I have made some modifications to Pyshark to have it include the raw data in its layers. From there, I can grab the frame_raw.value which looks something like:

'000026002f4000a0200800a0200800001b2db7ec0100000010308f09c000cb000000c300cb01c4007c0018742eb7cf16c3cabcb2'

I now need to use that data to create a scapy packet, which needs to look something like this:

b'\x00\x00&\x00/@\x00\xa0 \x08\x00\xa0 \x08\x00\x00\x1b-\xb7\xec\x01\x00\x00\x00\x100\x8f\t\xc0\x00\xcb\x00\x00\x00\xc3\x00\xcb\x01\xc4\x00|\x00\x18t.\xb7\xcf\x16\xc3\xca\xbc\xb2'

How do I convert the pyshark data to the required format that scapy needs?

Here is an example of my input and output:

In [264]: d
Out[264]: '000026002f4000a0200800a0200800001b2db7ec0100000010308f09c000cb000000c300cb01c4007c0018742eb7cf16c3cabcb2'

In [265]: RadioTap(d)
Out[265]: <RadioTap version=48 pad=48 len=12336 present=Flags+FHSS+dBm_AntSignal+dB_TX_Attenuation+dBm_TX_Power+dB_AntSignal+dB_AntNoise+b20+b21+b28+b29 notdecoded='2f4000a0200800a0200800001b2db7ec0100000010308f09c000cb000000c300cb01c4007c0018742eb7cf16c3cabcb2' |>

1 Answer

Simply passing the binary string to RadioTap() (or Ether() if that is your link layer protocol) works for me:

Scapy 2.4+

>>> from scapy.all import *
>>> data="000026002f4000a0200800a0200800001b2db7ec0100000010308f09c000cb000000c300cb01c4007c0018742eb7cf16c3cabcb2"
>>> RadioTap(hex_bytes(data))
<RadioTap  version=0 pad=0 len=38 present=TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext notdecoded=' \x08\x00\xa0 \x08\x00\x00\x1b-\xb7\xec\x01\x00\x00\x00\x100\x8f\t\xc0\x00\xcb\x00\x00\x00\xc3\x00\xcb\x01' |<Dot11  subtype=12L type=Control proto=0L FCfield= ID=31744 addr1=18:74:2e:b7:cf:16 addr2=None addr3=None SC=None addr4=None |<Raw  load='\xc3\xca\xbc\xb2' |>>>

Scapy < 2.4

Python 3

>>> from scapy.all import *
>>> import codecs
>>> data="000026002f4000a0200800a0200800001b2db7ec0100000010308f09c000cb000000c300cb01c4007c0018742eb7cf16c3cabcb2"
>>> RadioTap(codecs.decode(data, "hex"))
<RadioTap  version=0 pad=0 len=38 present=TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext notdecoded=' \x08\x00\xa0 \x08\x00\x00\x1b-\xb7\xec\x01\x00\x00\x00\x100\x8f\t\xc0\x00\xcb\x00\x00\x00\xc3\x00\xcb\x01' |<Dot11  subtype=12L type=Control proto=0L FCfield= ID=31744 addr1=18:74:2e:b7:cf:16 addr2=None addr3=None SC=None addr4=None |<Raw  load='\xc3\xca\xbc\xb2' |>>>

Python 2

>>> from scapy.all import *
>>> data="000026002f4000a0200800a0200800001b2db7ec0100000010308f09c000cb000000c300cb01c4007c0018742eb7cf16c3cabcb2"
>>> RadioTap(data.decode("hex"))
<RadioTap  version=0 pad=0 len=38 present=TSFT+Flags+Rate+Channel+dBm_AntSignal+b14+b29+Ext notdecoded=' \x08\x00\xa0 \x08\x00\x00\x1b-\xb7\xec\x01\x00\x00\x00\x100\x8f\t\xc0\x00\xcb\x00\x00\x00\xc3\x00\xcb\x01' |<Dot11  subtype=12L type=Control proto=0L FCfield= ID=31744 addr1=18:74:2e:b7:cf:16 addr2=None addr3=None SC=None addr4=None |<Raw  load='\xc3\xca\xbc\xb2' |>>>
pchaigno
  • I am trying to do that with `RadioTap(data)`, but I can check to see if it is valid because RadioTap version should always be 0, but with the above data, I keep getting `version=48` – Zachary Alfakir Apr 12 '18 at 19:13
  • Works fine for me. I updated my answer to use `RadioTap` and your payload. Are you still getting an incorrect version number if you copy/paste my commands? I'm using Scapy 2.3.3. – pchaigno Apr 12 '18 at 20:42
  • ``` In [264]: d Out[264]: '000026002f4000a0200800a0200800001b2db7ec0100000010308f09c000cb000000c300cb01c4007c0018742eb7cf16c3cabcb2' In [265]: RadioTap(d) Out[265]: ``` – Zachary Alfakir Apr 12 '18 at 20:46
  • You forgot the `.decode("hex")` at the end of the string. Check out the end of the second line in the snippet of code in my answer. – pchaigno Apr 12 '18 at 20:48
  • I am receiving `data` as a string already, and therefore it does not have an attribute named `decode`. – Zachary Alfakir Apr 12 '18 at 20:54
  • Maybe there is a difference in python2.7 and python3? I am using python3.5 – Zachary Alfakir Apr 12 '18 at 21:00
  • Seems like python3 has removed string.decode. What is the equivalent? – Zachary Alfakir Apr 12 '18 at 21:21
  • I found the answer. In Python3, you must do something along the lines of: `RadioTap(codecs.decode(data, 'hex'))` If you update your answer with this (for python3), I will accept it. – Zachary Alfakir Apr 12 '18 at 21:35
  • FTR: you even have a hex_bytes function with scapy 2.4.0+, which supports both Python 2 and Python 3 – Cukic0d Apr 20 '18 at 00:57
  • @Cukic0d Thanks! I updated the answer with the `hex_bytes` solution. – pchaigno Apr 20 '18 at 06:37
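
The following is an added example, not code from the question, the answer or Scapy. It uses only the Python 3 standard library to show why the undecoded string parses as `version=48 pad=48 len=12336`, and it validates the fixed radiotap header before the bytes are handed to `RadioTap()`. The helper names `radiotap_header` and `frame_hex_to_bytes` are hypothetical.

```python
import binascii
import struct

# frame_raw.value exactly as quoted in the question.
FRAME_HEX = "000026002f4000a0200800a0200800001b2db7ec0100000010308f09c000cb000000c300cb01c4007c0018742eb7cf16c3cabcb2"


def radiotap_header(buf):
    """Return (version, pad, length) from the fixed 8-byte radiotap header."""
    if len(buf) < 8:
        raise ValueError("need at least 8 bytes for a radiotap header")
    # u8 version, u8 pad, u16 length, u32 present bitmap, all little-endian.
    version, pad, length, _present = struct.unpack_from("<BBHI", buf, 0)
    return version, pad, length


def frame_hex_to_bytes(hex_str):
    """Decode a hex dump to raw bytes and sanity-check the radiotap header."""
    try:
        raw = binascii.unhexlify(hex_str.strip())
    except (binascii.Error, TypeError, ValueError) as exc:
        raise ValueError("not a valid hex dump: %s" % exc)
    version, _pad, length = radiotap_header(raw)
    if version != 0:
        # Typical symptom of ASCII hex digits being parsed as packet bytes.
        raise ValueError("radiotap version is %d, expected 0" % version)
    if not 8 <= length <= len(raw):
        raise ValueError("radiotap length %d does not fit %d-byte frame"
                         % (length, len(raw)))
    return raw


if __name__ == "__main__":
    # Undecoded: the parser sees the ASCII digit '0' (0x30 = 48) in every
    # position, so version=48, pad=48 and len=0x3030=12336.
    print(radiotap_header(FRAME_HEX.encode("ascii")))
    raw = frame_hex_to_bytes(FRAME_HEX)
    # Decoded: version=0, pad=0, len=38 inside a 52-byte frame.
    print(radiotap_header(raw), len(raw))
    # raw is now the bytes object to pass to scapy, e.g. RadioTap(raw).
```
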