Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
1341 views
how to modify pcap file for Additional Information in packet
I have one Pcap file which consists of some information. I need to modify the data in the file.

Example: (Wireshark details screenshot)

As you can see there are details of packets, and in the **Additional Record** section I have a TXT value:

    fn=Room 110

Now please help me to change the TXT value.

> Example: from

    fn=Room 110

to

    fn=Room 1234

Example End

## Things I have Done So Far ##

### 1. Used Scapy and a Hex Editor to change the metadata. ###

With Scapy I have done changes like changing the destination address or MAC address and ports, but I am unable to change the TXT records with Scapy. With hex I am able to change the TXT value by converting the string to hex, but I face a challenge with different lengths.

> Example: I can change

    fn=Room 110

to

    fn=Room 123

> But can't change from

    fn=Room 110

to

    fn=Room 1234

In this case, the generated pcap gets invalid.

#### Here is a sample working screenshot using Python ####

Python program: this code changes the destination MAC, source IP and TXT=Room, and that TXT value is modified by checking the hex value before and after the "TXT: fn=Room" of the packet.

### Any help regarding this issue is very, very appreciated ###

Thank you.
Amogh Saxena - REXTER (226 rep)
Jan 28, 2022, 12:31 PM • Last activity: Jan 28, 2022, 04:36 PM
1 votes
1 answers
950 views
ip rule not respecting packet generation how to fix?
**Problem:** ip rules built to route L4 traffic out a specific interface are not respected when packets are generated with a different source address.

**Overview**

I want to generate packets with a different source address than the host's addresses. To accomplish this I am using Python's Scapy package. Note: my goal is to send DNS traffic; however, I was not able to find a simple solution that let me spoof the source address in DNS requests, so I am just generating a UDP packet with src and dst address at port 53. I believe this still works as I am only testing L3 and L4, not the actual DNS protocol at the moment. Here is my script:
#!/usr/bin/python3

# The following is designed to generate a packet with a different source address

import sys
from scapy.all import *

def main():
    # Source and destination may be given on the command line,
    # e.g. ./packet-gen.py 10.0.26.122 10.0.26.123; otherwise the defaults apply.
    S = sys.argv[1] if len(sys.argv) > 1 else "10.0.26.122"  # spoofed source IP address
    D = sys.argv[2] if len(sys.argv) > 2 else "10.0.26.123"  # destination IP address
    SP = 53  # source port
    DP = 53  # destination port
    payload = "This is a fake message"  # packet payload

    spoofed_packet = IP(src=S, dst=D) / UDP(sport=SP, dport=DP) / payload
    send(spoofed_packet)

# Entry point
if __name__ == "__main__":
    main()
Before running the script, here is what my route table looks like:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.104.8.1      0.0.0.0         UG    101    0        0 ens192
10.0.21.0       0.0.0.0         255.255.255.0   U     104    0        0 ens256
10.0.26.0       0.0.0.0         255.255.255.0   U     0      0        0 ens224
10.0.27.0       0.0.0.0         255.255.255.0   U     102    0        0 ens193
10.0.28.0       10.0.29.1       255.255.255.0   UG    100    0        0 ens161
10.0.29.0       0.0.0.0         255.255.255.0   U     100    0        0 ens161
10.104.8.0      0.0.0.0         255.255.255.0   U     101    0        0 ens192
10.212.134.0    10.104.8.1      255.255.255.0   UG    101    0        0 ens192
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
Here are the ip interfaces
# ip -br a
lo               UNKNOWN        127.0.0.1/8
ens161           UP             10.0.29.122/24
ens192           UP             10.104.8.122/24
ens193           UP             10.0.27.122/24
ens224           UP             10.0.26.122/24
ens256           UP             10.0.21.122/24
virbr0           DOWN           192.168.122.1/24
virbr0-nic       DOWN
ip_vti0@NONE     DOWN
When I run the script with ./packet-gen.py "10.0.26.122" "10.0.26.123" it works. This is because I have not yet built my ip rule / separate routing table. I perform a tcpdump at the host (10.0.26.122) and on the far end host (10.0.26.123), and I see the UDP packet being sent. I also tested with dig www.google.com @10.0.26.123 and see an actual DNS request being performed and get a response. Now the problem. I want to remove the route entry in the main table, then only route based on the port number. To do this I run the following to first remove the route entry to 10.0.26.0/24.
# ip route del 10.0.26.0/24 dev ens224
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.104.8.1      0.0.0.0         UG    101    0        0 ens192
10.0.21.0       0.0.0.0         255.255.255.0   U     104    0        0 ens256
10.0.27.0       0.0.0.0         255.255.255.0   U     102    0        0 ens193
10.0.28.0       10.0.29.1       255.255.255.0   UG    100    0        0 ens161
10.0.29.0       0.0.0.0         255.255.255.0   U     100    0        0 ens161
10.104.8.0      0.0.0.0         255.255.255.0   U     101    0        0 ens192
10.212.134.0    10.104.8.1      255.255.255.0   UG    101    0        0 ens192
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
The entry is removed. If I run my script again it does not work. The dig request also fails. This is expected as there is no L3 route in the main kernel routing table. To route on L4 I first created a new ip route table to send all traffic via ens224:
# ip route add table 53 0.0.0.0/0 dev ens224
Then I create an ip rule to capture any traffic using port 53, and send out my custom table 53.
# ip rule add ipproto udp dport 53 lookup 53
I also created a special sysctl rule for rp_filter to loosen the strict reverse path forwarding rules:
# sysctl -w "net.ipv4.conf.ens224.rp_filter=2"
To check my work I see the following:
# ip route list table 53
default dev ens224 scope link
# ip rule list
0:      from all lookup local
32765:  from all ipproto udp dport 53 lookup 53
32766:  from all lookup main
32767:  from all lookup default
# ip route get 10.0.26.123 ipproto udp dport 53
10.0.26.123 dev ens224 table 53 src 10.0.26.122 uid 0
    cache
# ip route get 10.0.26.123
10.0.26.123 via 10.104.8.1 dev ens192 src 10.104.8.122 uid 0
    cache
The last command shows that by default, if communication is not DNS, the default route is used. To test this I first try to ping 10.0.26.123. It fails, which is expected. Now I try to perform a dig request, dig www.google.com @10.0.26.123, and it works. The dig request hits the ip rule before going to the main table and is routed appropriately. I see the traffic reach the service with tcpdump (10.0.26.123), and coming from my host (10.0.26.122). Now I try running my scapy script again, and nothing. Even with the same source address as the host, nothing in tcpdump on my host or the server. I tried changing the source address; no change, nothing. If I add back the main L3 route for 10.0.26.0/24 in the main table, the scapy script works again. What am I missing here? Why won't my generated traffic respect the ip rule sets I created?
Dave (700 rep)
Oct 28, 2021, 04:04 PM • Last activity: Oct 28, 2021, 07:54 PM
1 votes
1 answers
2987 views
How to generate network traffic and save it to pcap files?
I want to test *snort*, so I want to have some test network traffic. Since *snort* can read pcap files, I want to generate some traffic which can be customized and save it to pcap files. Here are my questions: 1. Is it right to test *snort* as I said? 2. Is there a good tool to generate traffic and save it to a pcap file? Any suggestions about what I'm going to do mean a lot to me!
Yanghao Xie (11 rep)
Dec 4, 2016, 06:55 AM • Last activity: Nov 6, 2020, 04:46 PM
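As an added example for the second question above (this is not code from the post or from snort), the following standard-library-only Python builds a few DNS query packets and writes them to a classic pcap file that an IDS can replay; the MAC addresses, IPs and domain names are constructed sample values and `dns_test.pcap` is an assumed output name.

```python
# Added example (not from the post): build UDP/DNS query frames with the
# standard library only and write them to a pcap file for IDS testing.
# All addresses, MACs and names below are constructed sample values.
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dns_query(txid: int, name: str) -> bytes:
    """Minimal DNS A query: 12-byte header, QNAME labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def udp_ip_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame around payload; UDP checksum left 0 (optional in IPv4)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill header checksum
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")  # EtherType IPv4
    return eth + ip + udp

def write_pcap(path, frames, start_ts=None):
    """Write frames as a classic pcap (magic a1b2c3d4, microsecond timestamps)."""
    ts = start_ts if start_ts is not None else time.time()
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            sec, usec = int(ts) + i, int((ts % 1) * 1_000_000)  # one frame per second
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
            f.write(frame)
    return len(frames)

def build_sample_frames():
    """Constructed sample: three DNS queries from 192.0.2.10 to a resolver at 192.0.2.53."""
    names = ["example.com", "example.net", "example.org"]
    return [udp_ip_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                         "192.0.2.10", "192.0.2.53", 40000 + i, 53, dns_query(i + 1, n))
            for i, n in enumerate(names)]

if __name__ == "__main__":
    write_pcap("dns_test.pcap", build_sample_frames())
```

The resulting file opens in Wireshark and can be fed to snort with its pcap read option; the same `udp_ip_frame` helper can carry any constructed payload you want a rule to match on.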
5 votes
0 answers
1459 views
iptables rule no actions on scapy packets
I wrote this rule to change all udp destination IP addresses to 8.8.8.8 when dport is 53:

    iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 8.8.8.8

The rule worked when I used:

    dig +short iranled.com @4.2.2.4

tcpdump output is:

    04:42:38.023348 IP 192.168.1.2.48984 > 8.8.8.8.53: UDP, length 29
    04:42:38.242241 IP 8.8.8.8.53 > 192.168.1.2.48984: UDP, length 45

It is OK. But when I create this packet from scapy, the iptables rule has no result!

    sr1(IP(dst="4.2.2.4")/UDP()/DNS(rd=1,qd=DNSQR(qname="iranled.com")))

tcpdump output is:

    04:43:00.442453 IP 192.168.1.2.53 > 4.2.2.4.53: UDP, length 29
    04:43:00.855930 IP 4.2.2.4.53 > 192.168.1.2.53: UDP, length 45

Why aren't scapy packets changed by iptables?

**UPDATE**:

    #iptables -L -n --line-numbers
    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcpflags:! 0x17/0x02
    2    ACCEPT     udp  --  127.0.0.1            0.0.0.0/0
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5
    5    DROP       all  --  0.0.0.0/0            255.255.255.255
    6    DROP       all  --  0.0.0.0/0            192.168.1.255
    7    DROP       all  --  224.0.0.0/8          0.0.0.0/0
    8    DROP       all  --  0.0.0.0/0            224.0.0.0/8
    9    DROP       all  --  255.255.255.255      0.0.0.0/0
    10   DROP       all  --  0.0.0.0/0            0.0.0.0
    11   DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
    12   LSI        all  -f  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5
    13   INBOUND    all  --  0.0.0.0/0            0.0.0.0/0
    14   LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
    15   LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Unknown Input"

    Chain FORWARD (policy DROP)
    num  target     prot opt source               destination
    1    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5
    2    LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
    3    LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Unknown Forward"

    Chain OUTPUT (policy DROP)
    num  target     prot opt source               destination
    1    ACCEPT     tcp  --  192.168.1.2          127.0.0.1            tcp dpt:53
    2    ACCEPT     udp  --  192.168.1.2          127.0.0.1            udp dpt:53
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    4    DROP       all  --  224.0.0.0/8          0.0.0.0/0
    5    DROP       all  --  0.0.0.0/0            224.0.0.0/8
    6    DROP       all  --  255.255.255.255      0.0.0.0/0
    7    DROP       all  --  0.0.0.0/0            0.0.0.0
    8    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
    9    OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0
    10   LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
    11   LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Unknown Output"

    Chain INBOUND (1 references)
    num  target     prot opt source               destination
    1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3    LSI        all  --  0.0.0.0/0            0.0.0.0/0

    Chain LOG_FILTER (5 references)
    num  target     prot opt source               destination

    Chain LSI (2 references)
    num  target     prot opt source               destination
    1    LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
    2    LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "Inbound "
    3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x02
    4    LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "Inbound "
    5    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcpflags: 0x17/0x04
    6    LOG        icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "Inbound "
    7    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
    8    LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix "Inbound "
    9    DROP       all  --  0.0.0.0/0            0.0.0.0/0

    Chain LSO (0 references)
    num  target     prot opt source               destination
    1    LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
    2    LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix "Outbound "
    3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

    Chain OUTBOUND (1 references)
    num  target     prot opt source               destination
    1    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Baba (3479 rep)
Jul 16, 2014, 12:46 AM • Last activity: Oct 15, 2017, 04:37 PM
12 votes
4 answers
14320 views
Using Python and Scapy to sniff for ARP on Pi
I'm trying to use a Raspberry Pi to find ARP requests from a specific wireless device on my network. It's one of those Amazon dash buttons. Someone used this code to listen to when the dash connects to wifi.

    from scapy.all import *

    def arp_display(pkt):
        if pkt[ARP].op == 1:  # who-has (request)
            if pkt[ARP].psrc == '0.0.0.0':  # ARP Probe
                if pkt[ARP].hwsrc == '74:75:48:5f:99:30':  # button 1
                    print("Pushed Huggies")
                elif pkt[ARP].hwsrc == '10:ae:60:00:4d:f3':  # button 2
                    print("Pushed Elements")
                else:
                    print("ARP Probe from unknown device: " + pkt[ARP].hwsrc)

    print(sniff(prn=arp_display, filter="arp", store=0, count=10))

When I run this on Raspbian (with python and scapy installed), I get an error "IndexError: Layer [ARP] not found". I'm totally unfamiliar with scapy and just diving in for the first time. Thanks for any ideas.
user851 (121 rep)
Aug 14, 2015, 03:28 PM • Last activity: Jun 25, 2017, 08:56 AM
1 votes
1 answers
426 views
IP Options are Dropped in Ubuntu 16.10
I am using Ubuntu 16.10 to run an experiment. I use Python scapy to send two packets to a machine connected over a switch. The first packet is a normal TCP SYN packet and is received by the nc app on the second machine, and I can see the corresponding SYN/ACK packet. However, the second packet I send contains an IP option, Loose Source Routing. This second packet is received on the other machine (I can see it in wireshark) but not handed to the application, therefore no SYN/ACK is sent. I am wondering why that is the case. Here's the scapy code I am using:

    import random
    from scapy.all import *

    # Packet 1: plain TCP SYN
    pkt1 = IP(src="10.0.0.2", dst="10.0.0.3") / TCP(sport=random.randint(54100, 54300), dport=23800)
    send(pkt1)

    # Packet 2: same SYN carrying a Loose Source Routing IP option
    pkt2 = IP(src="10.0.0.2", dst="10.0.0.3", options=IPOption(b'\x83\x03\x10')) / TCP(sport=random.randint(54100, 54300), dport=23800)
    send(pkt2)
Human (125 rep)
Mar 14, 2017, 10:48 PM • Last activity: Mar 14, 2017, 11:26 PM
1 votes
0 answers
895 views
Tap interface is not receiving packets
I'm configuring a tap interface and trying to send and receive packets through it. I configure it like this:

    ip tuntap add name tap0 mode tap multi_queue
    ip link set tap0 up

I'm using scapy to send traffic to the interface; the command is:

    p = Ether()/IP()
    sendp(p, iface='tap0')

Using tcpdump -i tap0 -vvven -vlan I didn't catch any packets.
Kareem Khaleel (11 rep)
Dec 26, 2016, 12:08 PM • Last activity: Dec 26, 2016, 12:27 PM
0 votes
2 answers
4789 views
How to install PyX correctly for Scapy use?
When I try to run the Scapy interactive shell I am faced with this:

    INFO: Can't import PyX. Won't be able to use psdump() or pdfdump()

(The shell is working but of course I can not use the above ^ :( )

However, when I installed PyX I then get this error:

    lstat(./dvips) failed ...
    ./dvips: No such file or directory
    python: ../../../texk/kpathsea/progname.c:316: remove_dots: Assertion `ret' failed.

When I uninstall PyX it just returns to the first error. Has anyone had this before, or does anyone know how to correct this?
Jake (1 rep)
Aug 18, 2015, 05:03 PM • Last activity: Aug 18, 2015, 05:14 PM
3 votes
0 answers
8763 views
How to get scapy to sniff on the correct interface?
The sniff function in scapy in python2.7 worked fine before upgrading my Linux operating system.

    from scapy.all import *

    client_mac = "c4:3d:c7:8f:03:19"
    wlan_mac = "00:c0:ca:6d:ac:fa"

    # packet_callback is defined elsewhere in the script (not shown here)
    sniff(iface="mon0", prn=packet_callback,
          filter="(ether dst " + client_mac + " and ether src " + wlan_mac + ") or (ether src " + client_mac + " and ether dst " + wlan_mac + ")")

After the upgrade I ran my script again in python2.7 and got these messages below from scapy:

    WARNING: No route found for IPv6 destination :: (no default route?)
    tcpdump: WARNING: eth0: no IPv4 address assigned

How can I get scapy to sniff on the correct interface? I tried adding conf.iface="mon0" above the sniff function but still no luck. Using ifconfig -a I got the following:

    eth0      Link encap:Ethernet  HWaddr 00:25:22:e9:b1:28
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:720 (720.0 B)  TX bytes:720 (720.0 B)

    mon0      Link encap:UNSPEC  HWaddr 00-C0-CA-6D-AC-FA-3A-30-00-00-00-00-00-00-00-00
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:635 errors:0 dropped:638 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:192290 (187.7 KiB)  TX bytes:0 (0.0 B)

    wlan0     Link encap:Ethernet  HWaddr 00:c0:ca:6d:ac:fa
              inet addr:192.168.1.7  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::2c0:caff:fe6d:acfa/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:866 errors:0 dropped:0 overruns:0 frame:0
              TX packets:811 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:385790 (376.7 KiB)  TX bytes:99505 (97.1 KiB)
repzero (524 rep)
Apr 12, 2015, 11:15 PM • Last activity: Apr 13, 2015, 11:08 PM
1 votes
0 answers
1350 views
Filter packets by mac address and "EAP" in scapy
Is there a way to filter packets by MAC address and "EAP" protocol using scapy in Python? This is my sniff command line:

    sniff(iface="mon0", prn=lambda x: x.summary())
repzero (524 rep)
Apr 6, 2015, 08:24 PM