stackoom
  简体   繁体   中英

How to properly unpack a RAW socket on Win10 using Python?

 原文  2018-06-23 10:56:43       python/ sockets/ packet-sniffers/ raw-sockets

Question

I have working code for Linux, but on Windows I got unexpected result. Code: 

import socket
import sys
from struct import unpack
import platform


def main():
    local_ip = socket.gethostbyname(socket.gethostname())
    print local_ip
    try:
        if platform.system() == 'Linux':
            s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                              socket.ntohs(0x0003))
        elif platform.system() == 'Windows':
            s = socket.socket(socket.AF_INET, socket.SOCK_RAW,
                              socket.IPPROTO_IP)
            s.bind((local_ip, 0))
            s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
            s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
        else:
            sys.exit()
    except socket.error as msg:
        print('Socket could not be created. Error Code : ' + str(
            msg[0]) + ' Message ' + msg[1])
        sys.exit()

    # receive a packet
    i = 0
    while i < 10:
        i += 1
        packet = s.recvfrom(65565)
        # packet string from tuple
        packet = packet[0]
        # parse ethernet header
        eth_length = 14
        eth_header = packet[:eth_length]
        eth = unpack('!6s6sH', eth_header)
        eth_protocol = socket.ntohs(eth[2])
        ip_header = packet[eth_length:20 + eth_length]
        # unpack header
        iph = unpack('!BBHHHBBH4s4s', ip_header)
        version_ihl = iph[0]
        version = version_ihl >> 4
        ihl = version_ihl & 0xF
        ttl = iph[5]
        protocol = iph[6]
        s_addr = socket.inet_ntoa(iph[8])
        d_addr = socket.inet_ntoa(iph[9])
        print 'Header protocol:', eth[2], 'Unpacked protocol:', eth_protocol
        print 'Version : ' + str(
            version) + ' IP Header Length : ' + str(
            ihl) + ' TTL : ' + str(
            ttl) + ' Protocol : ' + str(
            protocol) + ' Source Address : ' + str(
            s_addr) + ' Destination Address : ' + str(d_addr)


if __name__ == '__main__':
    main()

I took this as example

So, on Linux I'm getting expected data

127.0.1.1 Header protocol: 2048 Unpacked protocol: 8 Version : 4 IP Header Length : 5 TTL : 64 Protocol : 17 Source Address : 127.0.0.1 Destination Address : 127.0.0.53 Header protocol: 2048 Unpacked protocol: 8 Version : 4 IP Header Length : 5 TTL : 64 Protocol : 17 Source Address : 127.0.0.1 Destination Address : 127.0.0.53 Header protocol: 2048 Unpacked protocol: 8 Version : 4 IP Header Length : 5 TTL : 64 Protocol : 17 Source Address : 127.0.0.53 Destination Address : 127.0.0.1 Header protocol: 2048 Unpacked protocol: 8 Version : 4 IP Header Length : 5 TTL : 64 Protocol : 17 Source Address : 127.0.0.53 Destination Address : 127.0.0.1 Header protocol: 2048 Unpacked protocol: 8 Version : 4 IP Header Length : 5 TTL : 64 Protocol : 6 Source Address : 10.0.2.15 Destination Address : 5.196.61.211

But on Windows all fields are incorrect

10.0.2.15

Header protocol: 2560 Unpacked protocol: 10 Version : 0 IP Header Length : 2 TTL : 8 Protocol : 70 Source Address : 183.96.34.40 Destination Address : 36.2.80.16 Header protocol: 2560 Unpacked protocol: 10 Version : 0 IP Header Length : 2 TTL : 8 Protocol : 70 Source Address : 183.96.34.40 Destination Address : 36.2.80.16 Header protocol: 2560 Unpacked protocol: 10 Version : 0 IP Header Length : 2 TTL : 8 Protocol : 70 Source Address : 183.96.34.40 Destination Address : 36.3.80.16 Header protocol: 2560 Unpacked protocol: 10 Version : 0 IP Header Length : 2 TTL : 8 Protocol : 70 Source Address : 183.96.34.40 Destination Address : 36.3.80.16 Header protocol: 2560 Unpacked protocol: 10 Version : 0 IP Header Length : 2 TTL : 8 Protocol : 70 Source Address : 183.96.34.40 Destination Address : 36.3.80.17

How can I get the correct data?

PS. I know about pypcap, scapy and other, but I need raw data parser without any third-party libs. If it possible, of course.

PPS. I looked here all similar topics, but solution still not found

Many thnx

1 answers

solution1
 2  2018-06-23 16:01:39

On Linux you are using SOCK_RAW with AF_PACKET to sniff at layer 2, which means that you first get the layer 2 information (ethernet) and then layer 3 information (IP). On Windows you are using AF_INET to sniff at layer 3 which means that you don't get any layer 2 information. Still, your code assumes layer 2 information (ethernet) in both cases.
A way to fix this would thus to skip handling any ethernet information on Windows since there will be none and start immediately with the IP header.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to create Dialog box for Restarting in Win10 using Python How to execute a python console using Qt on win10? How to uninstall python package in win10 Win10 starting Python PyQt5 application using shortcut How to solve the issues of installing shapely in win10 and python 3.6.5? Win10 how can I know a python script is running? How to install Python, VSCode, and flake8 correctly on Win10 Python(on Win10): Path issue replacing “\” with “/” Backup Postgres from Python on Win10 Twilio for Python installation errror (Win10)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM