I needed to extract the HTTP request and response header information from network packets.
While looking around for a packet analysis program, I came across Python's scapy.
So, install it right away~
]$ sudo apt-get install python-scapy
It's an Ubuntu box, so a simple apt-get install. (On current Ubuntu releases the Python 3 package is python3-scapy; python-scapy was the Python 2 build.)
Running scapy and viewing its configuration
]$ sudo scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.1.0)
>>> conf
ASN1_default_codec = <ASN1Codec BER[1]>
AS_resolver = <scapy.as_resolvers.AS_resolver_multi instance at 0x2476758>
BTsocket = <BluetoothL2CAPSocket: read/write packets on a connected L2CAP ...
L2listen = <L2ListenSocket: read packets at layer 2 using Linux PF_PACKET ...
L2socket = <L2Socket: read/write packets at layer 2 using Linux PF_PACKET ...
L3socket = <L3PacketSocket: read/write packets at layer 3 using Linux PF_P...
auto_fragment = 1
checkIPID = 0
checkIPaddr = 1
checkIPsrc = 1
check_TCPerror_seqack = 0
color_theme = <DefaultTheme>
commands = arpcachepoison : Poison target's cache with (your MAC,victim's ...
debug_dissector = 0
debug_match = 0
default_l2 = <class 'scapy.packet.Raw'>
emph = <Emphasize []>
ethertypes = </etc/ethertypes/ >
except_filter = ''
extensions_paths = '.'
histfile = '/home/apollo89/.scapy_history'
iface = 'eth0'
iface6 = 'lo'
interactive = True
ipv6_enabled = True
l2types = 0x1 <- Dot3 (802.3) 0x1 <-> Ether (Ethernet) 0xc -> IP (IP) 0x1...
l3types = 0x3 -> IP (IP) 0x800 <-> IP (IP) 0x806 <-> ARP (ARP) 0x86dd <->...
layers = Packet : None NoPayload : None Raw : Raw Padding : Padding ASN1...
load_layers = ['l2', 'inet', 'dhcp', 'dns', 'dot11', 'gprs', 'hsrp', 'inet6'...
logLevel = 20
manufdb = </usr/share/wireshark/wireshark/manuf/ >
mib = <MIB/ >
neighbor = Dot3 -> IP Ether -> IP Ether -> Dot1Q Ether -> ARP Ether -> IPv...
netcache = arp_cache: 0 valid items. Timeout=120s in6_neighbor: 0 valid it...
noenum = <Resolve []>
padding = 1
prog = display = 'display' dot = 'dot' hexedit = 'hexer' pdfreader = '...
promisc = 1
prompt = '>>> '
protocols = </etc/protocols/ pim ip ax_25 esp tcp ah mpls_in_ip rohc ipv6_o...
raw_layer = <class 'scapy.packet.Raw'>
raw_summary = False
readfunc = None
resolve = <Resolve []>
route = Network Netmask Gateway Iface Output IP 127.0.0.0 255.0.0.0 0.0...
route6 = Destination Next Hop iface src candidates fe80::/64 :: eth0 fe8...
services_tcp = </etc/services-tcp/ kpop zabbix_trapper noclog svn cmip_man b...
services_udp = </etc/services-udp/ zabbix_trapper noclog cmip_man z3950 root...
session = ''
sniff_promisc = 1
stats_classic_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.la...
stats_dot11_protocols = [<class 'scapy.layers.inet.TCP'>, <class 'scapy.laye...
stealth = 'not implemented'
temp_files = []
teredoPrefix = '2001::'
teredoServerPort = 3544
use_dnet = False
use_pcap = False
verb = 2
version = '2.1.0'
warning_threshold = 5
wepkey = ''
>>>
Sniffing with scapy
>>> sniff(count=10) # just 10 packets as a test..
<Sniffed: TCP:2 UDP:7 ICMP:0 Other:1>
>>> packet = _
>>> packet
<Sniffed: TCP:2 UDP:7 ICMP:0 Other:1>
>>> packet.show()
0000 Ether / IP / TCP xxx.xxx.xxx.204:ssh > xxx.xxx.xxx.242:51994 PA / Raw
0001 Ether / xxx.xxx.xxx.3 > xxx.xxx.xxx.10 eigrp / Raw
0002 Ether / IP / UDP xxx.xxx.xxx.3:1985 > xxx.xxx.xxx.2:1985 / HSRP
0003 Ether / IP / TCP xxx.xxx.xxx.242:51994 > xxx.xxx.xxx.204:ssh A / Padding
0004 Ether / IP / UDP xxx.xxx.xxx.3:1985 > xxx.xxx.xxx.2:1985 / HSRP
0005 Ether / IP / UDP xxx.xxx.xxx.2:1985 > xxx.xxx.xxx.2:1985 / HSRP
0006 Ether / IPv6 / UDP xxxx::80ca:xxxx:32b1:xxxx:dhcpv6_client > ff02::1:2:dhcpv6_server / DHCP6_Solicit / DHCP6OptElapsedTime / DHCP6OptClientId / DHCP6OptIA_NA / Raw
0007 Ether / IPv6 / UDP fe80::xxxx:cc8f:xxxx:a486:dhcpv6_client > ff02::1:2:dhcpv6_server / DHCP6_Solicit / DHCP6OptElapsedTime / DHCP6OptClientId / DHCP6OptIA_NA / Raw
0008 Ether / IPv6 / UDP xxxx::6d20:xxxx:6d3a:xxxx:64546 > ff02::1:3:hostmon / LLMNRQuery
0009 Ether / IP / UDP xxx.xxx.xxx.53:56153 > xxx.xxx.xxx.252:hostmon / LLMNRQuery
>>> packet[0].show()
###[ Ethernet ]###
dst= xx:00:xx:07:xx:6a
src= 00:xx:54:xx:08:xx
type= 0x800
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x10
len= 92
id= 50504
flags= DF
frag= 0L
ttl= 64
proto= tcp
chksum= 0x6e73
src= xxx.xxx.xxx.204
dst= xxx.xxx.xxx.242
\options\
###[ TCP ]###
sport= ssh
dport= 51994
seq= 3005291570
ack= 3091292211
dataofs= 5L
reserved= 0L
flags= PA
window= 353
chksum= 0x9c5d
urgptr= 0
options= []
###[ Raw ]###
load= '$7,\xa..............................\x01\x9e\\'
>>>
Reading a pcap file and analyzing it.
>>> pcap=rdpcap("test11.pcap")
>>> pcap.summary()
Ether / IPv6 / UDP xxxx::41cc:xxxx:6e2a:xxxx:64491 > ff02::1:3:hostmon / LLMNRQuery
Ether / IP / UDP xxx.xxx.xxx.207:50950 > xxx.xxx.xxx.252:hostmon / LLMNRQuery
Ether / IPv6 / UDP xxxx::41cc:xxxx:6e2a:xxxx:64491 > ff02::1:3:hostmon / LLMNRQuery
Ether / IP / UDP xxx.xxx.xxx.207:50950 > xxx.xxx.xxx.252:hostmon / LLMNRQuery
Ether / IP / TCP xxx.xxx.xxx.242:52201 > xxx.xxx.xxx.10:http_alt A / Raw
>>> pcap[1].show()
###[ Ethernet ]###
dst= xx:00:xx:00:xx:fc
src= 00:xx:54:xx:d4:xx
type= 0x800
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 61
id= 19086
flags=
frag= 0L
ttl= 1
proto= udp
chksum= 0xb4e
src= xxx.xxx.xxx.207
dst= xxx.xxx.xxx.252
\options\
###[ UDP ]###
sport= 50950
dport= hostmon
len= 41
chksum= 0x2705
###[ Link Local Multicast Node Resolution - Query ]###
id= 63460
qr= 0L
opcode= QUERY
c= 0L
tc= 0L
z= 0L
rcode= ok
qdcount= 1
ancount= 0
nscount= 0
arcount= 0
\qd\
|###[ DNS Question Record ]###
| qname= 'xxxxxx99ACA33.'
| qtype= A
| qclass= IN
an= None
ns= None
ar= None
>>>
Oh~ this is fun and fascinating.
References
http://www.packetinside.com/2010/10/scapy-%EC%9D%98-%EB%8B%A4%EC%96%91%ED%95%9C-%EA%B8%B0%EB%8A%A5%EC%9D%84-%EC%9D%B5%ED%98%80%EB%B3%B4%EC%9E%90-%EB%91%90%EB%B2%88%EC%A7%B8.html
http://mcchae.egloos.com/10977611