I am trying to write a scapy/python sniffer for Diameter messages and parse the Diameter part to get AVPs from Raw.load. After some failures I went back to a basic python/scapy script like this:

from scapy.all import *

def pkt_diam(pkt):
    # only segments that carry data have a Raw layer; a bare ACK does not
    if pkt.haslayer(Raw):
        raw = pkt.getlayer(Raw).load
        print(raw)
    # pkt.show()

sniff(iface="eth0", filter="port 3868", store=0, prn=pkt_diam)
By printing raw.load I have received just some AVPs, but very unreadable. If I use pkt.show() I receive the whole packet, Ethernet, IP, TCP and Raw part, but Raw.load is almost unusable.
###[ Raw ]###
load = '\x01\x00\x00\xec@\x00\x01/\x01\x00\x00\x00\x07K\x12\xca\x07K\x12\xca\x00\x00\x01\x07@\x00\x00 00000001;000001;61de2650\x00\x00\x01\x04@\x00\x00 \x00\x00\x01\n@\x00\x00\x0c\x00\x00(\xaf\x00\x00\x01\x02@\x00\x00\x0c\x01\x00\x00\x00\x00\x00\x01\x15@\x00\x00\x0c\x00\x00\x00\x01\x00\x00\x01\x08@\x00\x00\x1dtest.a-server.org\x00\x00\x00\x00\x00\x01(@\x00\x00\x14a-server.org\x00\x00\x01)@\x00\x00 \x00\x00\x01\n@\x00\x00\x0c\x00\x00(\xaf\x00\x00\x01*@\x00\x00\x0c\x00\x00\x13\x89\x00\x00\x02t\x80\x00\x008\x00\x00(\xaf\x00\x00\x01\n@\x00\x00\x0c\x00\x00(\xaf\x00\x00\x02u\x80\x00\x00\x10\x00\x00(\xaf\x00\x00\x00\x01\x00\x00\x02v\x80\x00\x00\x10\x00\x00(\xaf\x00\x00\x00\x05'
I need some help to parse and decode the Diameter Raw.load message. Thanks in advance.
The best way to do it is to define the Diameter header yourself, following the link that I just gave you, which is the section of the main Scapy documentation that details the step-by-step guide on how to build your own protocol type (header).
Once you have the Diameter() header defined correctly, dissecting the Diameter packets will become a breeze.
The Wikipedia page on the Diameter protocol seems to be a very good reference regarding the Diameter packet header.
As part of the current Scapy pull requests https://bitbucket.org/secdev/scapy/pull-requests/ , number #109 provides support for the Diameter layer (parsing and generation).
Download the latest Scapy sources and the diameter.py file, which should be placed in the 'contribution' directory (this file will not fully work with the current 2.3.1 Scapy version).
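The header layout the answer above refers to can be read straight off the bytes in the question: `\x01\x00\x00\xec` is version 1 and a 24-bit message length of 236, `@` is the flags byte 0x40 (the P bit; the R bit is 0x80, so this is an answer, not a request), `\x00\x01/` is command code 303 and `\x01\x00\x00\x00` is application id 16777216, i.e. 3GPP Cx. Each AVP that follows is a 4-byte code, a flags byte, a 24-bit length that includes the AVP header but not the padding to a 4-byte boundary, an optional 4-byte Vendor-Id when the V flag (0x80) is set, and the data; so `\x00\x00\x01\x07@\x00\x00 ` is Session-Id (263), mandatory, 32 bytes long. The following pure-Python parser and builder is an added example, not code from the question, the answers or Scapy; it assumes only the standard library and a small AVP dictionary (the hypothetical `AVP_DICT`) covering the AVPs present in the capture. It does a round trip on a constructed Cx Multimedia-Auth-Answer that mirrors the capture's layout (the Origin-Host value is made up), validates every length field before trusting it, and splits a TCP payload into whole messages, which matters because the sniffer sees segments, not messages.

```python
import struct
# Header flag bits (RFC 6733 section 3) and AVP flag bits (section 4.1); 10415 is the 3GPP vendor id.
HDR_REQUEST, HDR_PROXIABLE, AVP_VENDOR, AVP_MANDATORY, VENDOR_3GPP = 0x80, 0x40, 0x80, 0x40, 10415
# Minimal dictionary keyed by (vendor_id, code): the AVPs seen in the question's capture (assumption).
AVP_DICT = {
    (0, 258): ("Auth-Application-Id", "Unsigned32"),
    (0, 260): ("Vendor-Specific-Application-Id", "Grouped"),
    (0, 263): ("Session-Id", "UTF8String"),
    (0, 264): ("Origin-Host", "UTF8String"),
    (0, 266): ("Vendor-Id", "Unsigned32"),
    (0, 277): ("Auth-Session-State", "Unsigned32"),
    (0, 296): ("Origin-Realm", "UTF8String"),
    (0, 297): ("Experimental-Result", "Grouped"),
    (0, 298): ("Experimental-Result-Code", "Unsigned32"),
    (VENDOR_3GPP, 628): ("Supported-Features", "Grouped"),
    (VENDOR_3GPP, 629): ("Feature-List-ID", "Unsigned32"),
    (VENDOR_3GPP, 630): ("Feature-List", "Unsigned32"),
}

def _pad4(n):
    return (n + 3) & ~3

def parse_header(buf):
    """Decode the 20-byte header; the 24-bit length is validated before it is trusted."""
    if len(buf) < 20:
        raise ValueError("buffer shorter than a Diameter header")
    ver_len, flags_cmd, app_id, hbh, e2e = struct.unpack("!IIIII", buf[:20])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    if version != 1 or length < 20 or length > len(buf):
        raise ValueError("bad header: version %d, length %d of %d bytes" % (version, length, len(buf)))
    return {"length": length, "flags": flags_cmd >> 24, "request": bool(flags_cmd & (HDR_REQUEST << 24)),
            "command_code": flags_cmd & 0xFFFFFF, "application_id": app_id, "hop_by_hop": hbh, "end_to_end": e2e}

def parse_avps(buf):
    """Walk consecutive AVPs, recursing into Grouped ones; any bad length raises ValueError."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("trailing %d bytes at offset %d are not an AVP" % (len(buf) - off, off))
        code, flags_len = struct.unpack("!II", buf[off:off + 8])
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr_len = 12 if flags & AVP_VENDOR else 8            # V bit: a Vendor-Id field follows the length
        if length < hdr_len or off + length > len(buf):      # bounds-check before any slice is used
            raise ValueError("bad AVP length %d for code %d at offset %d" % (length, code, off))
        vendor = struct.unpack("!I", buf[off + 8:off + 12])[0] if hdr_len == 12 else 0
        data = buf[off + hdr_len:off + length]
        name, kind = AVP_DICT.get((vendor, code), ("AVP-%d" % code, "OctetString"))
        if kind == "Grouped":
            value = parse_avps(data)
        elif kind == "Unsigned32" and len(data) == 4:
            value = struct.unpack("!I", data)[0]
        else:
            value = data.decode("utf-8", "replace") if kind == "UTF8String" else data.hex()
        avps.append({"code": code, "vendor": vendor, "name": name,
                     "mandatory": bool(flags & AVP_MANDATORY), "value": value})
        off += _pad4(length)                                 # padding is not counted in length
    return avps

def parse_message(buf):
    """Decode one message, e.g. bytes(pkt[Raw].load) from the sniffer callback."""
    msg = parse_header(buf)
    msg["avps"] = parse_avps(buf[20:msg["length"]])
    return msg

def iter_messages(buf):
    """Yield each complete message in a TCP payload; a segment may hold several, or only part of one."""
    off = 0
    while len(buf) - off >= 20:
        length = struct.unpack("!I", buf[off:off + 4])[0] & 0xFFFFFF
        if length < 20 or off + length > len(buf):
            break                                            # incomplete tail: wait for more data
        yield parse_message(buf[off:off + length])
        off += length

def build_avp(code, value, vendor=0, mandatory=True):
    """Encode an AVP: int -> Unsigned32, str -> UTF8String, list of encoded AVPs -> Grouped."""
    data = struct.pack("!I", value) if isinstance(value, int) else (
        value.encode("utf-8") if isinstance(value, str) else b"".join(value))
    flags = (AVP_VENDOR if vendor else 0) | (AVP_MANDATORY if mandatory else 0)
    length = (12 if vendor else 8) + len(data)
    out = struct.pack("!II", code, (flags << 24) | length) + (struct.pack("!I", vendor) if vendor else b"")
    return out + data + b"\x00" * (_pad4(length) - length)

def build_message(command_code, application_id, flags, hop_by_hop, end_to_end, avps):
    body = b"".join(avps)
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)), (flags << 24) | command_code,
                       application_id, hop_by_hop, end_to_end) + body

def sample_maa():
    """Constructed sample (not the capture): a Cx MAA with the question's command code, app id and AVP layout."""
    return build_message(303, 16777216, HDR_PROXIABLE, 0x074B12CA, 0x074B12CA, [
        build_avp(263, "00000001;000001;61de2650"),
        build_avp(260, [build_avp(266, VENDOR_3GPP), build_avp(258, 16777216)]),
        build_avp(277, 1),
        build_avp(264, "hss1.test.a-server.org"),             # made-up Origin-Host
        build_avp(296, "a-server.org"),
        build_avp(297, [build_avp(266, VENDOR_3GPP), build_avp(298, 5001)]),
        build_avp(628, [build_avp(266, VENDOR_3GPP), build_avp(629, 1, VENDOR_3GPP, False),
                        build_avp(630, 5, VENDOR_3GPP, False)], VENDOR_3GPP, False),
    ])
```

In the sniffer, replace `print(raw)` with `for m in iter_messages(bytes(raw)): print(m)`. The constructed sample decodes to exactly 236 bytes, the length in the capture's header, and unknown AVPs come back as `AVP-<code>` with hex data instead of raising, so an unexpected message still produces a readable dump. Note that `iter_messages` only handles messages that do not straddle two TCP segments; for a long-lived Diameter connection you still need to buffer the stream per flow before calling it.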
Scapy is very useful.

from scapy.all import *
from scapy.contrib.diameter import DiamG  # the Diameter layer lives in scapy/contrib, not in scapy.all

packets = rdpcap('/path/to/rx.pcap')

def generatePacket():
    '''
    Generate a packet.
    '''
    return IP()/TCP()/DiamG()

def dissectPacket():
    '''
    Dissect a packet.
    '''
    return packets[0][DiamG]
The above shows the idea, and you can use print(repr(packets[0][DiamG]))
to see the result. Of course, in order to check that the packet is a Diameter packet, you might want to check first like:

x = packets[0]
while x.payload:
    x = x.payload
if x.name == 'Diameter':  # it has a Diameter message
    pass  # dissect it like above

And for how to assemble and send a Diameter packet, one can check: building diameter message