Network packet sniffer written in newLISP

Started by Lutz, March 25, 2010, 05:11:13 AM


Lutz

This packet sniffer is easily customized to your own needs:



http://www.newlisp.org/syntax.cgi?code/sniff.txt



On Mac OS X and Ubuntu Linux the necessary libpcap is installed by default. On Windows go to http://www.winpcap.org/ to get wpcap.dll.



ps: also linked from the Tips&Tricks page

kanen

#1
Wild!



I sent you an e-mail today about this very thing, then checked the boards and ... magically... here it is.



Reminds me of why I used newLISP all those years. So much community and help.



#awesome


. Kanen Flowers http://kanen.me[/url] .

cormullion

#2
Works fine here Lutz... (MacOS X 10.6.2, newLISP 10.1)



What's it for!?

kanen

#3
I am using it for kane|box - a network security tool I am working on. (I was the founder of nCircle Network Security).



I was writing the tool in Ruby, but Lutz (whom I have known for years) convinced me otherwise.



More on my blog: http://www.lifezero.org



P.S. I am seriously happy to see this code and I am already turning it into a module for my own purposes.



cormullion

#4
Hi John - I see you're an old/newLISP master from Kozoru days - good to see you here, I hope you can teach us newcomers some nifty moves... :)



The only suggestion I'd propose to your excellent newLISP Bayes post would be to map round over the results:


(map (fn (n) (round n -2)) quoted)

because the scientific notation detracts from the scoring... :/

kanen

#5
Added to my blog post. Several people wrote me with "huh?" comments on the notation. :)



xytroxon

#6
It's on reddit, vote it up ;p)



http://www.reddit.com/r/programming/comments/bird1/the_thing_was_fast_i_mean_damn_fast_fast_the_way/



-- xytroxon
"Many computers can print only capital letters, so we shall not use lowercase letters."

-- Let's Talk Lisp (c) 1976

kanen

#7
xytroxon,



Some of the comments on reddit have a slight pungency of code-elitism, but ... being on reddit is apparently causing my visitors to basically double for the newLISP entry, which is great for the newLISP community.



Lutz will hopefully attest to my love for spreading the word.



kanen

#8
I am guessing sniff.lsp was ported from sniffex.c, as it suffers from the same fundamental problem with malformed packets.



From the sniffex.c source code:


Quote: Take the IP *total* length field - "ip_len" in "struct sniff_ip" - and, first, check whether it's less than ip_hl*4 (after you've checked whether ip_hl is >= 5). If it is, you have a malformed IP datagram.

Otherwise, subtract ip_hl*4 from it; that gives you the length of the TCP segment, including the TCP header. If that's less than th_off*4 (after you've checked whether th_off is >= 5), you have a malformed TCP segment.

Otherwise, subtract th_off*4 from it; that gives you the length of the TCP payload.


In the security world, many packets are sent with malformed IP, TCP, ICMP or UDP datagrams. Because of this, I need to be able to extract the malformed packet content and see what was done by the attacker.



Also, the libpcap option pcap_open_offline is not being used, which prevents us from running sniff.lsp against an already captured file (on disk).



I have a small pcap file which illustrates the problem: https://www.openpacket.org/capture/grab/61



When I run sniff.lsp against this file (after adding pcap_open_offline as an option), I see the following message (problem):
Quote:

--- 3---  time: 15:12:56.26937 capture-length:60

from ether addr: 00:18:01:3b:88:47 to: 00:0d:93:64:0f:4e

UDP from 88.196.140.131 port:29285 to 192.168.1.125 port:24

payload length:-6


However, if I load Wireshark (or tcpdump), they both read the pcap file correctly and see a 2 byte payload.



I am digging through the code to figure out the issue, but you should be aware that sniff.lsp is throwing "Malformed IP datagram" and other errors when the packet is not malformed.





P.S. I am also using sniff.lsp as a module.


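The length checks quoted above from sniffex.c, carried through for Ethernet/IPv4 with both TCP and UDP, as an added example that is not code from sniff.lsp, sniffex.c or kanen's module. The frames are constructed inside the file (the addresses and ports are borrowed from the post's output; the bytes are not from the openpacket.org capture). It assumes Ethernet II framing with no VLAN tag, and it does not reproduce sniff.lsp's -6, whose cause the post leaves open; it shows what a parser has to do instead: take the payload length from the IP total-length and UDP length fields rather than from the capture length (a 2-byte UDP datagram is padded to the 60-byte Ethernet minimum, so caplen minus headers over-counts), and reject inconsistent lengths before they can turn into a negative number.

```python
"""Length-sanity checks for Ethernet/IPv4/{TCP,UDP} frames (added example)."""
import struct

ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


class MalformedPacket(ValueError):
    """Raised instead of returning a negative or nonsensical length."""


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Header fields and payload of an Ethernet II / IPv4 frame, validated as
    the sniffex.c comment prescribes: ip_hl >= 5, ip_len >= ip_hl*4,
    th_off >= 5, segment >= th_off*4."""
    if len(frame) < ETH_HLEN + 20:
        raise MalformedPacket("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise MalformedPacket("not IPv4, ethertype 0x%04x" % ethertype)

    ip = frame[ETH_HLEN:]
    vhl, _tos, ip_len, _id, _frag, _ttl, proto, _csum, saddr, daddr = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if vhl >> 4 != 4:
        raise MalformedPacket("IP version %d" % (vhl >> 4))
    ip_hl = (vhl & 0x0F) * 4                      # header length in bytes
    if ip_hl < 20:
        raise MalformedPacket("IP header length %d < 20" % ip_hl)
    if ip_len < ip_hl:
        raise MalformedPacket("IP total length %d < header length %d" % (ip_len, ip_hl))
    if len(ip) < ip_hl:
        raise MalformedPacket("IP header truncated by capture")

    # The capture may hold MORE bytes than ip_len (Ethernet pads short frames to
    # 60 bytes) or FEWER (snaplen truncation).  Only the bytes that are both
    # inside ip_len and actually present are transport data.
    l4 = ip[ip_hl:ip_len]
    l4_len = ip_len - ip_hl                       # declared transport length
    out = {"src": fmt_ip(saddr), "dst": fmt_ip(daddr), "proto": proto,
           "ip_len": ip_len, "truncated": len(ip) < ip_len}

    if proto == IPPROTO_TCP:
        if l4_len < 20 or len(l4) < 13:
            raise MalformedPacket("TCP segment shorter than minimum header")
        sport, dport, _seq, _ack, offx = struct.unpack("!HHIIB", l4[:13])
        th_off = (offx >> 4) * 4
        if th_off < 20:
            raise MalformedPacket("TCP data offset %d < 20" % th_off)
        if l4_len < th_off:
            raise MalformedPacket("TCP segment %d < header %d" % (l4_len, th_off))
        out.update(sport=sport, dport=dport,
                   payload_length=l4_len - th_off, payload=l4[th_off:])
    elif proto == IPPROTO_UDP:
        if l4_len < 8 or len(l4) < 8:
            raise MalformedPacket("UDP datagram shorter than 8-byte header")
        sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", l4[:8])
        # UDP has its own length field (header + data) and no data-offset
        # field; it must fit inside the IP datagram.
        if udp_len < 8 or udp_len > l4_len:
            raise MalformedPacket("UDP length %d inconsistent with IP length %d" % (udp_len, l4_len))
        out.update(sport=sport, dport=dport,
                   payload_length=udp_len - 8, payload=l4[8:udp_len])
    else:
        out.update(payload_length=l4_len, payload=l4)
    return out


def naive_payload_length(frame: bytes) -> int:
    """The trap: capture length minus fixed header sizes.  Ethernet padding
    makes this over-count, and a short capture makes it negative."""
    return len(frame) - ETH_HLEN - 20 - 8


# --- constructed frames (addresses/ports from the post's output, bytes invented) ---
ETH_HDR = bytes.fromhex("000d93640f4e") + bytes.fromhex("0018013b8847") + b"\x08\x00"
SRC_IP, DST_IP = bytes([88, 196, 140, 131]), bytes([192, 168, 1, 125])


def ipv4_packet(proto: int, transport: bytes, ip_len=None) -> bytes:
    """Minimal IPv4 header (no options, zero checksum); ip_len can be forced wrong."""
    total = 20 + len(transport) if ip_len is None else ip_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, SRC_IP, DST_IP) + transport


def build_udp_frame(payload: bytes, pad_to: int = 60) -> bytes:
    udp = struct.pack("!HHHH", 29285, 24, 8 + len(payload), 0) + payload
    frame = ETH_HDR + ipv4_packet(IPPROTO_UDP, udp)
    return frame + b"\x00" * max(0, pad_to - len(frame))   # NIC-style padding


def build_tcp_frame(payload: bytes, th_off_words: int = 5) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 29285, 80, 1, 0, th_off_words << 4, 0x18, 65535, 0, 0) + payload
    return ETH_HDR + ipv4_packet(IPPROTO_TCP, tcp)


if __name__ == "__main__":
    short_udp = build_udp_frame(b"\x00\x00")      # 2-byte payload, padded to 60 bytes
    print("naive:", naive_payload_length(short_udp), "field-based:", parse_frame(short_udp)["payload_length"])
    for bad in (build_tcp_frame(b"x", th_off_words=3), ETH_HDR + ipv4_packet(IPPROTO_UDP, b"\x00" * 8, ip_len=10)):
        try:
            parse_frame(bad)
        except MalformedPacket as e:
            print("malformed:", e)
```

The padded UDP frame is the same shape as the post's capture (capture-length 60, UDP, a 2-byte payload): the naive subtraction reports 18 bytes because the 16 bytes of padding are counted, while the field-based parse reports 2. Malformed headers raise `MalformedPacket` with the reason, which keeps the raw bytes available for inspection without letting a bad length propagate into later arithmetic; a capture cut short by snaplen is reported through `truncated` rather than mistaken for a malformed datagram.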