Network packet sniffer written in newLISP

Lutz · March 25, 2010, 05:11:13 AM

This packet sniffer is easily customized to your own needs:

http://www.newlisp.org/syntax.cgi?code/sniff.txt">http://www.newlisp.org/syntax.cgi?code/sniff.txt

On Mac OS X and UBUNTU linux the necessary libpcap is installed by default. On Windows goto http://www.winpcap.org/">http://www.winpcap.org/ to get wpcap.dll.

ps: also linked from the Tips&Tricks page

kanen · March 25, 2010, 11:48:34 AM

Wild!

I sent you an e-mail today about this very thing, then checked the boards and ... magically... here it is.

Reminds me of why I used newLISP all those years. So much community and help.

#awesome

~~Quote from: "Lutz"~~This packet sniffer is easily customized to your own needs:

http://www.newlisp.org/syntax.cgi?code/sniff.txt">http://www.newlisp.org/syntax.cgi?code/sniff.txt

On Mac OS X and UBUNTU linux the necessary libpcap is installed by default. On Windows goto http://www.winpcap.org/">http://www.winpcap.org/ to get wpcap.dll.

ps: also linked from the Tips&Tricks page

cormullion · March 25, 2010, 01:16:52 PM

Works fine here Lutz... (MacOS X 10.6.2, newLISP 10.1)

What's it for!?

kanen · March 25, 2010, 04:58:13 PM

I am using it for kane|box - a network security tool I am working on. (I was the founder of nCircle Network Security).

I was writing the tool in Ruby, but Lutz (whom I have known for years) convinced me otherwise.

More on my blog: http://www.lifezero.org">www.LifeZero.org

P.S. I am seriously happy to see this code and I am already turning it into a module for my own purposes.

~~Quote from: "cormullion"~~Works fine here Lutz... (MacOS X 10.6.2, newLISP 10.1)

What's it for!?

cormullion · March 26, 2010, 09:55:44 AM

Hi John - I see you're an old/newLISP master from Kozoru days - good to see you here, I hope you can teach us newcomers some nifty moves... :)

The only suggestion I'd propose to your excellent newLISP Bayes post would be to map round over the results:

Code Select Expand
(map (fn (n) (round n -2)) quoted)

because the scientific notation detracts from the scoring... :/

kanen · March 26, 2010, 01:45:36 PM

Added to my blog post. Several people wrote me with "huh?" comments on the notation. :)

~~Quote from: "cormullion"~~Hi John - I see you're an old/newLISP master from Kozoru days - good to see you here, I hope you can teach us newcomers some nifty moves... :)

The only suggestion I'd propose to your excellent newLISP Bayes post would be to map round over the results:

Code Select Expand (map (fn (n) (round n -2)) quoted)

because the scientific notation detracts from the scoring... :/

xytroxon · March 27, 2010, 12:46:37 AM

It's on reddit, vote it up ;p)

http://www.reddit.com/r/programming/comments/bird1/the_thing_was_fast_i_mean_damn_fast_fast_the_way/">http://www.reddit.com/r/programming/com ... t_the_way/">http://www.reddit.com/r/programming/comments/bird1/the_thing_was_fast_i_mean_damn_fast_fast_the_way/

-- xytroxon

kanen · March 28, 2010, 11:03:10 AM

xytroxon,

Some of the comments on reddit have a slight pungency of code-elitism, but ... being on reddit is apparently causing my visitors to basically double for the newLISP entry, which is great for the newLISP community.

Lutz will hopefully attest to my love for spreading the word.

~~Quote from: "xytroxon"~~It's on reddit, vote it up ;p)

http://www.reddit.com/r/programming/comments/bird1/the_thing_was_fast_i_mean_damn_fast_fast_the_way/">http://www.reddit.com/r/programming/com ... t_the_way/">http://www.reddit.com/r/programming/comments/bird1/the_thing_was_fast_i_mean_damn_fast_fast_the_way/

-- xytroxon

kanen · April 16, 2010, 03:35:08 PM

I am guessing sniff.lsp was ported from sniffex.c, as it suffers from the same fundamental problem with malformed packets.

From the sniffex.c source code:

~~Quote~~Take the IP *total* length field - "ip_len" in "struct sniff_ip" - and, first, check whether it's less than ip_hl*4 (after you've checked whether ip_hl is >= 5). If it is, you have a malformed IP datagram.

Otherwise, subtract ip_hl*4 from it; that gives you the length of the TCP segment, including the TCP header. If that's less than th_off*4 (after you've checked wheteher th_off is >= 5), you have a malformed TCP segment.

Otherwise, subtract th_off*4 from it; that gives you the length of the TCP payload.

In the security world, many packets are sent with malformed IP, TCP, ICMP or UDP datagrams. Because of this, I need to be able to extract the malformed packet content and see what was done by the attacker.

Also, the libpcap option pcap_open_offline is not being used, which prevents us from running sniff.lsp against an already captured file (on disk).

I have a small pcap file which illustrates the problem https://www.openpacket.org/capture/grab/61">//https://www.openpacket.org/capture/grab/61

When I run sniff.lsp against this file (after adding pcap_open_offline as an option), I see the following message (problem):

~~Quote~~--- 3--- time: 15:12:56.26937 capture-length:60

from ether addr: 00:18:01:3b:88:47 to: 00:0d:93:64:0f:4e

UDP from 88.196.140.131 port:29285 to 192.168.1.125 port:24

payload length:-6

However, if I load Wireshark (or tcpdump), they both read the pcap file correctly and see a 2 byte payload.

I am digging through the code to figure out the issue, but you should be aware that sniff.lsp is throwing "Malformed IP datagram" and other errors when the packet is not malformed.

P.S. I am also using sniff.lsp as a module.

~~Quote from: "Lutz"~~This packet sniffer is easily customized to your own needs:

http://www.newlisp.org/syntax.cgi?code/sniff.txt">http://www.newlisp.org/syntax.cgi?code/sniff.txt

On Mac OS X and UBUNTU linux the necessary libpcap is installed by default. On Windows goto http://www.winpcap.org/">http://www.winpcap.org/ to get wpcap.dll.

ps: also linked from the Tips&Tricks page

newLISP Fan Club

News:

Network packet sniffer written in newLISP

Lutz

kanen

cormullion

kanen

cormullion

kanen

xytroxon

kanen

kanen