fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

tag_cnt show 0 even there's VLan header #624

Open havihu opened 5 years ago

havihu commented 5 years ago

Hi, I'm using pcapy to capture the packets and EthDecoder to parse them. When I try to get tag_cnt I'm getting 0 even though I have a VLAN header in the packet. The weird thing is that when I'm playing in the Python shell and running the ping command, I do see tag_cnt. The issue comes from a bulk of tests I'm running; part of the test is packet sniffers that use scapy and impacket. Sometimes it does get true results and sometimes not. Any suggestions?

Here's what I'm trying:

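    import pcapy
    from impacket.ImpactDecoder import EthDecoder

    dev = "eth0"  # capture interface; placeholder, set to your own

    cap = pcapy.open_live(dev, 2000, 0, 0)
    while True:
        try:
            # next() returns (pcap header, raw frame bytes)
            (header, packet) = cap.next()
            eth = EthDecoder().decode(packet)
            print(eth.tag_cnt)
        except pcapy.PcapError:
            continue

havihu commented 5 years ago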

Just found that in Python 2 it's working, in Python 3 not, but I'm not sure which packet is not compatible.

asolino commented 5 years ago

That's an interesting find @havihu

It would be great if you can extract a packet that behaves different depending on the Python version so we can try to spot the issue.

havihu commented 5 years ago

Here is a packet, for example:

b'\xec\r\x9a\xd4.\xbc\x98\x03\x9b\x82\xd6\xbe\x81\x00\x00\x05\x08\x00E\x00\x00T\xc6\xd9@\x00@\x01N\xff\x0c\x89\x05\xe0\x0c\x89\x05\xdf\x08\x00\t\x91\t\x94\x00\x01c\xed\xe0\\\x00\x00\x00\x00\xdb\xbc\x06\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567'

In Python3 tag.cnt = 0, in Python tag.cnt = 1

havihu commented 5 years ago

> That's an interesting find @havihu
>
> It would be great if you can extract a packet that behaves different depending on the Python version so we can try to spot the issue.

Hi, any update regarding this? The comment above is the packet example, thanks.

havihu commented 5 years ago

@asolino Hi, just wanted to update: I used the dev branch for the testing and it's working. However, I found your comment that impacket 0.9.19 is not working in Python 3: https://github.com/SecureAuthCorp/impacket/issues/611. I think you should update the readme file.

asolino commented 5 years ago

Hey @havihu

impacket 0.9.19 does not fully support Python3. There could be some modules that would work on Python3 but it wasn't even tested. That's the reason why I can't make such a statement.

Now, are you saying that this bug cannot be reproduced in 0.9.20-dev? Please confirm.

havihu commented 5 years ago

@asolino In 0.9.20-dev it's working. In 0.9.19 there are Python 3 compatibility issues, I got syntax errors. The issue I opened at the beginning appears to be on an old version of Impacket (I'm not sure how I could run it on Python 3), and there I got 0 for tag cnt instead of 1.

alexbienaime commented 5 years ago

Hi,

I'm having the same issue, but regardless of the version it's not working. I've tried several combinations of Python (2.7 and 3) with different versions of impacket (.16 to .20), all with the same result. EthernetDecoder doesn't properly parse and count VLAN tags; it always considers them part of the payload.

In the example below, 0006 0800 are the 4 bytes of the VLAN tag. Somehow the Ethernet decoder does decode the type: 802.1Q Virtual LAN (0x8100), but not the VLAN tag. I have to offset those bytes to be able to decode the IP layer with IPDecoder.

dso-analyzer_1      | 2019-10-11 13:43:05,404:DEBUG:
dso-analyzer_1      | Encapsulated packet
dso-analyzer_1      | Ether: 52:54:00:19:a3:b4 -> 52:54:00:c9:25:ae
dso-analyzer_1      |     
dso-analyzer_1      | 0006 0800 455c 00bd 54a3 4000 4006 d11a    ....E\..T.@.@...
dso-analyzer_1      | 0a00 0001 0a00 0021 cb72 0050 ffdc 3d36    .......!.r.P..=6
dso-analyzer_1      | 2a20 a01c 8018 01fe 6864 0000 0100 0f00    * ......hd......
dso-analyzer_1      | 1000 0662 fc00 0000 fb60 e27a 0004 0000    ...b.....`.z....
dso-analyzer_1      | ffff ffff 0000 0003 c8ac 1b50 c8ac 1d72    ...........P...r
dso-analyzer_1      | fb60 e27a 0005 0003 ffff ffff 0000 0003    .`.z............
dso-analyzer_1      | c8ac 17df c8ac 19f5 0101 080a 461a a54d    ............F..M
dso-analyzer_1      | 3dbf f60d 4745 5420 2f20 4854 5450 2f31    =...GET / HTTP/1
dso-analyzer_1      | 2e30 0d0a 486f 7374 3a20 3130 2e30 2e30    .0..Host: 10.0.0
dso-analyzer_1      | 2e33 330d 0a55 7365 722d 4167 656e 743a    .33..User-Agent:
dso-analyzer_1      | 2041 7061 6368 6542 656e 6368 2f32 2e33     ApacheBench/2.3
dso-analyzer_1      | 0d0a 4163 6365 7074 3a20 2a2f 2a0d 0a0d

Here are all the bytes of the packet:

52 54 00 C9 25 AE 52 54 00 19 A3 B4 81 00 00 06 08 00 45 5C 00 BD 54 A3 40 00 40 06 D1 1A 0A 00 00 01 0A 00 00 21 CB 72 00 50 FF DC 3D 36 2A 20 A0 1C 80 18 01 FE 68 64 00 00 01 00 0F 00 10 00 06 62 FC 00 00 00 FB 60 E2 7A 00 04 00 00 00 00 00 03 C8 AC 1B 50 C8 AC 1D 72 FB 60 E2 7A 00 05 00 03 FF FF FF FF 00 00 00 03 C8 AC 17 DF C8 AC 19 F5 01 01 08 0A 46 1A A5 4D 3D BF F6 0D 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 31 30 2E 30 2E 30 2E 33 33 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 41 70 61 63 68 65 42 65 6E 63 68 2F 32 2E 33 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D
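
A stdlib-only reference parse for cross-checking a decoder's tag count on frames like the ones in this thread. This is an added example, not impacket's code and not from any participant; `parse_ethernet`, `ipv4_endpoints` and `SAMPLE` are names chosen for illustration. It goes beyond the single-tag frames above and also walks stacked (QinQ, TPID 0x88A8) tags.

```python
import socket
import struct
from collections import namedtuple

# TPIDs that introduce a 4-byte VLAN tag: 802.1Q (C-tag) and 802.1ad (S-tag).
VLAN_TPIDS = {0x8100, 0x88A8}

VlanTag = namedtuple("VlanTag", "tpid pcp dei vid")
EthInfo = namedtuple("EthInfo", "dst src tags ethertype payload_offset")

# First 38 bytes of the frame listed in the last comment above
# (Ethernet header + one VLAN tag + 20-byte IPv4 header).
SAMPLE = bytes.fromhex(
    "525400c925ae 52540019a3b4 8100 0006 0800"
    "455c00bd54a340004006d11a0a0000010a000021"
)


def parse_ethernet(frame):
    """Parse an Ethernet II header, consuming any stacked VLAN tags."""
    frame = bytes(frame)
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    tags = []
    while ethertype in VLAN_TPIDS:
        # TPID (2 bytes) + TCI (2 bytes), then the next EtherType (2 bytes).
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
        ethertype = next_type
    return EthInfo(dst, src, tags, ethertype, offset + 2)


def ipv4_endpoints(frame):
    """Return (src, dst) of the IPv4 header that follows the tags, or None."""
    info = parse_ethernet(frame)
    ip = bytes(frame)[info.payload_offset:]
    if info.ethertype != 0x0800 or len(ip) < 20:
        return None
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])


if __name__ == "__main__":
    print(parse_ethernet(SAMPLE), ipv4_endpoints(SAMPLE))
```

The length of `tags` is the value to compare against the decoder's `tag_cnt`, and `payload_offset` is where the IP decoder should start.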