Nmap Development mailing list archives
[NSE] A network sniffing/decoding script
From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 2 Jul 2011 22:45:13 +0200
Hi all, I started implementing some broadcast listeners, similar to broadcast-dropbox-listener. I thought I would write them as a single script listening on a bunch of ports. After discussing this a bit with a colleague I ended up taking another approach. Instead I wrote a small script that uses pcap to sniff traffic on a given interface. It does so by setting a filter that excludes all traffic intended for the ip of that interface. For each captured packet, it then checks if it's ip based (decodes using the packet library) or not. If the packet is ip-based it checks the destination port against a table containing valid decoders and executes a decoder if there is a match. For non-ip based packets it attempts to match a part of the packet against a table of matches and executes a decoder if there is a match. Each decoder is started as it's own thread which allows the script to continue processing incoming packet while also preventing the script from crashing if one decoder were to crash. Where, possible (DNS, DHCP, Netbios) I've used existing libraries to do the decoding. I've also ripped the code from broadcast-dropbox-listener. The decoding effort varies across the protocols which can be seen in the following sample output: -- | broadcast-listener: -- | udp -- | Netbios -- | ip query -- | 192.168.0.60 \x01\x02__MSBROWSE__\x02\x01 -- | DHCP -- | srv ip cli ip mask gw dns -- | 192.168.0.1 192.168.0.5 255.255.255.0 192.168.0.1 192.168.0.18, 192.168.0.19 -- | DropBox -- | displayname ip port version host_int namespaces -- | 39000860 192.168.0.107 17500 1.8 39000860 28814673, 29981099 -- | HSRP -- | ip version op state prio group secret virtual ip -- | 192.168.0.254 0 Hello Active 110 1 cisco 192.168.0.253 -- | ether -- | CDP -- | ip id platform version -- | ? Router cisco 7206VXR 12.3(23) -- | ARP Request -- | sender ip sender mac target ip -- | 192.168.0.101 00:04:30:26:DA:C8 192.168.0.60 -- |_ 192.168.0.1 90:24:1D:C8:B9:AE 192.168.0.60 I'm attaching the current version of the script, along with the file containing the decoders (packetdecoders.lua) which goes in nselib/data/. Implementing support for adding new targets should be pretty simple and could be added in each decoder. Anyway, I don't know if this has a place in Nmap or not. Any opinions, comments, questions or suggestions are most welcome.
Attachment:
broadcast-listener.nse
Description:
Attachment:
packetdecoders.lua
Description:
Attachment:
dhcp_parse-local.patch
Description:
//Patrik -- Patrik Karlsson http://www.cqure.net http://www.twitter.com/nevdull77
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 02)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 09)
- unsubscribe Ryon Skaggs (Jul 09)
- Re: unsubscribe Luis MartinGarcia. (Jul 09)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
- Re: [NSE] A network sniffing/decoding script Daniel Miller (Jul 25)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
- Re: [NSE] A network sniffing/decoding script Luis MartinGarcia. (Jul 25)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
- unsubscribe Ryon Skaggs (Jul 09)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 09)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)