FireFox

Winpcap filter and TCP/UDP packet splitter


Hi,

I have worked on a project for a friend and it needed to retrieve some data in UDP packets; it was a challenge because I didn't know anything about those packets, and after a few days of work I have managed to do what I wanted.

The hardest part was to set a very strict filter for the CPU usage and for the script optimisation, so here is one :

;use filters with _PcapStartCapture
;retrieve only TCP packets containing AABBCCDD, starting at byte 8 with a length of 4; like the StringMid func.
;note: the offset in tcp[8:4] is counted from the start of the TCP header, not from the TCP data
;(byte 8 of the TCP header is the acknowledgment number field); add the header length to reach the data.
tcp[8:4] == 0xAABBCCDD ;8th byte from the beginning of the TCP header, 4 bytes long; always include the 0x to specify you are dealing with hex.

And some funcs to split the different data from packets :

;$hCapture is the handle returned by _PcapStartCapture
;$aPacket[3] is the captured frame as a hex string with a leading "0x", hence the StringMid offsets starting at 3
; #FUNCTION# ====================================================================================================================
; Name...........: _TCP_Recv
; Description ...: Retrieves a TCP packet and returns its data split into fields
; Syntax.........: _TCP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
; Parameters ....: $hCapture    - Capture handle
;                   $iInstance    - Instance of the packet to retrieve (0 = first packet captured)
;                   $iTimeOut    - Timeout in milliseconds (-1 = wait forever)
; Return values .: Success    - Array containing the packet data
;                   Failure    - -1 (timed out)
; Author ........: FireFox (d3mon)
; Modified.......:
; Remarks .......: The offsets assume an IPv4 header without options (IHL = 5) and a TCP header without options
;                   (data offset = 5); if either carries options, the fields from index 13 onwards are shifted.
; Related .......: _UDP_Recv
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _TCP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
    Local $iTimer_Capture, $aPacket, $iPacket = 0 ;$iPacket counts the packets seen so far

    $iTimer_Capture = TimerInit()

    While (TimerDiff($iTimer_Capture) < $iTimeOut Or $iTimeOut = -1)
        $aPacket = _PcapGetPacket($hCapture)

        If IsArray($aPacket) Then
            If $iPacket = $iInstance Then
                Local $aTCPPacket[21]

                ;Ethernet header (14 bytes)
                $aTCPPacket[0] = StringMid($aPacket[3], 3, 12) ;Destination MAC Address
                $aTCPPacket[1] = StringMid($aPacket[3], 15, 12) ;Source MAC Address
                $aTCPPacket[2] = StringMid($aPacket[3], 27, 4) ;Type (0800 = IPv4)
                ;IPv4 header (20 bytes, no options)
                $aTCPPacket[3] = StringMid($aPacket[3], 31, 2) ;Version & Header length
                $aTCPPacket[4] = StringMid($aPacket[3], 33, 2) ;Differentiated Services Field
                $aTCPPacket[5] = StringMid($aPacket[3], 35, 4) ;Total Length
                $aTCPPacket[6] = StringMid($aPacket[3], 39, 4) ;Identification
                $aTCPPacket[7] = StringMid($aPacket[3], 43, 4) ;Flags & Fragment offset
                $aTCPPacket[8] = StringMid($aPacket[3], 47, 2) ;Time to live
                $aTCPPacket[9] = StringMid($aPacket[3], 49, 2) ;Protocol (06 = TCP)
                $aTCPPacket[10] = StringMid($aPacket[3], 51, 4) ;Header checksum
                $aTCPPacket[11] = StringMid($aPacket[3], 55, 8) ;Source IP Address
                $aTCPPacket[12] = StringMid($aPacket[3], 63, 8) ;Destination IP Address
                ;TCP header (20 bytes, no options)
                $aTCPPacket[13] = StringMid($aPacket[3], 71, 4) ;Source port
                $aTCPPacket[14] = StringMid($aPacket[3], 75, 4) ;Destination port
                $aTCPPacket[15] = StringMid($aPacket[3], 79, 8) ;Sequence number
                $aTCPPacket[16] = StringMid($aPacket[3], 87, 8) ;Acknowledgment number
                $aTCPPacket[17] = StringMid($aPacket[3], 95, 4) ;Data offset & Flags
                $aTCPPacket[18] = StringMid($aPacket[3], 99, 4) ;Window size value
                $aTCPPacket[19] = StringMid($aPacket[3], 103, 4) ;Checksum
                ;107 to 110 = Urgent pointer (not stored)
                $aTCPPacket[20] = StringTrimLeft($aPacket[3], 110) ;Data

                Return $aTCPPacket
            EndIf
            $iPacket += 1
        EndIf

        Sleep(50)
    WEnd

    Return -1
EndFunc   ;==>_TCP_Recv

; #FUNCTION# ====================================================================================================================
; Name...........: _UDP_Recv
; Description ...: Retrieves a UDP packet and returns its data split into fields
; Syntax.........: _UDP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
; Parameters ....: $hCapture    - Capture handle
;                   $iInstance    - Instance of the packet to retrieve (0 = first packet captured)
;                   $iTimeOut    - Timeout in milliseconds (-1 = wait forever)
; Return values .: Success    - Array containing the packet data
;                   Failure    - -1 (timed out)
; Author ........: FireFox (d3mon)
; Modified.......:
; Remarks .......: The offsets assume an IPv4 header without options (IHL = 5); with options present,
;                   the fields from index 13 onwards are shifted. The UDP header is always 8 bytes.
; Related .......: _TCP_Recv
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _UDP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
    Local $iTimer_Capture, $aPacket, $iPacket = 0 ;$iPacket counts the packets seen so far

    $iTimer_Capture = TimerInit()

    While (TimerDiff($iTimer_Capture) < $iTimeOut Or $iTimeOut = -1)
        $aPacket = _PcapGetPacket($hCapture)

        If IsArray($aPacket) Then
            If $iPacket = $iInstance Then
                Local $aUDPPacket[18]

                ;Ethernet header (14 bytes): the destination MAC comes first on the wire
                $aUDPPacket[0] = StringMid($aPacket[3], 3, 12) ;Destination MAC Address
                $aUDPPacket[1] = StringMid($aPacket[3], 15, 12) ;Source MAC Address
                $aUDPPacket[2] = StringMid($aPacket[3], 27, 4) ;Type (0800 = IPv4)
                ;IPv4 header (20 bytes, no options)
                $aUDPPacket[3] = StringMid($aPacket[3], 31, 2) ;Version & Header length
                $aUDPPacket[4] = StringMid($aPacket[3], 33, 2) ;Differentiated Services Field
                $aUDPPacket[5] = StringMid($aPacket[3], 35, 4) ;Total Length
                $aUDPPacket[6] = StringMid($aPacket[3], 39, 4) ;Identification
                $aUDPPacket[7] = StringMid($aPacket[3], 43, 4) ;Flags & Fragment offset
                $aUDPPacket[8] = StringMid($aPacket[3], 47, 2) ;Time to live
                $aUDPPacket[9] = StringMid($aPacket[3], 49, 2) ;Protocol (11 = UDP)
                $aUDPPacket[10] = StringMid($aPacket[3], 51, 4) ;Header checksum
                $aUDPPacket[11] = StringMid($aPacket[3], 55, 8) ;Source IP Address
                $aUDPPacket[12] = StringMid($aPacket[3], 63, 8) ;Destination IP Address
                ;UDP header (8 bytes)
                $aUDPPacket[13] = StringMid($aPacket[3], 71, 4) ;Source port
                $aUDPPacket[14] = StringMid($aPacket[3], 75, 4) ;Destination port
                $aUDPPacket[15] = StringMid($aPacket[3], 79, 4) ;Length (header + data)
                $aUDPPacket[16] = StringMid($aPacket[3], 83, 4) ;Checksum
                $aUDPPacket[17] = StringTrimLeft($aPacket[3], 86) ;Data

                Return $aUDPPacket
            EndIf
            $iPacket += 1
        EndIf

        Sleep(50)
    WEnd

    Return -1
EndFunc   ;==>_UDP_Recv

;for example convert the packet's source/dest IP Address to text
; #FUNCTION# ====================================================================================================================
; Name...........: _HexIPAddressToText
; Description ...: Converts a hex IPv4 address (the 8-digit Source/Destination IP fields above) to dotted text
; Syntax.........: _HexIPAddressToText($vhexIPAddress)
; Parameters ....: $vhexIPAddress    - IPv4 address as 8 hex digits without a 0x prefix (string)
; Return values .: Success    - Converted IP Address, e.g. "192.168.1.10"
; Author ........: FireFox (d3mon)
; Modified.......:
; Remarks .......:
; Related .......: _TCP_Recv, _UDP_Recv
; Link ..........:
; Example .......: No
; ===============================================================================================================================
Func _HexIPAddressToText($vhexIPAddress)
    Local $sIPAddress = ""

    For $iOffset = 1 To 8 Step 2 ;one octet (2 hex digits) per loop
        $sIPAddress &= Dec(StringMid($vhexIPAddress, $iOffset, 2)) & "."
    Next

    Return StringTrimRight($sIPAddress, 1) ;drop the trailing dot
EndFunc   ;==>_HexIPAddressToText

Oops, almost forgot the Winpcap UDF available here : http://opensource.grisambre.net/pcapau3/

PS : If you find this helpful, please "like"/rate this post.

Enjoy :guitar:
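The same split as the _TCP_Recv/_UDP_Recv functions above, written here as an added Python example (not code from the post or from the Winpcap UDF) that reads the IP header length and the TCP data offset instead of using fixed offsets, and that applies the `tcp[8:4] == 0xAABBCCDD` test the way libpcap does, from the start of the TCP header. It assumes the frame arrives as the same 0x-prefixed hex string the UDF hands back in $aPacket[3]; the two frames are constructed for the example, not captured.

```python
import struct

# Constructed sample frames, not real captures: Ethernet + IPv4 + TCP with a 4-byte payload
# AABBCCDD and acknowledgment number 0. The second copy adds 4 bytes of TCP options (NOPs).
SAMPLE_TCP = (
    "0x" "001122334455" "66778899aabb" "0800"                        # Ethernet: dst, src, type
    "45" "00" "002c" "0001" "4000" "40" "06" "0000"                  # IPv4: IHL=5, len 44, TCP
    "c0a8010a" "0a000001"                                            # 192.168.1.10 -> 10.0.0.1
    "1f90" "0050" "00000001" "00000000" "5018" "0200" "0000" "0000"  # TCP 8080->80, doff=5
    "aabbccdd")                                                      # payload
SAMPLE_TCP_OPTS = (
    "0x" "001122334455" "66778899aabb" "0800"
    "45" "00" "0030" "0001" "4000" "40" "06" "0000" "c0a8010a" "0a000001"        # len 48
    "1f90" "0050" "00000001" "00000000" "6018" "0200" "0000" "0000" "01010101"   # doff=6
    "aabbccdd")

def parse_frame(hex_frame):
    """Split an Ethernet/IPv4/TCP-or-UDP frame given as a hex string (0x prefix optional)."""
    raw = bytes.fromhex(hex_frame[2:] if hex_frame.lower().startswith("0x") else hex_frame)
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an Ethernet/IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                    # IP header length: 20 unless options present
    total_len = struct.unpack("!H", ip[2:4])[0]
    l4 = ip[ihl:total_len]                      # also drops Ethernet trailer padding, if any
    pkt = {"dst_mac": raw[0:6].hex(), "src_mac": raw[6:12].hex(), "proto": ip[9],
           "src_ip": ".".join(str(b) for b in ip[12:16]),  # same job as _HexIPAddressToText
           "dst_ip": ".".join(str(b) for b in ip[16:20])}
    if pkt["proto"] == 6:                                    # TCP
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        doff = (off_flags >> 12) * 4            # TCP header length: 20 unless options present
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x1FF,
                   window=win, header=l4[:doff], payload=l4[doff:])
    elif pkt["proto"] == 17:                                 # UDP: fixed 8-byte header
        sport, dport, length, _csum = struct.unpack("!HHHH", l4[:8])
        pkt.update(sport=sport, dport=dport, length=length, header=l4[:8],
                   payload=l4[8:length])
    return pkt

def tcp_word_matches(pkt, offset, value):
    """Same test as the pcap filter 'tcp[offset:4] == value': libpcap counts the offset
    from the start of the TCP header, so offset 8 is the acknowledgment number field."""
    if pkt["proto"] != 6:
        return False
    seg = pkt["header"] + pkt["payload"]
    return len(seg) >= offset + 4 and struct.unpack("!I", seg[offset:offset + 4])[0] == value

if __name__ == "__main__":
    for name, frame in (("no options", SAMPLE_TCP), ("with options", SAMPLE_TCP_OPTS)):
        p = parse_frame(frame)
        print(name, p["src_ip"], p["sport"], "->", p["dst_ip"], p["dport"],
              "tcp[8:4]:", tcp_word_matches(p, 8, 0xAABBCCDD),
              "data:", tcp_word_matches(p, len(p["header"]), 0xAABBCCDD))
```

With the options frame, offset 20 lands on the option bytes rather than the data, which is the shift the fixed-offset splitter cannot see.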


OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control


@Ontosy

Here you go :

#include <String.au3>
...
Global $aPacket = _TCP_Recv(...)

If IsArray($aPacket) Then ;_TCP_Recv returns -1 on timeout
    If Dec($aPacket[13]) = 80 Then ;Source port = 80
        $sPacketText = _HexToString($aPacket[20]) ;Data field, hex to text

        ... ;process
    EndIf
EndIf

In the $sPacketText you will have the request header where you will be able to retrieve the URI.

Br, FireFox.

