Nmap Development mailing list archives
Re: NSE: Getting IP address from a captured packet
From: epixoip <epixoip () bindshell nl>
Date: Mon, 14 Mar 2011 20:18:33 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey Nick, An extremely simple, primitive, hideously ugly, etc example of opening a PF socket and listening for one packet would be something like: callback = function(len, layer2, layer3) for c in layer3:gmatch"." do print(string.byte(c)) end end action = function(host, port) local pcap = nmap.new_socket() pcap:pcap_open(host.interface, 64, 0, callback, "arp") pcap:pcap_register("") pcap:set_timeout(9999) status, len, layer2, layer3 = pcap:pcap_receive() dnet:ethernet_close() pcap:pcap_close() end Running this script from 192.168.2.10 and capturing a packet from 192.168.2.11 outputs: 0 1 8 0 6 4 0 1 72 93 96 51 3 46 192 168 2 11 0 0 0 0 0 0 192 168 2 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 117 102 So bytes 15 - 18 are the src ip addr, and bytes 25 - 28 are the dest ip addr. This should always be a constant. This of course is the ugliest example possible, and I'm sorry it isn't prettier, but it should give you some hints. - - jeremi * Nick Nikolaou <nikolasnikolaou1 () gmail com> [15.03.2011. @00:00:07 +0000]:
Hey everyone, I'm working a script that sniffs packets on the network and adds the IP addresses to newtargets. ( https://secwiki.org/w/Nmap_Script_Ideas#targets-sniffer) Using pcap_receive() I'm able to capture packets but I'm not really sure what Layer 3 data pcap_receive() returns and I'm having trouble getting the IP addresses from the packets. Can anyone shed some light on this? Thanks Nick
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJNftqFAAoJEID/BFdBEacYlHYH/iijjLluZSdFPe/k7dPdKPJm z+zgWlNjPU6K6SRLd1ugwchKuiSxKW+j3YPvMh+UrZsZL8sTlK7X5+q76w6F+Aln hXO2P9c4GTg3IU3TzFTDhvEslCPFLblEbUADMunHtBcTycqcVV2HLkMFZRhYPTfq 4jT3/KeVwnDusakrAoZvSdCyAi8kQrlO+t51hhm+QgkSxgAXw+aGf0Ysl9oVzuqf TpbiGsglyZ8THyZLylhHLZe7SQOvl5El/fNkk9pw7mWxQl694UYkjDQFq0g72BW9 clxn3uWUhhd5+Sap6jDk9MGzV7NuKi1F3nlz78fHioV27sPL+gtQgMflDbIaJes= =pmp9 -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE: Getting IP address from a captured packet Nick Nikolaou (Mar 14)
- Re: NSE: Getting IP address from a captured packet epixoip (Mar 14)
- Re: NSE: Getting IP address from a captured packet Henri Doreau (Mar 15)