for layers that have a length field # - added fragment() that fragment an IP packet # - added report_ports() to scan a machine and output LaTeX report # # Revision 0.9.8.4 2003/04/01 11:19:06 pbi # - added FlagsField(), used for TCP and IP # - rfc3514 compliance # # Revision 0.9.8.3 2003/03/28 14:55:18 pbi # Added pkt2uptime() : uses TCP timestamp to predict when the machine was booted # # Revision 0.9.8.2 2003/03/27 15:58:54 pbi # - fixed sprintf() regression to use attributes from a packet that are not fields (eg: payload) # # Revision 0.9.8.1 2003/03/27 15:43:20 pbi # Release 0.9.8 # # Revision 0.9.7.9 2003/03/27 15:07:42 pbi # - add filter support for sr(), sr1() and srp() # - use filters for getmacbyip() and traceroute() for better reliability under heavy load # # Revision 0.9.7.8 2003/03/27 14:45:11 pbi # - better timeout management in sndrcv # - bugfixed sys.exit() imbrication issues # - some self documentation # - added lsc()command # # Revision 0.9.7.7 2003/03/26 17:51:33 pbi # - Added IPTool class, to add commands like whois() to IP layer. # - Have unknown class attributes be asked to payload before raising an exception. # # Revision 0.9.7.6 2003/03/26 17:35:36 pbi # More powerful sprintf format string : %[fmt[r],][cls[:nb].]field% where fmt is a classic one, r can be # appended for raw substitution (ex: IP.flags=0x18 instead of SA), nb is the number of the layer we want # (ex: for IP/IP packets, IP:2.src is the src of the upper IP layer). Special case : "%.time" is the creation time. # Ex : p.sprintf("%.time% %-15s,IP.src% -> %-15s,IP.dst% %IP.chksum% %03xr,IP.proto% %r,TCP.flags%") # # Revision 0.9.7.5 2003/03/26 14:47:39 pbi # Added creation time packet. Supported by read/write pcap. # # Revision 0.9.7.4 2003/03/26 14:25:09 pbi # Added the NoPayload terminal class # # Revision 0.9.7.3 2003/03/26 13:31:11 pbi # Fixed RCS Id # # Revision 0.9.7.2 2003/03/26 13:30:05 pbi # Adding RCS Id # # from __future__ import generators RCSID="$Id: scapy.py,v 1.0.5.20 2006/12/12 15:33:25 pbi Exp $" VERSION = RCSID.split()[2]+"beta" def usage(): print "Usage: scapy.py [-s sessionfile]" sys.exit(0) ##########[XXX]#=-- ## # Next things to do : # # - fields to manage variable length hw addr (ARP, BOOTP, etc.) # - improve pcap capture file support # - better self-doc # ## ##########[XXX]#=-- ############################# ##### Logging subsystem ##### ############################# import logging,traceback,time class ScapyFreqFilter(logging.Filter): def __init__(self): logging.Filter.__init__(self) self.warning_table = {} def filter(self, record): wt = conf.warning_threshold if wt > 0: stk = traceback.extract_stack() caller=None for f,l,n,c in stk: if n == 'warning': break caller = l tm,nb = self.warning_table.get(caller, (0,0)) ltm = time.time() if ltm-tm > wt: tm = ltm nb = 0 else: if nb < 2: nb += 1 if nb == 2: record.msg = "more "+record.msg else: return 0 self.warning_table[caller] = (tm,nb) return 1 log_scapy = logging.getLogger("scapy") console_handler = logging.StreamHandler() console_handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s")) log_scapy.addHandler(console_handler) log_runtime = logging.getLogger("scapy.runtime") # logs at runtime log_runtime.addFilter(ScapyFreqFilter()) log_interactive = logging.getLogger("scapy.interactive") # logs in interactive functions log_loading = logging.getLogger("scapy.loading") # logs when loading scapy if __name__ == "__main__": log_scapy.setLevel(1) ################## ##### Module ##### ################## import socket, sys, getopt, string, struct, random, os, code import cPickle, copy, types, gzip, base64, re, zlib, array from sets import Set from select import select from fcntl import ioctl import fcntl import warnings warnings.filterwarnings("ignore","tempnam",RuntimeWarning, __name__) try: import Gnuplot GNUPLOT=1 except ImportError: log_loading.info("did not find python gnuplot wrapper . Won't be able to plot") GNUPLOT=0 try: import pyx PYX=1 except ImportError: log_loading.info("Can't import PyX. Won't be able to use psdump() or pdfdump()") PYX=0 LINUX=sys.platform.startswith("linux") OPENBSD=sys.platform.startswith("openbsd") FREEBSD=sys.platform.startswith("freebsd") DARWIN=sys.platform.startswith("darwin") BIG_ENDIAN= struct.pack("H",1) == "\x00\x01" X86_64 = (os.uname()[4] == 'x86_64') SOLARIS=sys.platform.startswith("sunos") if LINUX: DNET=PCAP=0 else: DNET=PCAP=1 if PCAP: try: import pcap PCAP = 1 except ImportError: if LINUX: log_loading.warning("did not find pcap module. Fallback to linux primitives") PCAP = 0 else: if __name__ == "__main__": log_loading.error("did not find pcap module") raise SystemExit else: raise if DNET: try: import dnet DNET = 1 except ImportError: if LINUX: log_loading.warning("did not find dnet module. Fallback to linux primitives") DNET = 0 else: if __name__ == "__main__": log_loading.error("did not find dnet module") raise SystemExit else: raise if not PCAP: f = os.popen("tcpdump -V 2> /dev/null") if f.close() >> 8 == 0x7f: log_loading.warning("Failed to execute tcpdump. Check it is installed and in the PATH") TCPDUMP=0 else: TCPDUMP=1 try: from Crypto.Cipher import ARC4 except ImportError: log_loading.info("Can't find Crypto python lib. Won't be able to decrypt WEP") # Workarround bug 643005 : https://sourceforge.net/tracker/?func=detail&atid=105470&aid=643005&group_id=5470 try: socket.inet_aton("255.255.255.255") except socket.error: def inet_aton(x): if x == "255.255.255.255": return "\xff"*4 else: return socket.inet_aton(x) else: inet_aton = socket.inet_aton inet_ntoa = socket.inet_ntoa try: inet_ntop = socket.inet_ntop inet_pton = socket.inet_pton except AttributeError: log_loading.info("inet_ntop/pton functions not found. Python IPv6 support not present") if SOLARIS: # GRE is missing on Solaris socket.IPPROTO_GRE = 47 ############ ## Consts ## ############ ETHER_ANY = "\x00"*6 ETHER_BROADCAST = "\xff"*6 ETH_P_ALL = 3 ETH_P_IP = 0x800 ETH_P_ARP = 0x806 # From net/if_arp.h ARPHDR_ETHER = 1 ARPHDR_METRICOM = 23 ARPHDR_PPP = 512 ARPHDR_LOOPBACK = 772 ARPHDR_TUN = 65534 # From bits/ioctls.h SIOCGIFHWADDR = 0x8927 # Get hardware address SIOCGIFADDR = 0x8915 # get PA address SIOCGIFNETMASK = 0x891b # get network PA mask SIOCGIFNAME = 0x8910 # get iface name SIOCSIFLINK = 0x8911 # set iface channel SIOCGIFCONF = 0x8912 # get iface list SIOCGIFFLAGS = 0x8913 # get flags SIOCSIFFLAGS = 0x8914 # set flags SIOCGIFINDEX = 0x8933 # name -> if_index mapping SIOCGIFCOUNT = 0x8938 # get number of devices # From if.h IFF_UP = 0x1 # Interface is up. IFF_BROADCAST = 0x2 # Broadcast address valid. IFF_DEBUG = 0x4 # Turn on debugging. IFF_LOOPBACK = 0x8 # Is a loopback net. IFF_POINTOPOINT = 0x10 # Interface is point-to-point link. IFF_NOTRAILERS = 0x20 # Avoid use of trailers. IFF_RUNNING = 0x40 # Resources allocated. IFF_NOARP = 0x80 # No address resolution protocol. IFF_PROMISC = 0x100 # Receive all packets. # From netpacket/packet.h PACKET_ADD_MEMBERSHIP = 1 PACKET_DROP_MEMBERSHIP = 2 PACKET_RECV_OUTPUT = 3 PACKET_RX_RING = 5 PACKET_STATISTICS = 6 PACKET_MR_MULTICAST = 0 PACKET_MR_PROMISC = 1 PACKET_MR_ALLMULTI = 2 # From bits/socket.h SOL_PACKET = 263 # From asm/socket.h SO_ATTACH_FILTER = 26 SOL_SOCKET = 1 # From net/route.h RTF_UP = 0x0001 # Route usable RTF_REJECT = 0x0200 # From BSD net/bpf.h #BIOCIMMEDIATE=0x80044270 BIOCIMMEDIATE=-2147204496 MTU = 1600 # file parsing to get some values : spaces = re.compile("[ \t]+|\n") IP_PROTOS={} try: f=open("/etc/protocols") for l in f: try: if l[0] in ["#","\n"]: continue lt = tuple(re.split(spaces, l)) if len(lt) < 3: continue IP_PROTOS.update({lt[2]:int(lt[1])}) except: log_loading.info("Couldn't parse one line from protocols file (" + l + ")") f.close() except IOError: log_loading.info("Can't open /etc/protocols file") ETHER_TYPES={} try: f=open("/etc/ethertypes") for l in f: try: if l[0] in ["#","\n"]: continue lt = tuple(re.split(spaces, l)) if len(lt) < 2: continue ETHER_TYPES.update({lt[0]:int(lt[1], 16)}) except: log_loading.info("Couldn't parse one line from ethertypes file (" + l + ")") f.close() except IOError,msg: log_loading.info("Can't open /etc/ethertypes file") TCP_SERVICES={} UDP_SERVICES={} try: f=open("/etc/services") for l in f: try: if l[0] in ["#","\n"]: continue lt = tuple(re.split(spaces, l)) if len(lt) < 2: continue if lt[1].endswith("/tcp"): TCP_SERVICES.update({lt[0]:int(lt[1].split('/')[0])}) elif lt[1].endswith("/udp"): UDP_SERVICES.update({lt[0]:int(lt[1].split('/')[0])}) except: log_loading.warning("Couldn't parse one line from /etc/services file (" + l + ")") f.close() except IOError: log_loading.info("Can't open /etc/services file") ########### ## Tools ## ########### def sane_color(x): r="" for i in x: j = ord(i) if (j < 32) or (j >= 127): r=r+conf.color_theme.not_printable(".") else: r=r+i return r def sane(x): r="" for i in x: j = ord(i) if (j < 32) or (j >= 127): r=r+"." else: r=r+i return r def hexdump(x): x=str(x) l = len(x) i = 0 while i < l: print "%04x " % i, for j in range(16): if i+j < l: print "%02X" % ord(x[i+j]), else: print " ", if j%16 == 7: print "", print " ", print sane_color(x[i:i+16]) i += 16 def linehexdump(x, onlyasc=0, onlyhex=0): x = str(x) l = len(x) if not onlyasc: for i in range(l): print "%02X" % ord(x[i]), print "", if not onlyhex: print sane_color(x) def hexstr(x, onlyasc=0, onlyhex=0): s = [] if not onlyasc: s.append(" ".join(map(lambda x:"%02x"%ord(x), x))) if not onlyhex: s.append(sane(x)) return " ".join(s) if BIG_ENDIAN: CRCPOLY=0x04c11db7L else: CRCPOLY=0xedb88320L crc32 = zlib.crc32 def checksum(pkt): pkt=str(pkt) s=0 if len(pkt) % 2 == 1: pkt += "\0" for i in range(len(pkt)/2): s = s + (struct.unpack("!H",pkt[2*i:2*i+2])[0]) s = (s >> 16) + (s & 0xffff) s += s >> 16 return ~s & 0xffff def warning(x): log_runtime.warning(x) def mac2str(mac): return "".join(map(lambda x: chr(int(x,16)), mac.split(":"))) def str2mac(s): return ("%02x:"*6)[:-1] % tuple(map(ord, s)) def strxor(x,y): return "".join(map(lambda x,y:chr(ord(x)^ord(y)),x,y)) def atol(x): try: ip = inet_aton(x) except socket.error: ip = inet_aton(socket.gethostbyname(x)) return struct.unpack("I", ip)[0] def ltoa(x): return inet_ntoa(struct.pack("I", x)) def itom(x): return socket.ntohl((0xffffffff00000000L>>x)&0xffffffffL)&0xffffffffL def do_graph(graph,prog=None,type="svg",target=None): """do_graph(graph, prog=conf.prog.dot, type="svg",target="| conf.prog.display"): graph: GraphViz graph description type: output type (svg, ps, gif, jpg, etc.), passed to dot's "-T" option target: filename or redirect. Defaults pipe to Imagemagick's display program prog: which graphviz program to use""" if prog is None: prog = conf.prog.dot if target is None: target = "| %s" % conf.prog.display w,r = os.popen2("%s -T %s %s" % (prog,type,target)) w.write(graph) w.close() _TEX_TR = { "{":"{\\tt\\char123}", "}":"{\\tt\\char125}", "\\":"{\\tt\\char92}", "^":"\\^{}", "$":"\\$", "#":"\\#", "~":"\\~", "_":"\\_", "&":"\\&", "%":"\\%", "|":"{\\tt\\char124}", "~":"{\\tt\\char126}", "<":"{\\tt\\char60}", ">":"{\\tt\\char62}", } def tex_escape(x): s = "" for c in x: s += _TEX_TR.get(c,c) return s def colgen(*lstcol,**kargs): """Returns a generator that mixes provided quantities forever trans: a function to convert the three arguments into a color. lambda x,y,z:(x,y,z) by default""" if len(lstcol) < 2: lstcol *= 2 trans = kargs.get("trans", lambda x,y,z: (x,y,z)) while 1: for i in range(len(lstcol)): for j in range(len(lstcol)): for k in range(len(lstcol)): if i != j or j != k or k != i: yield trans(lstcol[(i+j)%len(lstcol)],lstcol[(j+k)%len(lstcol)],lstcol[(k+i)%len(lstcol)]) ############################## ## Session saving/restoring ## ############################## def save_session(fname, session=None, pickleProto=-1): if session is None: session = scapy_session to_be_saved = session.copy() if to_be_saved.has_key("__builtins__"): del(to_be_saved["__builtins__"]) for k in to_be_saved.keys(): if type(to_be_saved[k]) in [types.TypeType, types.ClassType, types.ModuleType]: log_interactive.error("[%s] (%s) can't be saved." % (k, type(to_be_saved[k]))) del(to_be_saved[k]) try: os.rename(fname, fname+".bak") except OSError: pass f=gzip.open(fname,"wb") cPickle.dump(to_be_saved, f, pickleProto) f.close() def load_session(fname): try: s = cPickle.load(gzip.open(fname,"rb")) except IOError: s = cPickle.load(open(fname,"rb")) scapy_session.clear() scapy_session.update(s) def update_session(fname): try: s = cPickle.load(gzip.open(fname,"rb")) except IOError: s = cPickle.load(open(fname,"rb")) scapy_session.update(s) def export_object(obj): print base64.encodestring(gzip.zlib.compress(cPickle.dumps(obj,2),9)) def import_object(obj=None): if obj is None: obj = sys.stdin.read() return cPickle.loads(gzip.zlib.decompress(base64.decodestring(obj.strip()))) def save_object(fname, obj): cPickle.dump(obj,gzip.open(fname,"wb")) def load_object(fname): return cPickle.load(gzip.open(fname,"rb")) ################# ## Debug class ## ################# class debug: recv=[] sent=[] match=[] #################### ## IP Tools class ## #################### class IPTools: """Add more powers to a class that have a "src" attribute.""" def whois(self): os.system("whois %s" % self.src) def ottl(self): t = [32,64,128,255]+[self.ttl] t.sort() return t[t.index(self.ttl)+1] def hops(self): return self.ottl()-self.ttl-1 ############################## ## Routing/Interfaces stuff ## ############################## class Route: def __init__(self): self.resync() self.s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM) def resync(self): self.routes = read_routes() def __repr__(self): rt = "Network Netmask Gateway Iface Output IP\n" for net,msk,gw,iface,addr in self.routes: rt += "%-15s %-15s %-15s %-15s %-15s\n" % (ltoa(net), ltoa(msk), gw, iface, addr) return rt def make_route(self, host=None, net=None, gw=None, dev=None): if host is not None: thenet,msk = host,32 elif net is not None: thenet,msk = net.split("/") msk = int(msk) else: raise Exception("make_route: Incorrect parameters. You should specify a host or a net") if gw is None: gw="0.0.0.0" if dev is None: if gw: nhop = gw else: nhop = thenet dev,ifaddr,x = self.route(nhop) else: ifaddr = get_if_addr(dev) return (atol(thenet), itom(msk), gw, dev, ifaddr) def add(self, *args, **kargs): """Ex: add(net="192.168.1.0/24",gw="1.2.3.4") """ self.routes.append(self.make_route(*args,**kargs)) def delt(self, *args, **kargs): """delt(host|net, gw|dev)""" route = self.make_route(*args,**kargs) try: i=self.routes.index(route) del(self.routes[i]) except ValueError: warning("no matching route found") def ifchange(self, iff, addr): the_addr,the_msk = (addr.split("/")+["32"])[:2] the_msk = itom(int(the_msk)) the_rawaddr, = struct.unpack("I",inet_aton(the_addr)) the_net = the_rawaddr & the_msk for i in range(len(self.routes)): net,msk,gw,iface,addr = self.routes[i] if iface != iff: continue if gw == '0.0.0.0': self.routes[i] = (the_net,the_msk,gw,iface,the_addr) else: self.routes[i] = (net,msk,gw,iface,the_addr) for i in arp_cache.keys(): del(arp_cache[i]) def ifdel(self, iff): new_routes=[] for rt in self.routes: if rt[3] != iff: new_routes.append(rt) self.routes=new_routes def ifadd(self, iff, addr): the_addr,the_msk = (addr.split("/")+["32"])[:2] the_msk = itom(int(the_msk)) the_rawaddr, = struct.unpack("I",inet_aton(the_addr)) the_net = the_rawaddr & the_msk self.routes.append((the_net,the_msk,'0.0.0.0',iff,the_addr)) def route(self,dst): # Transform "192.168.*.1-5" to one IP of the set dst = dst.split("/")[0] dst = dst.replace("*","0") while 1: l = dst.find("-") if l < 0: break m = (dst[l:]+".").find(".") dst = dst[:l]+dst[l+m:] try: dst=inet_aton(dst) except socket.error: dst=inet_aton(socket.gethostbyname(dst)) dst,=struct.unpack("I",dst) pathes=[] for d,m,gw,i,a in self.routes: aa, = struct.unpack("I",inet_aton(a)) if aa == dst: pathes.append((0xffffffffL,("lo",a,"0.0.0.0"))) if (dst & m) == (d & m): pathes.append((m,(i,a,gw))) if not pathes: warning("No route found (no default route?)") return "lo","0.0.0.0","0.0.0.0" #XXX linux specific! # Choose the more specific route (greatest netmask). # XXX: we don't care about metrics pathes.sort() return pathes[-1][1] def get_if_bcast(self, iff): for net, msk, gw, iface, addr in self.routes: if (iff == iface and net != 0L): bcast = atol(addr)|(~msk&0xffffffffL); # FIXME: check error in atol() return ltoa(bcast); warning("No broadcast address found for iface %s\n" % iff); if DNET: def get_if_raw_hwaddr(iff): if iff[:2] == "lo": return (772, '\x00'*6) try: l = dnet.intf().get(iff) l = l["link_addr"] except: raise Exception("Error in attempting to get hw address for interface [%s]" % iff) return l.type,l.data def get_if_raw_addr(ifname): i = dnet.intf() return i.get(ifname)["addr"].data else: def get_if_raw_hwaddr(iff): return struct.unpack("16xh6s8x",get_if(iff,SIOCGIFHWADDR)) def get_if_raw_addr(iff): try: return get_if(iff, SIOCGIFADDR)[20:24] except IOError: return "\0\0\0\0" if PCAP: def get_if_list(): # remove 'any' interface return map(lambda x:x[0],filter(lambda x:x[1] is None,pcap.findalldevs())) def get_working_if(): try: return pcap.lookupdev() except pcap.pcapc.EXCEPTION: return 'lo' def attach_filter(s, filter): warning("attach_filter() should not be called in PCAP mode") def set_promisc(s,iff,val=1): warning("set_promisc() should not be called in DNET/PCAP mode") else: def get_if_list(): f=open("/proc/net/dev","r") lst = [] f.readline() f.readline() for l in f: lst.append(l.split(":")[0].strip()) return lst def get_working_if(): for i in get_if_list(): if i == 'lo': continue ifflags = struct.unpack("16xH14x",get_if(i,SIOCGIFFLAGS))[0] if ifflags & IFF_UP: return i return "lo" def attach_filter(s, filter): # XXX We generate the filter on the interface conf.iface # because tcpdump open the "any" interface and ppp interfaces # in cooked mode. As we use them in raw mode, the filter will not # work... one solution could be to use "any" interface and translate # the filter from cooked mode to raw mode # mode if not TCPDUMP: return try: f = os.popen("%s -i %s -ddd -s 1600 '%s'" % (conf.prog.tcpdump,conf.iface,filter)) except OSError,msg: log_interactive.warning("Failed to execute tcpdump: (%s)") return lines = f.readlines() if f.close(): raise Exception("Filter parse error") nb = int(lines[0]) bpf = "" for l in lines[1:]: bpf += struct.pack("HBBI",*map(long,l.split())) # XXX. Argl! We need to give the kernel a pointer on the BPF, # python object header seems to be 20 bytes. 36 bytes for x86 64bits arch. if X86_64: bpfh = struct.pack("HL", nb, id(bpf)+36) else: bpfh = struct.pack("HI", nb, id(bpf)+20) s.setsockopt(SOL_SOCKET, SO_ATTACH_FILTER, bpfh) def set_promisc(s,iff,val=1): mreq = struct.pack("IHH8s", get_if_index(iff), PACKET_MR_PROMISC, 0, "") if val: cmd = PACKET_ADD_MEMBERSHIP else: cmd = PACKET_DROP_MEMBERSHIP s.setsockopt(SOL_PACKET, cmd, mreq) if not LINUX: def new_read_routes(): rtlst = [] def addrt(rt,lst): dst,gw = rt lst.append(rt) r = dnet.route() print r.loop(addrt, rtlst) return rtlst def read_routes(): if SOLARIS: f=os.popen("netstat -rvn") # -f inet else: f=os.popen("netstat -rn") # -f inet ok = 0 mtu_present = False routes = [] for l in f.readlines(): if not l: break l = l.strip() if l.find("----") >= 0: # a separation line continue if l.find("Destination") >= 0: ok = 1 if l.find("Mtu") >= 0: mtu_present = True continue if ok == 0: continue if not l: break if SOLARIS: dest,mask,gw,netif,mxfrg,rtt,ref,flg = l.split()[:8] else: if mtu_present: dest,gw,flg,ref,use,mtu,netif = l.split()[:7] else: dest,gw,flg,ref,use,netif = l.split()[:6] if flg.find("Lc") >= 0: continue if dest == "default": dest = 0L netmask = 0L else: if SOLARIS: netmask, = struct.unpack("I",inet_aton(mask)) elif "/" in dest: dest,netmask = dest.split("/") netmask = itom(int(netmask)) else: netmask = itom((dest.count(".") + 1) * 8) dest += ".0"*(3-dest.count(".")) dest, = struct.unpack("I",inet_aton(dest)) if not "G" in flg: gw = '0.0.0.0' ifaddr = get_if_addr(netif) routes.append((dest,netmask,gw,netif,ifaddr)) f.close() return routes def read_interfaces(): i = dnet.intf() ifflist = {} def addif(iff,lst): if not iff.has_key("addr"): return if not iff.has_key("link_addr"): return rawip = iff["addr"].data ip = inet_ntoa(rawip) rawll = iff["link_addr"].data ll = str2mac(rawll) lst[iff["name"]] = (rawll,ll,rawip,ip) i.loop(addif, ifflist) return ifflist else: def read_routes(): f=open("/proc/net/route","r") routes = [] s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM) ifreq = ioctl(s, SIOCGIFADDR,struct.pack("16s16x","lo")) addrfamily = struct.unpack("h",ifreq[16:18])[0] if addrfamily == socket.AF_INET: ifreq2 = ioctl(s, SIOCGIFNETMASK,struct.pack("16s16x","lo")) msk = struct.unpack("I",ifreq2[20:24])[0] dst = struct.unpack("I",ifreq[20:24])[0] & msk ifaddr = inet_ntoa(ifreq[20:24]) routes.append((dst, msk, "0.0.0.0", "lo", ifaddr)) else: warning("Interface lo: unkownn address family (%i)"% addrfamily) for l in f.readlines()[1:]: iff,dst,gw,flags,x,x,x,msk,x,x,x = l.split() flags = int(flags,16) if flags & RTF_UP == 0: continue if flags & RTF_REJECT: continue ifreq = ioctl(s, SIOCGIFADDR,struct.pack("16s16x",iff)) addrfamily = struct.unpack("h",ifreq[16:18])[0] if addrfamily == socket.AF_INET: ifaddr = inet_ntoa(ifreq[20:24]) else: warning("Interface %s: unkownn address family (%i)"%(iff, addrfamily)) continue routes.append((long(dst,16), long(msk,16), inet_ntoa(struct.pack("I",long(gw,16))), iff, ifaddr)) f.close() return routes def get_if(iff,cmd): s=socket.socket() ifreq = ioctl(s, cmd, struct.pack("16s16x",iff)) s.close() return ifreq def get_if_index(iff): return int(struct.unpack("I",get_if(iff, SIOCGIFINDEX)[16:20])[0]) def get_if_addr(iff): return inet_ntoa(get_if_raw_addr(iff)) def get_if_hwaddr(iff): addrfamily, mac = get_if_raw_hwaddr(iff) if addrfamily in [ARPHDR_ETHER,ARPHDR_LOOPBACK]: return str2mac(mac) else: raise Exception("Unsupported address family (%i) for interface [%s]" % (addrfamily,iff)) ##################### ## ARP cache stuff ## ##################### ARPTIMEOUT=120 # XXX Fill arp_cache with /etc/ether and arp cache arp_cache={} if 0 and DNET: ## XXX Can't use this because it does not resolve IPs not in cache dnet_arp_object = dnet.arp() def getmacbyip(ip): tmp = map(ord, inet_aton(ip)) if (tmp[0] & 0xf0) == 0xe0: # mcast @ return "01:00:5e:%.2x:%.2x:%.2x" % (tmp[1]&0x7f,tmp[2],tmp[3]) iff,a,gw = conf.route.route(ip) if iff == "lo": return "ff:ff:ff:ff:ff:ff" if gw != "0.0.0.0": ip = gw res = dnet_arp_object.get(dnet.addr(ip)) if res is None: return None else: return res.ntoa() else: def getmacbyip(ip): tmp = map(ord, inet_aton(ip)) if (tmp[0] & 0xf0) == 0xe0: # mcast @ return "01:00:5e:%.2x:%.2x:%.2x" % (tmp[1]&0x7f,tmp[2],tmp[3]) iff,a,gw = conf.route.route(ip) if ( (iff == "lo") or (ip == conf.route.get_if_bcast(iff)) ): return "ff:ff:ff:ff:ff:ff" if gw != "0.0.0.0": ip = gw if arp_cache.has_key(ip): mac, timeout = arp_cache[ip] if not timeout or (time.time()-timeout < ARPTIMEOUT): return mac res = srp1(Ether(dst=ETHER_BROADCAST)/ARP(op="who-has", pdst=ip), type=ETH_P_ARP, iface = iff, timeout=2, verbose=0, nofilter=1) if res is not None: mac = res.payload.hwsrc arp_cache[ip] = (mac,time.time()) return mac return None #################### ## Random numbers ## #################### class VolatileValue: def __repr__(self): return "<%s>" % self.__class__.__name__ def __getattr__(self, attr): return getattr(self._fix(),attr) def _fix(self): return None class RandField(VolatileValue): pass class RandNum(RandField): min = 0 max = 0 def __init__(self, min, max): self.min = min self.max = max def _fix(self): # XXX: replace with sth that guarantee unicity return random.randrange(self.min, self.max) class RandNumGamma(RandField): def __init__(self, alpha, beta): self.alpha = alpha self.beta = beta def _fix(self): return int(round(random.gammavariate(self.alpha, self.beta))) class RandNumGauss(RandField): def __init__(self, mu, sigma): self.mu = mu self.sigma = sigma def _fix(self): return int(round(random.gauss(self.mu, self.sigma))) class RandNumExpo(RandField): def __init__(self, lambd): self.lambd = lambd def _fix(self): return int(round(random.expovariate(self.lambd))) class RandByte(RandNum): def __init__(self): RandNum.__init__(self, 0, 2L**8) class RandShort(RandNum): def __init__(self): RandNum.__init__(self, 0, 2L**16) class RandInt(RandNum): def __init__(self): RandNum.__init__(self, 0, 2L**32) class RandSInt(RandNum): def __init__(self): RandNum.__init__(self, -2L**31, 2L**31) class RandLong(RandNum): def __init__(self): RandNum.__init__(self, 0, 2L**64) class RandSLong(RandNum): def __init__(self): RandNum.__init__(self, -2L**63, 2L**63) class RandChoice(RandField): def __init__(self, *args): self._choice = args def _fix(self): return random.choice(self._choice) class RandString(RandField): def __init__(self, size, chars="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"): self.chars = chars self.size = size def _fix(self): s = "" for i in range(self.size): s += random.choice(self.chars) return s class RandBin(RandString): def __init__(self, size): RandString.__init__(self, size, "".join(map(chr,range(256)))) class RandTermString(RandString): def __init__(self, size, term): RandString.__init__(self, size, "".join(map(chr,range(1,256)))) self.term = term def _fix(self): return RandString._fix(self)+self.term class RandIP(RandString): def __init__(self, iptemplate="0.0.0.0/0"): self.ip = Net(iptemplate) def _fix(self): return self.ip.choice() class RandMAC(RandString): def __init__(self, template="*"): template += ":*:*:*:*:*" template = template.split(":") self.mac = () for i in range(6): if template[i] == "*": v = RandByte() elif "-" in template[i]: x,y = template[i].split("-") v = RandNum(int(x,16), int(y,16)) else: v = int(template[i],16) self.mac += (v,) def _fix(self): return "%02x:%02x:%02x:%02x:%02x:%02x" % self.mac class RandOID(RandString): def __init__(self, depth=RandNumExpo(0.1), idnum=RandNumExpo(0.01)): self.depth = depth self.idnum = idnum def _fix(self): return ".".join(map(str, [self.idnum for i in xrange(1+self.depth)])) # Automatic timestamp class AutoTime(VolatileValue): def __init__(self, base=None): if base == None: self.diff = 0 else: self.diff = time.time()-base def _fix(self): return time.time()-self.diff class IntAutoTime(AutoTime): def _fix(self): return int(AutoTime.current_val(self)) class DelayedEval(VolatileValue): """ Exemple of usage: DelayedEval("time.time()") """ def __init__(self, expr): self.expr = expr def _fix(self): return eval(self.expr) class IncrementalValue(VolatileValue): def __init__(self, start=0, step=1, restart=-1): self.start = self.val = start self.step = step self.restart = restart def _fix(self): v = self.val if self.val == self.restart : self.val = self.start else: self.val += self.step return v def corrupt_bytes(s, p=0.01, n=None): s = array.array("B",str(s)) l = len(s) if n is None: n = max(1,int(l*p)) for i in random.sample(xrange(l), n): s[i] = random.randint(0,255) return s.tostring() def corrupt_bits(s, p=0.01, n=None): s = array.array("B",str(s)) l = len(s)*8 if n is None: n = max(1,int(l*p)) for i in random.sample(xrange(l), n): s[i/8] ^= 1 << (i%8) return s.tostring() class CorruptedBytes(VolatileValue): def __init__(self, s, p=0.01, n=None): self.s = s self.p = p self.n = n def _fix(self): return corrupt_bytes(self.s, self.p, self.n) class CorruptedBits(CorruptedBytes): def _fix(self): return corrupt_bits(self.s, self.p, self.n) ################ ## Generators ## ################ class Gen(object): def __iter__(self): return iter([]) class SetGen(Gen): def __init__(self, set, _iterpacket=1): self._iterpacket=_iterpacket if type(set) is list: self.set = set elif isinstance(set, PacketList): self.set = list(set) else: self.set = [set] def transf(self, element): return element def __iter__(self): for i in self.set: if (type(i) is tuple) and (len(i) == 2) and type(i[0]) is int and type(i[1]) is int: if (i[0] <= i[1]): j=i[0] while j <= i[1]: yield j j += 1 elif isinstance(i, Gen) and (self._iterpacket or not isinstance(i,Packet)): for j in i: yield j else: yield i def __repr__(self): return "" % self.set.__repr__() class Net(Gen): """Generate a list of IPs from a network address or a name""" name = "ip" ipaddress = re.compile(r"^(\*|[0-2]?[0-9]?[0-9](-[0-2]?[0-9]?[0-9])?)\.(\*|[0-2]?[0-9]?[0-9](-[0-2]?[0-9]?[0-9])?)\.(\*|[0-2]?[0-9]?[0-9](-[0-2]?[0-9]?[0-9])?)\.(\*|[0-2]?[0-9]?[0-9](-[0-2]?[0-9]?[0-9])?)(/[0-3]?[0-9])?$") def __init__(self, net): self.repr=net tmp=net.split('/')+["32"] if not self.ipaddress.match(net): tmp[0]=socket.gethostbyname(tmp[0]) netmask = int(tmp[1]) def parse_digit(a,netmask): netmask = min(8,max(netmask,0)) if a == "*": a = (0,256) elif a.find("-") >= 0: x,y = map(int,a.split("-")) if x > y: y = x a = (x & (0xffL<>(8-netmask))))+1) else: a = (int(a) & (0xffL<>(8-netmask)))+1) return a self.parsed = map(lambda x,y: parse_digit(x,y), tmp[0].split("."), map(lambda x,nm=netmask: x-nm, (8,16,24,32))) def __iter__(self): for d in xrange(*self.parsed[3]): for c in xrange(*self.parsed[2]): for b in xrange(*self.parsed[1]): for a in xrange(*self.parsed[0]): yield "%i.%i.%i.%i" % (a,b,c,d) def choice(self): ip = [] for v in self.parsed: ip.append(str(random.randint(v[0],v[1]-1))) return ".".join(ip) def __repr__(self): return "Net(%r)" % self.repr ############# ## Results ## ############# class PacketList: res = [] def __init__(self, res=None, name="PacketList", stats=None): """create a packet list from a list of packets res: the list of packets stats: a list of classes that will appear in the stats (defaults to [TCP,UDP,ICMP])""" if stats is None: stats = [ TCP,UDP,ICMP ] self.stats = stats if res is None: res = [] if isinstance(res, PacketList): res = res.res self.res = res self.listname = name def _elt2pkt(self, elt): return elt def _elt2sum(self, elt): return elt.summary() def _elt2show(self, elt): return self._elt2sum(elt) def __repr__(self): # stats=dict.fromkeys(self.stats,0) ## needs python >= 2.3 :( stats = dict(map(lambda x: (x,0), self.stats)) other = 0 for r in self.res: f = 0 for p in stats: if self._elt2pkt(r).haslayer(p): stats[p] += 1 f = 1 break if not f: other += 1 s = "" ct = conf.color_theme for p in stats: s += " %s%s%s" % (ct.packetlist_proto(p.name), ct.punct(":"), ct.packetlist_value(stats[p])) s += " %s%s%s" % (ct.packetlist_proto("Other"), ct.punct(":"), ct.packetlist_value(other)) return "%s%s%s%s%s" % (ct.punct("<"), ct.packetlist_name(self.listname), ct.punct(":"), s, ct.punct(">")) def __getattr__(self, attr): return getattr(self.res, attr) def __getitem__(self, item): if isinstance(item,type) and issubclass(item,Packet): return self.__class__(filter(lambda x: item in self._elt2pkt(x),self.res), name="%s from %s"%(item.__name__,self.listname)) if type(item) is slice: return self.__class__(self.res.__getitem__(item), name = "mod %s" % self.listname) return self.res.__getitem__(item) def __getslice__(self, *args, **kargs): return self.__class__(self.res.__getslice__(*args, **kargs), name="mod %s"%self.listname) def __add__(self, other): return self.__class__(self.res+other.res, name="%s+%s"%(self.listname,other.listname)) def summary(self, prn=None, lfilter=None): """prints a summary of each packet prn: function to apply to each packet instead of lambda x:x.summary() lfilter: truth function to apply to each packet to decide whether it will be displayed""" for r in self.res: if lfilter is not None: if not lfilter(r): continue if prn is None: print self._elt2sum(r) else: print prn(r) def nsummary(self,prn=None, lfilter=None): """prints a summary of each packet with the packet's number prn: function to apply to each packet instead of lambda x:x.summary() lfilter: truth function to apply to each packet to decide whether it will be displayed""" for i in range(len(self.res)): if lfilter is not None: if not lfilter(self.res[i]): continue print conf.color_theme.id(i,"%04i"), if prn is None: print self._elt2sum(self.res[i]) else: print prn(self.res[i]) def display(self): # Deprecated. Use show() """deprecated. is show()""" self.show() def show(self, *args, **kargs): """Best way to display the packet list. Defaults to nsummary() method""" return self.nsummary(*args, **kargs) def filter(self, func): """Returns a packet list filtered by a truth function""" return self.__class__(filter(func,self.res), name="filtered %s"%self.listname) def make_table(self, *args, **kargs): """Prints a table using a function that returs for each packet its head column value, head row value and displayed value ex: p.make_table(lambda x:(x[IP].dst, x[TCP].dport, x[TCP].sprintf("%flags%")) """ return make_table(self.res, *args, **kargs) def make_lined_table(self, *args, **kargs): """Same as make_table, but print a table with lines""" return make_lined_table(self.res, *args, **kargs) def make_tex_table(self, *args, **kargs): """Same as make_table, but print a table with LaTeX syntax""" return make_tex_table(self.res, *args, **kargs) def plot(self, f, lfilter=None,**kargs): """Applies a function to each packet to get a value that will be plotted with GnuPlot. A gnuplot object is returned lfilter: a truth function that decides whether a packet must be ploted""" g=Gnuplot.Gnuplot() l = self.res if lfilter is not None: l = filter(lfilter, l) l = map(f,l) g.plot(Gnuplot.Data(l, **kargs)) return g def diffplot(self, f, delay=1, lfilter=None, **kargs): """diffplot(f, delay=1, lfilter=None) Applies a function to couples (l[i],l[i+delay])""" g = Gnuplot.Gnuplot() l = self.res if lfilter is not None: l = filter(lfilter, l) l = map(f,l[:-delay],l[delay:]) g.plot(Gnuplot.Data(l, **kargs)) return g def multiplot(self, f, lfilter=None, **kargs): """Uses a function that returns a label and a value for this label, then plots all the values label by label""" g=Gnuplot.Gnuplot() l = self.res if lfilter is not None: l = filter(lfilter, l) d={} for e in l: k,v = f(e) if k in d: d[k].append(v) else: d[k] = [v] data=[] for k in d: data.append(Gnuplot.Data(d[k], title=k, **kargs)) g.plot(*data) return g def rawhexdump(self): """Prints an hexadecimal dump of each packet in the list""" for p in self: hexdump(self._elt2pkt(p)) def hexraw(self, lfilter=None): """Same as nsummary(), except that if a packet has a Raw layer, it will be hexdumped lfilter: a truth function that decides whether a packet must be displayed""" for i in range(len(self.res)): p = self._elt2pkt(self.res[i]) if lfilter is not None and not lfilter(p): continue print "%s %s %s" % (conf.color_theme.id(i,"%04i"), p.sprintf("%.time%"), self._elt2sum(self.res[i])) if p.haslayer(Raw): hexdump(p.getlayer(Raw).load) def hexdump(self, lfilter=None): """Same as nsummary(), except that packets are also hexdumped lfilter: a truth function that decides whether a packet must be displayed""" for i in range(len(self.res)): p = self._elt2pkt(self.res[i]) if lfilter is not None and not lfilter(p): continue print "%s %s %s" % (conf.color_theme.id(i,"%04i"), p.sprintf("%.time%"), self._elt2sum(self.res[i])) hexdump(p) def padding(self, lfilter=None): """Same as hexraw(), for Padding layer""" for i in range(len(self.res)): p = self._elt2pkt(self.res[i]) if p.haslayer(Padding): if lfilter is None or lfilter(p): print "%s %s %s" % (conf.color_theme.id(i,"%04i"), p.sprintf("%.time%"), self._elt2sum(self.res[i])) hexdump(p.getlayer(Padding).load) def nzpadding(self, lfilter=None): """Same as padding() but only non null padding""" for i in range(len(self.res)): p = self._elt2pkt(self.res[i]) if p.haslayer(Padding): pad = p.getlayer(Padding).load if pad == pad[0]*len(pad): continue if lfilter is None or lfilter(p): print "%s %s %s" % (conf.color_theme.id(i,"%04i"), p.sprintf("%.time%"), self._elt2sum(self.res[i])) hexdump(p.getlayer(Padding).load) def conversations(self, getsrcdst=None,**kargs): """Graphes a conversations between sources and destinations and display it (using graphviz and imagemagick) getsrcdst: a function that takes an element of the list and return the source and dest by defaults, return source and destination IP type: output type (svg, ps, gif, jpg, etc.), passed to dot's "-T" option target: filename or redirect. Defaults pipe to Imagemagick's display program prog: which graphviz program to use""" if getsrcdst is None: getsrcdst = lambda x:(x[IP].src, x[IP].dst) conv = {} for p in self.res: p = self._elt2pkt(p) try: c = getsrcdst(p) except: #XXX warning() continue conv[c] = conv.get(c,0)+1 gr = 'digraph "conv" {\n' for s,d in conv: gr += '\t "%s" -> "%s"\n' % (s,d) gr += "}\n" do_graph(gr, **kargs) def afterglow(self, src=None, event=None, dst=None, **kargs): """Experimental clone attempt of http://sourceforge.net/projects/afterglow each datum is reduced as src -> event -> dst and the data are graphed. by default we have IP.src -> IP.dport -> IP.dst""" if src is None: src = lambda x: x[IP].src if event is None: event = lambda x: x[IP].dport if dst is None: dst = lambda x: x[IP].dst sl = {} el = {} dl = {} for i in self.res: try: s,e,d = src(i),event(i),dst(i) if s in sl: n,l = sl[s] n += 1 if e not in l: l.append(e) sl[s] = (n,l) else: sl[s] = (1,[e]) if e in el: n,l = el[e] n+=1 if d not in l: l.append(d) el[e] = (n,l) else: el[e] = (1,[d]) dl[d] = dl.get(d,0)+1 except: continue import math def normalize(n): return 2+math.log(n)/4.0 def minmax(x): m,M = min(x),max(x) if m == M: m = 0 if M == 0: M = 1 return m,M mins,maxs = minmax(map(lambda (x,y): x, sl.values())) mine,maxe = minmax(map(lambda (x,y): x, el.values())) mind,maxd = minmax(dl.values()) gr = 'digraph "afterglow" {\n\tedge [len=2.5];\n' gr += "# src nodes\n" for s in sl: n,l = sl[s]; n = 1+float(n-mins)/(maxs-mins) gr += '"src.%s" [label = "%s", shape=box, fillcolor="#FF0000", style=filled, fixedsize=1, height=%.2f,width=%.2f];\n' % (`s`,`s`,n,n) gr += "# event nodes\n" for e in el: n,l = el[e]; n = n = 1+float(n-mine)/(maxe-mine) gr += '"evt.%s" [label = "%s", shape=circle, fillcolor="#00FFFF", style=filled, fixedsize=1, height=%.2f, width=%.2f];\n' % (`e`,`e`,n,n) for d in dl: n = dl[d]; n = n = 1+float(n-mind)/(maxd-mind) gr += '"dst.%s" [label = "%s", shape=triangle, fillcolor="#0000ff", style=filled, fixedsize=1, height=%.2f, width=%.2f];\n' % (`d`,`d`,n,n) gr += "###\n" for s in sl: n,l = sl[s] for e in l: gr += ' "src.%s" -> "evt.%s";\n' % (`s`,`e`) for e in el: n,l = el[e] for d in l: gr += ' "evt.%s" -> "dst.%s";\n' % (`e`,`d`) gr += "}" open("/tmp/aze","w").write(gr) do_graph(gr, **kargs) def timeskew_graph(self, ip, **kargs): """Tries to graph the timeskew between the timestamps and real time for a given ip""" res = map(lambda x: self._elt2pkt(x), self.res) b = filter(lambda x:x.haslayer(IP) and x.getlayer(IP).src == ip and x.haslayer(TCP), res) c = [] for p in b: opts = p.getlayer(TCP).options for o in opts: if o[0] == "Timestamp": c.append((p.time,o[1][0])) if not c: warning("No timestamps found in packet list") return d = map(lambda (x,y): (x%2000,((x-c[0][0])-((y-c[0][1])/1000.0))),c) g = Gnuplot.Gnuplot() g.plot(Gnuplot.Data(d,**kargs)) return g def _dump_document(self, **kargs): d = pyx.document.document() l = len(self.res) for i in range(len(self.res)): elt = self.res[i] c = self._elt2pkt(elt).canvas_dump(**kargs) cbb = c.bbox() c.text(cbb.left(),cbb.top()+1,r"\font\cmssfont=cmss12\cmssfont{Frame %i/%i}" % (i,l),[pyx.text.size.LARGE]) if conf.verb >= 2: os.write(1,".") d.append(pyx.document.page(c, paperformat=pyx.document.paperformat.A4, margin=1*pyx.unit.t_cm, fittosize=1)) return d def psdump(self, filename = None, **kargs): """Creates a multipage poscript file with a psdump of every packet filename: name of the file to write to. If empty, a temporary file is used and conf.prog.psreader is called""" d = self._dump_document(**kargs) if filename is None: filename = "/tmp/scapy.psd.%i" % os.getpid() d.writePSfile(filename) os.system("%s %s.ps &" % (conf.prog.psreader,filename)) else: d.writePSfile(filename) print def pdfdump(self, filename = None, **kargs): """Creates a PDF file with a psdump of every packet filename: name of the file to write to. If empty, a temporary file is used and conf.prog.pdfreader is called""" d = self._dump_document(**kargs) if filename is None: filename = "/tmp/scapy.psd.%i" % os.getpid() d.writePDFfile(filename) os.system("%s %s.pdf &" % (conf.prog.pdfreader,filename)) else: d.writePDFfile(filename) print def sr(self,multi=0): """sr([multi=1]) -> (SndRcvList, PacketList) Matches packets in the list and return ( (matched couples), (unmatched packets) )""" remain = self.res[:] sr = [] i = 0 while i < len(remain): s = remain[i] j = i while j < len(remain)-1: j += 1 r = remain[j] if r.answers(s): sr.append((s,r)) if multi: remain[i]._answered=1 remain[j]._answered=2 continue del(remain[j]) del(remain[i]) i -= 1 break i += 1 if multi: remain = filter(lambda x:not hasattr(x,"_answered"), remain) return SndRcvList(sr),PacketList(remain) class Dot11PacketList(PacketList): def __init__(self, res, name="Dot11List", stats=None): if stats is None: stats = [Dot11WEP, Dot11Beacon, UDP, ICMP, TCP] PacketList.__init__(self, res, name, stats) def toEthernet(self): data = map(lambda x:x.getlayer(Dot11), filter(lambda x : x.haslayer(Dot11) and x.type == 2, self.res)) r2 = [] for p in data: q = p.copy() q.unwep() r2.append(Ether()/q.payload.payload.payload) #Dot11/LLC/SNAP/IP return PacketList(r2,name="Ether from %s"%self.listname) class SndRcvList(PacketList): def __init__(self, res, name="Results", stats=None): PacketList.__init__(self, res, name, stats) def _elt2pkt(self, elt): return elt[1] def _elt2sum(self, elt): return "%s ==> %s" % (elt[0].summary(),elt[1].summary()) class ARPingResult(SndRcvList): def __init__(self, res, name="ARPing", stats=None): PacketList.__init__(self, res, name, stats) def show(self): for s,r in self.res: print r.sprintf("%Ether.src% %ARP.psrc%") class TracerouteResult(SndRcvList): def __init__(self, res, name="Traceroute", stats=None): PacketList.__init__(self, res, name, stats) self.graphdef = None self.graphASN = 0 self.padding = 0 self.hloc = None self.nloc = None def show(self): return self.make_table(lambda (s,r): (s.sprintf("%IP.dst%:{TCP:tcp%ir,TCP.dport%}{UDP:udp%ir,UDP.dport%}{ICMP:ICMP}"), s.ttl, r.sprintf("%-15s,IP.src% {TCP:%TCP.flags%}{ICMP:%ir,ICMP.type%}"))) def get_trace(self): trace = {} for s,r in self.res: if IP not in s: continue d = s[IP].dst if d not in trace: trace[d] = {} trace[d][s[IP].ttl] = r[IP].src, ICMP not in r for k in trace.values(): m = filter(lambda x:k[x][1], k.keys()) if not m: continue m = min(m) for l in k.keys(): if l > m: del(k[l]) return trace def trace3D(self): """Give a 3D representation of the traceroute. right button: rotate the scene middle button: zoom left button: move the scene left button on a ball: toggle IP displaying ctrl-left button on a ball: scan ports 21,22,23,25,80 and 443 and display the result""" trace = self.get_trace() import visual class IPsphere(visual.sphere): def __init__(self, ip, **kargs): visual.sphere.__init__(self, **kargs) self.ip=ip self.label=None self.setlabel(self.ip) def setlabel(self, txt,visible=None): if self.label is not None: if visible is None: visible = self.label.visible self.label.visible = 0 elif visible is None: visible=0 self.label=visual.label(text=txt, pos=self.pos, space=self.radius, xoffset=10, yoffset=20, visible=visible) def action(self): self.label.visible ^= 1 visual.scene = visual.display() visual.scene.exit_on_close(0) start = visual.box() rings={} tr3d = {} for i in trace: tr = trace[i] tr3d[i] = [] ttl = tr.keys() for t in range(1,max(ttl)+1): if t not in rings: rings[t] = [] if t in tr: if tr[t] not in rings[t]: rings[t].append(tr[t]) tr3d[i].append(rings[t].index(tr[t])) else: rings[t].append(("unk",-1)) tr3d[i].append(len(rings[t])-1) for t in rings: r = rings[t] l = len(r) for i in range(l): if r[i][1] == -1: col = (0.75,0.75,0.75) elif r[i][1]: col = visual.color.green else: col = visual.color.blue s = IPsphere(pos=((l-1)*visual.cos(2*i*visual.pi/l),(l-1)*visual.sin(2*i*visual.pi/l),2*t), ip = r[i][0], color = col) for trlst in tr3d.values(): if t <= len(trlst): if trlst[t-1] == i: trlst[t-1] = s forecol = colgen(0.625, 0.4375, 0.25, 0.125) for trlst in tr3d.values(): col = forecol.next() start = (0,0,0) for ip in trlst: visual.cylinder(pos=start,axis=ip.pos-start,color=col,radius=0.2) start = ip.pos movcenter=None while 1: if visual.scene.kb.keys: k = visual.scene.kb.getkey() if k == "esc": break if visual.scene.mouse.events: ev = visual.scene.mouse.getevent() if ev.press == "left": o = ev.pick if o: if ev.ctrl: if o.ip == "unk": continue savcolor = o.color o.color = (1,0,0) a,b=sr(IP(dst=o.ip)/TCP(dport=[21,22,23,25,80,443]),timeout=2) o.color = savcolor if len(a) == 0: txt = "%s:\nno results" % o.ip else: txt = "%s:\n" % o.ip for s,r in a: txt += r.sprintf("{TCP:%IP.src%:%TCP.sport% %TCP.flags%}{TCPerror:%IPerror.dst%:%TCPerror.dport% %IP.src% %ir,ICMP.type%}\n") o.setlabel(txt, visible=1) else: if hasattr(o, "action"): o.action() elif ev.drag == "left": movcenter = ev.pos elif ev.drop == "left": movcenter = None if movcenter: visual.scene.center -= visual.scene.mouse.pos-movcenter movcenter = visual.scene.mouse.pos def world_trace(self): ips = {} rt = {} ports_done = {} for s,r in self.res: ips[r.src] = None if s.haslayer(TCP) or s.haslayer(UDP): trace_id = (s.src,s.dst,s.proto,s.dport) elif s.haslayer(ICMP): trace_id = (s.src,s.dst,s.proto,s.type) else: trace_id = (s.src,s.dst,s.proto,0) trace = rt.get(trace_id,{}) if not r.haslayer(ICMP) or r.type != 11: if ports_done.has_key(trace_id): continue ports_done[trace_id] = None trace[s.ttl] = r.src rt[trace_id] = trace trt = {} for trace_id in rt: trace = rt[trace_id] loctrace = [] for i in range(max(trace.keys())): ip = trace.get(i,None) if ip is None: continue loc = locate_ip(ip) if loc is None: continue # loctrace.append((ip,loc)) # no labels yet loctrace.append(loc) if loctrace: trt[trace_id] = loctrace tr = map(lambda x: Gnuplot.Data(x,with="lines"), trt.values()) g = Gnuplot.Gnuplot() world = Gnuplot.File(conf.gnuplot_world,with="lines") g.plot(world,*tr) return g def make_graph(self,ASN,padding): self.graphASN = ASN self.graphpadding = padding ips = {} rt = {} ports = {} ports_done = {} for s,r in self.res: ips[r.src] = None if s.haslayer(TCP) or s.haslayer(UDP): trace_id = (s.src,s.dst,s.proto,s.dport) elif s.haslayer(ICMP): trace_id = (s.src,s.dst,s.proto,s.type) else: trace_id = (s.src,s.dst,s.proto,0) trace = rt.get(trace_id,{}) if not r.haslayer(ICMP) or r.type != 11: if ports_done.has_key(trace_id): continue ports_done[trace_id] = None p = ports.get(r.src,[]) if r.haslayer(TCP): p.append(r.sprintf(" %TCP.sport%: %TCP.flags%")) trace[s.ttl] = r.sprintf('"%IP.src%":T%ir,TCP.sport%') elif r.haslayer(UDP): p.append(r.sprintf(" %UDP.sport%")) trace[s.ttl] = r.sprintf('"%IP.src%":U%ir,UDP.sport%') elif r.haslayer(ICMP): p.append(r.sprintf(" ICMP %ICMP.type%")) trace[s.ttl] = r.sprintf('"%IP.src%":I%ir,ICMP.type%') else: p.append(r.sprintf(" IP %IP.proto%")) trace[s.ttl] = r.sprintf('"%IP.src%":P%ir,IP.proto%') ports[r.src] = p else: trace[s.ttl] = r.sprintf('"%IP.src%"') rt[trace_id] = trace # Fill holes with unk%i nodes unk = 0 blackholes = [] bhip = {} for rtk in rt: trace = rt[rtk] k = trace.keys() for n in range(min(k), max(k)): if not trace.has_key(n): trace[n] = "unk%i" % unk unk += 1