#1
Banned
Retrieving outgoing packets
What module would you suggest I use to look into how I could go about retrieving and analyzing outgoing internet packets?
For a game I play, I'd like to be able to take the packets it sends while playing online and analyze those for a scoring program.
#2
Expert Programmer
Join Date: Aug 2005
Location: Rotterdam, the Netherlands
Posts: 942
Rep Power: 4
Cheater. Never used one, tried googling for TCP packet sniffer?
#3
Banned
Okay. And I said analyzing it for a score tracking program. >_>
It will submit anyone's scores automatically to my website to be added to a database of everyone's scores. If I used software it would be additional programs that clients would need to install. Plus it would probably be extremely difficult to automate the control and retrieval from already programmed software.
#4
Banned
Okay, I found something called Impacket. But I can't figure out how to use this example to retrieve outgoing packets... >_>
```python
#!/usr/bin/python
# Copyright (c) 2003 CORE Security Technologies
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# $Id: ping.py,v 1.3 2003/10/27 17:36:56 jkohen Exp $
#
# Simple ICMP ping.
#
# This implementation of ping uses the ICMP echo and echo-reply packets
# to check the status of a host. If the remote host is up, it should reply
# to the echo probe with an echo-reply packet.
# Note that this isn't a definite test, as in the case the remote host is up
# but refuses to reply the probes.
# Also note that the user must have special access to be able to open a raw
# socket, which this program requires.
#
# Authors:
# Gerardo Richarte <gera@coresecurity.com>
# Javier Kohen <jkohen@coresecurity.com>
#
# Reference for:
# ImpactPacket: IP, ICMP, DATA.
# ImpactDecoder.

import select
import socket
import time
import sys

from impacket import ImpactDecoder, ImpactPacket

if len(sys.argv) < 3:
    print("Use: %s <src ip> <dst ip>" % sys.argv[0])
    sys.exit(1)

src = sys.argv[1]
dst = sys.argv[2]

# Create a new IP packet and set its source and destination addresses.
ip = ImpactPacket.IP()
ip.set_ip_src(src)
ip.set_ip_dst(dst)

# Create a new ICMP packet of type ECHO.
icmp = ImpactPacket.ICMP()
icmp.set_icmp_type(icmp.ICMP_ECHO)

# Include a 156-character long payload inside the ICMP packet.
icmp.contains(ImpactPacket.Data(b"A" * 156))

# Have the IP packet contain the ICMP packet (along with its payload).
ip.contains(icmp)

# Open a raw socket. Special permissions are usually required.
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

seq_id = 0
while 1:
    # Give the ICMP packet the next ID in the sequence.
    seq_id += 1
    icmp.set_icmp_id(seq_id)

    # Calculate its checksum.
    icmp.set_icmp_cksum(0)
    icmp.auto_checksum = 1

    # Send it to the target host.
    s.sendto(ip.get_packet(), (dst, 0))

    # Wait for incoming replies.
    if s in select.select([s], [], [], 1)[0]:
        reply = s.recvfrom(2000)[0]

        # Use ImpactDecoder to reconstruct the packet hierarchy.
        rip = ImpactDecoder.IPDecoder().decode(reply)
        # Extract the ICMP packet from its container (the IP packet).
        ricmp = rip.child()

        # If the packet matches, report it to the user.
        if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():
            print("Ping reply for sequence #%d" % ricmp.get_icmp_id())

        time.sleep(1)
```
This works on my computer, it pings my server and works fine. Any ideas?
#5
Banned
Yeah, it seems impacket is for receiving and decoding packets coming TO your computer, not FROM.
Pleeeze. I hate to triple post but this is really bugging me and I'm pressed for time.
#6
Programming Guru
Join Date: Aug 2005
Location: England
Posts: 1,499
Rep Power: 5
As I understand it, getting outgoing packages depends on your OS. Essentially, you query your TCP/IP implementation for information, and the interface to do so is, I believe, tied to the kernel. I'd guess that the program whose traffic you wish to monitor runs on Windows, so you'd need to research how to monitor TCP/IP packets from Windows.
Perhaps try http://oss.coresecurity.com/projects/pcapy.html, which is a Python library that interfaces with http://www.winpcap.org/windump/. Alternatively, you could set up a router program that takes in the information from your game and passes it on to the game servers, monitoring the data as it passes through. Of course, this would either require the users changing the game servers used by the game (if this is even possible), or changing the hosts file to redirect data meant for the game server to your program. But neither of these is anything close to an ideal solution.
#7
Banned
I've looked at pcapy and it's essentially the same thing as Impacket.
The ideal solution for me is something that'll be consistently compatible on Windows, router or not. I don't see why you can't just simply view your outgoing traffic, it just seems so simple.
#8
Programming Guru
Join Date: Aug 2005
Location: England
Posts: 1,499
Rep Power: 5
Quote:
#9
Banned
XD
That response made me laugh. ^_^ Is there a way I can just use tcpdump instead of these silly interfaces to them? Is there any way this also could be illegal? The game says it's against the TOS to modify packets, but what about reading them?
#10
Expert Programmer
Well tcpdump is a *nix program, you could pipe it to stdin and parse the output.
I'm not sure how you'd do that on Windows, but I saw a Windows version called windump.
__________________
Join us at #programmingforums @ irc.freenode.net! My software never has bugs. It just develops random features.
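
An added example, not part of any post in this thread: one way to do what post #10 suggests, reading tcpdump's text output and keeping only packets whose source is the local machine. The sample lines, addresses and function names are constructed for illustration, and only IPv4 TCP/UDP lines are parsed.

```python
import re
import subprocess
import sys

# Constructed sample of `tcpdump -l -n -tt` output (not a real capture).
SAMPLE = """\
1700000000.100000 IP 192.168.1.10.51234 > 203.0.113.5.27015: UDP, length 48
1700000000.150000 IP 203.0.113.5.27015 > 192.168.1.10.51234: UDP, length 120
1700000000.200000 IP 192.168.1.10.51300 > 198.51.100.7.80: Flags [P.], seq 1:100, ack 1, win 502, length 99
1700000000.250000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
""".splitlines()

ADDR = r"(\d+\.\d+\.\d+\.\d+)\.(\d+)"   # IPv4 address followed by .port
LINE_RE = re.compile(r"^(\d+\.\d+) IP " + ADDR + " > " + ADDR + r": (.*)$")
LENGTH_RE = re.compile(r"\blength (\d+)")


def parse_line(line):
    """Parse one tcpdump line; None unless it is IPv4 with ports (TCP/UDP)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, src, sport, dst, dport, rest = m.groups()
    length = LENGTH_RE.search(rest)
    proto = "UDP" if rest.startswith("UDP") else "TCP" if rest.startswith("Flags") else "other"
    return {"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto,
            "length": int(length.group(1)) if length else None}


def outgoing(lines, local_ip):
    """Keep only packets whose source address is this machine's."""
    parsed = (parse_line(line) for line in lines)
    return [p for p in parsed if p and p["src"] == local_ip]


def capture(iface, local_ip):
    """Yield outgoing packets live; 'src host' filters out inbound traffic."""
    cmd = ["tcpdump", "-l", "-n", "-tt", "-i", iface, "src", "host", local_ip]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True)
    for line in proc.stdout:
        pkt = parse_line(line)
        if pkt:
            yield pkt


if __name__ == "__main__":   # usage: script.py <iface> <local ip>
    for pkt in capture(sys.argv[1], sys.argv[2]):
        print(pkt)
```

Live capture needs tcpdump installed and permission to open the interface; `outgoing(SAMPLE, "192.168.1.10")` runs the same parsing on the constructed lines without capturing anything.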