- \n
- Take pcap (packet capture)<\/a><\/li>\n
- Import pcap via scapy<\/a><\/li>\n
- Modify pcap<\/a><\/li>\n
- Export pcap<\/a><\/li>\n
- View pcap in Wireshark<\/a><\/li>\n<\/ol>\n
<\/p>\n
All the commands shown were run on an Ubuntu 18.04 LTS VM running on VirtualBox, but should work on any Linux host with Python3, Scapy, and tcpdump.<\/p>\n
1. Take pcap (packet capture)<\/h3>\n
In one terminal I ran
tcpdump<\/code>, capturing only port 53 traffic:<\/p>\n$ sudo tcpdump -i enp0s3 -w dns.pcap port 53 \r\ntcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes\r\n^C2 packets captured\r\n2 packets received by filter\r\n0 packets dropped by kernel<\/code><\/pre>\nIn another terminal I generated a DNS request. I limited it to A records to reduce the number of packets generated:<\/p>\n
$ host -t a mediacropolis.osric.com\r\nmediacropolis.osric.com has address 216.154.220.53<\/code><\/pre>\nI confirmed it worked:<\/p>\n
$ tcpdump -n -r dns.pcap \r\nreading from file dns.pcap, link-type EN10MB (Ethernet)\r\n19:51:29.207334 IP 192.168.1.56.57241 > 192.168.1.1.53: 58127+ A? mediacropolis.osric.com. (41)\r\n19:51:29.247780 IP 192.168.1.1.53 > 192.168.1.56.57241: 58127 1\/0\/0 A 216.154.220.53 (57)<\/code><\/pre>\n2. Import pcap via scapy<\/h3>\n
First I set up a virtual environment. This was probably unnecessary, but is a habit I have when starting any new Python project:<\/p>\n
mkdir mod_pcap\r\ncd mod_pcap\r\npython3 -m venv venv\r\nsource venv\/bin\/activate\r\npip install scapy<\/code><\/pre>\nThen I ran Scapy and imported the packet capture:<\/p>\n
$ scapy\r\n>>> packets = rdpcap(\"\/home\/chris\/dns.pcap\")<\/code><\/pre>\n3. Change pcap<\/h3>\n
First I looked at the packets in Scapy just to see what the objects looked like:<\/p>\n
>>> packets[0]\r\n<Ether dst=fc:ec:da:7b:02:cf src=08:00:27:f0:43:22 type=IPv4 |<IP version=4 ihl=5 tos=0x0 len=69 id=2453 flags=DF frag=0 ttl=64 proto=udp chksum=0xad89 src=192.168.1.56 dst=192.168.1.1 |<UDP sport=57241 dport=domain len=49 chksum=0x83cc |<DNS id=58127 qr=0 opcode=QUERY aa=0 tc=0 rd=1 ra=0 z=0 ad=0 cd=0 rcode=ok qdcount=1 ancount=0 nscount=0 arcount=0 qd=<DNSQR qname='mediacropolis.osric.com.' qtype=A qclass=IN |> an=None ns=None ar=None |>>>>\r\n>>> packets[1]\r\n<Ether dst=08:00:27:f0:43:22 src=fc:ec:da:7b:02:cf type=IPv4 |<IP version=4 ihl=5 tos=0x0 len=85 id=30039 flags=DF frag=0 ttl=64 proto=udp chksum=0x41b7 src=192.168.1.1 dst=192.168.1.56 |<UDP sport=domain dport=57241 len=65 chksum=0x1cff |<DNS id=58127 qr=1 opcode=QUERY aa=0 tc=0 rd=1 ra=1 z=0 ad=0 cd=0 rcode=ok qdcount=1 ancount=1 nscount=0 arcount=0 qd=<DNSQR qname='mediacropolis.osric.com.' qtype=A qclass=IN |> an=<DNSRR rrname='mediacropolis.osric.com.' type=A rclass=IN ttl=600 rdlen=None rdata=216.154.220.53 |> ns=None ar=None |>>>><\/code><\/pre>\n2 packets: one request, one reply.<\/p>\n
What if I wanted to change the packets so that the request and reply are instead for supercalifragilisticexpialidocious.osric.net? And the record data is 10.0.100.7?<\/p>\n
>>> request = packets[0]\r\n>>> reply = packets[1]\r\n>>> request[\"DNSQR\"].qname = b'supercalifragilisticexpialidocious.osric.net'\r\n>>> reply[\"DNSRR\"].rrname = b'supercalifragilisticexpialidocious.osric.net'\r\n>>> reply[\"DNSRR\"].rdata = b'10.0.100.7'\r\n>>> packets = [request, reply]\r\n>>> wrpcap(\"\/home\/chris\/dns-modified.pcap\", packets)\r\n>>> exit()<\/code><\/pre>\nCan
tcpdump<\/code> still read it?<\/p>\n$ tcpdump -n -r dns-modified.pcap\r\nreading from file dns-modified.pcap, link-type EN10MB (Ethernet)\r\n19:51:29.207334 IP 192.168.1.56.57241 > 192.168.1.1.53: 58127+[|domain]\r\n19:51:29.247780 IP 192.168.1.1.53 > 192.168.1.56.57241: 58127 1\/0\/0 (57)<\/code><\/pre>\nThat doesn’t look quite right. What about
tshark<\/code>?<\/p>\n$ tshark -r dns-modified.pcap \r\n 1 0.000000 192.168.1.56 \u2192 192.168.1.1 DNS 83 Standard query 0xe30f[Malformed Packet]\r\n 2 0.040446 192.168.1.1 \u2192 192.168.1.56 DNS 99 Standard query response 0xe30f A mediacropolis.osric.com[Malformed Packet]<\/code><\/pre>\nIt looks unhappy:
Malformed Packet<\/code>. What went wrong?<\/p>\nOh! The length and the checksum in both the IP header and the UDP header are incorrect.<\/p>\n
Searching around for how to address this led me to How to calculate a packet checksum without sending it?<\/a> on StackOverflow. It suggested deleting the checksums and rebuilding the packets, and Scapy would automatically calculate the checksums.<\/p>\n
A tangent on using<\/em>
__class__<\/code>:<\/em><\/p>\nI thought it inadvisable to use “magic” objects (see https:\/\/www.python.org\/dev\/peps\/pep-0008\/#descriptive-naming-styles) like
__class__<\/code> as in the example on StackOverflow. But it does make sense:<\/p>\n>>> type(reply)\r\n<class 'scapy.layers.l2.Ether'>\r\n>>> reply.__class__\r\n<class 'scapy.layers.l2.Ether'>\r\n>>> type(reply['IP'])\r\n<class 'scapy.layers.inet.IP'>\r\n>>> reply['IP'].__class__\r\n<class 'scapy.layers.inet.IP'><\/code><\/pre>\nNo matter what subclass of a packet layer you have, __class__ will give you the right subclass.<\/p>\n
Back to the task at hand. I ended up deleting the length (
len<\/code>) and checksum (chksum<\/code>) from both the IP layer and the UDP layer and rebuilt the packets:<\/p>\n>>> del request['IP'].len\r\n>>> del request['IP'].chksum\r\n>>> del request['UDP'].len\r\n>>> del request['UDP'].chksum\r\n>>> del reply['IP'].len\r\n>>> del reply['IP'].chksum\r\n>>> del reply['UDP'].len\r\n>>> del reply['UDP'].chksum\r\n>>> # rebuild packets\r\n>>> request = Ether(request.build())\r\n>>> reply = Ether(reply.build())<\/code><\/pre>\n[Note: I also changed the host request from supercalifragilisticexpialidocious.osric.net to example.osric.net. I also included the trailing dot in the request and reply:
b'example.osric.net.'<\/code>]<\/p>\nThen I re-built the
PacketList<\/code>:<\/p>\n>>> packets = PacketList([request, reply])<\/code><\/pre>\n4. Export pcap<\/h3>\n
Scapy’s
wrpcap<\/code> function takes a destination filename and aPacketList<\/code> object (scapy.plist.PacketList<\/code>).<\/p>\nwrpcap(\"\/home\/chris\/mod_dns.pcap\", packets)<\/code><\/pre>\nDid it work?<\/p>\n
$ tcpdump -n -r mod_dns.pcap \r\nreading from file mod_dns.pcap, link-type EN10MB (Ethernet)\r\n14:16:40.005857 IP 192.168.1.56.57241 > 192.168.1.1.53: 58127+ A? example.osric.net. (35)\r\n14:18:34.295393 IP 192.168.1.1.53 > 192.168.1.56.57241: 58127 1\/0\/0 A 10.0.100.7 (68)\r\n\r\n$ tshark -r mod_dns.pcap \r\n 1 0.000000 192.168.1.56 \u2192 192.168.1.1 DNS 77 Standard query 0xe30f A example.osric.net\r\n 2 114.289536 192.168.1.1 \u2192 192.168.1.56 DNS 110 Standard query response 0xe30f A example.osric.net A 10.0.100.7<\/code><\/pre>\nSuccess!<\/p>\n
5. View pcap in Wireshark<\/h3>\n
If it worked in tcpdump and tshark, I expected it to work in Wireshark, but I wanted to make sure:<\/p>\n
![\"Screenshot](\"https:\/\/osric.com\/chris\/accidental-developer\/wp-content\/uploads\/2020\/04\/Screenshot-from-2020-04-06-14-29-36.png\")
<\/a><\/p>\nA note on packet timestamps:<\/h3>\n
I don’t see any timestamp data when I view the packets in Scapy, but tcpdump shows timestamps:<\/p>\n
$ tcpdump -n -r mod_dns.pcap \r\nreading from file mod_dns.pcap, link-type EN10MB (Ethernet)\r\n14:16:40.005857 IP 192.168.1.56.57241 > 192.168.1.1.53: 58127+ A? example.osric.net. (35)\r\n14:18:34.295393 IP 192.168.1.1.53 > 192.168.1.56.57241: 58127 1\/0\/0 A 10.0.100.7 (68)<\/code><\/pre>\nHow can I modify the timestamps? The timestamps appear to be the time the packet was created\/rebuilt by Scapy. I would like to have better control of this, but I have not yet found a way to do that. Please leave a comment if you know of a way to do this!<\/p>\n","protected":false},"excerpt":{"rendered":"
My motivation was to start from a known good packet capture, for example, a DNS request and reply, and modify that request to create something interesting: an example to examine in Wireshark, or positive and negative test cases for an IDS software (Snort, Suricata). I haven’t done much with Scapy before, but it seemed like … Continue reading Modifying a packet capture with Scapy<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[86,48],"tags":[548,545,493,547,549,546],"class_list":["post-3197","post","type-post","status-publish","format-standard","hentry","category-python","category-security","tag-pcap","tag-scapy","tag-tcpdump","tag-tshark","tag-udp","tag-wireshark"],"_links":{"self":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/3197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/comments?post=3197"}],"version-history":[{"count":13,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/3197\/revisions"}],"predecessor-version":[{"id":3212,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/3197\/revisions\/3212"}],"wp:attachment":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/media?parent=3197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/categories?post=3197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/tags?post=3197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Import pcap via scapy<\/a><\/li>\n