Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

[NSE] A network sniffing/decoding script

From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 2 Jul 2011 22:45:13 +0200
Hi all,

I started implementing some broadcast listeners, similar to broadcast-dropbox-listener.
I thought I would write them as a single script listening on a bunch of ports.
After discussing this a bit with a colleague I ended up taking another approach.
Instead I wrote a small script that uses pcap to sniff traffic on a given interface.
It does so by setting a filter that excludes all traffic intended for the ip of that interface.

For each captured packet, it then checks if it's ip based (decodes using the packet library) or not.
If the packet is ip-based it checks the destination port against a table containing valid decoders and executes a 
decoder if there is a match.
For non-ip based packets it attempts to match a part of the packet against a table of matches and executes a decoder if 
there is a match.
Each decoder is started as it's own thread which allows the script to continue processing incoming packet while also 
preventing the script from crashing if one decoder were to crash.
Where, possible (DNS, DHCP, Netbios) I've used existing libraries to do the decoding. I've also ripped the code from 
broadcast-dropbox-listener.
The decoding effort varies across the protocols which can be seen in the following sample output:

-- | broadcast-listener: 
-- |   udp
-- |       Netbios
-- |         ip           query
-- |         192.168.0.60 \x01\x02__MSBROWSE__\x02\x01
-- |       DHCP
-- |         srv ip       cli ip       mask             gw           dns
-- |         192.168.0.1  192.168.0.5  255.255.255.0    192.168.0.1  192.168.0.18, 192.168.0.19
-- |       DropBox
-- |         displayname  ip            port   version  host_int  namespaces
-- |         39000860     192.168.0.107 17500  1.8      39000860  28814673, 29981099
-- |       HSRP
-- |         ip             version  op     state   prio  group  secret  virtual ip
-- |         192.168.0.254  0        Hello  Active  110   1      cisco   192.168.0.253
-- |   ether
-- |       CDP
-- |         ip  id      platform       version
-- |         ?   Router  cisco 7206VXR  12.3(23)
-- |       ARP Request
-- |         sender ip     sender mac         target ip
-- |         192.168.0.101 00:04:30:26:DA:C8  192.168.0.60
-- |_      192.168.0.1   90:24:1D:C8:B9:AE  192.168.0.60

I'm attaching the current version of the script, along with the file containing the decoders (packetdecoders.lua) which 
goes in nselib/data/.
Implementing support for adding new targets should be pretty simple and could be added in each decoder.
Anyway, I don't know if this has a place in Nmap or not. 
Any opinions, comments, questions or suggestions are most welcome.

Attachment: broadcast-listener.nse
Description:

Attachment: packetdecoders.lua
Description:

Attachment: dhcp_parse-local.patch
Description: 



//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: