
Notes: Python and Packet Headers


Some notes taken from Vivek Ramachandran's course on Penetration Testing with Python.

Network Packets

Packets are layered in encapsulated data like so:

> Ethernet

> IP

> TCP

> Application Data

The first 14 bytes of a frame are the Ethernet header.

Network Byte Order

Unlike the Little Endian format used on a regular computer, network protocols send their bytes in Big Endian (network byte order) format. This means we have to be explicit about byte order when sending/injecting packets.

Python & Struct to Pack

The struct module allows us to pack and unpack data for packets.

For example, to create a null byte, we would do:

struct.pack("x")  # where x is the format.

We have a table of formats that we can choose from:

x = pad byte (no value)
c = char (string of length 1)
b = signed char
B = unsigned char
? = boolean
h = short integer
H = unsigned short integer
i = int
I = unsigned int
l = long integer
L = unsigned long integer
q = long long integer
Q = unsigned long long integer
f = float
d = double
s = char[] (string)
p = char[] (Pascal string)
P = void * (integer)

To pack something like the value of 1, we would do:

struct.pack("B", 1)

By default it's in the machine's native byte order (Little Endian on a regular computer). To put this into Big Endian format, we add the bang like so:

struct.pack("!B", 1)

which actually won't look any different, since there's only one byte. If however we were using an unsigned short of 2 bytes:

struct.pack("H", 1)

we'll see a difference between that and this:

struct.pack("!H", 1)

To capture a longer set of bytes we can do:

struct.pack("2s", b"hi")

Python & Struct to Unpack

It does the opposite process. Let's say we had a Long of 4 bytes like:

\x00\x00\x00\x01

if we do struct.unpack("!L", b"\x00\x00\x00\x01") it will return (1,)

Python & Raw Sockets

The socket module allows us to make a call similar to setting up a server using raw sockets:

sniff_socket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))

The most confusing part of the above for me was the socket.htons method and its parameter value of 0x0800. Vivek Ramachandran explains that this is the protocol value (in hex) that we are interested in. 0x0800 is the IP protocol; if you check if_ether.h on a Linux system you should get the full list of hex codes available. I actually couldn't find this on OSX itself, but I found a resource on EtherTypes at Wikipedia:

EtherType values for some notable protocols:

| EtherType | Protocol |
|-----------|----------|
| 0x0800 | Internet Protocol version 4 (IPv4) |
| 0x0806 | Address Resolution Protocol (ARP) |
| 0x0842 | Wake-on-LAN |
| 0x22F3 | IETF TRILL Protocol |
| 0x6003 | DECnet Phase IV |
| 0x8035 | Reverse Address Resolution Protocol |
| 0x809B | AppleTalk (Ethertalk) |
| 0x80F3 | AppleTalk Address Resolution Protocol (AARP) |
| 0x8100 | VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq |
| 0x8137 | IPX |
| 0x8204 | QNX Qnet |
| 0x86DD | Internet Protocol Version 6 (IPv6) |
| 0x8808 | Ethernet flow control |
| 0x8819 | CobraNet |
| 0x8847 | MPLS unicast |
| 0x8848 | MPLS multicast |
| 0x8863 | PPPoE Discovery Stage |
| 0x8864 | PPPoE Session Stage |
| 0x8870 | Jumbo Frames (proposed) |
| 0x887B | |
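The pieces above (network byte order, struct pack/unpack, the 14-byte Ethernet header, the EtherType value handed to the raw socket) fit together in the following added example. It is not code from the course or the original notes. It builds a constructed IPv4-over-Ethernet frame with struct, parses it back with the same format strings, labels the frame from a subset of the EtherType table, and checks header lengths before unpacking so a short or truncated frame raises an error instead of being misread. The `sniff()` function reproduces the raw-socket call from the notes (Linux only, needs root) and is only run when `sniff` is passed on the command line; the helper names and the sample MAC/IP addresses are constructed for this example.

```python
import socket
import struct
import sys

# Ethernet header: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType.
# "!" selects network (big-endian) byte order; "6s" is a 6-byte raw string.
ETH_HEADER_FMT = "!6s6sH"
ETH_HEADER_LEN = struct.calcsize(ETH_HEADER_FMT)    # 14 bytes, as the notes state

# Fixed IPv4 header (no options): version/IHL, DSCP/ECN, total length, identification,
# flags/fragment offset, TTL, protocol, header checksum, source IP, destination IP.
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"
IPV4_HEADER_LEN = struct.calcsize(IPV4_HEADER_FMT)  # 20 bytes

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD

# Subset of the EtherType table from the notes, used only to label parsed frames.
ETHERTYPE_NAMES = {
    ETHERTYPE_IPV4: "IPv4",
    ETHERTYPE_ARP: "ARP",
    0x8100: "VLAN-tagged (802.1Q)",
    ETHERTYPE_IPV6: "IPv6",
}


def short_native_vs_network(value):
    """Pack a 2-byte unsigned short in native and in network order.

    On a little-endian host "H" gives b'\\x01\\x00' for 1, while "!H" always gives b'\\x00\\x01'.
    """
    return struct.pack("H", value), struct.pack("!H", value)


def mac_str(raw):
    """Render 6 raw bytes as a colon-separated hex MAC string."""
    return ":".join("%02x" % b for b in raw)


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Pack an Ethernet header in network byte order and append the payload."""
    return struct.pack(ETH_HEADER_FMT, dst_mac, src_mac, ethertype) + payload


def build_ipv4_header(src_ip, dst_ip, proto, payload_len, ttl=64):
    """Pack a fixed IPv4 header (checksum left at 0; this is a constructed sample, not an IP stack)."""
    total_len = IPV4_HEADER_LEN + payload_len
    return struct.pack(IPV4_HEADER_FMT, 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))


def parse_frame(frame):
    """Unpack the Ethernet header and, for IPv4, the fixed IPv4 header.

    Raises ValueError when the frame is too short to hold a header, which is the
    check a sniffer must make before trusting any unpacked field.
    """
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack(ETH_HEADER_FMT, frame[:ETH_HEADER_LEN])
    info = {
        "dst_mac": mac_str(dst),
        "src_mac": mac_str(src),
        "ethertype": ethertype,
        "protocol": ETHERTYPE_NAMES.get(ethertype, "unknown (0x%04x)" % ethertype),
    }
    if ethertype == ETHERTYPE_IPV4:
        ip = frame[ETH_HEADER_LEN:]
        if len(ip) < IPV4_HEADER_LEN:
            raise ValueError("IPv4 payload shorter than the 20-byte fixed header")
        (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum,
         src_ip, dst_ip) = struct.unpack(IPV4_HEADER_FMT, ip[:IPV4_HEADER_LEN])
        info.update({
            "ip_version": ver_ihl >> 4,
            "ihl_bytes": (ver_ihl & 0x0F) * 4,
            "total_length": total_len,
            "ttl": ttl,
            "ip_protocol": proto,
            "src_ip": socket.inet_ntoa(src_ip),
            "dst_ip": socket.inet_ntoa(dst_ip),
        })
    return info


# Constructed sample frame (not captured traffic): IPv4 over Ethernet with an empty payload.
SAMPLE_FRAME = build_frame(
    bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4,
    build_ipv4_header("192.0.2.1", "198.51.100.2", 6, 0))


def sniff(count=5):
    """Open the raw socket from the notes (Linux, root required) and parse `count` frames."""
    s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_IPV4))
    for _ in range(count):
        frame, _addr = s.recvfrom(65535)
        print(parse_frame(frame))


if __name__ == "__main__":
    print(short_native_vs_network(1))
    print(parse_frame(SAMPLE_FRAME))
    if len(sys.argv) > 1 and sys.argv[1] == "sniff":
        sniff()
```

The same `"!..."` format string is used to build and to parse each header, so byte order is decided once; the length checks matter because a raw socket hands over whatever arrives on the wire, and `struct.unpack` raises on a short buffer only if you slice exactly the header size.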
