Suffering from performance issues while sniffing in a real-time?
Marek Denis
2012-04-12 20:38:32 UTC
Hi,

Does any of you have any experience with sniffing data with Scapy
functions and methods, yet analyzing packets in real time?
I would like to be able to sniff IPv6 packets and detect some anomalies
or do some statistical counting.
If not Scapy (or, at least the sniff() function), maybe other Python
libraries are more optimised? Any advice?
Or is embedding Python into a C program and making the C code sniff
and pass the packets to the Python layer a good solution?
--
Marek Denis
[***@octogan.net]

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-***@secdev.org
Cor Rosielle
2012-04-13 08:00:24 UTC
Marek,

Is it sufficient to filter packets and output specific fields? Like this example:
- only show TCP packets
- where destination port = 6666
- and the TCP RST flag is not set
- display whether it is a TCP or ICMP response
- for TCP display: length of IP packet, source IP, TCP flags
- for ICMP display: length of IP packet, source IP, ICMP type and code, and original destination

sniff(filter='(tcp and dst port 6666 and tcp[tcpflags] & (tcp-rst) = 0)', prn = lambda x: x.sprintf("{TCP:len=%IP.len% ip=%IP.src% flags=%TCP.flags%}{ICMP:len=%IP.len% ip=%IP.src% type=%ICMP.type% code=%ICMP.code% orig.dest=%IPerror.dst%}"))

It does print certain anomalies, but I have found no way to do the counting.

Cor
Marek
2012-04-13 11:05:40 UTC
Cor,
Post by Cor Rosielle
Marek,
I was rather thinking about a monitor that tries to identify some IPv6
attacks. This means some counting should be performed, matching packets
and so on. I would like to do it online, so here comes my initial
question: should Scapy be able to handle typical traffic in real time?
Post by Cor Rosielle
It does print certain anomalies, but I have found no way to do the counting.
How about checking data in the callback function, inspecting the necessary
data and storing the Packet in memory only if necessary?
--
pozdrawiam

Marek Denis
[***@octogan.net]

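As an added example (not code from anyone in this thread), here is one way to do the counting Marek describes inside the sniff() callback while keeping the hot path cheap: the callback reads only the fixed IPv6 header from the raw bytes, updates per-source and per-next-header counters, keeps a sliding window of timestamps per source, and records an alert when one source exceeds a packet-rate threshold. The sample frames, the `Ipv6Counter` class, the threshold of 100 packets in 10 seconds and the helper names are all constructed for this example; `sniff(prn=..., store=False)` and `Packet.original` are real Scapy APIs, and `store=False` is what stops Scapy from keeping every packet in memory during a long capture.

```python
"""Added example: real-time IPv6 counting in a sniff() callback without storing packets."""
import ipaddress
import struct
from collections import Counter, defaultdict, deque

ETHERTYPE_IPV6 = 0x86DD
ICMPV6 = 58  # IPv6 next-header value for ICMPv6


class Ipv6Counter:
    """Counts packets per source and per next header; flags sources whose rate
    in a sliding window reaches the threshold. Parameters are example choices."""

    def __init__(self, window_seconds=10.0, threshold=100):
        self.window = window_seconds
        self.threshold = threshold
        self.by_next_header = Counter()
        self.by_src = Counter()
        self.recent = defaultdict(deque)  # src -> timestamps inside the window
        self.alerts = []                  # (src, timestamp) when threshold reached

    def observe(self, src, next_header, ts):
        self.by_next_header[next_header] += 1
        self.by_src[src] += 1
        window = self.recent[src]
        window.append(ts)
        while window and ts - window[0] > self.window:  # expire old timestamps
            window.popleft()
        if len(window) == self.threshold:  # fire once, when the count crosses
            self.alerts.append((src, ts))


def parse_ipv6_frame(frame):
    """Minimal parse of an Ethernet II frame carrying IPv6.
    Returns (source address, next header) or None for anything else."""
    if len(frame) < 14 + 40:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:]
    if ip6[0] >> 4 != 6:
        return None
    next_header = ip6[6]
    src = ipaddress.IPv6Address(ip6[8:24]).compressed
    return src, next_header


def build_ipv6_frame(src, dst, next_header, payload=b""):
    """Constructed test frame: zeroed MACs, fixed IPv6 header, optional payload."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV6)
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return eth + hdr + payload


def make_prn(counter):
    """Build the prn callback for Scapy's sniff(). It works on the original bytes
    (Packet.original) so the per-packet work stays small."""
    def prn(pkt):
        parsed = parse_ipv6_frame(getattr(pkt, "original", bytes(pkt)))
        if parsed:
            counter.observe(parsed[0], parsed[1], float(pkt.time))
    return prn


def run_live(iface=None, count=0):
    """Live capture (needs Scapy and privileges); not exercised by the demo below."""
    from scapy.all import sniff
    counter = Ipv6Counter()
    sniff(iface=iface, filter="ip6", prn=make_prn(counter), store=False, count=count)
    return counter


def simulate():
    """Offline demo on constructed frames: 3 packets from a quiet host,
    120 rapid ICMPv6 packets from a noisy one, plus one IPv4 frame to ignore."""
    counter = Ipv6Counter(window_seconds=10.0, threshold=100)
    t0 = 1_000_000.0
    for i in range(3):
        src, nh = parse_ipv6_frame(build_ipv6_frame("fe80::1", "ff02::1", ICMPV6))
        counter.observe(src, nh, t0 + i)
    for i in range(120):
        src, nh = parse_ipv6_frame(build_ipv6_frame("fe80::bad", "ff02::1", ICMPV6))
        counter.observe(src, nh, t0 + i * 0.01)
    ipv4_frame = b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 39
    if parse_ipv6_frame(ipv4_frame) is not None:
        raise RuntimeError("IPv4 frame should be ignored")
    return counter


if __name__ == "__main__":
    c = simulate()
    print("by next header:", dict(c.by_next_header))
    print("by source:", dict(c.by_src))
    print("alerts:", c.alerts)
```

The point of the split between `parse_ipv6_frame` and `Ipv6Counter` is that the expensive part of Scapy (full layer dissection) is not on the path that runs once per packet; if the capture still cannot keep up, the same counter can be fed by a C or libpcap front end that hands over raw frames, which is the other option raised in the thread.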