How can I send multiple binary UDP packets from a single file using netcat? - netcat

Is there a delimiter or some way of telling netcat how many bytes to send per packet from a file? Invoking netcat multiple times in a script is not acceptable as I need to send them out as fast as possible.
I have captured UDP packets with binary data into a file using mnc (multicast netcat) and attempt to play them back as follows:
start program sending multicast packets to 230.250.5.1 12340
... start mnc to capture packets:
$mnc -l -i eth1 -p 12340 230.250.5.1 >capturefile
... playback packets using netcat, sending to 230.250.5.1 12345
$netcat -c -w 1 -u -s 10.20.30.40 230.250.5.1 12345 <capturefile
capturefile appears to have the packets I want to send.
When I play back with netcat the packets are concatenated. UDP packet size is 208 during packet capture and wireshark shows 250 as packet size, I assume that includes ethernet bytes. On replay, wireshark shows packet size of 1016.

Related

How to change a packet data with scapy?

How can one change a packet data with scapy?
I tried to use sniff() and then send() the edited packet, but it won't work as the original packet has already reached it's destination.
"but it won't work as the original packet has already reached it's destination."
So first you need to setup some MiTM solution so all the communications between both ends
traverse though your device, and let you modifiy packet data.
Some wll known software pacakages for this functionality /attack are ettercap and cain/abel.
iTayb,
Seems you are interested in proxying some sort of service using scapy? If so which one?
First order of business is some how have the packets pass through the box running scapy. Do this by setting the gateway on the remote machine to match the scapy box. If this is for some sort of pentesting you will need to spoof some mac addresses. You can do this with scapy using arpcachepoison method or with a third party program like ettercap.
Once this is complete your method of using sniff() and send() should work a little bit better just make sure you change the packet before you get to the sending part ;) Here is a small example of how you could do that...here I just change the IP header destination address but you could change anything you want.
from scapy import *
def chgSend(x):
x[IP].dst = '192.168.1.1'
send(x)
while 1:
sniff(prn=chgSend)
dc
I had the same problem,
I think the problem is that you have enabled ip_forward so the original packet is forwarded to the original destination before the modified packet is sent by scapy.
Theorically, the solution is to create a rule in iptables forwarding the packets what you want to modify to another port (This is more or less what Ettercap does internaly),
i.e = iptables -t nat -A PREROUTING -p tcp --destination-port "YourInterestingPort" -j REDIRECT --to-port 1234
And then in scapy listen to that port, modify the packet and send the packet to the original port.
This solution is difficult to implement because of the filtering, you have to redirect and modify only the packets that you want and exclude syn ack arp etc...
If you want to modify the responses of a server, A more simple way to do it is, instead of modify the packets on the fly, to act like an intermediary.
arpspoof
ipatbles
Open a socket, receive the packet, open a connection and send it to the original destination like if you were a client and receive the answer, modify the answer and return it to the original querier.
while True:
c, addr = s_mb.accept() # Establish connection with client.
query = c.recv(BUFFER_SIZE)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
s.send(PACKET)
response = s.recv(1024)
if response = "THIS IS THE RESPONSE THAT I WANT TO MODIFY":
if(real_simulation):
fakeresponse = "MODIFIED RESPONSE"
#print "The packet has beeb modified"
else:
fakeresponse = response
s.close()
c.send(fakeresponse)
(Sorry for the dirty code)

c#, socket cannot receive fragmented UDP packets

I have an embedded device which is connected to my PC directly through ethernet.
The device is streaming audio to pc through UDP and it sends 4096 bytes UDP packet.
Given that, the MTU for ethernet is 1500 bytes the packet will be fragmented.
At PC I have a c# program that tries to receive packets and decode it. UDP receiver can receive packets very well when they have under 1500 bytes payload but it cannot receive fragmented packets.
I've monitored incoming packet by Wireshark and I can see that there is not any failure in packets nor discarded.
I don't know the problem is in my code or C# socket is Unable to receive these kinds of packets. in both cases what would be the solution?
1st Attempt: (usinfg Socket)
Socket sokcet = new Socket(SocketType.Dgram, ProtocolType.Udp);
IPEndPoint ep = new IPEndPoint(IPAddress.Any,5222);
sokcet.Bind(ep);
int counter = 0;
while (true)
{
if(sokcet.Available > 0){
byte[] bytes = new byte[sokcet.Available];
int receivedBytes = sokcet.Receive(bytes);
string print = String.Format("Packet Received : {0},{1}", receivedBytes, counter);
Console.WriteLine(print);
}
}
2nd Attempt: (using UDPClient)
IPEndPoint groupEP = new IPEndPoint(IPAddress.Any, listenPort);
UdpClient listener = new UdpClient(listenPort,AddressFamily.InterNetwork);
while (!done)
{
byte[] bytes = listener.Receive(ref groupEP);
}
None of them are working for packets larger than 1500 bytes.
Update 1:
I tested the scenario in Loopback(127.0.0.1) and I can receive 4k UDP message very well.
Update 2:
#Evk I tested the scenario from another pc connected to mine over a Switch and also over a router. now I am sure that C# does not have any problem. not sure about OS (win7 ultimate 64x).
My embedded device uses LWIP and there are some reports of a similar situation that happened when users used LWIP for sending large UDP packets. but I'm not sure this is my case.
I even checked UDP packet's Source and Destination address, Checksum and ... and I can't figure out why OS dropping my packets. is there any tools that can analyze network packet to tell if they have any problem?
I would make certain that the messages are in fact, being delivered to your processes' UDP receive queue. You may see it wireshark, but that is not a guarantee that it did not later get dropped or filtered at the UDP protocol level.
I would open a command window (CMD) and run this in a loop as you send your traffic and run your decoding application (Also, stop other applications that may use UDP as they may interfere with these figures):
> netstat -s -p udp
UDP Statistics for IPv4
Datagrams Received = 48775 <======= [This *should* increase]
No Ports = 83823
Receive Errors = 16367 <====== [ WATCH THIS]
Datagrams Sent = 130194
If you notice receive errors going up while your application sits there and does not seem to processing...then there is chance that the > 1500 byte packets are getting dropped by UDP for some reason. You may need to either increase your application's socket receive buffers or look for windows UDP network configuration options that would cause > MTU packets to be dropped on receive..

Decode RTP over UDP with Scapy

How can I decode (and manipulate) RTP over UDP with Scapy 2.3.2?
I have a capture file called rtp.pcap which contains an RTP audiostream to 224.0.1.11:5016. Wireshark correctly decodes the stream when you enable the RTP over UDP protocol (default off). However, I want to do automatic packet manipulation, so I would like to decode it with Scapy.
Currently, Scapy does not recognize RTP, although there is an RTP layer:
>>> from scapy.all import RTP # shows that RTP layer is installed in my version
>>> pkts = sniff(offline="rtp.pcap", filter="udp dst port 5016")
>>> pkts[0].show()
[...]
###[ UDP ]###
sport= 5004
dport= 5016
len= 196 <-- thats an audio pkt
[...]
###[ Raw ]###
load= ...
[...]
The following code forces the UDP Payload to be interpreted as RTP:
from scapy.all import RTP
for pkt in pkts:
if pkt["UDP"].dport==5016: # Make sure its actually RTP
pkt["UDP"].payload = RTP(pkt["Raw"].load)
could you share with us your PCAP file, so we could perform some tests, and properly implement it to scapy ?
Thanks !
PS: you might want to use the voip module, which can live-play the RTP packets:
load_module("voip")
voip_play3()

Node.js server listening for UDP. Tcpdump says packets are coming through, but node doesn't get them

Integrating with a partner. Our server has a restful interface, but their product emits a stream of UDP packets. Since we're still prototyping, I didn't want to make any commits to our API server repo to accommodate the change. Instead, I wrote a little node.js server to listen for their UDP packets, do a bit of conversion, and then PUT to our restful server.
I'm stuck, because the node.js process is listening on port 17270, but isn't getting any of my sample UDP packets.
Node server
const dgram = require('dgram');
const server = dgram.createSocket('udp4');
server.on('error', function(err) {
console.log('server error:\n' + err.stack);
});
server.on('message', function(msg, rinfo) {
console.log('Server got UDP packet: ' + msg + ' from ' + rinfo.address + ':' + rinfo.port + '');
doBusinessLogic(msg);
});
server.on('listening', function() {
var address = server.address();
console.log('Server listening for UDP ' + address.address + ':' + address.port + '');
});
function main() {
server.bind(17270);
}
main();
When I send a UDP packet from my local machine using netcat,
echo -n "udp content" | nc -vv4u -w1 ec2.instance 17270
I see nothing happening with the server.
I can run my node.js server locally, and it responds to UDP packets sent to 127.0.0.1.
I can also ssh into the ec2 instance, and netcat UDP packets to 127.0.0.1. That creates the expected response, as well.
So the problem must be networking, I thought.
When I run netstat on the ec2 instance, I can see that node is listening on port 17270.
# netstat -plun
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:17270 0.0.0.0:* 21308/node
I thought it might be AWS security settings, but when I run tcpdump on the ec2 instance and then trigger netcat from my local machine, I can see that there's traffic being received on the ec2 instance.
# tcpdump -vv -i any udp
15:09:52.276786 IP (tos 0x8, ttl 38, id 1756, offset 0, flags [none], proto UDP (17), length 29)
my.local.machine.60924 > ec2.instance.17270: [udp sum ok] UDP, length 1
15:09:52.276852 IP (tos 0x8, ttl 38, id 48463, offset 0, flags [none], proto UDP (17), length 29)
my.local.machine.60924 > ec2.instance.17270: [udp sum ok] UDP, length 1
15:09:52.276863 IP (tos 0x8, ttl 38, id 31296, offset 0, flags [none], proto UDP (17), length 29)
my.local.machine.60924 > ec2.instance.17270: [udp sum ok] UDP, length 1
15:09:52.278461 IP (tos 0x8, ttl 38, id 50202, offset 0, flags [none], proto UDP (17), length 29)
my.local.machine.60924 > ec2.instance.17270: [udp sum ok] UDP, length 1
15:09:52.289575 IP (tos 0x8, ttl 38, id 49316, offset 0, flags [none], proto UDP (17), length 149)
my.local.machine.60924 > ec2.instance.17270: [udp sum ok] UDP, length 121
Just to be sure, I tried temporarily closing port 17270 in the AWS console. If I do that, those packets will be discarded and I won't see any info from tcpdump. So I reopened the port.
I have a process that is listening on a port. I'm clearly sending UDP packets to that port. But the process isn't getting the messages.
I just can't figure out where the disconnect is. What am I missing?
Thanks in advance for any insight!
Probably iptables at a guess. Packets hit the BPF (which tcpdump uses to look at incoming traffic) separately from iptables, so it's possible to see them via tcpdump only to have iptables drop them before they get out of the kernel and up to your application. Look in the output of 'iptables -nvL' for either a default drop/reject policy on the relevant input chain or a rule specifically dropping UDP traffic.
As for fixing it if this is the case, it depends on which distro you're using. In the old days you'd just use the iptables command, something like this (but with the relevant chain name instead of INPUT):
iptables -A INPUT -p udp --dport 17270 -j ACCEPT
...but if you're using Ubuntu they want you to use their ufw tool for
this, and if it's CentOS/RHEL 7 you're probably going to be dealing with firewalld and its firewall-cmd frontend.

Sniffing packets on localhost with Scapy

I'm learning how to use scapy to sniff packets. I have set up a simple echo server running on localhost on port 50420.
I then enter the following line in my terminal to sniff for packets on that port when I send traffic over it:
p = sniff(filter = 'port 50420')
However, no packets are captured, although the data flowed correctly. I have verified that sniffing works for other traffic not using localhost. How can I sniff this localhost traffic using Scapy, if at all possible?
With that line you are sniffing the traffic over the port 50420, but you should do something more. You should add one function to jump when you sniff the packets
sniff(filter="port 50420",prn=myFunction)
And write myFunction:
def myFunction(pkt):
print "Packet!"

Resources