
I'm playing around with Scapy and I noticed something weird.

If I create a packet in order to trigger an ICMP time-exceeded error message:

myPacket = IP(dst="www.google.com", ttl=3)/TCP()

... I do get the ICMP message once I send it with the function sr.

On the other hand, if I take any outgoing packet that I have sniffed and change its ttl value to the same used above, I get no reply whatsoever.

What's the problem here? I thought I could experience this by using dummy traffic, not real traffic! I even tried with other TTL values, but to no avail.

Mike Pennington
Ricky Robinson
  • Ricky, there is a possibility that that third-hop router may be dropping TTL time-exceeded packets silently; try TTL 4 and 2. Also, is your traceroute in Scapy showing a missing link at 3 hops out? – dc5553 Apr 27 '12 at 08:17
  • Yeah, I tried with values from 1 to 20 but I still get no ICMP messages back. I really don't know what's going on. – Ricky Robinson Apr 27 '12 at 09:26
  • Try ping with -i 3 and just sniff to see if you get anything outside of scapy? – dc5553 Apr 27 '12 at 09:36
  • traceroute works perfectly, and so does any packet created on Scapy that I send with any TTL values. Ok, a few hops drop my packets without sending any ICMP error back, but most do reply. I might have an idea as to what the problem is. So far I've just been changing the TTL field without recomputing the header's length or the checksum for the packet. Do you think this might be the reason? – Ricky Robinson Apr 27 '12 at 09:42
  • Only the IP header checksum would prevent routing; to force it to recompute, just delete it. Changing the TTL will not affect the header length, just the checksum. – dc5553 Apr 27 '12 at 09:47
  • FYI the only thing that would change the IP header len is IP options which you should almost never see. – dc5553 Apr 27 '12 at 09:48
  • Yeah, that was it. I needed to do del(mypacket.getlayer(IP).chksum) and everything works like a charm. :) – Ricky Robinson Apr 27 '12 at 10:16

2 Answers


Ok, packets were getting dropped because once I changed the ttl value the checksum wasn't correct any more. I just had to force the checksum to be computed again by deleting its value:

del(mypacket.getlayer(IP).chksum) 
Ricky Robinson
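
Why the stale checksum gets the packet dropped, as an added example that is not part of the original answer: plain Python (standard library only, no Scapy) that changes the TTL of an IPv4 header with and without recomputing the header checksum. The header bytes are a constructed sample, and the function names are hypothetical.

```python
import struct

# Constructed sample: a 20-byte IPv4 header as it might sit in a sniffed packet
# (TTL 64, checksum 0xb861, 192.168.0.1 -> 192.168.0.199).
SNIFFED = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071: fold the 16-bit one's-complement sum, then invert it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def header_len(packet) -> int:
    """IHL counts 32-bit words; it only exceeds 5 when IP options are present."""
    return (packet[0] & 0x0F) * 4


def checksum_ok(packet: bytes) -> bool:
    """Receiver-side check: summing the header, checksum included, gives 0."""
    return ipv4_checksum(packet[:header_len(packet)]) == 0


def set_ttl(packet: bytes, ttl: int, recompute: bool) -> bytes:
    """Rewrite the TTL byte; optionally refresh the checksum (bytes 10-11)."""
    pkt = bytearray(packet)
    pkt[8] = ttl
    if recompute:
        pkt[10:12] = b"\x00\x00"  # the field counts as zero while summing
        csum = ipv4_checksum(bytes(pkt[:header_len(pkt)]))
        pkt[10:12] = struct.pack("!H", csum)
    return bytes(pkt)


if __name__ == "__main__":
    stale = set_ttl(SNIFFED, 3, recompute=False)
    fixed = set_ttl(SNIFFED, 3, recompute=True)
    print("original header valid:      ", checksum_ok(SNIFFED))
    print("ttl=3, old checksum valid:  ", checksum_ok(stale))
    print("ttl=3, recomputed valid:    ", checksum_ok(fixed), fixed[10:12].hex())
```

Deleting `chksum` in Scapy has the same effect as `recompute=True` here: the field is filled in again when the packet is built.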

Another option is to use the sendp() function. Scapy automatically calculates the IP and TCP checksums.

from scapy.all import Ether, IP, TCP, sendp, sniff

# sendp() sends at layer 2, so the frame needs an Ether header.
myPacket = Ether()/IP(dst="www.google.com", ttl=3)/TCP()
sendp(myPacket)

def dissect(pck):
    if pck.haslayer("ICMP"): # Filter out all but ICMP packets.  You could do additional filtering
        pck.show()           # Display response packets

sniff(iface="eth0", prn=dissect, store=0)
phoenix