
I'm somewhat of a Python novice, but I've taken up a small personal project to teach myself a bit more. Basically, I'm writing a packet sniffer using sockets and impacket. However, where I am getting stuck is one particular point: combining the output from header and packet into one variable (I was thinking of a dictionary, but it didn't like that...) so that I can simply search out the IP header for one particular partial source IP (i.e., the first two octets). Or would there be a more efficient way of handling this? Any help is appreciated. :-)

EDIT: When I was trying the dictionary, I was doing

ip_dict = { header: packet }

However, the output I get is akin to this:

{<impacket.ImpactPacket.IP instance at 0x02563440>: <impacket.ImpactPacket.Data instance at 0x02563530>}

As opposed to the actual output of said IP header and data.

import socket
import time

from impacket import ImpactDecoder

HOST = socket.gethostbyname(socket.gethostname())

# raw IP socket bound to the local interface (SIO_RCVALL below is Windows-only)
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
s.bind((HOST, 0))

while True:

    # Include IP headers
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

    # receive all packets (promiscuous mode)
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

    # receive a packet
    packet = s.recvfrom(42028)[0]

    # look at IP info
    h_decode = ImpactDecoder.IPDecoder()
    header = h_decode.decode(packet)

    # disable promiscuous mode
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)

    # decode the raw bytes as a Data object (this rebinds the name `packet`)
    decoder = ImpactDecoder.DataDecoder()
    packet = decoder.decode(packet)

    print(header)
    print(packet)

    time.sleep(1)
    What does "(I was thinking of a dictionary, but it didn't like that...)" mean? You should be able to build a dictionary with the header and the packet as values if you want to. – DSM Aug 28 '12 at 15:28

1 Answer


Dictionaries are sets of key/value pairs. When you used

ip_dict = { header: packet }

You told it to build a dictionary with the header instance as the key and the packet instance as the value, which is what it did:

{<impacket.ImpactPacket.IP instance at 0x02563440>: <impacket.ImpactPacket.Data instance at 0x02563530>}

If you want something from inside those instances, you have to extract it yourself. For example, although I've never used the impacket library before, the objects seem to have lots of methods living inside them. For example [suppressing the real numbers and data and replacing them with nonsense]:

In [25]: z
Out[25]: <impacket.ImpactPacket.IP instance at 0xb6151fac>

In [26]: z.[here I hit TAB in the IPython interpreter]
z.add_option              z.get_ip_offmask          z.set_bytes_from_string
z.auto_checksum           z.get_ip_p                z.set_checksum_from_data
z.calculate_checksum      z.get_ip_rf               z.set_ip_address
z.child                   z.get_ip_src              z.set_ip_df
z.compute_checksum        z.get_ip_sum              z.set_ip_dst
z.contains                z.get_ip_tos              z.set_ip_hl
z.ethertype               z.get_ip_ttl              z.set_ip_id
z.fragment_by_list        z.get_ip_v                z.set_ip_len
z.fragment_by_size        z.get_long                z.set_ip_mf
z.get_buffer_as_string    z.get_packet              z.set_ip_off
z.get_byte                z.get_pseudo_header       z.set_ip_offmask
z.get_bytes               z.get_size                z.set_ip_p
z.get_data_as_string      z.get_word                z.set_ip_rf
z.get_header_size         z.is_BSD                  z.set_ip_src
z.get_ip_address          z.list_as_hex             z.set_ip_sum
z.get_ip_df               z.load_header             z.set_ip_tos
z.get_ip_dst              z.normalize_checksum      z.set_ip_ttl
z.get_ip_hl               z.packet_printable        z.set_ip_v
z.get_ip_id               z.parent                  z.set_long
z.get_ip_len              z.protocol                z.set_parent
z.get_ip_mf               z.set_byte                z.set_word
z.get_ip_off              z.set_bytes               

In [26]: z.get_ip_src()
Out[26]: '1.2.3.4' # fake

In [27]: z.get_ip_dst()
Out[27]: '5.6.7.8' # fake

In [29]: z.get_data_as_string()
Out[29]: '\x00abcde' # fake

I have no idea what half of the methods do, or which of them are important, but you can easily build a dictionary out of whatever you like:

In [31]: {(z.get_ip_src(), z.get_ip_dst()): z.get_bytes()}
Out[31]: 
{('1.2.3.4',
  '5.6.7.8'): array('B', [1,2,3,4,5,6,7,8])} # fake

or combine bits from the IPDecoder and the DataDecoder, whatever. The point is that the issue isn't about Python dictionaries, it's about the impacket library's data structures, and what information you want to extract from them. The docs will probably describe how to get what you need.

DSM
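As an added example (not the poster's code and not impacket's), here is what the answer's advice looks like once the fields are pulled out of the header: a small stdlib-only IPv4 header parser, the dictionary keyed on (src, dst), and the "first two octets" match done as a proper prefix check. The parser, the helper names and the constructed sample packets are assumptions of this example; with impacket the same two fields come from header.get_ip_src() and header.get_ip_dst() as shown above.

```python
import socket
import struct
from ipaddress import IPv4Address, IPv4Network

def parse_ipv4_header(packet):
    """Decode the IPv4 header at the start of a raw packet into a plain dict.
    Raises ValueError on anything that is not well-formed IPv4, so a sniffer
    loop can skip junk instead of crashing on it."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "total_len": total_len,
            "payload": packet[ihl:]}

def index_by_flow(packets):
    """Build {(src, dst): [payload, ...]} from raw packets, skipping non-IPv4."""
    flows = {}
    for raw in packets:
        try:
            hdr = parse_ipv4_header(raw)
        except ValueError:
            continue
        flows.setdefault((hdr["src"], hdr["dst"]), []).append(hdr["payload"])
    return flows

def select_by_src_prefix(flows, cidr):
    """Keep flows whose source lies in cidr, e.g. '10.1.0.0/16': the
    'first two octets' match, done as a real prefix test, not a string one."""
    net = IPv4Network(cidr)
    return {k: v for k, v in flows.items() if IPv4Address(k[0]) in net}

def build_ipv4(src, dst, payload, proto=17):
    """Construct a minimal IPv4 packet for offline testing (checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample traffic: two flows from 10.1.x.x, one from elsewhere,
# and one garbage blob that must be skipped rather than crash the loop.
SAMPLE = [build_ipv4("10.1.2.3", "192.0.2.10", b"hello"),
          build_ipv4("10.1.9.9", "192.0.2.10", b"again"),
          build_ipv4("172.16.0.1", "192.0.2.10", b"other"),
          b"\x00\x01not an ip packet"]
```

select_by_src_prefix(index_by_flow(SAMPLE), "10.1.0.0/16") returns only the two 10.1.x.x flows; feed it the raw bytes from s.recvfrom() in the sniffer loop instead of SAMPLE.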