Just a simple packet sniffer. Nothing too fancy. My shout out to Silver Moon for his guide. He's got some pretty cool stuff going on over at Binary Tides. Check it out.
This is a python implementation of sniffing packets using sockets.
The code is commented to provide clarity.
Note : s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP) , IPPROTO_IP is a dummy protocol not a real one.
To get all you want with any packet having a Ethernet header, do this : s = socket.socket( socket.AF_PACKET , socket.SOCK_RAW , socket.ntohs(0x0003))
With this you get : All of the incoming and outgoing traffic : IP packets(TCP , UDP , ICMP), packets(like ARP), Ethernet Header as well.
If you have trouble understanding it, email me at : [email protected]
##Theory Background
Some background info by Srinidhi Varadarajan from Vrigina Tech in ppt for your reference : here
###Ethernet Header
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ethernet destination address (first 32 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ethernet dest (last 16 bits) |Ethernet source (first 16 bits)|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ethernet source address (last 32 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type code | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
###IP Header
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
###TCP Header
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F| |
| Offset| Reserved |R|C|S|S|Y|I| Window |
| | |G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Urgent Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
###Whats going on with pack and unpack?
You basically get a packet string from tuple : packet = packet[0]
Then you take first 20 characters for the ip header : ip_header = packet[0:20]
Extracting information from a buffer like this is kinda hard. We need to only parse stuff thats important.
The unapack() takes two parameters :
- string that defines the format of the data held in the buffer.
- the buffer that needs to be parsed.
Look at IPV4 packet header above.
So what is "!BBHHHBBH4 s4 s." ?
! => Python Type Big Endian
B => Python Type Integer (1 byte)
H => Python Type Integer (2 bytes)
s => Python Type String (n bytes)
The first character represents the byte order of the data, for network packets, it's Big Endian.
If you wan't to read more stuff : Python Forensics by Chet Hosmer is your best bet.
I always wondered how Wireshark worked. This was my attempt to get under the hood and see for myself what exactly was going on. Networking can be so abstract until you peek into the RAW data and see what is up.
The way things work in Linux are different from Windows. The API bindings for Sockets on Windows use Winsock and some other drivers.
My implementation is is for Linux because things are a bit straightforward.
Clone the git : git clone <repo-url> or wget it or something.
Then just do : sudo python <path>\sniff-it.py . Doing sudo is important. Gotta have root priviledges.
All about Python Sockets here All about Python Structs here All about Python Sys here
No test cases were written. I manually tested it relentlessly but I never wrote automated tests. I know I should've have, but I just wanted to hack it enough to make it work.
If you want to contribute or add to it or make it better, more readable, go for it. Tweet me issues if you can : @shreyaslumos
Python Packet Sniffer is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
