Scapy packet have new DNS layer after reassembling from raw bytes

Question

i'm trying to send and receive scapy packets. i'm doing so by build a packet with scapy, sending it using send function supplied by scapy, receiving the packet as rawbytes using recvfrom function of socket.

seems like the build function of scapy - which converting scapy packets to hex string sometimes adding "new" DNS layer to the packet.

i'll give example: when converting this packet IP()/UDP()/"hello" to hex string using build and then reassembling it with IP(hex_str) i receive the expected packet:

<IP  version=4L ihl=5L tos=0x0 len=33 id=1 flags= frag=0L ttl=64 proto=udp chksum=0x7cc9 src=127.0.0.1 dst=127.0.0.1 options=[] |<UDP  sport=domain dport=domain len=13 chksum=0xbd95 |<Raw  load='hello' |>>>

However, when converting this packet IP()UDP()/"ab" to hex string using build and then reassmbling it with IP(hex_string) im receiving a different packet then expected:

<IP  version=4L ihl=5L tos=0x0 len=30 id=1 flags= frag=0L ttl=64 proto=udp chksum=0x7ccc src=127.0.0.1 dst=127.0.0.1 options=[] |<UDP  sport=domain dport=domain len=10 chksum=0xa00b |<DNS  id=24930 |>>>

Any help will be highly appriciated ! Thank You

Answer 1

The problem is, that 53 is the default value of the UDP sport (source port) and dport (destination port) in the scapy implementation and the RFC 1035 "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION" says in Chapter "4.2.1. UDP usage":

Messages sent using UDP user server port 53 (decimal).

So it seems that scapy tries to interpret your hex_string as IP/TCP/DNS packet. More generally it seems, that scapy tries always to interpret the hex_strings as protocol, which corresponds to the port number.

If you change the UDP ports for example to 42

packet = IP()/UDP(sport=42, dport=42)/"ab"
hex_string = packet.build()
newPacket = IP(hex_string)

the representation of the newPacket is:

<IP  [some flags] |<UDP  sport=nameserver dport=nameserver len=10 chksum=0x91ab |<Raw  load='ab' |>>>