Log in / Register
Home arrow Computer Science arrow Understanding Network Hacks
< Prev   CONTENTS   Next >

Chapter 5 TCP/IP Tricks

Abstract Next we want to take a tour through the TCP/IP protocol family. This forms the heart of the Internet and makes most computer networks in the world tick. The chapter topic is named TCP/IP, but we will also cover network sniffing here that expands over all layers.

5.1 Required Modules

Thanks to Scapy its very easy to create your own packets and send them on a journey, as already seen in Chap. 4. If you have not installed Scapy yet, proceed with the following line:

pip install Scapy

5.2 A Simple Sniffer

Let us try to keep it as simple as possible. The Internet, as well as local area networks, consist of a huge number of services. You use HTTP(S) for surfing web pages, SMTP to send emails, POP3 or IMAP to read emails, ICQ, IRC, Skype or Jabber to chat and so on.

Most people should by now have heard that HTTP without the S is insecure and should not be used to send one's bank account data through the net. However, most protocols for daily use are plaintext protocols, like ICQ or SMTP and IMAP/POP3. Facebook, the biggest social network of the world has recently adopted HTTPS as default (mid 2011). One can activate SSL encryption for most commonly used protocols or install a SSL proxy in front of a service if it doesn't support SSL by itself, but only a few people care about data security and encryption.

Unencrypted network traffic is the low hanging fruit every attacker is searching for. Why should an attacker try to crack passwords if he can easily read them? Why should they try to break into the application server if they could hijack the current admin session and insert his commands by using IP spoofing (Sect. 5.6)?

With a network sniffer like Tcpdump ( or Wireshark ( the admin can illustratively demonstrate its users that one can read their traffic if they don't use encryption. Of course you should have the authorization for this demonstration, as an admin should never invade the privacy of its users. Without authorization, you should only sniff your own or the packets of an intruder to your network.

The next code snippet should demonstrate how easy it is to write your own sniffer in Python. It uses the famous PCAP library from To be able to execute the source code you must also install the Python module impacket and pcapy from Core Security.

pip install impacket pcapy

1 #!/usr/bin/python


3 import sys

4 import getopt

5 import pcapy

6 from impacket.ImpactDecoder import EthDecoder



9 dev = "eth0"

10 filter = "arp"

11 decoder = EthDecoder()


13 # This function will be called for every packet

14 # and just print it

15 def handle_packet(hdr, data):

16 print decoder.decode(data)



19 def usage():

20 print sys.argv[0] + " -i <dev> -f <pcap_filter>"

21 sys.exit(1)


23 # Parsing parameter

24 try:

25 cmd_opts = "f:i:"

26 opts, args = getopt.getopt(sys.argv[1:], cmd_opts)

27 except getopt.GetoptError:

28 usage()


30 for opt in opts:

31 if opt[0] == "-f":

32 filter = opt[1]

33 elif opt[0] == "-i":

34 dev = opt[1]

35 else:

36 usage()


38 # Open device in promisc mode

39 pcap = pcapy.open_live(dev, 1500, 0, 100)


41 # Set pcap filter

42 pcap.setfilter(filter)


44 # Start sniffing

45 pcap.loop(0, handle_packet)

The tool sets the network card eth0 into the so called promiscuous mode. This instructs the kernel to read in every network packet, not only those addressed to the card itself. With the use of the variable filter you can set a PCAP filter expression. In the example this filter ensures that only ARP packets get sniffed. Other possible filters would be e.g. tcp and port 80, to read HTTP Traffic or “(udp or icmp) and host”, to see only ICMPand UDP-Traffic to and from the IP The documentation of the PCAP filter language can be found on

The function open_live() opens a network interface for reading packets. You can otherwise read packets from a PCAP dump file. The parameters we apply to open_live() are snaplen to define how many bytes of a packets payload should be read, a boolean value for setting the promiscuous mode and a timeout in milliseconds beside the network interface to read from.

Afterwards the packets are read from the network card in an endless loop. For every received packet the function handle_packet() gets called. It decodes the packet with the help of the EthDecoder class. We use EthDecoder here instead of ArpDecoder, because the PCAP filter can be specified by the user with the use of the -f parameter.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science