Professional Documents
Culture Documents
What is a Packet
Sniffer?
PROF.HITESH MOHAPATRA
LAB 1 ASSIGNMENT 1
Types
Once the raw packet data is captured, the packet sniffing software
must analyse it and present it in human-readable form so that the
person using the packet sniffing software can make sense of it. The
person analysing the data can view details of the 'conversation'
hap
Negative impact
Just like everybody else, both network engineers and hackers love
free stuff, which is why open source and freeware sniffer software
applications are often the tools of choice for packet sniffing tasks.
One of the more popular open source offerings
is: Wireshark (previously known as Ethereal).
AF_INET is an address family that is used to designate the type of addresses that your socket
can communicate with (in this case, Internet Protocol v4 addresses).
When you create a socket, you have to specify its address family, and then you can only use
addresses of that type with the socket. The Linux kernel, for example,
supports 29 other address families such as UNIX (AF_UNIX) sockets and IPX (AF_IPX), and
also communications with IRDA and Bluetooth (AF_IRDA and AF_BLUETOOTH,
but it is doubtful you'll use these at such a low level).For the most part, sticking
with AF_INET for socket programming over a network is the safest option.
There is also AF_INET6 for Internet Protocol v6 addresses.
socket.SOCK_RAW
Raw mode is basically there to allow you to bypass some of the way
that your computer handles TCP/IP. Rather than going through the
normal layers of encapsulation/decapsulation that the TCP/IP stack
on the kernel does, you just pass the packet to the application that
needs it. No TCP/IP processing -- so it's not a processed packet, it's a
raw packet. The application that's using the packet is now
responsible for stripping off the headers, analyzing the packet, all
the stuff that the TCP/IP stack in the kernel normally does for you
Pseudo code
10
Program
import socket, sys
from struct import
11
socket
+
IPPROTO_TCP)
str(msg[0])
'
# receive a packet
while True:
packet = s.recvfrom(65500)
#packet string from
packet = packet[0]
#take first
ip_header =
tuple
20 characters
packet[0:20]
for
ihl
the
ip
header
ip_header)
ttl = iph[5]
protocol = iph[6]
s_addr = socket.inet_ntoa(iph[8]);
d_addr = socket.inet_ntoa(iph[9]);
print 'Version : ' + str(version) + '\tIP Header Length : ' + str(ihl)
\tTTL : ' + str(ttl) + '\tProtocol : ' + str(protocol) + '\tSource Address
+ str(s_addr) + '\tDestination Address : ' + str(d_addr)
tcp_header
#now
tcph
'
'
packet[iph_length:iph_length+20]
unpack them :)
= unpack('!HHLLBBHHH'
source_port = tcph[0]
dest_port = tcph[1]
sequence = tcph[2]
acknowledgement = tcph[3]
doff_reserved = tcph[4]
tcph_length = doff_reserved
tcp_header)
>>
+
:
+tcph_length*4
Header
Out Put
12
IP header format
13