I am trying to create filter function that check if the packet is from facebook, this is my code :
def filter_facebook(packet):
return (IP in packet and (packet[IP].src == "www.facebook.com" or packet[IP].dst == "www.facebook.com"))
packets = sniff(count = 5, lfilter = filter_facebook)
now this function block the continuation and not sniff anything when i am entering to facebook.
now this function block the continuation and not sniff anything when i
am entering to facebook.
This is because no packets match your filter and sniff() waits until 5 packets matches it.
First, you can't use "www.facebook.com" as a comparison value with an IP address. You could first sniff DNS traffic to find which addresses are associated with www.facebook.com as suggested here or find it in another way and then filter with these addresses.
Second, it is a good practice to filter with an interface (iface) when sniffing, the one that receive packets from internet in your situation.
Related
Using wireshark, I could see the html page I was requesting (segment reconstruction). I was not able to use pyshark to do this task, so I turned around to scapy. Using scapy and sniffing wlan0, I am able to print request headers with this code:
from scapy.all import *
def http_header(packet):
http_packet=str(packet)
if http_packet.find('GET'):
return GET_print(packet)
def GET_print(packet1):
ret = packet1.sprintf("{Raw:%Raw.load%}\n")
return ret
sniff(iface='wlan0', prn=http_header, filter="tcp port 80")
Now, I wish to be able to reconstruct the full request to find images and print the html page requested.
What you are searching for is
IP Packet defragmentation
TCP Stream reassembly
see here
scapy
provides best effort ip.defragmentation via defragment([list_of_packets,]) but does not provide generic tcp stream reassembly. Anyway, here's a very basic TCPStreamReassembler that may work for your usecase but operates on the invalid assumption that a consecutive stream will be split into segments of the max segment size (mss). It will concat segments == mss until a segment < mss is found. it will then spit out a reassembled TCP packet with the full payload.
Note TCP Stream Reassembly is not trivial as you have to take care of Retransmissions, Ordering, ACKs, ...
tshark
according to this answer tshark has a command-line option equivalent to wiresharks "follow tcp stream" that takes a pcap and creates multiple output files for all the tcp sessions/"conversations"
since it looks like pyshark is only an interface to the tshark binary it should be pretty straight forward to implement that functionality if it is not already implemented.
With Scapy 2.4.3+, you can use
sniff([...], session=TCPSession)
to reconstruct the HTTP packets
This questions are a new attempt to solve a previous question "How to get a list of all valid ip address in a local network using Javascript?" (see How to get a list of all valid ip address in a local network using Javascript? )
In order to avoid the need of test millions of addresses, I wonder if it would be possible following scenario (in this case, forget the JavaScriipt constraint of the initial post, and suppose a more general language, say C++ and a I/O library like Boost Asio):
a) A server "S" wakeup in a LAN to provide some service, say listening in port X, and get a random address (i.e A1 = 192.168.1.35).
b) A client "C", that need the service, wakeup in the same LAN, an get other random address (say A2 = 192.168.1.40).
"C" does not know the "S" address to get the service. So, two questions:
1.- Can "S" and "C" know for themselves its own addresses (A1 and A2)?
2.- Can "C" send a broadcast request to the LAN in the given port X? Some as "Here P2, some one in X?"
Obviously, if "S" is listening in the given port, and can get the message, them can in turn broadcast its own direction; so if "C" is listening, can get the server's address.
Related to my first question, after some digging, the answer is Yes.
See "Winsock Programer's FAQ".
If in Windows, as is my case for the server, there are a complete API named "IP Helper" http://msdn.microsoft.com/en-us/library/aa366073%28VS.85%29.aspx that can serve as well.
Related to the second question, I will try the quick and dirty method exposed, and hope be back with some result.
I use the router-dealer pattern from 0MQ. Now I want to store the client's address. I know that the first message from the client is the address, IP + portno I guess. Or rather recv() from the router socket puts the address in front of a received packet. But how do I handle this address, e.g. printing out or storing it for further outgoing messages? What type is it?
Here's the Guide explanation on this: http://zguide.zeromq.org/page:all#The-Request-Reply-Mechanisms
The ROUTER manages a set of connections, and keeps an 'identity' for each connection, which is a random number, like a handle. It tells you this identity on each message, as a first frame. It's a binary value, so you can't print it as-is.
The DEALER can override the ROUTER's internal identity by telling it, "use this ID" at connection time. That's what the zmq_setsockopt ZMQ_IDENTITY option does. We use this when nodes have some unique, often string, ID that has some meaning to the application.
the first part of the message is the identity of the sender (dealer) what you can set on the dealer side, with the zmq_setsockopt function (before connecting to the router). it's a maximum 255 char long string. if you don't set it, there will be some random unique thing, starting with #0 char.
so it's not the ip+port of your dealer by default, but you can put there that info if you like.
I need to get the IP address of a connection to see if it has already connected previously (checking against a list of ips, if it has connected previously but isnt connected anymore, it will say offline). (using nonblocking sockets)
How can I get the IP without first accepting it.
///
case FD_ACCEPT:
int W;
for(W = 0;W <= ListView_GetItemCount(GetDlgItem(HwND,IDC_IPLIST));W++){
So then im just gonna check the IP against the list view to see if it had connected before. If it has, I want to use the same socket number it was using last time.
This is how I'm accepting connections right now
case FD_ACCEPT:
while(Client[F] != NULL)
{
F++;
}
Client[F]=accept(wParam,(LPSOCKADDR)&ServAdr,&AdrLen);
break;
so to break it down...
I want to check incoming connections against an IP list of previous connections. This list will have the IP and whether its online/offline (connected/not connected). If it has connected before I want it to show Online when I accept the new connection, and use the same socket number it used last time instead of using a new one all together. If it hasn't I want it to be added to the list. (the list will have the socket number)
If this doesnt make much sense I'll try and clarify a bit more.
What you are asking for cannot be done with accept(). You do not have access to a connection's information until after it has been accepted and a new SOCKET handle allocated. To get the connection info pre-acceptance, you have to use the callback functionality of WSAAccept() instead.
Either way, there is no way to reuse an existing SOCKET handle for a new connection. Each accepted connection must have its own unique SOCKET handle. You can certainly associate the new connection from a previously-seen IP with an existing slot in your ListView, though.
If by socket number you mean the number returned by accept(), you can't rely on it's value at all. I mean, if the remote host disconnects and connects again the value returned by accept() will most probably be different. It does not make sense to rely on this number.
If by socket number you mean the position in your array, you can assign the value returned by accept() to temporary variable:
SOCKET tmpSock;
sockaddr_in tmpAddr;
int namelen;
typedef struct { /*...*/ } TClient;
TClient Client[MAX_CLIENTS];
/*...*/
tmpSock = accept(/*...*/);
namelen = sizeof(tmpAddr);
getpeername(tmpSock, (sockaddr*)&tmpAddr,&namelen);
/*...*/
//looking for tmpAddr.sin_addr in your list and calculating
//the list position - F
/*...*/
Client[F].Socket = tmpSock;
Client[F].IsConnected = true;
Client[F].Address = tmpAddr.sin_addr;
Have in mind that after the listen() call the OS kernel will accept all incoming connection to the port/local IP set by you. It means that the connect() of remote host will return successfully whether you call accept() or not (provided you have space in listen queue). Calling accept() will only allow you to interact with the socket. It will not change the connection state seen by the remote host.
I'm not sure the is possible nor an efficient specification to achieve what you want. I would either:
Accept any connection and then check the IP address, disconnecting connections which are not in the list
(This probably isn't suitable for you) Configure an upstream firewall, such that only allowed IP addresses are allowed through.
If you bind to a wildcard address (INADDR_ANY), then the IP address used for communication isn't determined until a connection comes in (it will be one from the interface the packets are passing through). The same listening socket can result in accepted connections on more than one IP address.
If you bind to a specific address, then you already know the address you bound to.
I am working on implementing UpNP on C++, and I need to get the local internal IP address assigned by the router to make the sockets works. The address I need is the one that appears on routers where it shows the computers connected to the router and the local IP assigned to each computer. I am using this:
PHOSTENT Addr = NULL;
char Host[MAX_PATH];
if( gethostname(Host, sizeof(Host)) == 0 )
{
Address = gethostbyname( Host );
if( Address != NULL )
{
//*(struct in_addr *)Address->h_addr_list[0]) <- this is my address
}
}
This works fine on the computer I am testing, but that computer has only one network card, so I was wondering if maybe when a computer has more than one card or network device, Address->h_addr_list[0] may not be the one I need and it could be in another index of that array.
Will [0] always retrieve the IP assigned by the router?
(Assuming winsock here, as per previous question)
You shouldn't assume that the first address is the correct one (as there may be multiple interfaces, and more than one may be active)
I'd recommend enumerating addresses using either getaddrinfo with an empty pNodeName argument, or GetAdaptersAddresses.
Both of these return a linked lists with your system's registered addresses
... get the local internal IP address assigned by the router ...
Note that in some cases, the machine's IP address will be manually assigned, but the user will still want to use UPnP.
On Linux, it is suggested to use getaddrinfo(3) instead of gethostbyname(3), perhaps Winsocks has made a similar transition?
On Linux, it is common for /etc/hosts to have loopback entries also accessible by hostname; /etc/gai.conf can be used to configure the sort order of returned addresses, and possibly a loopback address will be returned. Does Winsock make it that easy for sysadmins to change the order of returned addresses?
Don't forget that a system may legitimately have multiple upstream routers: a laptop with an EV-DO or EDGE or similar cellular data connection and a wireless or wired Ethernet will have multiple IPs, multiple upstream routers, and the routing table will be consulted to figure out which one should be used to send each packet.
Can you use either (a) the address used by clients to contact you? (getsockname(2) will return the local address used on a specific socket.) (b) ask the user to select among the list of IP addresses, if there are several? Binding to N of M interfaces would be nice, so users can select which networks get the services and which networks are left alone.