
I am developing a Python sniffer which sniffs UDP packets. I use this code to receive a packet and get its payload in human-readable form, but the printed payload is not human-readable! I searched for how to convert this format to something human-readable, but found nothing.

import socket
import struct

# Python 2 (the print statement below). A raw IPPROTO_UDP socket on Linux hands back
# the IP header, the UDP header and the payload; opening it needs root / CAP_NET_RAW.
recv_socket = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_UDP)

packet = recv_socket.recvfrom(65565)
packet = packet[0]
ip_header = packet[0:20]
iph = struct.unpack('!BBHHHBBH4s4s', ip_header)
ihl = (iph[0] & 0x0F) * 4   # IP header length in bytes; it is 20 only when there are no IP options
data = packet[ihl + 8:]     # skip the IP header and the 8-byte UDP header to reach the DNS payload

payload = ":".join("{:02x}".format(ord(c)) for c in data)

print data.decode("utf-8", "ignore")   # decode the raw bytes, not the hex string built from them
print payload

Right now, the output of the print statements is as follows:

.*###[ DNS ]###
  id        = 1382
  qr        = 0L
  opcode    = 12L
  aa        = 0L
  tc        = 0L
  rd        = 1L
  ra        = 0L
  z         = 1L
  ad        = 1L
  cd        = 0L
  rcode     = 12L
  qdcount   = 30062
  ancount   = 867
  nscount   = 28525
  arcount   = 0
  qd        = ''
  an        = ''
  ns        = ''
  ar        = None
###[ Raw ]###
     load      = '\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00<\x00\x04\x80w\xf3\x86'
05:66:61:6c:75:6e:03:63:6f:6d:00:00:01:00:01:c0:0c:00:01:00:01:00:00:00:3c:00:04:80:77:f3:86
  • It is unclear what you are asking. Please see [How do I ask a good question?](https://stackoverflow.com/help/how-to-ask) – Galen Dec 16 '17 at 02:31
  • Thank you Galen, I will check the link. I also edited my question again. – Shahrooz Pooryousef Dec 16 '17 at 03:12
  • Maybe I'm missing something, but how do you know that the UDP payload is supposed to be human readable? How do you know there isn't some header on the front of the payload and the "human readable" portion is after that? How do you know the format of the data? – djhoese Dec 16 '17 at 03:18
  • I am sending a DNS query to a specific server and the server will always send two responses to me. Everything in Wireshark is clear. With the scapy library I can print the response value, which is an IP address. But I want to implement that with a Python raw socket. I just want to print the response value, which is an IP address, for my query. – Shahrooz Pooryousef Dec 16 '17 at 03:29
  • Is this python 2 or 3? **Edit:** nevermind see the print statement – djhoese Dec 16 '17 at 15:03
  • I'm not sure if this matters for the payload part of it, but your unpack seems wrong based on this (http://www.tcpipguide.com/free/t_DNSMessageHeaderandQuestionSectionFormat.htm) and this (https://docs.python.org/2/library/struct.html#format-characters). I've never dealt with DNS responses though, so feel free to tell me I don't know what I'm talking about. For example, you use B first, but wouldn't that be one byte when the DNS message header page says that ID is 2 bytes? – djhoese Dec 16 '17 at 15:16
  • B is for a byte of the IP header, not the UDP header. In addition, regarding your previous comment, every UDP query gets a response from the server which includes an IP for the domain name mentioned in your query. It is clear that I need to extract that IP address from the received response. – Shahrooz Pooryousef Dec 16 '17 at 21:42
  • @ShahroozPooryousef: The IP header is parsed and removed before your code will see it, unless you open the socket in raw mode. Where in your code do you parse the DNS response? – Blender Dec 17 '17 at 02:26
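The comments above turn on two things: where the DNS message starts inside what the raw socket returns (Blender's point about the IP header, and djhoese's about the header layout), and how to read the IP address out of the answer section instead of hex-dumping it. The Python 3 script below is an added example, not code from the question or from any answer. It builds a constructed raw IPv4/UDP/DNS packet in memory: the question and answer bytes are the ones from the hex dump in the question, while the 12-byte DNS header (id 0x1234), the UDP ports, the addresses 8.8.8.8 and 192.0.2.1 and the IP options are made up for the example. It parses the IP header with the same struct format as the question, uses the IHL field instead of the hard-coded 28-byte offset, and walks the DNS question and answer sections, following RFC 1035 compression pointers, to return the A record. The sample deliberately carries 4 bytes of IP options, so the hard-coded offset would land inside the UDP header.

```python
import socket
import struct

# Constructed sample. The question/answer bytes are the ones from the hex dump in the
# question; the DNS header, UDP header and IP header around them are made up here.
DNS_QA = bytes.fromhex(
    "05 66 61 6c 75 6e 03 63 6f 6d 00 00 01 00 01"      # QNAME falun.com, QTYPE A, QCLASS IN
    "c0 0c 00 01 00 01 00 00 00 3c 00 04 80 77 f3 86"   # NAME -> offset 12, A, IN, TTL 60, RDLENGTH 4, RDATA
)


def build_sample_packet():
    """Build what a Linux raw IPPROTO_UDP socket hands back: IP header + UDP header + DNS.
    Made-up values: DNS id 0x1234 (flags QR,RD,RA), ports 53 -> 40123, 8.8.8.8 -> 192.0.2.1."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + DNS_QA
    udp = struct.pack("!HHHH", 53, 40123, 8 + len(dns), 0)     # zero checksum is legal for UDP over IPv4
    options = b"\x01\x01\x01\x00"                               # NOP NOP NOP EOL: 4 bytes of IP options
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 24 + len(udp), 0x1A2B, 0, 64, 17, 0,
                     socket.inet_aton("8.8.8.8"), socket.inet_aton("192.0.2.1")) + options
    return ip + udp + dns   # IHL = 6, so the DNS message starts at byte 32, not at byte 28


def parse_ipv4(packet):
    """Return (header length in bytes, protocol, src, dst) from the fixed 20-byte part."""
    iph = struct.unpack("!BBHHHBBH4s4s", packet[:20])   # same format as in the question
    ihl = (iph[0] & 0x0F) * 4                           # 20 only when there are no options
    return ihl, iph[6], socket.inet_ntoa(iph[8]), socket.inet_ntoa(iph[9])


def read_name(msg, offset):
    """Decode a DNS name at msg[offset:], following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the enclosing section)."""
    labels, resume = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: two-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:                       # pointers must go backwards; this blocks loops
                raise ValueError("bad compression pointer")
            if resume is None:
                resume = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def parse_dns_response(msg):
    """Parse the header, question and answer sections of a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        if len(rdata) != rdlength:
            raise ValueError("truncated RDATA")
        if rtype == 1 and rdlength == 4:                # A record: the address the question wants
            text = socket.inet_ntoa(rdata)
        elif rtype == 5:                                # CNAME: another, possibly compressed, name
            text = read_name(msg, offset)[0]
        else:
            text = rdata.hex()
        offset += rdlength
        answers.append((name, rtype, ttl, text))
    return {"id": ident, "rcode": flags & 0x0F, "questions": questions, "answers": answers}


def dns_from_raw_packet(packet):
    """From a raw IPv4 packet to the parsed DNS response, using IHL and the UDP length field."""
    ihl, proto, _src, _dst = parse_ipv4(packet)
    if proto != 17:
        raise ValueError("not UDP")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if 53 not in (sport, dport):
        raise ValueError("not DNS")
    return parse_dns_response(packet[ihl + 8:ihl + ulen])


if __name__ == "__main__":
    for name, rtype, ttl, text in dns_from_raw_packet(build_sample_packet())["answers"]:
        print("%s  type=%d  ttl=%d  %s" % (name, rtype, ttl, text))
```

To use it live, pass the bytes returned by `recv_socket.recvfrom()` in the question's loop to `dns_from_raw_packet()` and catch `ValueError` and `struct.error`, since a raw socket delivers every UDP datagram, not only well-formed DNS responses. For the constructed packet the script prints `falun.com  type=1  ttl=60  128.119.243.134`, the address encoded in the last four bytes of the hex dump; `parse_dns_response(packet[28:])` on the same packet raises, because the first 12 bytes it sees are the tail of the UDP header followed by the start of the real DNS header.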
