Introduction to three common IP packet sending tools

Antpower All Rights Reserved 2003 Technical Articles
Http:// 1st pages 14 pages
Antpower-Technical article
Lang Guojun, an ambitious member of Xiaoyi
1. Introduction
When developing network products, especially network security products, we always face the same problem: testing the stability and security of the TCP/IP protocol stack, to make sure the product keeps working normally, stably and efficiently when it encounters all kinds of irregular IP packets. In a normal network environment it is difficult to generate malformed IP packets, and harder still to generate the particular malformed packet we want. To test the product we therefore have to craft such packets ourselves. This article describes how to use several packet sending tools to create malformed IP packets.
2. Introduction to the IP packet sending Tool
There are many commonly used tools for generating IP packets, such as sendip, Nessus, ipsend, ippacket and sniffer. The following describes three of them: sendip, Nessus and sniffer.
2.1. sendip Tool
sendip is a command-line tool for Linux that sends IP packets. It has a large number of command-line parameters for specifying the header fields of various protocols. It currently supports NTP, BGP, RIP, RIPng, TCP, UDP, ICMP and raw IPv4 and IPv6 packet formats, and you can add data to the packet at will.
sendip runs on various Unix and Linux versions. I use Slackware 8.0 and RedHat 9.0.
You can download the latest source code or RPM package from the sendip website. The current version is 2.5, and the source package is only 54 K.
2.1.1. Installation Process
Installing sendip is very simple. First download the latest source code package from the website mentioned earlier. Then, in Linux, run:
# tar -xzvf sendip-2.5.tar.gz
# cd sendip-2.5
# make
# make install
This generates the sendip command in the /usr/local/bin directory and creates a sendip directory that holds the protocol module files, such as tcp.so.
By running this command on the command line we can generate the IP packets we need. You can also run it from a script to send a large number of IP packets automatically.
2.1.2. Packet sending Method
sendip can send packets in NTP, BGP, RIP, RIPng, TCP, UDP, ICMP, IPv4, IPv6 and other formats. sendip supports each protocol as a module, and the -p parameter selects the protocol type. To send packets of a given protocol you need some understanding of that protocol's packet format. TCP, UDP and ICMP packets must be encapsulated in IP packets before they can be sent. In this section we use TCP packets as the example.
The command-line format of sendip is shown by its help output:
Usage: sendip [-v] [-d data] [-h] [-f datafile] [-p module] [module options] hostname
 -d data      add this data as a string to the end of the packet
              Data can be:
              rN to generate N random(ish) data bytes;
              0x or 0X followed by hex digits;
              0 followed by octal digits;
              any other stream of bytes (fills the data segment of the packet with random data or with the specified bytes)
 -f datafile  read packet data from file (fills the data segment of the packet with the content of the specified file)
 -h           print this message (outputs help information)
 -p module    load the specified module (see below) (specifies the protocol type)
 -v           be verbose (outputs detailed information at run time; if not specified, nothing is output at run time)
(The protocol type is specified in the form of a module, with the -p parameter.)
Modules are loaded in the order the -p option appears. The headers from
each module are put immediately inside the headers from the previos model in
the final packet. For example, to embed bgp inside tcp inside ipv4, do
sendip -p ipv4 -p tcp -p bgp ....
Modules available at compile time:
 ipv4 ipv6 icmp tcp udp bgp rip ntp (the supported protocol types)
A command line looks like this:
# sendip -v -d r64 -p ipv4 -iv 4 -ih 5 -il 128 -is -id -p tcp -ts 1379 -td 23 -tt 8
-v: output detailed information while running. If this parameter is not specified, nothing is output.
-d r64: fill the data segment of the IP packet with 64 random bytes.
-p ipv4: set the protocol type to IP (the IP module has its own parameters, which start with i).
-iv 4: the protocol version is 4, that is, IPv4.
-ih 5: the IP header length is 5 × 4 = 20 bytes.
-il 128: the total length of the IP packet is 128 bytes.
-is: the source address of the IP packet.
-id: the destination address of the IP packet.
-p tcp: the protocol of the packet encapsulated in the IP packet (the TCP module has its own parameters, which start with t).
-ts 1379: the source port of the TCP packet is 1379.
-td 23: the destination port of the TCP packet is 23.
-tt 8: the TCP data offset, that is, the length of the TCP header. Without TCP options the offset is 5, that is, 20 bytes; it is larger when TCP options are present.
The last argument specifies the target host to send the packet to.
The preceding example showed how to use sendip to send a simple TCP packet. The following sections go through the IP and TCP parameters in detail, following the packet formats.
For the packet formats of other protocols, refer to the descriptions of the individual protocols in the TCP/IP literature. Here we only cover the format of IP packets and the format of TCP packets.
IP packet format:
Following the IP packet format, sendip has the command-line parameters below for setting the corresponding fields.
Each entry gives the field name, its size in bits, the sendip option, and a description.

Version (4 bits, -iv)
  Always 4 (the "4-bit version" field, usually 4 for IPv4).
Header length (4 bits, -ih)
  IP header length, measured in 32-bit words, 5 if there are no options (the "4-bit header length" field, which gives the length of the IP header in units of 32 bits, that is, 4 bytes. Without IP options it is usually 5, meaning a 20-byte header. Adjust the value when options are present).
Type of Service (8 bits, -iy)
  The type of service (ToS) field consists of 8 bits: a 3-bit priority field (ignored now), a 4-bit ToS sub-field and 1 unused bit that must be set to 0. The 4 bits of the ToS sub-field stand for minimum latency, maximum throughput, maximum reliability and minimum cost. Only one of the 4 bits may be set. Set the bit you want and pass the resulting value in decimal. To request maximum throughput (00001000), you only need to add the -iy 8 parameter.
Total Length (16 bits, -il)
  Total length of IP packet including header and data, measured in octets (the total length of the IP packet, including the IP header and the data part, in 8-bit bytes. The maximum value is 65535).
Identification (16 bits, -ii)
  Used to help reassemble fragmented packets (the ID number of the IP packet, which helps to reassemble fragmented IP packets).
Flags (3 bits)
  -ifr  1 bit: reserved, should be 0
  -ifd  1 bit: Don't fragment (specify -ifd x, where x can be 0, 1 or r)
  -ifm  1 bit: More fragments (specify -ifm x, where x can be 0, 1 or r)
Fragment Offset (13 bits, -if)
  Where in the reconstructed datagram this fragment belongs, measured in 64-bit words starting from 0 (the fragment offset, in units of 8 bytes).
Time to Live (8 bits, -it)
  Number of routers the packet can pass through before being discarded (the TTL, in the range 0 to 255. It is the number of routers the packet may pass through, and prevents a packet from travelling endlessly around a routing loop).
Protocol (8 bits, -ip)
  Protocol associated with the data. See IANA for an up-to-date list of assigned numbers (the protocol number of the upper-layer protocol encapsulated in the IP packet, for example 6 for TCP. The latest protocol number table is available from IANA).
Header checksum (16 bits, -ic)
  Checksum of the IP header data (with checksum set to zero) (the IP header checksum value. It is normally calculated by sendip, so this parameter is not specified unless you want to send a wrong checksum).
Source Address (32 bits, -is)
  duhh... (the source address, in dotted decimal notation)
Destination Address (32 bits, -id)
  cabbage (the destination address, in dotted decimal notation)
Options (variable, -io...)
  No options are required. Any number can be added. See below for details (the various IP options. If IP options are present, the IP header length given earlier must include the length of the IP options. The header is 20 bytes when no options are included, and the value can be set accordingly when options are included. You can also set a mismatching value on purpose to create a packet that does not conform to the specification).
If IP options are present, you can also specify their values. The IP options supported by sendip are listed below.
Each entry gives the name, the sendip option, and then RFC, copy, class, number, type and length (0 = length field not present).

EOL (-ioeol): RFC 791, copy 0, class 0, number 0, type 0, length 0
  Used as padding if needed (when this option is used, the unused bits of the IP header are automatically filled with 0).
NOP (-ionop): RFC 791, copy 0, class 0, number 1, type 1, length 0
  Do nothing. Often used as padding so the next option starts on a 32-bit boundary.
RR (-iorr): RFC 791, copy 0, class 0, number 7, type 7, length variable
  Used to record the route of a packet (the format is 0f:ff.ff.ff.ff:..., where -iorr selects record route and sets the IP option number to 07. 0f is the pointer, that is, the pointer past the last recorded IP address. The length of the IP option is calculated automatically).
TS (-iots): RFC 791, copy 0, class 2, number 4, type 68, length variable
  Used to record the time at which a packet was processed by an intermediate system.
LSR (-iolsr): RFC 791, copy 1, class 0, number 3, type 131, length variable
  Loose Source Route: lets the source specify the route for a packet.
SID (-iosid): RFC 791, copy 1, class 0, number 8, type 136, length 4
  Rarely used, carries the SATNET stream identifier.
SSR (-iossr): RFC 791, copy 1, class 0, number 9, type 137, length variable
  Strict Source Route: same as LSR, but extra hops are not allowed.
Security: copy 1, class 0, number 2, type 130, length variable
  Security, rarely used.
E-SEC: RFC 1108, copy 1, class 0, number 5, type 133, length variable
  Extended security, rarely used.
IP options are specified in sendip with a somewhat special format. The following uses the RR (record route) option as an example.
To send a packet that has recorded three IP addresses, the IP header length must include the length of the IP option, and you must also specify the pointer position of the RR option and the recorded IP addresses (normally the system records the IP addresses and updates the pointer dynamically, but here they must be specified by hand). After three IP addresses have been recorded, the pointer position should be 3 + 4 × 3 + 1 = 16. The resulting packet should look like this:
IP header   07   15    16    (IP1)     (IP2)     (IP3)     00 (-ioeol)   TCP
20 bytes    RR   Len   Ptr   4 bytes   4 bytes   4 bytes
The command line is as follows:
# sendip -d r64 -p ipv4 -iv 4 -ih 10 -il 128 -is 0.0.234:
-ioeol -p tcp -ts 1379 -td 23 -tt 8
-ih 10: the IP header length is 10 × 4 = 40 bytes. Subtracting the standard 20 bytes leaves 20 bytes reserved for options.
In -iorr 0.0.234:, the leading 10 is the pointer position in hexadecimal, followed by three IP addresses in dotted decimal notation, separated by colons.
-ioeol: the IP options end with 00, and the unused part of the IP header is filled with random numbers.
The section above used the RR record route option as an example of how to specify IP options in sendip. Of course you can also send packets whose IP options do not conform to the specification. The other IP options work the same way; you need to know the format of the IP option in detail to send it correctly.
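The check a stack under test should make on the Record Route layout described above, as an added example that is not part of the original article: it rebuilds the 40-byte header (IHL 10, option bytes 07 15 16, three addresses, EOL) and validates header length, checksum, option length and the RR pointer. The function names and the 192.0.2.x addresses are constructed for illustration.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rr_option(addrs, ptr=None, length=None):
    """Record Route option: type 7, length, pointer, then the recorded addresses."""
    body = b"".join(socket.inet_aton(a) for a in addrs)
    length = 3 + len(body) if length is None else length
    ptr = 3 + len(body) + 1 if ptr is None else ptr    # 3 + 4*3 + 1 = 16 for three hops
    return bytes([7, length, ptr]) + body

def build_packet(options: bytes, ihl: int = 10, payload: bytes = b"\x00" * 24) -> bytes:
    """Constructed test input: IPv4 header (IHL in 32-bit words), options, payload."""
    opts = options.ljust(ihl * 4 - 20, b"\x00")        # pad with EOL (00) up to IHL
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                      20 + len(opts) + len(payload), 0xABA, 0, 255, 6, 0,
                      socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.2")) + opts
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def validate(pkt: bytes) -> list:
    """Return a list of findings; an empty list means the header is well formed."""
    if len(pkt) < 20:
        return ["shorter than the minimum IPv4 header"]
    findings = []
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    hlen = ihl * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if version != 4:
        findings.append(f"version {version} is not 4")
    if ihl < 5 or hlen > len(pkt):
        return findings + [f"header length {hlen} is out of range"]
    if total_len != len(pkt):
        findings.append(f"total length {total_len} != {len(pkt)} bytes received")
    if checksum(pkt[:hlen]) != 0:                      # a valid header sums to zero
        findings.append("header checksum mismatch")
    i = 20
    while i < hlen:                                    # walk the option area
        kind = pkt[i]
        if kind == 0:                                  # EOL: end of option list
            break
        if kind == 1:                                  # NOP: single byte, no length field
            i += 1
            continue
        olen = pkt[i + 1] if i + 1 < hlen else 0
        if olen < 2 or i + olen > hlen:
            findings.append(f"option {kind}: length {olen} overruns header")
            break
        if kind == 7:                                  # Record Route
            ptr = pkt[i + 2] if olen >= 3 else 0
            if (olen - 3) % 4 or ptr < 4 or (ptr - 4) % 4 or ptr > olen + 1:
                findings.append(f"record route: bad pointer {ptr} for length {olen}")
        i += olen
    return findings

if __name__ == "__main__":
    hops = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]  # constructed sample addresses
    print(validate(build_packet(rr_option(hops) + b"\x00")))
    print(validate(build_packet(rr_option(hops, ptr=17))))
```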
TCP packet format:
Following the TCP packet format, sendip has the command-line parameters below for setting the corresponding fields of the TCP packet.
Each entry gives the field name, its size in bits, the sendip option, and a description.

Source Port (16 bits, -ts)
  Source port number for the connection (the TCP source port, in decimal).
Destination Port (16 bits, -td)
  Destination port number (the TCP destination port, in decimal).
Sequence Number (32 bits, -tn)
  Number of the first data octet in this packet. If SYN bit is set, this is the number of the first data octet of the stream too (the TCP sequence number. If this parameter is not specified, it is generated randomly).
Acknowledgment Number (32 bits, -ta)
  If ACK bit is set, the next sequence number the sender is expecting to receive.
Data offset (4 bits, -tt)
  Length of TCP header in 32-bit words (the length of the TCP header, in units of 32 bits, that is, 4 bytes).
Reserved (4 bits, -tr)
  Should be 0. Note, RFC 793 defines this as a 6-bit field, the last 2 are used by RFC 2481 for ECN as below.
Flags: ECN (1 bit, -tfe)
Flags: CWR (1 bit, -tfc)
  ECN extension flags, see RFC 2481 (the TCP flags. To turn a bit on, give the corresponding parameter a value on the command line. To set SYN, for example, you only need to add -tfs 1 to the command line).
Flags: URG (1 bit, -tfu)
  Urgent pointer is significant (same as above).
Flags: ACK (1 bit, -tfa)
  Acknowledgment field is significant (same as above).
Flags: PSH (1 bit, -tfp)
  Push function (same as above).
Flags: RST (1 bit, -tfr)
  Reset the connection (same as above).
Flags: SYN (1 bit, -tfs)
  Synchronize sequence numbers (same as above).
Flags: FIN (1 bit, -tff)
  No more data from sender (same as above).
Window (16 bits, -tw)
  Number of octets, starting from the one in the acknowledgement field, that the sender is willing to accept.
Checksum (16 bits, -tc)
  Checksum of the TCP header (with checksum set to 0), data, and a pseudo-header including the source and destination IP addresses, IP protocol field and a 16-bit length of the TCP header and data.
Urgent Pointer (16 bits, -tu)
  If URG bit is set, the offset of the last octet of urgent data in this packet.
Options (variable, -to...)
  No options are required. Any number can be added. See below for details.
If TCP options are present, you can also specify their values. The TCP options supported by sendip are listed below.
Each entry gives the name, the sendip option, and then RFC, type and length (0 = length field not present).

EOL (-toeol): RFC 793, type 0, length 0
  Used as padding if needed (filled with 00, marking the end of the TCP options. The rest of the TCP header is filled with random numbers).
NOP (-tonop): RFC 793, type 1, length 0
  Do nothing. Often used as padding so the next option starts on a 32-bit boundary.
MSS (-tomss): RFC 793, type 2, length 4
  Specify the maximum receive segment size of the sender as a 16-bit number. Only valid when SYN is also set.
WSOPT (-towscale): RFC 1323, type 3, length 3
  The window size should be left-shifted by the value of the option (an 8-bit number). Only valid when SYN is also set.
SACKOK (-tosackok): RFC 2018, type 4, length 2
  Selective acknowledgement is permitted on this connection.
SACK (-tosack): RFC 2018, type 5, length variable
  Selective acknowledgement of non-contiguous blocks of data. The data in the option is a series of (left edge)-(right edge) pairs giving, respectively, the first sequence number that has been received and the first that hasn't.
TSOPT (-tots): RFC 1323, type 8, length 10
  Timestamp. The first 4 bytes (TSval) are the time that the packet was sent, the remaining 4 (TSecr) echo the TSval of a packet that was received. TSecr is only valid when the ACK bit is set.
As the table shows, a TCP option may be a single byte, such as -toeol and -tonop. Otherwise the option is composed of a type number, a length, and the number of data bytes given by the length. sendip calculates the length of the TCP option automatically, so you only specify the value of the TCP option.
When setting TCP options, the length of the TCP header must also include the length of the TCP options.
The format of a TCP option is roughly as follows:
Kind = 3            Len = 3             Data: shift count
TCP option number   TCP option length   TCP option data, one byte; the total length is three bytes
For the command line, refer to the following:
# sendip -d r64 -p ipv4 -iv 4 -ih 10 -il 128 -is 0.0.234:
-ioeol -p tcp -ts 1379 -td 23 -tt 8 -tfa 0 -tfs 1 -towscale 0 -toeol
-towscale 0: sets TCP option 3, with the length automatically set to 3 and an option value of 0.
-toeol: marks the end of the TCP options; the rest of the TCP header is filled with random numbers.
Because sendip does not let you set the length of a TCP option, sending a packet with an incorrect option length needs the help of another tool such as Sniffer: capture the packet sent by sendip, then change the length of the TCP option to an irregular value.
With the content above we have basically covered how to use sendip to send packets of various protocols. It can also send non-conforming packets, such as packets with checksum errors, incorrect lengths or incorrect flag bits. We recommend using it together with Sniffer to verify that the packets sent by sendip are what was intended, and to test in a targeted way.
2.2. Nessus Tool
Nessus is a very large tool that provides comprehensive security scanning services and also a comprehensive packet sending function, which can construct network packets in various formats. This article only covers the packet sending function of Nessus.
Nessus consists of two parts. One is the server, which usually runs on POSIX systems such as Linux/Unix and is responsible for scanning, attacking and collecting data. The other is the client, which can run on Linux/Unix systems or on Windows and receives and displays the data.
If you only want to send packets, you only need the server.
Nessus has a dedicated maintenance site where you can download the latest source code at any time and get comprehensive help. The latest Nessus version is currently 2.0.8a.
2.2.1. Nessus Installation Method
Before installing Nessus, you need to know which supporting software packages it may need. One is GTK: the Nessus client on POSIX systems requires GTK. If GTK is already installed on your system, make sure the gtk-config program is present. You can download the latest GTK from its site. If you only want to install the server on a Linux/Unix system, you do not need the GTK package. The other is the OpenSSL package: if you want the client and server to communicate over SSL, you need the OpenSSL package, which you can download from its site. This package is optional.
There are three ways to install Nessus. The first is to install it directly from the Internet using the lynx tool in Linux. This method is easy, but its security is low, so we do not detail it here; you can find the relevant information on the Nessus website. The second is to install directly with the tool provided by Nessus, which is simple and relatively secure. The third is to obtain the source code packages, compile them separately and then install them. The second and third methods are described below.
Installation using the tool provided by Nessus
Download the latest file from the Nessus website to a local Linux directory, and then execute
# sh
The system installs Nessus automatically. Along the way you are prompted for some information; just keep pressing Enter.
Installation using the source code packages
To install from source, you need to download four software packages and install them in order. The four packages are nessus-libraries, libnasl, nessus-core and nessus-plugins.
These four packages must be installed in this order.
Before installing, obtain the four packages mentioned above. The current version is 2.0.8a.
Then start the installation.
1. Install nessus-libraries
# tar -xzvf nessus-libraries-x.x.tar.gz
# cd nessus-libraries-x.x
# ./configure
# make
# make install
2. Install libnasl-x.x.tar.gz (perform the same operations as above)
3. Install nessus-core.x.tar.gz (perform the same operations as above)
4. Install nessus-plugins.x.x.tar.gz (perform the same operations as above)
5. On a Linux system, make sure that the /usr/local/lib path is listed in the /etc/ld.so.conf file. On a Solaris system, you must run
# export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
6. Run the ldconfig command
7. If you do not want to use the GTK client, or cannot, you can force the command-line client by compiling nessus-core as follows:
# tar -xzvf nessus-core-x.x.tar.gz
# cd nessus-core-x.x
# ./configure --disable-gtk
# make
# make install
After running the preceding commands, Nessus is installed on your system.
2.2.2. Nessus packet sending Method
Nessus normally uses scripts to control the packets it sends. Below we use the Santa Claus attack packet as an example of how to send packets with Nessus.
A Santa Claus packet tries to penetrate a firewall by setting both the SYN and FIN flags in the TCP header, in order to carry out the attack.
To send the packet with Nessus, you first have to write a script. In Linux, run vi sendp and enter the following content:
srcaddr = this_host();                       # automatically obtain the IP address of the current host
ip = forge_ip_packet(ip_v : 4,               # the IP protocol version is IPv4
                     ip_hl : 5,              # the IP header length is 5 x 4 = 20 bytes
                     ip_tos : 0,
                     ip_len : 40,            # the actual length: IP header and TCP header are 20 bytes each
                     ip_id : 0xABA,
                     ip_p : IPPROTO_TCP,     # the encapsulated protocol is TCP
                     ip_ttl : 255,
                     ip_off : 0,
                     ip_src : srcaddr);      # an IP address can also be entered here directly
port = get_host_open_port();                 # automatically obtain an open port on the host
if (!port) port = 139;                       # if no port is found, use port 139
tcpip = forge_tcp_packet(ip : ip,            # use the IP packet defined above as the IP layer
                         th_sport : port,    # a port can also be entered here directly
                         th_dport : port,    # a port can also be entered here directly
                         th_flags : TH_SYN|TH_FIN,   # set the SYN and FIN flags
                         th_seq : 0xF1C,
                         th_ack : 0,
                         th_x2 : 0,
                         th_off : 5,         # the TCP header length is 5 x 4 = 20 bytes
                         th_win : 512,
                         th_urp : 0);
result = send_packet(tcpip, pcap_active : FALSE);
After editing the script, save and exit. Run the following command:
# nasl -t <destination IP address> <test script>
For example:
# nasl -t sendp
By capturing with Sniffer, you will see the corresponding Santa Claus packet.
During my use, I found that Nessus does not seem to support sending packets with IP or TCP options.
For specific packet sending parameters, refer to the
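How a device under test can flag the two TCP irregularities discussed above, the SYN+FIN flag combination and a TCP option whose length is wrong, shown as an added example that is not part of the original article. The function names and the sample segments are constructed; the ports, sequence number and window reuse the values from the script above, and the option lengths come from the TCP option table.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}   # MSS, WSOPT, SACKOK, TSOPT lengths from the table
SYN_ONLY = {2, 3}                        # MSS and WSOPT are only valid when SYN is set

def build_tcp(flags: int, options: bytes = b"", offset: int = None) -> bytes:
    """Constructed test input: TCP header, options padded with EOL (00) to 32 bits."""
    opts = options + b"\x00" * (-len(options) % 4)
    off = 5 + len(opts) // 4 if offset is None else offset
    return struct.pack("!HHIIBBHHH", 1379, 23, 0xF1C, 0,
                       off << 4, flags, 512, 0, 0) + opts

def check_tcp(seg: bytes) -> list:
    """Return a list of findings for one TCP segment; empty means nothing irregular."""
    if len(seg) < 20:
        return ["shorter than the minimum TCP header"]
    findings = []
    hlen = (seg[12] >> 4) * 4            # data offset is counted in 32-bit words
    flags = seg[13] & 0x3F
    if flags & SYN and flags & FIN:
        findings.append("SYN and FIN set together")
    if hlen < 20 or hlen > len(seg):
        return findings + [
            f"data offset gives {hlen}-byte header, segment has {len(seg)} bytes"]
    i = 20
    while i < hlen:                      # walk kind/length/data triples
        kind = seg[i]
        if kind == 0:                    # EOL: end of option list
            break
        if kind == 1:                    # NOP: single byte, no length field
            i += 1
            continue
        olen = seg[i + 1] if i + 1 < hlen else 0
        if olen < 2 or i + olen > hlen:
            findings.append(f"option {kind}: length {olen} overruns header")
            break
        if kind in FIXED_LEN and olen != FIXED_LEN[kind]:
            findings.append(f"option {kind}: length {olen}, expected {FIXED_LEN[kind]}")
        if kind in SYN_ONLY and not flags & SYN:
            findings.append(f"option {kind} present without SYN")
        i += olen
    return findings

if __name__ == "__main__":
    print(check_tcp(build_tcp(SYN, bytes([3, 3, 0]))))        # well-formed window scale
    print(check_tcp(build_tcp(SYN | FIN)))                    # the flag pair from the script
    print(check_tcp(build_tcp(SYN, bytes([3, 4, 0, 0]))))     # option length edited after capture
```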
2.3. sniffer Tool
Sniffer offers two ways to send packets. One is to use the Packet Generator tool directly and build a packet from scratch in hexadecimal. This is difficult, because you have to calculate the checksums yourself, so it is mainly useful when you need to reproduce a hexadecimal packet captured on the network. The other is to take a captured packet, modify it, and then send it out. Both methods are described below.
2.3.1. Use packet generator to directly create a package
In Sniffer, select Tools | Packet Generator. A window pops up.
Pressing the button marked with the red box in the figure opens a dialog box for constructing the packet content.
There you can enter the packet content and specify the number of packets and the packet length.
2.3.2. Use captured packets to send packets
Modifying a captured packet avoids a lot of manual work and input: you only change the positions you want to change and then send the packet out.
After creating a packet with another tool according to the general requirements, capture it with Sniffer, or directly capture a suspicious packet on the network, and then right-click the packet. In the shortcut menu that appears, select Send Current Frame, and the packet sending window pops up.
Change the packet content as required and send the packet. Note that if the IP address or other content in the header is changed, you need to update the checksum. You do not need to change the checksum when changing the MAC or options.
3. Summary
Comparing the three packet sending tools above, we find that each has its own advantages and disadvantages. sendip is small and complete, and is suitable for routine testing. Sniffer is the most flexible and can be used to send any possible packet. The Nessus tool provides comprehensive functions, but it is not as good as sendip at packet sending.
For testing, sendip and Sniffer should be used together. If you need scanning and other functions, you can use the Nessus tool.
