I want to capture outgoing UDP packets sent to IP address 10.24.11.73 and destination port number 32806. so I set
pcap_setdirection(*pchandle, PCAP_D_OUT);
but my problem is the filter string (const char *) passed to
pcap_compile(*pchandle, &program, filter, 0, subnet);
I looked at PCAP-FILTER and tried different string combination but non seems to work.
can some one help me with this issue. what should the filter string be set to in order to capture the intended packets.
I am using WinPcap and Visual Studio
You'd want something like this:
"udp and dst host 10.24.11.73 and dst port 32806"
Related
I'm using Metamask as ethereum provider in dapp
When I'm calling web3.eth.getAccounts()
It returns 0xaBCd12baabcd7be123B6123DabCD484321ABcd3
When i'm sending ethereum.send("eth_requestAccounts")
It returns same address but chars are lower cased or capitalized based on some weird logic 0xabcD12BAAbcd7BE123b6123Dabcd484321abCD3.
There's no other change to the address rather than that, no digit is missing and order is correct.
Why wuold that be happening?
What's the simplest way to spoof a ping reply with Scapy? I have a compiled script that keep pinging a certain domain and I need to investigate it's behavior when it receive a ping reply. I thought Scapy would be my best option to do so, but I can't figured it out.
So far I've found the class scapy.layers.inet.ICMPEcho_am, but trying to import it from scapy.layers.inet throws an ImportError. Beside, I also need to fake a DNS respond, and I'm even more clueless on that.
Thanks in advance for any hint, solution, etc.
A ping (echo) reply is just an ICMP packet with a type and code of 0:
IP(src="FAKE INITIATOR ADDRESS", dst="THE SERVER ADDRESS") / ICMP(type=0, code=0)
or, alternatively:
IP(src="FAKE INITIATOR ADDRESS", dst="THE SERVER ADDRESS") / ICMP(type="echo-reply", code=0)
Obviously, "FAKE INITIATOR ADDRESS" and "THE SERVER ADDRESS" should be replaced by strings that hold the fake client address and the server address that you're spoofing a reply to.
The code=0 isn't actually necessary since 0 is the default, but I figured explicit it nice.
I made this program to send spoof IPv6 pings on a given interface. You need to take care of proper sequence number also in the packet
def sniffer(interface):
#scapy.sniff(iface=interface, filter="icmp6 && ip6[40] == 128", store=False, prn=process_packet)
scapy.sniff(iface=interface,filter="icmp6", store=False, prn=process_packet)
def process_packet(packet):
print("DUMP\n")
print(packet.show())
print(packet[Ether].src)
print(Ether().src)
if packet[Ether].src == Ether().src:
print("OUTGOING PACKET")
print(packet[IPv6].dst)
if packet.haslayer(ICMPv6EchoRequest):
print("OUTGOING ECHO REQUEST")
reply_packet = Ether(dst=packet[Ether].src)\
/IPv6(dst=packet[IPv6].src,
src=packet[IPv6].dst) \
/ ICMPv6EchoReply(seq=packet[ICMPv6EchoRequest].seq,
id=0x1)
scapy.sendp(reply_packet, iface="Wi-Fi")
else:
print("INCOMING PACKET")
interface = "Wi-Fi"
sniffer(interface)
I used the following haproxy configuration in frontend to modify the response header of requests depending on a query string:
frontend my-frontend
acl is-foo urlp(foo) 1
http-response replace-header Set-Cookie "(.*)" "\1; SameSite=None" if is-foo
Depending on my information from the docs the acl should match for all requests like
example.com?a=b&foo=1&bar=2
example.com?foo=1
example.com?a=b&foo=1
And it should not match for requests like
example.com?a=b&foo=0&bar=2
example.com?a=b
example.com?a=b&foo=bar
The actual result is that the acl matches never.
If i invert the if i.e.: if !is-foo the replace-header happens on every request.
So the problem must be the acl which matches never.
I use haproxy 2.0.15
I got it working by myself.
It seems to be the case that urlp(foo) is not present at runtime when it has been executed for http-response.
So we need to store its value in a temporary variable using set-var(custom.name), before. At runtime in if condition we can access it with var(custom.name) and match it against our condition. I used urlp_val() instead of urlp() here because the value will be casted to int immediately.
frontend my-frontend
http-request set-var(txn.foo) urlp_val(foo)
http-response replace-header Set-Cookie "(.*)" "\1; SameSite=None" if { var(txn.foo) eq 1 }
Thank you for traveling.
I'm looking for a select statement that will check if 2 IP addresses are in the same subnet, based on how many bits in the host portion of the mask. I found this excellent question and answer, but it only works for IPv4 addresses.
My MySQL statement for IPv4 is as follows where 3 is the number of bit in the host portion of the mask (21 bit network):
SELECT FROM table WHERE ((-1 << 3) & INET_ATON(IPADDRESS1) = (-1 << 3) & INET_ATON(IPADDRESS2))
Can anyone create an IPv6 equivalent? (It's beyond my even attempting). I realize there is a INET6_ATON but the -1 I use to create the 1's mask above won't work (due to length), along with probably other reasons.
If it helps, we can assume that the IPv6 address is in RFC 5952 format, or the full 8 colon separated numbers.
You have a number of problems here. Most of the answers are here and in the reference implementation for IPv6
Before you spit at me for having a link-only answer, here are some hints of what is going on.
The links refer to an efficient way to handle non-overlapping ranges, such as IP addresses. However, part of the solution is to be able to add/subtract 1 from a 128-bit value. See the Functions IpIncr and IpDecr.
For producing a mask, I would recommend converting to 32-character hex, then playing with substrings. See CONCAT, LEFT, RIGHT, REPEAT, etc. Once you have done that, string comparisons should easily handle checking for "in network".
The code will be simpler in MySQL 8.0 because BLOBs can be treated as really long bit strings; previously bit stuff was limited to BIGINT, which is not big enough for IPv6.
I have a solution for when the addresses are stored as strings.
A similar problem is to find all addresses in the database that belonged to a specific subnet, which is rather similar to the problem posted here, to check whether two addresses are in the same subnet.
It is a little tricky, especially for IPv6. In IPv6 there can optionally be compressed segments, like 1::1 which is equivalent to 1:0:0:0:0:0:0:1, which is the main reason it is tricky.
The IPAddress Java library will produce mysql SQL to search for addresses in a given subnet. The link describes this problem in more detail. Disclaimer: I am the project manager.
The basic algorithm is to take the network section of the subnet address, then take each variant of that section (for example the two strings above are variants of the full address 1::1), then count the number of segment separators, then do a mysql substring on the address being matched, but also count the total separators in the address being matched.
Here is sample code:
public static void main(String[] args) throws IPAddressStringException {
System.out.println(getSearchSQL("columnX", "1.2.3.4/16"));
System.out.println(getSearchSQL("columnX", "1:2:3:4:5:6:7:8/64"));
System.out.println(getSearchSQL("columnX", "1::8/64"));
}
static String getSearchSQL(String expression, String ipAddressStr) throws IPAddressStringException {
IPAddressString ipAddressString = new IPAddressString(ipAddressStr);
IPAddress ipAddress = ipAddressString.toAddress();
IPAddressSection networkPrefix = ipAddress.getNetworkSection(ipAddress.getNetworkPrefixLength(), false);
StringBuilder sql = new StringBuilder("Select rows from table where ");
networkPrefix.getStartsWithSQLClause(sql, expression);
return sql.toString();
}
Ouptut:
Select rows from table where (substring_index(columnX,'.',2) = '1.2')
Select rows from table where (substring_index(columnX,':',4) = '1:2:3:4')
Select rows from table where ((substring_index(columnX,':',4) = '1:0:0:0') OR ((substring_index(columnX,':',2) = '1:') AND (LENGTH (columnX) - LENGTH(REPLACE(columnX, ':', '')) <= 5)))
From the ZooKeeper multi-server config docs they show the following configs that can be placed inside of zoo.cfg (ZK's config file) on each server:
tickTime=2000
dataDir=/var/zookeeper/
clientPort=2181
initLimit=5
syncLimit=2
server.1=zoo1:2888:3888
server.2=zoo2:2888:3888
server.3=zoo3:2888:3888
Furthermore, they state that you need a myid file on each ZK node whose content matches one of the server.id values above. So for example, in a 3-node "ensemble" (ZK cluster), the first node's myid file would simply contain the value 1. The second node's myid file would contain 2, and so forth.
I have a few practical questions about what this looks like in the real world:
1. Can localhost be used? If zoo.cfg has to be repeated on each node in the ensemble, is it OK to define the current server as localhost? For example, in a 3-node ensemble, would it be OK for Server #2's zoo.cfg to look like:
tickTime=2000
dataDir=/var/zookeeper/
clientPort=2181
initLimit=5
syncLimit=2
server.1=zoo1:2888:3888
server.2=localhost:2888:3888 # Afterall, we're on server #2!
server.3=zoo3:2888:3888
Or is this not advised/not possible?
2. Do they server ids have to be numerical? For instance, could I have a 5-node ensemble where each server's zoo.cfg looks like:
tickTime=2000
dataDir=/var/zookeeper/
clientPort=2181
initLimit=5
syncLimit=2
server.red=zoo1:2888:3888
server.green=zoo2:2888:3888
server.blue=zoo3:2888:3888
server.orange=zoo1:2888:3888
server.purple=zoo2:2888:3888
And, say, Server 1's myid would contain the value red inside of it (etc.)?
1. Can localhost be used?
This is a good question as ZooKeeper docs don't make it cristal clear whether the configuration file only accepts IP addresses. It says only hostname which could mean either an IP address, a DNS, or a name in the hosts file, such as localhost.
server.x=[hostname]:nnnnn[:nnnnn], etc
(No Java system property)
servers making up the ZooKeeper ensemble. When the server starts up, it determines which server it is by looking for the file myid in the data directory. That file contains the server number, in ASCII, and it should match x in server.x in the left hand side of this setting.
However, note that ZooKeeper recommend to use the exactly same configuration file in all hosts:
ZooKeeper's behavior is governed by the ZooKeeper configuration file. This file is designed so that the exact same file can be used by all the servers that make up a ZooKeeper server assuming the disk layouts are the same. If servers use different configuration files, care must be taken to ensure that the list of servers in all of the different configuration files match.
So simply put the machine IP address and everything should work. Also, I have personally tested using 0.0.0.0 (in a situation where the interface IP address was different from the public IP address) and it does work.
2. Do they server ids have to be numerical?
From ZooKeeper multi-server configuration docs, myid need to be a numerical value from 1 to 255:
The myid file consists of a single line containing only the text of that machine's id. So myid of server 1 would contain the text "1" and nothing else. The id must be unique within the ensemble and should have a value between 1 and 255.
Since myid must match the x in server.x parameter, we can infer that x must be a numerical value as well.