
Sending a packet over physical loopback in scapy

I've recently discovered Scapy & it looks wonderful.

I'm trying to look at simple traffic over a physical loopback module / stub on my NIC.

But Scapy sniff doesn't give anything.

What I'm doing to send a packet is:

payload = 'data'*10
snf = sniff(filter="icmp", iface="eth0")
for x in xrange(1, 10):
  sendp(Ether(dst=src_mac, src=spoof_src_mac)/IP(dst=dst_ip, src=spoof_src_ip)/ICMP()/payload, iface=ifname)

f = open('scapylog.log', 'w')
f.write(str(snf))

with src_mac = my MAC address & dst_ip = my IP address. The "spoof" fields are just random (valid) MAC & IP values.

The resulting sniff / logfile is empty. Nothing to report.

I can see that traffic is going in the network through the ifconfig stats of the interfaces that increment each time I call this script - so traffic is flowing...

If someone has an idea why I'm not seeing my traffic I'd be happy to hear :)

Thanks!

YNWA asked Dec 15 '16 14:12


1 Answer

Just stumbled across your question while looking for a similar solution myself. I found this on the Scapy Troubleshooting page:

The loopback interface is a very special interface. Packets going through it are not really assembled and disassembled. The kernel routes the packet to its destination while it is still stored in an internal structure. What you see with tcpdump -i lo is only a fake to make you think everything is normal. The kernel is not aware of what Scapy is doing behind his back, so what you see on the loopback interface is also a fake. Except this one did not come from a local structure. Thus the kernel will never receive it.

In order to speak to local applications, you need to build your packets one layer higher, using a PF_INET/SOCK_RAW socket instead of a PF_PACKET/SOCK_RAW (or its equivalent on systems other than Linux):

>>> conf.L3socket
<class __main__.L3PacketSocket at 0xb7bdf5fc>
>>> conf.L3socket=L3RawSocket
>>> sr1(IP(dst="127.0.0.1")/ICMP())
<IP  version=4L ihl=5L tos=0x0 len=28 id=40953 flags= frag=0L ttl=64 proto=ICMP chksum=0xdce5 src=127.0.0.1 dst=127.0.0.1 options='' |<ICMP  type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |>>
Kyle answered Oct 21 '22 19:10