Nmap Development mailing list archives

Re: NSE: Getting IP address from a captured packet


From: epixoip <epixoip () bindshell nl>
Date: Mon, 14 Mar 2011 20:18:33 -0700



Hey Nick,

An extremely simple, primitive, hideously ugly, etc. example of opening a PF socket and listening for one packet would be something like:

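-- Called for each captured packet; prints every byte of the layer 3 data
-- as a decimal number, one per line.
callback = function(len, layer2, layer3)
    for c in layer3:gmatch"." do
        print(string.byte(c))
    end
end

action = function(host, port)
    local pcap = nmap.new_socket()

    -- interface, snaplen 64, non-promiscuous, callback, BPF filter "arp"
    pcap:pcap_open(host.interface, 64, 0, callback, "arp")
    pcap:pcap_register("")

    -- wait up to 9999 ms for one packet
    pcap:set_timeout(9999)
    local status, len, layer2, layer3 = pcap:pcap_receive()

    pcap:pcap_close()
end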


Running this script from 192.168.2.10 and capturing a packet from 192.168.2.11 outputs:

0
1
8
0
6
4
0
1
72
93
96
51
3
46
192
168
2
11
0
0
0
0
0
0
192
168
2
10
0
0
0
0
0
0
0
0
0
0
0
0
0
0
117
102

So bytes 15 - 18 are the src ip addr, and bytes 25 - 28 are the dest ip addr. This should always be a constant. This of course is the ugliest example possible, and I'm sorry it isn't prettier, but it should give you some hints.

- jeremi


* Nick Nikolaou <nikolasnikolaou1 () gmail com> [15.03.2011. @00:00:07 +0000]:

Hey everyone,

I'm working on a script that sniffs packets on the network and adds the IP
addresses to newtargets
(https://secwiki.org/w/Nmap_Script_Ideas#targets-sniffer).
Using pcap_receive() I'm able to capture packets but I'm not really sure
what Layer 3 data pcap_receive() returns and I'm having trouble getting the
IP addresses from the packets.

Can anyone shed some light on this?


Thanks
Nick



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
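
The offsets given in the post (sender IP at bytes 15 - 18, target IP at bytes 25 - 28) are the Ethernet/IPv4 ARP layout. The following is an added example, not part of the original post or of Nmap's own code, that checks for that layout before reading the addresses out of the layer 3 string. `u16`, `join_bytes` and `parse_arp` are hypothetical helper names, and the sample input is the first 28 bytes of the output shown in the post.

```lua
-- Read a big-endian 16-bit value starting at 1-based position pos.
local function u16(s, pos)
  local hi, lo = s:byte(pos, pos + 1)
  return hi * 256 + lo
end

-- Format n bytes starting at pos with fmt, joined by sep.
local function join_bytes(s, pos, n, fmt, sep)
  local parts = {}
  for i = pos, pos + n - 1 do
    parts[#parts + 1] = fmt:format(s:byte(i))
  end
  return table.concat(parts, sep)
end

-- parse_arp (hypothetical name): returns a table, or nil plus an error string.
local function parse_arp(layer3)
  if #layer3 < 8 then return nil, "truncated ARP header" end
  local htype, ptype = u16(layer3, 1), u16(layer3, 3)
  local hlen, plen = layer3:byte(5, 6)
  if htype ~= 1 or ptype ~= 0x0800 then
    return nil, "not Ethernet/IPv4 ARP"
  end
  if hlen ~= 6 or plen ~= 4 then
    return nil, "unexpected address lengths"
  end
  -- Field positions follow from hlen/plen; for 6/4 they are 9, 15, 19, 25.
  local sha = 9
  local spa = sha + hlen
  local tha = spa + plen
  local tpa = tha + hlen
  if #layer3 < tpa + plen - 1 then return nil, "truncated ARP body" end
  return {
    op = u16(layer3, 7), -- 1 = request, 2 = reply
    sender_mac = join_bytes(layer3, sha, hlen, "%02x", ":"),
    sender_ip = join_bytes(layer3, spa, plen, "%d", "."),
    target_ip = join_bytes(layer3, tpa, plen, "%d", "."),
  }
end

-- Sample input: the first 28 bytes printed in the post above.
local sample = string.char(0,1,8,0,6,4,0,1, 72,93,96,51,3,46, 192,168,2,11,
                           0,0,0,0,0,0, 192,168,2,10)
local arp, err = parse_arp(sample)
if arp then
  print(arp.op, arp.sender_mac, arp.sender_ip, arp.target_ip)
else
  print("parse error: " .. err)
end
```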

