Network packet sniffer written in newLISP

Lutz
Posts: 5289
Joined: Thu Sep 26, 2002 4:45 pm
Location: Pasadena, California

Network packet sniffer written in newLISP

Post by Lutz »

This packet sniffer is easily customized to your own needs:

http://www.newlisp.org/syntax.cgi?code/sniff.txt

On Mac OS X and Ubuntu Linux the necessary libpcap is installed by default. On Windows go to http://www.winpcap.org/ to get wpcap.dll.

ps: also linked from the Tips&Tricks page

kanen
Posts: 145
Joined: Thu Mar 25, 2010 6:24 pm

Re: Network packet sniffer written in newLISP

Post by kanen »

Wild!

I sent you an e-mail today about this very thing, then checked the boards and ... magically... here it is.

Reminds me of why I used newLISP all those years. So much community and help.

#awesome
Lutz wrote: This packet sniffer is easily customized to your own needs:

http://www.newlisp.org/syntax.cgi?code/sniff.txt

On Mac OS X and Ubuntu Linux the necessary libpcap is installed by default. On Windows go to http://www.winpcap.org/ to get wpcap.dll.

ps: also linked from the Tips&Tricks page
. Kanen Flowers http://kanen.me .

cormullion
Posts: 2038
Joined: Tue Nov 29, 2005 8:28 pm
Location: latitude 50N longitude 3W

Re: Network packet sniffer written in newLISP

Post by cormullion »

Works fine here Lutz... (MacOS X 10.6.2, newLISP 10.1)

What's it for!?

kanen
Posts: 145
Joined: Thu Mar 25, 2010 6:24 pm

Re: Network packet sniffer written in newLISP

Post by kanen »

I am using it for kane|box - a network security tool I am working on. (I was the founder of nCircle Network Security).

I was writing the tool in Ruby, but Lutz (whom I have known for years) convinced me otherwise.

More on my blog: www.LifeZero.org

P.S. I am seriously happy to see this code and I am already turning it into a module for my own purposes.
cormullion wrote: Works fine here Lutz... (MacOS X 10.6.2, newLISP 10.1)

What's it for!?
. Kanen Flowers http://kanen.me .

cormullion
Posts: 2038
Joined: Tue Nov 29, 2005 8:28 pm
Location: latitude 50N longitude 3W

Re: Network packet sniffer written in newLISP

Post by cormullion »

Hi John - I see you're an old/newLISP master from Kozoru days - good to see you here, I hope you can teach us newcomers some nifty moves... :)

The only suggestion I'd propose to your excellent newLISP Bayes post would be to map round over the results:

(map (fn (n) (round n -2)) quoted)
because the scientific notation detracts from the scoring... :/

kanen
Posts: 145
Joined: Thu Mar 25, 2010 6:24 pm

Re: Network packet sniffer written in newLISP

Post by kanen »

Added to my blog post. Several people wrote me with "huh?" comments on the notation. :)
cormullion wrote: Hi John - I see you're an old/newLISP master from Kozoru days - good to see you here, I hope you can teach us newcomers some nifty moves... :)

The only suggestion I'd propose to your excellent newLISP Bayes post would be to map round over the results:

(map (fn (n) (round n -2)) quoted)
because the scientific notation detracts from the scoring... :/
. Kanen Flowers http://kanen.me .

xytroxon
Posts: 296
Joined: Tue Nov 06, 2007 3:59 pm

Re: Network packet sniffer written in newLISP

Post by xytroxon »

It's on reddit, vote it up ;p)

http://www.reddit.com/r/programming/com ... t_the_way/

-- xytroxon
"Many computers can print only capital letters, so we shall not use lowercase letters."
-- Let's Talk Lisp (c) 1976

kanen
Posts: 145
Joined: Thu Mar 25, 2010 6:24 pm

Re: Network packet sniffer written in newLISP

Post by kanen »

xytroxon,

Some of the comments on reddit have a slight pungency of code-elitism, but ... being on reddit is apparently causing my visitors to basically double for the newLISP entry, which is great for the newLISP community.

Lutz will hopefully attest to my love for spreading the word.
xytroxon wrote: It's on reddit, vote it up ;p)

http://www.reddit.com/r/programming/com ... t_the_way/

-- xytroxon
. Kanen Flowers http://kanen.me .

kanen
Posts: 145
Joined: Thu Mar 25, 2010 6:24 pm

Re: Network packet sniffer written in newLISP

Post by kanen »

I am guessing sniff.lsp was ported from sniffex.c, as it suffers from the same fundamental problem with malformed packets.

From the sniffex.c source code:
Take the IP *total* length field - "ip_len" in "struct sniff_ip" - and, first, check whether it's less than ip_hl*4 (after you've checked whether ip_hl is >= 5). If it is, you have a malformed IP datagram.

Otherwise, subtract ip_hl*4 from it; that gives you the length of the TCP segment, including the TCP header. If that's less than th_off*4 (after you've checked whether th_off is >= 5), you have a malformed TCP segment.

Otherwise, subtract th_off*4 from it; that gives you the length of the TCP payload.
In the security world, many packets are sent with malformed IP, TCP, ICMP or UDP datagrams. Because of this, I need to be able to extract the malformed packet content and see what was done by the attacker.

Also, the libpcap option pcap_open_offline is not being used, which prevents us from running sniff.lsp against an already captured file (on disk).

I have a small pcap file which illustrates the problem https://www.openpacket.org/capture/grab/61

When I run sniff.lsp against this file (after adding pcap_open_offline as an option), I see the following message (problem):
--- 3--- time: 15:12:56.26937 capture-length:60
from ether addr: 00:18:01:3b:88:47 to: 00:0d:93:64:0f:4e
UDP from 88.196.140.131 port:29285 to 192.168.1.125 port:24
payload length:-6
However, if I load Wireshark (or tcpdump), they both read the pcap file correctly and see a 2 byte payload.

I am digging through the code to figure out the issue, but you should be aware that sniff.lsp is throwing "Malformed IP datagram" and other errors when the packet is not malformed.
P.S. I am also using sniff.lsp as a module.
Lutz wrote: This packet sniffer is easily customized to your own needs:

http://www.newlisp.org/syntax.cgi?code/sniff.txt

On Mac OS X and Ubuntu Linux the necessary libpcap is installed by default. On Windows go to http://www.winpcap.org/ to get wpcap.dll.

ps: also linked from the Tips&Tricks page
Attachment: bt-ws.png (Wireshark screenshot)
. Kanen Flowers http://kanen.me .
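The length arithmetic quoted from sniffex.c, as an added C example that is not part of sniff.lsp or of the original post: it derives the payload length from the IP total-length field rather than from the capture length, so the Ethernet padding that pads a 30-byte datagram out to a 60-byte frame is ignored and a 2-byte UDP payload comes out as 2, not negative. The sample frame is constructed from the addresses and ports in the capture summary above; the error codes and function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Negative return codes; a non-negative value is the payload length. */
enum { ERR_SHORT = -1, ERR_BAD_IP = -2, ERR_BAD_L4 = -3, ERR_UNSUPPORTED = -4 };

static unsigned be16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Payload length of an Ethernet/IPv4 frame, taken from the IP total-length
 * field (ip_len) rather than caplen, so trailing Ethernet padding is ignored.
 * The header-length checks follow the sniffex.c comment quoted in the post. */
int payload_length(const uint8_t *frame, size_t caplen)
{
    if (caplen < 14 + 20) return ERR_SHORT;
    if (be16(frame + 12) != 0x0800) return ERR_UNSUPPORTED;      /* not IPv4 */
    const uint8_t *ip = frame + 14;
    unsigned ip_hl = (ip[0] & 0x0f) * 4, ip_len = be16(ip + 2);
    if ((ip[0] >> 4) != 4 || ip_hl < 20 || ip_len < ip_hl) return ERR_BAD_IP;
    if (ip_len > caplen - 14) return ERR_SHORT;     /* datagram truncated by caplen */
    unsigned seg_len = ip_len - ip_hl;              /* transport header + payload */
    const uint8_t *l4 = ip + ip_hl;
    if (ip[9] == 6) {                                             /* TCP */
        if (seg_len < 20) return ERR_BAD_L4;
        unsigned th_off = (l4[12] >> 4) * 4;
        if (th_off < 20 || seg_len < th_off) return ERR_BAD_L4;
        return (int)(seg_len - th_off);
    }
    if (ip[9] == 17) {                                            /* UDP */
        unsigned udp_len = be16(l4 + 4);
        if (seg_len < 8 || udp_len < 8 || udp_len > seg_len) return ERR_BAD_L4;
        return (int)(udp_len - 8);
    }
    return ERR_UNSUPPORTED;
}

/* Constructed 60-byte frame matching the capture summary in the post:
 * 14 B Ethernet + 20 B IP (total length 30) + 8 B UDP + 2 B payload + 16 B pad. */
static const uint8_t sample_udp[60] = {
    0x00,0x0d,0x93,0x64,0x0f,0x4e, 0x00,0x18,0x01,0x3b,0x88,0x47, 0x08,0x00,
    0x45,0x00,0x00,0x1e, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x58,0xc4,0x8c,0x83, 0xc0,0xa8,0x01,0x7d,        /* 88.196.140.131 -> 192.168.1.125 */
    0x72,0x65, 0x00,0x18, 0x00,0x0a, 0x00,0x00, 'h','i' /* port 29285 -> 24, UDP len 10 */
};                                                    /* remaining bytes: zero padding */

int sample_udp_payload(void) { return payload_length(sample_udp, sizeof sample_udp); }

/* Same frame with ip_len rewritten to 16, below the 20-byte header: malformed. */
int sample_bad_ip(void)
{
    uint8_t f[60]; memcpy(f, sample_udp, sizeof f); f[16] = 0; f[17] = 16;
    return payload_length(f, sizeof f);
}
```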
