
I am using a RHEL6 computer and I am trying to communicate with a Windows XP computer via RAW sockets.

When I receive a specific frame on my RHEL computer, a Python 2 script using RAW sockets processes the frame and changes the following fields before sending it to the Windows computer:

  • Dest MAC
  • Dest IP
  • IP ID
  • Checksum

The packet arrives on my Windows XP computer, as I see the packet in Wireshark, but it never reaches the application layer, as the software that needs the packet doesn't react.

This is how I create the sent packet:

import socket, binascii, optparse
# ETH_P_ALL (3): receive every frame on the interface
s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3))
s.bind(('eth1', 0))
while True:
    result = s.recv(65535)
    # bytes 30:34 of an Ethernet/IPv4 frame hold the destination IP
    if binascii.hexlify(result[30:34]).decode() == "<WANTED FRAME IP>":
        # new dst MAC, unchanged src MAC/EtherType/IP start, new IP ID, new checksum, new dst IP
        result2 = ("<DEST_MAC>".decode("hex") + result[6:18] + "<IP_ID>".decode("hex")
                   + result[20:24] + "<CHECKSUM>".decode("hex") + result[26:30]
                   + "<DEST_IP>".decode("hex") + result[34:])
        s.send(result2)  # send only when a matching frame was rewritten

When I try using a "classic" socket, the target software correctly receives the packet, but that's not the behavior I want, as I have to use RAW sockets to send them.

I tried sending other simple UDP packets with the same code and got the same result: the packet is correctly seen in Wireshark but never reaches the application layer on my Windows XP.

Any idea why my RAW socket packets are not correctly processed by the target?

waterleek
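The rewrite the question describes, as an added example in Python 3 (not the asker's code): the destination MAC, IP ID and destination IP are replaced and the IPv4 header checksum is recomputed over the edited header rather than pasted in; because the UDP checksum covers a pseudo-header that includes the destination IP, it is recomputed as well. The sample frame, addresses and ports are constructed for the example.

```python
import struct

ETH_LEN = 14  # Ethernet header: dst MAC, src MAC, EtherType

def ones_complement_sum(data):
    """RFC 1071 checksum: fold the 16-bit one's-complement sum and invert it."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), bytes(data)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rewrite_frame(frame, dst_mac, dst_ip, ip_id):
    """Copy of an Ethernet/IPv4 frame with the destination MAC, IP ID and
    destination IP replaced, and the IP and UDP checksums recomputed."""
    eth = dst_mac + frame[6:ETH_LEN]
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    ip = bytearray(frame[ETH_LEN:ETH_LEN + ihl])
    ip[4:6] = struct.pack("!H", ip_id)
    ip[16:20] = dst_ip
    ip[10:12] = b"\x00\x00"  # checksum field is zero while it is computed
    ip[10:12] = struct.pack("!H", ones_complement_sum(ip))
    payload = bytearray(frame[ETH_LEN + ihl:])
    if ip[9] == 17 and len(payload) >= 8 and payload[6:8] != b"\x00\x00":
        # The UDP checksum covers a pseudo-header containing the destination IP,
        # so it changes too; a stored value of 0 means the sender disabled it.
        udp_len = struct.unpack("!H", payload[4:6])[0]
        pseudo = bytes(ip[12:16]) + dst_ip + struct.pack("!BBH", 0, 17, udp_len)
        payload[6:8] = b"\x00\x00"
        csum = ones_complement_sum(pseudo + bytes(payload[:udp_len])) or 0xFFFF
        payload[6:8] = struct.pack("!H", csum)
    return eth + bytes(ip) + bytes(payload)

def verify_ipv4_header(frame):
    """True when the frame's IPv4 header checksum is valid."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    return ones_complement_sum(frame[ETH_LEN:ETH_LEN + ihl]) == 0

def build_sample_frame():
    """Constructed test frame (not a real capture): Ethernet + IPv4 + UDP."""
    src_ip, dst_ip, data = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"ping"
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(data), 0) + data
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    udp = udp[:6] + struct.pack("!H", ones_complement_sum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + ip + udp
```

Running `verify_ipv4_header` over a rewritten frame is a quick check that the header the receiver sees is internally consistent before blaming the receiving host.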

1 Answer


You need to enable Promiscuous Mode on the OS, otherwise it will just kill the packet before it reaches your application. Looks something like this:

import os, socket
host = "<LOCAL_IP>"  # address of the interface to capture on
# Windows raw sockets take IPPROTO_IP; on Linux a specific protocol is given
socket_protocol = socket.IPPROTO_IP if os.name == "nt" else socket.IPPROTO_ICMP
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)
sniffer.bind((host, 0))
if os.name == "nt":
    sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)  # Windows: receive all packets

Here's a tutorial on how to enable it using python both on linux and Windows: https://codingsec.net/2016/05/packet-sniffing-windows-linux-using-python/

Fernando Cezar
  • I already am using Wireshark on the target computer, capturing packets in promiscuous mode, so shouldn't this be enough for packets to reach the application? – waterleek Jul 19 '18 at 12:47
  • Wireshark opened promiscuous mode for itself. Your app has to do the same, otherwise that socket will get nothing (just like you described is happening) – Fernando Cezar Jul 19 '18 at 12:50
  • Ok, I will try to get this working, even if I don't have the source code of the target application. – waterleek Jul 19 '18 at 13:15
  • Have you any idea how Windows XP drops packets sent from RAW socket and not from classic socket? – waterleek Jul 19 '18 at 13:16