This packet sniffer is easily customized to your own needs:
http://www.newlisp.org/syntax.cgi?code/sniff.txt
On Mac OS X and Ubuntu Linux the necessary libpcap is installed by default. On Windows go to http://www.winpcap.org/ to get wpcap.dll.
ps: also linked from the Tips&Tricks page
Network packet sniffer written in newLISP
Re: Network packet sniffer written in newLISP
Wild!
I sent you an e-mail today about this very thing, then checked the boards and ... magically... here it is.
Reminds me of why I used newLISP all those years. So much community and help.
#awesome
Lutz wrote:This packet sniffer is easily customized to your own needs:
http://www.newlisp.org/syntax.cgi?code/sniff.txt
On Mac OS X and Ubuntu Linux the necessary libpcap is installed by default. On Windows go to http://www.winpcap.org/ to get wpcap.dll.
ps: also linked from the Tips&Tricks page
. Kanen Flowers http://kanen.me .
Re: Network packet sniffer written in newLISP
Works fine here Lutz... (MacOS X 10.6.2, newLISP 10.1)
What's it for!?
Re: Network packet sniffer written in newLISP
I am using it for kane|box - a network security tool I am working on. (I was the founder of nCircle Network Security).
I was writing the tool in Ruby, but Lutz (whom I have known for years) convinced me otherwise.
More on my blog: www.LifeZero.org
P.S. I am seriously happy to see this code and I am already turning it into a module for my own purposes.
cormullion wrote:Works fine here Lutz... (MacOS X 10.6.2, newLISP 10.1)
What's it for!?
. Kanen Flowers http://kanen.me .
Re: Network packet sniffer written in newLISP
Hi John - I see you're an old/newLISP master from Kozoru days - good to see you here, I hope you can teach us newcomers some nifty moves... :)
The only suggestion I'd propose to your excellent newLISP Bayes post would be to map round over the results:
(map (fn (n) (round n -2)) quoted)
because the scientific notation detracts from the scoring... :/
Re: Network packet sniffer written in newLISP
Added to my blog post. Several people wrote me with "huh?" comments on the notation. :)
cormullion wrote:Hi John - I see you're an old/newLISP master from Kozoru days - good to see you here, I hope you can teach us newcomers some nifty moves... :)
The only suggestion I'd propose to your excellent newLISP Bayes post would be to map round over the results:
(map (fn (n) (round n -2)) quoted)
because the scientific notation detracts from the scoring... :/
. Kanen Flowers http://kanen.me .
Re: Network packet sniffer written in newLISP
"Many computers can print only capital letters, so we shall not use lowercase letters."
-- Let's Talk Lisp (c) 1976
Re: Network packet sniffer written in newLISP
xytroxon,
Some of the comments on reddit have a slight pungency of code-elitism, but ... being on reddit is apparently causing my visitors to basically double for the newLISP entry, which is great for the newLISP community.
Lutz will hopefully attest to my love for spreading the word.
xytroxon wrote:It's on reddit, vote it up ;p)
http://www.reddit.com/r/programming/com ... t_the_way/
-- xytroxon
. Kanen Flowers http://kanen.me .
Re: Network packet sniffer written in newLISP
I am guessing sniff.lsp was ported from sniffex.c, as it suffers from the same fundamental problem with malformed packets.
From the sniffex.c source code:
In the security world, many packets are sent with malformed IP, TCP, ICMP or UDP datagrams. Because of this, I need to be able to extract the malformed packet content and see what was done by the attacker.
Take the IP *total* length field - "ip_len" in "struct sniff_ip" - and, first, check whether it's less than ip_hl*4 (after you've checked whether ip_hl is >= 5). If it is, you have a malformed IP datagram.
Otherwise, subtract ip_hl*4 from it; that gives you the length of the TCP segment, including the TCP header. If that's less than th_off*4 (after you've checked whether th_off is >= 5), you have a malformed TCP segment.
Otherwise, subtract th_off*4 from it; that gives you the length of the TCP payload.
Also, the libpcap option pcap_open_offline is not being used, which prevents us from running sniff.lsp against an already captured file (on disk).
I have a small pcap file which illustrates the problem: https://www.openpacket.org/capture/grab/61
When I run sniff.lsp against this file (after adding pcap_open_offline as an option), I see the following message (problem):
--- 3--- time: 15:12:56.26937 capture-length:60
from ether addr: 00:18:01:3b:88:47 to: 00:0d:93:64:0f:4e
UDP from 88.196.140.131 port:29285 to 192.168.1.125 port:24
payload length:-6
However, if I load Wireshark (or tcpdump), they both read the pcap file correctly and see a 2-byte payload.
I am digging through the code to figure out the issue, but you should be aware that sniff.lsp is throwing "Malformed IP datagram" and other errors when the packet is not malformed.
P.S. I am also using sniff.lsp as a module.
Lutz wrote:This packet sniffer is easily customized to your own needs:
http://www.newlisp.org/syntax.cgi?code/sniff.txt
On Mac OS X and Ubuntu Linux the necessary libpcap is installed by default. On Windows go to http://www.winpcap.org/ to get wpcap.dll.
ps: also linked from the Tips&Tricks page
Attachment: Wireshark screenshot (bt-ws.png)
. Kanen Flowers http://kanen.me .
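An added example, not code from sniff.lsp or sniffex.c: a C function that applies the two length checks quoted from the sniffex.c comment above and derives the payload length from the header fields (ip_hl, ip_len, th_off, and the UDP length field, which the sniffex.c comment does not cover) rather than from the capture length. The sample frame is constructed to match the shape of the datagram in the output above (60 captured bytes, 2-byte UDP payload, NIC padding); its MAC addresses, IP addresses and ports are copied from that output, the remaining bytes are made up.

```c
#include <stdint.h>
#include <string.h>

/* Negative return values of payload_length(): the frame was rejected, and why. */
enum { ERR_TRUNCATED = -1, ERR_BAD_IP = -2, ERR_BAD_L4 = -3, ERR_UNSUPPORTED = -4 };

/* Payload length taken from the header length fields (ip_len, ip_hl, th_off, UDP length),
 * never from the capture length, so NIC padding on short frames cannot skew the result. */
int payload_length(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 14 + 20) return ERR_TRUNCATED;              /* not even Ethernet + IPv4 */
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return ERR_UNSUPPORTED;  /* EtherType IPv4 */
    const uint8_t *ip = pkt + 14;
    unsigned ip_hl  = (ip[0] & 0x0f) * 4;
    unsigned ip_len = (ip[2] << 8) | ip[3];
    if (ip_hl < 20 || ip_len < ip_hl) return ERR_BAD_IP;     /* sniffex.c: first check */
    if (caplen < 14 + ip_len) return ERR_TRUNCATED;         /* ip_len claims bytes we lack */
    unsigned l4_len = ip_len - ip_hl;                       /* segment/datagram incl. header */
    const uint8_t *l4 = ip + ip_hl;
    if (ip[9] == 6) {                                       /* TCP */
        if (l4_len < 20) return ERR_BAD_L4;
        unsigned th_off = (l4[12] >> 4) * 4;
        if (th_off < 20 || l4_len < th_off) return ERR_BAD_L4;  /* sniffex.c: second check */
        return (int)(l4_len - th_off);
    }
    if (ip[9] == 17) {                                      /* UDP: length field must fit */
        if (l4_len < 8) return ERR_BAD_L4;
        unsigned udp_len = (l4[4] << 8) | l4[5];
        if (udp_len < 8 || udp_len > l4_len) return ERR_BAD_L4;
        return (int)(udp_len - 8);
    }
    return ERR_UNSUPPORTED;
}

/* Constructed sample shaped like the thread's frame: UDP 88.196.140.131:29285 -> 192.168.1.125:24
 * with a 2-byte payload (ip_len 30, UDP length 10), padded by the NIC to the 60-byte Ethernet
 * minimum; the unlisted bytes 44..59 are zero padding. Checksums are left as zero. */
static const uint8_t padded_udp_frame[60] = {
    0x00,0x0d,0x93,0x64,0x0f,0x4e, 0x00,0x18,0x01,0x3b,0x88,0x47, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x1e, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,           /* IPv4 header */
    88,196,140,131, 192,168,1,125,                                           /* src, dst */
    0x72,0x65, 0x00,0x18, 0x00,0x0a, 0x00,0x00,                              /* UDP header */
    0xab,0xcd                                                                /* payload */
};

/* Copy the sample, overwrite one byte at offset off, and re-evaluate it (for the malformed cases). */
int payload_length_with_byte(size_t off, uint8_t value)
{
    uint8_t buf[sizeof padded_udp_frame];
    memcpy(buf, padded_udp_frame, sizeof buf);
    buf[off] = value;
    return payload_length(buf, sizeof buf);
}
```

On the constructed frame this returns 2, where a formula that subtracts the header sizes from the capture length (60 - 14 - 20 - 8) would report 18.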