Packet sniffer and interpreter... you know for research purposes
I wanted to literally dig into the payloads, frames, packets etc. of what's actually going back and forth over a network. Understanding the breakdown of the structure, byte-for-byte was a good learning experience.
I know, I know, I can just use scapy or use WireShark and dig into them, but where's the fun in that!?
- Example below of how to do the same in scapy
- For a deep dive into ethernet frames, see this great resource
- Listen on different interfaces
- Track statistics (start/end time, counts of frames/packets/etc.)
- All the
thingslisted below underOSI layers
Broken down into the OSI model layers, this tool can process/dump/inspect the following:
- Ethernet frame(s)
- ARP/RARP packet(s)?
- Contention as technically not but also L2.5 depending who you ask lol
- IPv4 packet(s)
- IPv6 packet(s)
- ICMP packets(s)
- ICMPv6 packets(s)
- IGMP packet(s)
- TCP segment(s)
- UDP datagram(s)
Minimum input required is the interface to listen on
sudo python McSniff.py <interface>
# example
sudo python McSniff.py eth0Using the -h flag will output the below for all options and params that can be supplied
~ sudo python McSniff.py -h
usage: McSniff.py [-h] [-p] [-s] [-t] [-2 [{ETH,ARP,RARP} ...]] [-3 [{IPv4,IPv6,ICMP,ICMPv6,IGMP} ...]] [-4 [{TCP,UDP} ...]] interface
Network analyser (packet sniffer)... for you know, research purposes ;)
positional arguments:
interface interface to analyse, run 'ip link' to list
options:
-h, --help show this help message and exit
-p, --payload dump payload output
-s, --stats enable and show statistics for what's been processed
-t, --https include dumps even for 443 port payloads (encrypted traffic)
-2 [{ETH,ARP,RARP} ...], --level2 [{ETH,ARP,RARP} ...]
OSI level 2 filter, by default listens for all, supply no args to ignore level
-3 [{IPv4,IPv6,ICMP,ICMPv6,IGMP} ...], --level3 [{IPv4,IPv6,ICMP,ICMPv6,IGMP} ...]
OSI level 3 filter, by default listens for all, supply no args to ignore level
-4 [{TCP,UDP} ...], --level4 [{TCP,UDP} ...]
OSI level 4 filter, by default listens for all, supply no args to ignore level
What you supply when toggling the levels is what you get, i.e. you supply only IPv4 you get only IPv4. Also a little bit of common sense is required, for example if you specify nothing for -3 you won't get anything for L4 (TCP/UDP) as it's nested within L3!
sudo python McSniff.py eth0 -2 ETHsudo python McSniff.py eth0 -2 ETH -3 IPv4 IPv6sudo python McSniff.py eth0 -2 ETH -3 IPv6 -4 UDP -p -swhile true; clear; echo 'Running...'; do sudo timeout 20 python McSniff.py eth0; echo 'Sleeping...'; sleep 5; done# eth - be connected to a network
# arp
sudo arping <destination>
# rarp - not really seen, can happen during boot but DCHP superseeded it# ICMP (v4)
ping -4 <destination>
ping -4 google.co.uk
# ICMPv6 - need to have IPv6 enabled on interface ofc
ping -6 <destination>
ping -6 google.co.uk# TCP - unsecure HTTP requests are great as you can see the payload, HTTPS is encrypted so you can't see payload (unless you have the certs to decrypt)
curl http://<destination>
# -k means ignore certs/verification, connect anyway
curl -k http://httpforever.com/
# UDP - DNS requests are easiest to trigger
dig <host>
dig google.co.uk
# to force the query to a specific name server, specify the @ flag
dig @<name server like 1.1.1.1> <host>
dig @1.1.1.1 google.co.uk- Python struct formatting
- Python socket docs
- Ethernet frame Wiki
- EtherType Wiki
- IPv4 packet structure Wiki
- IP protocol numbers Wiki
- UDP structure Wiki
- TCP strcuture Wiki
- Ping (ICMP/ICMPv6) structure Wiki
- ARP structure Wiki
from scapy.all import sniff
sniff(iface="eth0", prn=lambda x: x.show())