pellegre / libcrafter

A high level C++ network packet sniffing and crafting library.

Payload size/contents not working for ReadPcap packetcontainer #41

Closed hrbrmstr closed 9 years ago

hrbrmstr commented 9 years ago

I'm writing an R package to read/analyze/visualize PCAPs (and, perhaps, live sniffs) that's (right now) using your C++ library. I'm having an issue with getting the contents of layer payloads.

I've reduced my problem into a standalone example. The following uses the honeybot PCAP file:

#include <crafter.h>
#include <iostream>
#include <vector>

using namespace std;
using namespace Crafter;

int main() {

  std::vector<Packet*> pcap;

  /* Load every packet from the capture; the empty string means no BPF filter */
  ReadPcap(&pcap, "/tmp/hbot.pcap", "");

  /* Guard the index before dereferencing the tenth packet */
  if (pcap.size() < 10) {
    cerr << "capture has fewer than 10 packets" << endl;
    return 1;
  }

  /* GetLayer returns a null pointer when the packet carries no TCP layer */
  TCP* lay = pcap[9]->GetLayer<TCP>();

  if (lay) {
    cout << "Layer size: " << lay->GetSize() << std::endl;
    cout << "Header size: " << lay->GetHeaderSize() << std::endl;
    cout << "Payload size: " << lay->GetPayloadSize() << std::endl;
    lay->HexDump();
    lay->RawString();
    lay->Print();
  }

  /* ReadPcap allocates each Packet on the heap; release them */
  for (size_t i = 0; i < pcap.size(); ++i)
    delete pcap[i];

  return 0;

}

That returns:

$ ./ctest
Layer size: 20
Header size: 20
Payload size: 0
  04090050 E35E2B95 6B876865 5018FAF0  ...P.^+.k.heP... 00000000
  671F0000                             g...             00000010
\x4\x9\x0\x50\xe3\x5e\x2b\x95\x6b\x87\x68\x65\x50\x18\xfa\xf0\x67\x1f\x0\x0
< TCP (20 bytes) :: SrcPort = 1033 , DstPort = 80 , SeqNumber = 3814599573 , 
AckNumber = 1804036197 , DataOffset = 5 , Reserved = 0 , Flags = ( PSH ACK ) , 
WindowsSize = 64240 , CheckSum = 0x671f , UrgPointer = 0 , >

But there is clearly payload:

[image not reproduced]

Am I missing a necessary call to ensure the payload is accessible?

pellegre commented 9 years ago

Hi, in case an application protocol is coming from the net on top of the transport layer, libcrafter will use a RawLayer object to represent it. Try this:

#include <crafter.h>
#include <iostream>
#include <vector>

using namespace std;
using namespace Crafter;

int main() {

  std::vector<Packet*> pcap;

  ReadPcap(&pcap, "/tmp/hbot.pcap", "");

  /* Guard the index before dereferencing the tenth packet */
  if (pcap.size() < 10) {
    cerr << "capture has fewer than 10 packets" << endl;
    return 1;
  }

  /* Data above TCP/UDP is decoded as a RawLayer, not as the TCP layer's payload */
  RawLayer* raw = pcap[9]->GetLayer<RawLayer>();
  if (raw) {
    raw->Print();
  }

  /* ReadPcap allocates each Packet on the heap; release them */
  for (size_t i = 0; i < pcap.size(); ++i)
    delete pcap[i];

  return 0;

}

I know the "Payload" concept is confusing, but it isn't meant to represent the data on top of TCP / UDP. It is mostly used for IP / TCP options and extra data for a given protocol, not for what is on top of it.

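The distinction in the reply above is easy to see on raw bytes. The following is an added example written for this page, not libcrafter code and not the maintainer's: it splits a TCP segment into the fixed header, the options region (the bytes libcrafter's TCP layer calls its payload) and the application data above the header (what libcrafter would hand back as a RawLayer), and walks the options as (kind, length) pairs. It is self-contained so it builds without libcrafter; the struct and function names are this example's own. The first sample uses the 20 header bytes from the hexdump in the issue (1033 -> 80, PSH ACK, DataOffset 5) followed by a constructed HTTP request line standing in for the capture data, which is not reproduced on this page; the second sample is a constructed SYN with options and no application data.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Three regions of a TCP segment (names are this example's, not libcrafter's).
struct TcpSplit {
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  flags;
    size_t   header_size;         // DataOffset * 4, options included
    std::vector<uint8_t> options; // bytes past the fixed 20-byte header: the
                                  // TCP layer's "payload" in libcrafter's sense
    std::string app_data;         // bytes above the header: a RawLayer in libcrafter
};

// Parse one TCP segment (header plus whatever follows it) from raw bytes.
TcpSplit split_tcp_segment(const std::vector<uint8_t>& seg) {
    if (seg.size() < 20)
        throw std::runtime_error("truncated TCP header");
    const size_t data_offset = static_cast<size_t>(seg[12] >> 4) * 4;
    if (data_offset < 20 || data_offset > seg.size())
        throw std::runtime_error("invalid TCP data offset");

    TcpSplit r;
    r.src_port    = static_cast<uint16_t>((seg[0] << 8) | seg[1]);
    r.dst_port    = static_cast<uint16_t>((seg[2] << 8) | seg[3]);
    r.flags       = seg[13];
    r.header_size = data_offset;
    r.options.assign(seg.begin() + 20, seg.begin() + data_offset);
    r.app_data.assign(seg.begin() + data_offset, seg.end());
    return r;
}

// Walk the options region as (kind, length) pairs. EOL (0) and NOP (1) are
// single-byte options; every other kind carries a length byte covering itself.
std::vector<std::pair<uint8_t, uint8_t>>
parse_tcp_options(const std::vector<uint8_t>& opts) {
    std::vector<std::pair<uint8_t, uint8_t>> out;
    size_t i = 0;
    while (i < opts.size()) {
        const uint8_t kind = opts[i];
        if (kind == 0) { out.push_back({0, 1}); break; }   // EOL: rest is padding
        if (kind == 1) { out.push_back({1, 1}); ++i; continue; }
        if (i + 1 >= opts.size())
            throw std::runtime_error("option without length byte");
        const uint8_t len = opts[i + 1];
        if (len < 2 || i + len > opts.size())
            throw std::runtime_error("bad option length");
        out.push_back({kind, len});
        i += len;
    }
    return out;
}

// Sample 1: header bytes copied from the issue's hexdump, followed by a
// CONSTRUCTED request line (the real capture data is not on this page).
std::vector<uint8_t> issue_segment() {
    std::vector<uint8_t> seg = {
        0x04, 0x09, 0x00, 0x50, 0xe3, 0x5e, 0x2b, 0x95,
        0x6b, 0x87, 0x68, 0x65, 0x50, 0x18, 0xfa, 0xf0,
        0x67, 0x1f, 0x00, 0x00 };
    const std::string http = "GET / HTTP/1.1\r\n";
    seg.insert(seg.end(), http.begin(), http.end());
    return seg;
}

// Sample 2: a CONSTRUCTED SYN (DataOffset 8) carrying MSS, SACK-permitted,
// two NOPs and window scale, with nothing above the header.
std::vector<uint8_t> syn_with_options() {
    return {
        0xc0, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01,
        0x00, 0x00, 0x00, 0x00, 0x80, 0x02, 0xff, 0xff,
        0x00, 0x00, 0x00, 0x00,
        0x02, 0x04, 0x05, 0xb4,   // MSS 1460
        0x04, 0x02,               // SACK permitted
        0x01, 0x01,               // NOP, NOP
        0x03, 0x03, 0x07,         // window scale 7
        0x00 };                   // EOL padding
}

int main() {
    for (const auto& seg : { issue_segment(), syn_with_options() }) {
        TcpSplit s = split_tcp_segment(seg);
        std::cout << s.src_port << " -> " << s.dst_port
                  << "  header " << s.header_size
                  << "  options (\"payload\") " << s.options.size()
                  << "  app data (RawLayer) " << s.app_data.size() << "\n";
        for (const auto& kv : parse_tcp_options(s.options))
            std::cout << "  option kind " << int(kv.first)
                      << " len " << int(kv.second) << "\n";
    }
    return 0;
}
```

For the segment from the issue this reports a 20-byte header with an empty options region, which is exactly why GetPayloadSize() printed 0, while the request line lands in the region libcrafter models as a RawLayer. The bounds checks on the data offset and option lengths matter when the input is an untrusted capture rather than your own traffic.
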
hrbrmstr commented 9 years ago

ZOMGOSH #ty. That was it! Super-helpful library, btw. I'll make sure to ping you when the R pkg is complete.

pellegre commented 9 years ago

awesome! looking forward to seeing the R pkg working :)