I had a task that required extracting the HTTP request and response header information from network packets.
While looking for a packet analysis program, I came across scapy for Python.
So, straight to installing it~
```
]$ sudo apt-get install python-scapy
```
It's an Ubuntu box, so a simple apt-get install does it.
Running scapy and viewing the environment
```
]$ sudo scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.1.0)
>>> conf
ASN1_default_codec = <ASN1Codec BER[1]>
AS_resolver = <scapy.as_resolvers.AS_resolver_multi instance at 0x2476758>
BTsocket = <BluetoothL2CAPSocket: read/write packets on a connected L2CAP ...
L2listen = <L2ListenSocket: read packets at layer 2 using Linux PF_PACKET ...
L2socket = <L2Socket: read/write packets at layer 2 using Linux PF_PACKET ...
L3socket = <L3PacketSocket: read/write packets at layer 3 using Linux PF_P...
auto_fragment = 1
checkIPID = 0
checkIPaddr = 1
checkIPsrc = 1
check_TCPerror_seqack = 0
color_theme = <DefaultTheme>
commands = arpcachepoison : Poison target's cache with (your MAC,victim's ...
debug_dissector = 0
debug_match = 0
default_l2 = <class 'scapy.packet.Raw'>
emph = <Emphasize []>
ethertypes = </etc/ethertypes/ >
except_filter = ''
extensions_paths = '.'
histfile = '/home/apollo89/.scapy_history'
iface = 'eth0'
iface6 = 'lo'
interactive = True
ipv6_enabled = True
l2types = 0x1 <- Dot3 (802.3) 0x1 <-> Ether (Ethernet) 0xc -> IP (IP) 0x1...
l3types = 0x3 -> IP (IP) 0x800 <-> IP (IP) 0x806 <-> ARP (ARP) 0x86dd <->...
layers = Packet : None NoPayload : None Raw : Raw Padding : Padding ASN1...
load_layers = ['l2', 'inet', 'dhcp', 'dns', 'dot11', 'gprs', 'hsrp', 'inet6'...
logLevel = 20
manufdb = </usr/share/wireshark/wireshark/manuf/ >
mib = <MIB/ >
neighbor = Dot3 -> IP Ether -> IP Ether -> Dot1Q Ether -> ARP Ether -> IPv...
netcache = arp_cache: 0 valid items. Timeout=120s in6_neighbor: 0 valid it...
noenum = <Resolve []>
padding = 1
prog = display = 'display' dot = 'dot' hexedit = 'hexer' pdfreader = '...
promisc = 1
prompt = '>>> '
protocols = </etc/protocols/ pim ip ax_25 esp tcp ah mpls_in_ip rohc ipv6_o...
raw_layer = <class 'scapy.packet.Raw'>
raw_summary = False
readfunc = None
resolve = <Resolve []>
route = Network Netmask Gateway Iface Output IP 127.0.0.0 255.0.0.0 0.0...
route6 = Destination Next Hop iface src candidates fe80::/64 :: eth0 fe8...
services_tcp = </etc/services-tcp/ kpop zabbix_trapper noclog svn cmip_man b...
services_udp = </etc/services-udp/ zabbix_trapper noclog cmip_man z3950 root...
session = ''
sniff_promisc = 1
stats_classic_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.la...
stats_dot11_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.laye...
stealth = 'not implemented'
temp_files = []
teredoPrefix = '2001::'
teredoServerPort = 3544
use_dnet = False
use_pcap = False
verb = 2
version = '2.1.0'
warning_threshold = 5
wepkey = ''
>>>
```
Sniffing with scapy
```
>>> sniff(count=10)   # just 10 packets for a test..
<Sniffed: TCP:2 UDP:7 ICMP:0 Other:1>
>>> packet = _
>>> packet
<Sniffed: TCP:2 UDP:7 ICMP:0 Other:1>
>>> packet.show()
0000 Ether / IP / TCP xxx.xxx.xxx.204:ssh > xxx.xxx.xxx.242:51994 PA / Raw
0001 Ether / xxx.xxx.xxx.3 > xxx.xxx.xxx.10 eigrp / Raw
0002 Ether / IP / UDP xxx.xxx.xxx.3:1985 > xxx.xxx.xxx.2:1985 / HSRP
0003 Ether / IP / TCP xxx.xxx.xxx.242:51994 > xxx.xxx.xxx.204:ssh A / Padding
0004 Ether / IP / UDP xxx.xxx.xxx.3:1985 > xxx.xxx.xxx.2:1985 / HSRP
0005 Ether / IP / UDP xxx.xxx.xxx.2:1985 > xxx.xxx.xxx.2:1985 / HSRP
0006 Ether / IPv6 / UDP xxxx::80ca:xxxx:32b1:xxxx:dhcpv6_client > ff02::1:2:dhcpv6_server / DHCP6_Solicit / DHCP6OptElapsedTime / DHCP6OptClientId / DHCP6OptIA_NA / Raw
0007 Ether / IPv6 / UDP fe80::xxxx:cc8f:xxxx:a486:dhcpv6_client > ff02::1:2:dhcpv6_server / DHCP6_Solicit / DHCP6OptElapsedTime / DHCP6OptClientId / DHCP6OptIA_NA / Raw
0008 Ether / IPv6 / UDP xxxx::6d20:xxxx:6d3a:xxxx:64546 > ff02::1:3:hostmon / LLMNRQuery
0009 Ether / IP / UDP xxx.xxx.xxx.53:56153 > xxx.xxx.xxx.252:hostmon / LLMNRQuery
>>> packet[0].show()
###[ Ethernet ]###
  dst= xx:00:xx:07:xx:6a
  src= 00:xx:54:xx:08:xx
  type= 0x800
###[ IP ]###
     version= 4L
     ihl= 5L
     tos= 0x10
     len= 92
     id= 50504
     flags= DF
     frag= 0L
     ttl= 64
     proto= tcp
     chksum= 0x6e73
     src= xxx.xxx.xxx.204
     dst= xxx.xxx.xxx.242
     \options\
###[ TCP ]###
        sport= ssh
        dport= 51994
        seq= 3005291570
        ack= 3091292211
        dataofs= 5L
        reserved= 0L
        flags= PA
        window= 353
        chksum= 0x9c5d
        urgptr= 0
        options= []
###[ Raw ]###
           load= '$7,\xa..............................\x01\x9e\\'
>>>
```
Reading and analyzing a pcap file.
```
>>> pcap=rdpcap("test11.pcap")
>>> pcap.summary()
Ether / IPv6 / UDP xxxx::41cc:xxxx:6e2a:xxxx:64491 > ff02::1:3:hostmon / LLMNRQuery
Ether / IP / UDP xxx.xxx.xxx.207:50950 > xxx.xxx.xxx.252:hostmon / LLMNRQuery
Ether / IPv6 / UDP xxxx::41cc:xxxx:6e2a:xxxx:64491 > ff02::1:3:hostmon / LLMNRQuery
Ether / IP / UDP xxx.xxx.xxx.207:50950 > xxx.xxx.xxx.252:hostmon / LLMNRQuery
Ether / IP / TCP xxx.xxx.xxx.242:52201 > xxx.xxx.xxx.10:http_alt A / Raw
>>> pcap[1].show()
###[ Ethernet ]###
  dst= xx:00:xx:00:xx:fc
  src= 00:xx:54:xx:d4:xx
  type= 0x800
###[ IP ]###
     version= 4L
     ihl= 5L
     tos= 0x0
     len= 61
     id= 19086
     flags=
     frag= 0L
     ttl= 1
     proto= udp
     chksum= 0xb4e
     src= xxx.xxx.xxx.207
     dst= xxx.xxx.xxx.252
     \options\
###[ UDP ]###
        sport= 50950
        dport= hostmon
        len= 41
        chksum= 0x2705
###[ Link Local Multicast Node Resolution - Query ]###
           id= 63460
           qr= 0L
           opcode= QUERY
           c= 0L
           tc= 0L
           z= 0L
           rcode= ok
           qdcount= 1
           ancount= 0
           nscount= 0
           arcount= 0
           \qd\
            |###[ DNS Question Record ]###
            |  qname= 'xxxxxx99ACA33.'
            |  qtype= A
            |  qclass= IN
           an= None
           ns= None
           ar= None
>>>
```
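The original goal above was pulling HTTP request and response headers out of captured packets. The following is an added example (not code from the post) that does that part in plain Python over TCP payload bytes: with scapy you would hand it `pkt[Raw].load` from each TCP packet that `sniff()` or `rdpcap()` returns, keyed by the packet's addresses and ports. The sample segments, flow tuples and hostnames are constructed for the example, and the request head is deliberately split across two segments, because a header block does not always arrive in a single packet.

```python
# Added example (not from the post): extract HTTP request/response headers from
# TCP payloads. With scapy, pass pkt[Raw].load of each TCP packet returned by
# sniff() or rdpcap(), keyed by (ip.src, tcp.sport, ip.dst, tcp.dport).
import re
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})")

def parse_http_message(data):
    """Return the start line + headers of one HTTP head, or None if incomplete/not HTTP."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None                        # header block not finished yet
    lines = data[:end].split(b"\r\n")
    msg = {}
    m = REQUEST_LINE.match(lines[0])
    if m:
        msg["kind"], msg["method"], msg["uri"] = "request", m.group(1).decode(), m.group(2).decode()
    else:
        m = STATUS_LINE.match(lines[0])
        if not m:
            return None                    # not HTTP (e.g. SSH or TLS payload)
        msg["kind"], msg["status"] = "response", int(m.group(1))
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:                            # ignore malformed lines without a colon
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    msg["headers"] = headers
    return msg
class HttpHeaderExtractor:
    """Buffers payload per flow so a head split across TCP segments still parses."""
    def __init__(self):
        self.buffers = {}
    def feed(self, flow, payload):
        buf = self.buffers.pop(flow, b"") + payload
        msg = parse_http_message(buf)
        if msg is None and b"\r\n\r\n" not in buf:
            self.buffers[flow] = buf       # incomplete: wait for the next segment
        return msg                         # also None for complete non-HTTP data
# Constructed sample segments (not real capture data); the request head is split in two.
SAMPLE = [
    (("10.0.0.1", 51994, "10.0.0.2", 80), b"GET /index.html HTTP/1.1\r\nHost: exam"),
    (("10.0.0.1", 51994, "10.0.0.2", 80), b"ple.test\r\nUser-Agent: curl/7.0\r\n\r\n"),
    (("10.0.0.2", 80, "10.0.0.1", 51994), b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    (("10.0.0.3", 40000, "10.0.0.4", 22), b"SSH-2.0-OpenSSH_8.9\r\n"),
]
def run_sample():
    ex = HttpHeaderExtractor()
    return [m for m in (ex.feed(f, s) for f, s in SAMPLE) if m]
```

Running `run_sample()` yields two parsed heads (the reassembled GET request and the 200 response); the SSH segment is buffered and never matches, which is the check you want before treating a TCP payload as HTTP.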
Oh~ this is kind of fun and fascinating.
References
http://www.packetinside.com/2010/10/scapy-%EC%9D%98-%EB%8B%A4%EC%96%91%ED%95%9C-%EA%B8%B0%EB%8A%A5%EC%9D%84-%EC%9D%B5%ED%98%80%EB%B3%B4%EC%9E%90-%EB%91%90%EB%B2%88%EC%A7%B8.html
http://mcchae.egloos.com/10977611