Scapy Study Notes (2) -- Definition and construction of packets


Please credit when reposting: @Xiaowuyi: http://www.cnblogs/xiaowuyi

I. Packets

A packet is the basic data unit of TCP/IP communication (also called a datagram). It consists mainly of a destination IP address, a source IP address and the payload it carries, i.e. a header and a body. The header has a fixed length, each of its fields has a fixed length, and the body is of variable length. The headers of request packets and response packets have the same layout; they differ in the definition of the body. A packet is much like an ordinary letter: the destination IP address is the recipient's address, the source IP address is the sender's address, and the payload is the content of the letter. Packets travel along different paths through one or more networks and are reassembled at the destination.

II. Common terms

ICMP (Internet Control Message Protocol) is a sub-protocol of the TCP/IP family used to pass control messages between IP hosts and routers. Control messages are messages about the network itself, such as whether the network is reachable, whether a host is reachable and whether a route is available. Although they carry no user data, they play an important role in the delivery of user data.

DST: destination address

SRC: source address

TTL (Time To Live) specifies how many network hops a packet may pass through before a router discards it. TTL is a value in the IP header that tells the network whether a packet should be dropped because it has been in the network too long. There are many reasons a packet may fail to reach its destination within a reasonable time; the remedy is to discard it after a while and notify the sender, which then decides whether to resend. The initial TTL is usually a system default; it is an 8-bit field in the header. TTL was originally meant to express a time span after which the packet is dropped, but since every router must decrement the field by at least one, in practice TTL indicates the maximum number of routers the packet may traverse before being discarded. When the count reaches 0, the router drops the packet and sends an ICMP message back to the original sender.

III. Several common commands in Scapy

1. ls(): displays all supported packet types (layers). It can be called with or without an argument; the argument is a specific layer, in which case that layer's fields are listed. Part of the output is shown below:

>>> from scapy.all import *
WARNING: No route found for IPv6 destination :: (no default route?)
>>> ls()
ARP        : ARP
ASN1_Packet : None
BOOTP      : BOOTP
CookedLinux : cooked linux
DHCP       : DHCP options
DHCP6      : DHCPv6 Generic Message)
DHCP6OptAuth : DHCP6 Option - Authentication
DHCP6OptBCMCSDomains : DHCP6 Option - BCMCS Domain Name List
DHCP6OptBCMCSServers : DHCP6 Option - BCMCS Addresses List
DHCP6OptClientFQDN : DHCP6 Option - Client FQDN
DHCP6OptClientId : DHCP6 Client Identifier Option
DHCP6OptDNSDomains : DHCP6 Option - Domain Search List option
DHCP6OptDNSServers : DHCP6 Option - DNS Recursive Name Server
DHCP6OptElapsedTime : DHCP6 Elapsed Time Option

List the fields of the TCP layer:

>>> from scapy.all import *
WARNING: No route found for IPv6 destination :: (no default route?)
>>> ls(TCP)
sport      : ShortEnumField       = (20)
dport      : ShortEnumField       = (80)
seq        : IntField             = (0)
ack        : IntField             = (0)
dataofs    : BitField             = (None)
reserved   : BitField             = (0)
flags      : FlagsField           = (2)
window     : ShortField           = (8192)
chksum     : XShortField          = (None)
urgptr     : ShortField           = (0)
options    : TCPOptionsField      = ({})

List the fields of a specific packet instance (current value first, default value in parentheses):

>>> a=IP(ttl=5)
>>> a.src
'127.0.0.1'
>>> a
<IP  ttl=5 |>
>>> a.dst
'127.0.0.1'
>>> a.dst="192.168.0.1"
>>> a
<IP  ttl=5 dst=192.168.0.1 |>
>>> ls(a)
version    : BitField             = 4               (4)
ihl        : BitField             = None            (None)
tos        : XByteField           = 0               (0)
len        : ShortField           = None            (None)
id         : ShortField           = 1               (1)
flags      : FlagsField           = 0               (0)
frag       : BitField             = 0               (0)
ttl        : ByteField            = 5               (64)
proto      : ByteEnumField        = 0               (0)
chksum     : XShortField          = None            (None)
src        : Emph                 = '27.214.7.85'   (None)
dst        : Emph                 = '192.168.0.1'   ('127.0.0.1')
options    : PacketListField      = []              ([])
>>>

2. lsc(): lists all available commands (functions). For example:

>>> lsc()
arpcachepoison      : Poison target's cache with (your MAC,victim's IP) couple
arping              : Send ARP who-has requests to determine which hosts are up
bind_layers         : Bind 2 layers on some specific fields' values
corrupt_bits        : Flip a given percentage or number of bits from a string
corrupt_bytes       : Corrupt a given percentage or number of bytes from a string
defrag              : defrag(plist) -> ([not fragmented], [defragmented],
defragment          : defrag(plist) -> plist defragmented as much as possible 
dyndns_add          : Send a DNS add message to a nameserver for "name" to have a new "rdata"
dyndns_del          : Send a DNS delete message to a nameserver for "name"
etherleak           : Exploit Etherleak flaw
fragment            : Fragment a big IP datagram
fuzz                : Transform a layer into a fuzzy layer by replacing some default values by random objects
getmacbyip          : Return MAC address corresponding to a given IP address
hexdiff             : Show differences between 2 binary strings
hexdump             : --
hexedit             : --
is_promisc          : Try to guess if target is in Promisc mode. The target is provided by its ip.
linehexdump         : --
ls                  : List  available layers, or infos on a given layer
promiscping         : Send ARP who-has requests to determine which hosts are in promiscuous mode
rdpcap              : Read a pcap file and return a packet list
send                : Send packets at layer 3
sendp               : Send packets at layer 2
sendpfast           : Send packets at layer 2 using tcpreplay for performance
sniff               : Sniff packets
split_layers        : Split 2 layers previously bound
sr                  : Send and receive packets at layer 3
sr1                 : Send packets at layer 3 and return only the first answer
srbt                : send and receive using a bluetooth socket
srbt1               : send and receive 1 packet using a bluetooth socket
srflood             : Flood and receive packets at layer 3
srloop              : Send a packet at layer 3 in loop and print the answer each time
srp                 : Send and receive packets at layer 2
srp1                : Send and receive packets at layer 2 and return only the first answer
srpflood            : Flood and receive packets at layer 2
srploop             : Send a packet at layer 2 in loop and print the answer each time
traceroute          : Instant TCP traceroute
tshark              : Sniff packets and print them calling pkt.show(), a bit like text wireshark
wireshark           : Run wireshark on a list of packets
wrpcap              : Write a list of packets to a pcap file

3. hide_defaults(): removes explicitly set field values (for example those filled in when a packet is dissected from a string) that are equal to the field's default value, so only the non-default fields remain visible:

>>> a=IP()/TCP()
>>> b=IP(str(a))
>>> b
<IP  version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=64 proto=tcp chksum=0x7ccd src=127.0.0.1 dst=127.0.0.1 options=[] |<TCP  sport=ftp_data dport=http seq=0 ack=0 dataofs=5L reserved=0L flags=S window=8192 chksum=0x917c urgptr=0 |>>
>>> b.hide_defaults()
>>> b
<IP  ihl=5L len=40 frag=0 proto=tcp chksum=0x7ccd src=127.0.0.1 |<TCP  dataofs=5L chksum=0x917c |>>

4. display(): the display() method is a simple way to view the value of every field in the current packet. For an example, see the IP().display() and TCP().display() output in the next section.

5. sprintf(): outputs the value of a field of a given layer; if the field does not exist it outputs ??. The format is %[[fmt][r],][layer[:nb].]field%. For details of the parameters, see Security Power Tools (p. 146) or http://wikicode.net. Example:

>>> a=IP()/TCP()
>>> a.sprintf("%IP.gabuzomeu%")
'??'

IV. Creating a packet

Scapy builds packets following the layered TCP/IP reference model: network interface layer, Internet layer, transport layer and application layer. Each layer has its own constructor, such as IP(), TCP(), UDP() and so on, and layers are joined with the "/" operator. Examples:

Example 1
>>> a = IP(ttl=5)
>>> a.src
'127.0.0.1'
>>> a
<IP  ttl=5 |>
>>> a.dst
'127.0.0.1'
>>> a.dst = "192.168.0.1"
>>> a
<IP  ttl=5 dst=192.168.0.1 |>
>>> packet1 = a
>>> packet1
<IP  ttl=5 dst=192.168.0.1 |>

Example 2
>>> packet2 = IP(dst="192.168.0.1")/TCP(dport=80)

Example 3
>>> packet3 = IP(dst="www.baidu.com")/ICMP()
>>> packet3
<IP  frag=0 proto=icmp dst=Net('www.baidu.com') |<ICMP  |>>
>>> ls(packet3)
version    : BitField             = 4               (4)
ihl        : BitField             = None            (None)
tos        : XByteField           = 0               (0)
len        : ShortField           = None            (None)
id         : ShortField           = 1               (1)
flags      : FlagsField           = 0               (0)
frag       : BitField             = 0               (0)
ttl        : ByteField            = 64              (64)
proto      : ByteEnumField        = 1               (0)
chksum     : XShortField          = None            (None)
src        : Emph                 = '27.214.7.85'   (None)
dst        : Emph                 = Net('www.baidu.com') ('127.0.0.1')
options    : PacketListField      = []              ([])
--
type       : ByteEnumField        = 8               (8)
code       : MultiEnumField       = 0               (0)
chksum     : XShortField          = None            (None)
id         : ConditionalField     = 0               (0)
seq        : ConditionalField     = 0               (0)
ts_ori     : ConditionalField     = 4842323         (4842323)
ts_rx      : ConditionalField     = 4842323         (4842323)
ts_tx      : ConditionalField     = 4842323         (4842323)
gw         : ConditionalField     = '0.0.0.0'       ('0.0.0.0')
ptr        : ConditionalField     = 0               (0)
reserved   : ConditionalField     = 0               (0)
addr_mask  : ConditionalField     = '0.0.0.0'       ('0.0.0.0')
unused     : ConditionalField     = 0               (0)

Example 4 (the destination may be a network range, which Scapy wraps in a Net object)
>>> target = "www.baidu.com/30"
>>> ip = IP(dst=target)
>>> ip
<IP  dst=Net('www.baidu.com/30') |>
>>> ls(ip)
version    : BitField             = 4               (4)
ihl        : BitField             = None            (None)
tos        : XByteField           = 0               (0)
len        : ShortField           = None            (None)
id         : ShortField           = 1               (1)
flags      : FlagsField           = 0               (0)
frag       : BitField             = 0               (0)
ttl        : ByteField            = 64              (64)
proto      : ByteEnumField        = 0               (0)
chksum     : XShortField          = None            (None)
src        : Emph                 = '27.214.7.85'   (None)
dst        : Emph                 = Net('www.baidu.com/30') ('127.0.0.1')
options    : PacketListField      = []              ([])
>>> IP().display()
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = ip
  chksum    = None
  src       = 127.0.0.1
  dst       = 127.0.0.1
  \options   \
>>> TCP().display()
###[ TCP ]###
  sport     = ftp_data
  dport     = http
  seq       = 0
  ack       = 0
  dataofs   = None
  reserved  = 0
  flags     = S
  window    = 8192
  chksum    = None
  urgptr    = 0
  options   = {}

The display() method shows the value of every field of the current packet.

V. Packet structure

In Scapy each layer is implemented as a class; you only need to instantiate the class, call its methods or change its field values. If IP() is given no arguments, its fields take their default values; if arguments are given, they override the defaults:

>>> a = IP()
>>> a.display()
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = ip
  chksum    = None
  src       = 127.0.0.1
  dst       = 127.0.0.1
  \options   \
>>> a = IP(dst="192.168.0.1")
>>> a.display()
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 64
  proto     = ip
  chksum    = None
  src       = 27.214.7.**   (local IP address)
  dst       = 192.168.0.1
  \options   \

Compare the two display() outputs: in the first, dst holds its default value; in the second it is "192.168.0.1".

"/" is used to join layers, as in IP()/TCP(). For example:

>>> IP()
<IP  |>
>>> IP()/TCP()
<IP  frag=0 proto=tcp |<TCP  |>>
>>> Ether()/IP()/TCP()
<Ether  type=0x800 |<IP  frag=0 proto=tcp |<TCP  |>>>
>>> IP()/TCP()/"GET / HTTP/1.0\r\n\r\n"
<IP  frag=0 proto=tcp |<TCP  |<Raw  load='GET / HTTP/1.0\r\n\r\n' |>>>
>>> Ether()/IP()/IP()/UDP()
<Ether  type=0x800 |<IP  frag=0 proto=ipencap |<IP  frag=0 proto=udp |<UDP  |>>>>
>>> IP(proto=55, ttl=10)/TCP()
<IP  frag=0 ttl=10 proto=55 |<TCP  |>>

Note how stacking a layer fills in fields of the layer below it (TCP sets proto=tcp on IP, IP sets type=0x800 on Ether) unless the user has set that field explicitly, as with proto=55. The Scapy documentation illustrates this field-overloading process with diagrams; the figures are not reproduced here.
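As an added illustration (not Scapy's code and not from the original post), the following pure-Python toy model reproduces the three behaviours shown above: "/" stacking with field overloading (why IP()/TCP() prints proto=tcp and Ether()/IP() prints type=0x800, while an explicit proto=55 is kept), hide_defaults(), and sprintf() returning '??' for an unknown layer or field. The layer names, default values and protocol numbers are a deliberately small subset chosen for the example.

```python
import re

class Layer:
    # Toy model of a Scapy layer: explicit fields, overloaded fields, class defaults.
    name, defaults, overloads = "Layer", {}, {}
    def __init__(self, **fields):
        self.fields = dict(fields)  # values the user set explicitly
        self.overloaded = {}        # values pushed down by the layer stacked above
        self.payload = None
    def __truediv__(self, upper):
        # The "/" operator: hang `upper` under the lowest layer and let it overload
        # that layer's fields (this is how IP()/TCP() ends up showing proto=tcp).
        bottom = self
        while bottom.payload is not None:
            bottom = bottom.payload
        bottom.payload = upper
        bottom.overloaded.update(upper.overloads.get(bottom.name, {}))
        return self
    def get(self, field):
        # Resolution order: explicit value, then overloaded value, then default.
        for source in (self.fields, self.overloaded, self.defaults):
            if field in source:
                return source[field]
        raise KeyError(field)

    def hide_defaults(self):
        # Drop explicit values that merely repeat the default, down the whole stack.
        self.fields = {k: v for k, v in self.fields.items() if self.defaults.get(k) != v}
        if self.payload is not None:
            self.payload.hide_defaults()

    def sprintf(self, fmt):
        # Only the %Layer.field% form is modelled; an unknown layer or field gives '??'.
        def resolve(match):
            layer = self
            while layer is not None and layer.name != match.group(1):
                layer = layer.payload
            try:
                return str(layer.get(match.group(2)))
            except (AttributeError, KeyError):
                return "??"
        return re.sub(r"%(\w+)\.(\w+)%", resolve, fmt)

# A deliberately small subset of layers, defaults and protocol numbers (6=tcp, 17=udp, 4=ipencap).
class Ether(Layer): name, defaults = "Ether", {"type": 0x9000}
class IP(Layer):
    name, defaults = "IP", {"ttl": 64, "proto": 0, "dst": "127.0.0.1"}
    overloads = {"Ether": {"type": 0x800}, "IP": {"proto": 4}}
class TCP(Layer): name, defaults, overloads = "TCP", {"dport": 80}, {"IP": {"proto": 6}}
class UDP(Layer): name, defaults, overloads = "UDP", {"dport": 53}, {"IP": {"proto": 17}}
```

Try `(IP(proto=55)/TCP()).get("proto")`: the explicit 55 wins over the overloaded 6, exactly as in the last session line above.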

